[Senate Hearing 113-241]
[From the U.S. Government Publishing Office]









                                                        S. Hrg. 113-241

   CYBERSECURITY: PREPARING FOR AND RESPONDING TO THE ENDURING THREAT

=======================================================================

                                HEARING

                               before the

            COMMITTEE ON APPROPRIATIONS UNITED STATES SENATE

                    ONE HUNDRED THIRTEENTH CONGRESS

                             FIRST SESSION

                               __________

                            SPECIAL HEARING

                     JUNE 12, 2013--WASHINGTON, DC

                               __________

         Printed for the use of the Committee on Appropriations




[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]









   Available via the World Wide Web: http://www.gpo.gov/fdsys/browse/
        committee.action?chamber=senate&committee=appropriations

                               __________
                               
                               
                         U.S. GOVERNMENT PUBLISHING OFFICE 

81-526 PDF                     WASHINGTON : 2016 
-----------------------------------------------------------------------
  For sale by the Superintendent of Documents, U.S. Government Publishing 
  Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; 
         DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, 
                          Washington, DC 20402-0001
                          
                          
                          
                          
                          
                          
                          
                          
                          
                          
                          
                          
                          
                          
                          
                               
                      COMMITTEE ON APPROPRIATIONS

               BARBARA A. MIKULSKI, Maryland, Chairwoman
PATRICK J. LEAHY, Vermont            RICHARD C. SHELBY, Alabama, 
TOM HARKIN, Iowa                         Ranking
PATTY MURRAY, Washington             THAD COCHRAN, Mississippi
DIANNE FEINSTEIN, California         MITCH McCONNELL, Kentucky
RICHARD J. DURBIN, Illinois          LAMAR ALEXANDER, Tennessee
TIM JOHNSON, South Dakota            SUSAN M. COLLINS, Maine
MARY L. LANDRIEU, Louisiana          LISA MURKOWSKI, Alaska
JACK REED, Rhode Island              LINDSEY GRAHAM, South Carolina
FRANK R. LAUTENBERG, New Jersey \1\  MARK KIRK, Illinois
MARK L. PRYOR, Arkansas              DANIEL COATS, Indiana
JON TESTER, Montana                  ROY BLUNT, Missouri
TOM UDALL, New Mexico                JERRY MORAN, Kansas
JEANNE SHAHEEN, New Hampshire        JOHN HOEVEN, North Dakota
JEFF MERKLEY, Oregon                 MIKE JOHANNS, Nebraska
MARK BEGICH, Alaska                  JOHN BOOZMAN, Arkansas

                   Charles E. Kieffer, Staff Director
             William D. Duhnke III, Minority Staff Director

----------
    \1\ Died on June 3, 2013.
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
                            C O N T E N T S

                              ----------                              
                                                                   Page

Opening Statement of Senator Barbara A. Mikulski.................     1
Statement of Senator Richard C. Shelby...........................     4
Statement of Hon. General Keith B. Alexander, Commander, U.S. 
  Cyber Command; Director, National Security Agency; Chief, 
  Central Security Service.......................................     5
    Prepared Statement...........................................     6
Defending the Nation in Cyberspace...............................     7
The U.S. Federal Cybersecurity Team..............................     8
Resources........................................................     9
Guarding Privacy and Civil Liberties.............................    10
Legislation......................................................    11
Statement of Hon. Rand Beers, Acting Deputy Secretary, Department 
  of Homeland Security...........................................    11
    Prepared Statement...........................................    13
Department of Homeland Security Mission in Protecting Government 
  Networks and Critical Infrastructure...........................    14
Response to Cyber Events.........................................    14
Combating Cyber Crime............................................    15
Cooperation Across the Federal Government........................    17
Presidential Policy Directive 21 and Cyber Executive Order 13636.    17
Budget Priorities................................................    17
Cyber Legislative Priorities.....................................    19
Statement of Richard A. McFeely, Executive Assistant Director, 
  Criminal, Cyber, Response, and Services Branch, Federal Bureau 
  of Investigation, Department of Justice........................    19
    Prepared Statement...........................................    21
The Cyber Threat.................................................    21
Federal Bureau of Investigation Response.........................    21
Recent Successes.................................................    21
Next Generation Cyber............................................    22
Private Sector Outreach..........................................    23
Fiscal Year 2014 Budget Request..................................    23
Statement of Hon. Dr. Patrick D. Gallagher, Acting Deputy 
  Secretary, Department of Commerce; Director, National Institute 
  of Standards and Technology....................................    24
    Prepared Statement...........................................    25
The Role of the National Institute of Standards and Technology in 
  Cybersecurity..................................................    25
The Role of the National Institute of Standards and Technology in 
  Protecting Federal Information Systems.........................    26
The National Institute of Standards and Technology's Engagement 
  with Industry..................................................    27
The National Institute of Standards and Technology's Role in 
  Executive Order 13636, ``Improving Critical Infrastructure 
  Cybersecurity''................................................    28
National Institute of Standards and Technology Support for Cyber 
  Research and Development.......................................    30
Critical Infrastructure: Incidents Reporting.....................    45
Qualified Workforce: Recruiting and Retaining....................    47
Critical Infrastructure: Cybersecurity Improvements..............    52
Collaboration with State and Local Law Enforcement...............    57
Bank Attacks.....................................................    58
Qualified Workforce: Centers of Excellence.......................    59
Additional Committee Questions...................................    61
Questions Submitted to Hon. General Keith B. Alexander, 
  Commander, U.S. Cyber Command Director, National Security 
  Agency Chief, Central Security Service.........................    62
Questions Submitted by Senator Patty Murray......................    62
Questions Submitted by Senator Richard J. Durbin.................    62
Cyber Executive Order--Role of the Executive Order Versus Cyber 
  Legislation....................................................    62
Cyber Executive Order--Protecting Privacy and Civil Liberties....    63
Questions Submitted by Senator Mary L. Landrieu..................    63
Cybersecurity Role for the National Guard........................    63
Cyber Test Beds/Ranges...........................................    64
Questions Submitted by Senator Tom Udall.........................    65
Role of National Laboratories in Promoting Cybersecurity.........    65
Need for International Cooperation for Cybersecurity Standards...    66
China and Theft of Intellectual Property.........................    66
Questions Submitted by Senator Thad Cochran......................    67
Questions Submitted by Senator Mike Johanns......................    68
Cyber Command....................................................    68
Questions Submitted to Hon. Rand Beers, Acting Deputy Secretary, 
  Department of Homeland Security................................    69
Questions Submitted by Senator Patty Murray......................    69
Questions Submitted by Senator Richard J. Durbin.................    70
Cyber Executive Order--Role of the Executive Order Versus Cyber 
  Legislation....................................................    70
Cyber Executive Order--Protecting Privacy and Civil Liberties....    71
Questions Submitted by Senator Mary L. Landrieu..................    72
Cybersecurity Role for the National Guard........................    72
Cyber Test Beds/Ranges...........................................    73
Role of the Secret Service in Cyber Investigations...............    74
Role of DHS in Capability Building for Law Enforcement Cyber 
  Investigations.................................................    76
Questions Submitted by Senator Tom Udall.........................    77
Role of National Laboratories in Promoting Cybersecurity.........    77
Mobile Phones and Cybersecurity Awareness........................    78
Questions Submitted by Senator Thad Cochran......................    79
Questions Submitted to Hon. Dr. Patrick D. Gallagher, Acting 
  Deputy Secretary, Department of Commerce Director, National 
  Institute of Standards and Technology..........................    83
Questions Submitted by Senator Patty Murray......................    83
Questions Submitted by Senator Richard J. Durbin.................    83
Cyber Executive Order--Role of the Executive Order Versus Cyber 
  Legislation....................................................    83
Cyber Executive Order--Protecting Privacy and Civil Liberties....    83
Questions Submitted by Senator Tom Udall.........................    84
Role of National Laboratories in Promoting Cybersecurity.........    84
Engagement with Industry Groups..................................    84
Federal Cybersecurity Standards and New Computing Trends.........    85
Mobile Phones and Cybersecurity Awareness........................    85
Questions Submitted by Senator Thad Cochran......................    86
Questions Submitted to Richard A. McFeely, Executive Assistant 
  Director, Criminal, Cyber, Response, and Services Branch, 
  Federal Bureau of Investigation................................    87
Questions Submitted by Senator Richard J. Durbin.................    87
Cyber Executive Order--Role of the Executive Order Versus Cyber 
  Legislation....................................................    87
Cyber Executive Order--Protecting Privacy and Civil Liberties....    88
Questions Submitted by Senator Mary L. Landrieu..................    88
Questions Submitted by Senator Tom Udall.........................    88
Role of National Laboratories in Promoting Cybersecurity.........    88
Questions Submitted by Senator Thad Cochran......................    89
 
   CYBERSECURITY: PREPARING FOR AND RESPONDING TO THE ENDURING THREAT

                              ----------                              


                        WEDNESDAY, JUNE 12, 2013

                                       U.S. Senate,
                               Committee on Appropriations,
                                                    Washington, DC.
    The committee met at 2:02 p.m., in room SD-G50, Dirksen 
Senate Office Building, Hon. Barbara A. Mikulski (chairwoman) 
presiding.
    Present: Senators Mikulski, Leahy, Murray, Feinstein, 
Durbin, Landrieu, Pryor, Tester, Udall, Merkley, Shelby, 
Cochran, Collins, Coats, Johanns, and Boozman.


            opening statement of senator barbara a. mikulski


    Chairwoman Mikulski. This afternoon I am opening a hearing 
on cybersecurity. We are going to examine the efforts to 
protect the American people from cyber threats, to protect our 
domains of dot-mil, dot-gov, and dot-com. We need to make sure 
that the American people know what our programs are, know what 
we are spending our money for, and also to make sure that we 
make wise use of taxpayer dollars so that there are no techno-
boondoggles. We hope to make sure we know how to help the 
private sector and to protect dot-com by real-time information-
sharing about threats and helping the private sector develop 
the secure technologies we need. We need to prevent hackers, 
nation-states, and criminals from stealing our cyber 
identities, cyber espionage, cyber sabotage against our online 
commerce or our critical infrastructure, track and disrupt the 
hackers, and prosecute them when possible.
    I have two goals for this hearing.
    First, I want to make sure that we protect the American 
people from cyber threats by working together across the 
Government to protect, as I said, the domains of dot-mil, dot-
gov, and dot-com.
    Second, I want to examine how agencies will use 
cybersecurity funding in the budget. The administration is 
requesting more than $13 billion for fiscal year 2014. In this 
very stringent environment, we are concerned about techno-
boondoggles. The Government is often very good at spending 
money, but we need to make sure we spend the money well. Over 
the years, there have been failures and inefficiencies in 
Government IT programs, and we do not want that to happen as we 
move forward in this cyber domain.
    I called this hearing as the full committee chairwoman to 
work across the subcommittees to make sure there are not 
stovepipes, to make sure, as we look at this, the questions 
that we have related to governance, are we developing the right 
technologies to protect us, are we investing in the workforce 
we need, and how do we protect our civil liberties.
    I am so proud of my subcommittee chairs. I want to 
acknowledge the work of Senator Durbin and the Ranking Member 
Cochran on Defense. I want to acknowledge the work of 
Chairwoman Landrieu and her ranking member, Senator Coats, both 
with a great deal of expertise. For me, we will have the 
Federal Bureau of Investigation (FBI) and National Institute of 
Science and Technology (NIST), and my great vice chairman, 
Senator Shelby.
    This is a committee that is loaded with talent in this 
area, coming with enormous expertise from the authorizing 
committee. We have Senator Leahy from the Judiciary Committee, 
well versed on the issues of law on cybersecurity and a staunch 
protector of our civil liberties. We have Chairwoman Feinstein 
on the Intelligence Committee. From Armed Services, we have 
Reed, Shaheen, Graham, and Blunt. We have the former Chair of 
the Homeland Security Committee, Senator Collins, herself now a 
member of the Intelligence Committee. Rarely has a committee 
had so much talent coming together from both those of us from 
appropriations as well as the authorizers.
    I hope that our country has a sense of urgency. We are 
already under attack. This is the new, enduring war. We are in 
a cyber war every day. Every time someone steals our identity, 
steals our State secrets or our trade secrets, we are at war. 
We now see the growing nexus between cyber criminals and nation 
states hacking our networks, planning disruptions of our 
business operations. Director Mueller of the FBI said that 
cyber crime will eventually surpass terrorism as our number one 
threat to America. Secretary Hagel and General Dempsey continue 
to warn us against cyber as an insidious threat. These are such 
critical concerns that President Obama, in his recent meeting 
with the Chinese President, raised cybersecurity as one of our 
great, great international tensions between both countries.
    Now, last year, we tried to pass cybersecurity legislation. 
We all worked on a bipartisan basis. It was actually under the 
Collins-Lieberman bill. But it did not happen. The President 
has issued an Executive order. But just because authorizing has 
not happened does not mean that nothing is happening.
    So in February, the President signed his Executive order, 
and it improves real-time information sharing, protects 
critical infrastructure, provides critical infrastructure in 
cyber risk, and brings private sector experts into the Federal 
service.
    Each one of these goes through a different subcommittee, 
but here today we are going to do something pretty different. 
And I bring to your attention the President's fiscal year 2014 
budget on the areas of cybersecurity. This will be the first 
time in one place that we can look across all of the areas to 
make sure we know what the request is, what they are not only 
in individual agencies, but do we get the synergistic effect 
necessary to protect our country. It is significant that this 
document that you all have, which is a public document, that we 
have in one place, a one-stop shop, really what the President 
is requesting.
    The President of the United States in his budget message to 
the Congress has asked for $13 billion in order to execute the 
cybersecurity strategy across the agencies of the Federal 
Government. The purpose of this hearing today is to look at the 
cybersecurity threat, not every program from the National 
Security Agency (NSA), not every program being run by Homeland 
or the Department of Justice or the great work being done by 
NIST. It is to focus on the cybersecurity.
    But it is a committee first and I might say a Senate first. 
No other committee has tried to hold a hearing across the 
different domains, agencies, and smokestacks, and also to do it 
in an open, public way.
    And the expertise, as I said, here from both the 
subcommittee chairs and the authorizing is stunning. So we know 
that we are going to be able to do it.
    The President has asked for $13 billion: $9.3 billion for 
the Department of Defense (DOD), $1.3 billion for the 
Department of Homeland Security (DHS), $670 million for the 
Department of Justice (DOJ), primarily the Federal Bureau of 
Investigation, and the National Institutes of Standards and 
Technology, $215 billion--$215 million. NIST has never seen 
$215 billion. That is the defense guys.
    Today we will hear from our Government's lead people on 
this: General Alexander, the Director of the National Security 
Agency and the head of Cyber Command; Rand Beers, the Acting 
Deputy Secretary of Homeland Security; Dr. Gallagher, the 
Acting Deputy Secretary of Commerce but the Director of NIST; 
and Richard McFeely, the FBI Executive Assistant Director in 
charge of the Criminal, Cyber, and Response, and Services 
Branch.
    I also want to acknowledge that in the last several days 
many intelligence issues have been in the press, and I 
understand that these are issues that are very much on the 
public's mind and Members of the Senate.
    Last week, in my Commerce, Justice hearing with the 
Attorney General, this topic of particularly our surveillance 
program came up. I pledged to Senator Shelby, a former Chair of 
the Intelligence Committee, well versed on the topic, not of 
the surveillance but on this, that we would have a full 
committee hearing on that particular program. That is not 
today. That is for another day.
    I understand that our colleague, Senator Chairwoman, the 
Chair of the Intelligence Committee, has scheduled a briefing 
for all Senators tomorrow. And this is the second hearing that 
Senator Feinstein has opened up the Intelligence Committee for 
a briefing for all Senators to be able to participate. After 
the Feinstein meeting tomorrow, if Senator Shelby continues to 
recommend that this committee hold a hearing on this matter, I 
will be happy to comply, and I pledge that to you, sir. I did 
last week and so on. But we will see if it is necessary, and if 
deemed so, we certainly will.
    So, again, today's hearing will focus on the cyber threat, 
protecting the American people, protecting the taxpayer in 
their role as both citizen and taxpayer. I hope today's hearing 
will focus on this very important issue, and I say to my 
colleagues this is a committee hearing that is a first. It will 
be not the last on this topic or other matters related to our 
national security.
    I now want to turn to my ranking member, Senator Shelby, 
who has been active on this matter, the vice chairman of the 
committee, former Chair of the Intelligence Committee. Senator 
Shelby.


                 statement of senator richard c. shelby


    Senator Shelby. Thank you, Madam Chair.
    As you have pointed out, this is a very important hearing 
on a topic that demands significant congressional involvement. 
The cyber threat, as we all know, is increasing and becoming 
more challenging as our adversaries grow bolder and more 
capable. We have seen recent and stark reminders of the threat 
with constant cyber attacks on the financial sector, the 
Chinese hacking of the New York Times and Wall Street Journal, 
Iranian attacks against a Saudi oil company, and reports that 
information on our most advance weapons systems were stolen by 
the Chinese.
    Earlier this year, an information security company publicly 
reported that Chinese attackers are running an extensive cyber 
espionage campaign with the likely support of the Chinese 
Government. More recently, the same company exposed Iranian 
hacking in the United States.
    These troubling developments remind us of how urgently we 
need a coordinated effort to counter and to respond to these 
attacks.
    Madam Chair, this committee may be the only one with 
jurisdiction over the full complement of Government 
organizations involved in cybersecurity. Therefore, as you 
pointed out, I think it is appropriate that we take a lead role 
in the oversight of this effort, working with others. I would 
like to hear, for example, how each of you today perceive the 
threat and about your continuing efforts to protect critical 
infrastructure against attack and to address the cyber threat 
outside the recently issued Executive order. Cybersecurity is 
an immediate priority, but the framework envisioned in the 
Executive order will take time to develop and probably even 
longer to implement.
    There are still areas that need more attention and may 
require legislation, such as information sharing. Additionally, 
the working relationship between the Government and the private 
sector is still a work in progress. Funding requirements also 
remain unclear in this time of fiscal uncertainty. Clearly, a 
lot needs to be done.
    I look forward today to hearing from our panel of witnesses 
and perhaps they can suggest some of the best ways to protect 
Government systems and information as you partner with industry 
to strengthen our cyber infrastructure across the board.
    Thank you, Madam Chair.
    Chairwoman Mikulski. Thank you, Senator.
    Now we will turn to our witness panel, and then we will go 
to questions, starting with myself and Senator Shelby and then 
the regular order that we follow in the order of arrival.
    I would like to suggest that General Alexander go first, 
followed by Mr. Beers, Mr. McFeely representing Justice, and 
Dr. Gallagher, you are the wrap-up guy. General Alexander, the 
microphone is yours.
STATEMENT OF HON. GENERAL KEITH B. ALEXANDER, 
            COMMANDER, U.S. CYBER COMMAND; DIRECTOR, 
            NATIONAL SECURITY AGENCY; CHIEF, CENTRAL 
            SECURITY SERVICE
    General Alexander. Senator, thank you very much.
    I think what you and Senator Shelby have pointed out with 
respect to cyberspace is absolutely important for us to 
discuss. The threats that we face today continue to grow.
    You know, it takes, for the Government, a team to work 
this. So before I go any further, I do want to point out that 
the team is here, and it is great to be part of that team 
because no one Government department or agency can do it 
itself. For us, it is going to take the partnership between 
DHS, between the FBI, and with the support of NIST especially 
on the Executive order that Senator Shelby brought up for us to 
work together.
    You know, when I look at what is going on in cyberspace and 
the capabilities that are growing, this is an incredible 
opportunity for us as a Nation and for nations around the 
world. The technical capabilities that we have when you look at 
what our children are using, the iPhones, the iPads, the 
ability for education--this is a tremendous time. When we look 
at what we can do with this with respect to medical care in the 
future, it is a bright future for us, but it is complicated by 
the fact of cyber espionage, by cyber hacking, and the threats 
that Senator Shelby talked about. So I do want to hit on that.
    You mentioned the evolution of this threat, and when you 
look at the threat as it has gone forward, some of the things 
that FBI and we see in the Department of Homeland Security work 
every day is a series of exploitations into our networks. The 
issue is how do you fix that. And that issue is complicated by 
the fact that it is not only exploitations that are going on, 
but we are seeing disruptive attacks against our Nation's 
infrastructure, Wall Street, with a potential for destructive 
attacks.
    We as a Nation need to step forward and say how are we 
going to work this. The Government team that is here today 
cannot do it without support from industry. We have to have 
some way of working with industry because they own and operate 
the bulk of our Nation's infrastructure. But we have to do it 
in a transparent way, in a legal way, and we really appreciate 
the efforts of many on this panel, Senator, for what you and 
others have done to try to move that legislation along. But we 
do need to get there. We do need to have a way of working with 
industry. And Dr. Gallagher I know will talk about parts of 
this. We could not have a better person to lead it from NIST. 
So thanks for what you and the team are doing. We do need to 
begin that dialogue with industry. So part of what the 
Executive order does is give us that opportunity to have that 
dialogue.
    At the same time, we have to look at what we need in 
legislation and get that moving forward. So, Senator, thanks 
for what you and the Intelligence Committee are doing to move 
that and others.
    From my perspective, Senator, you asked what is it that we 
need to do. I think there are five key things that we are 
working on.
    First, we have to create a defensible architecture. Both 
the Intelligence Community and the Defense Department are 
moving forward on what we call the ``cloud architecture,'' a 
joint information environment for the Defense Department and 
the intel community's IT environment, the same thing for both 
communities moving forward to what is a more defensible 
architecture. And I think we need to move there. So that is the 
first thing.
    Second, we need to be able to see what is going on in 
cyberspace so that we can work with industry and amongst 
ourselves because getting information after an attack only 
allows us to police it up. We have to have some way of stopping 
it while it is going on. So we need to be able to see it.
    We need a concept for operating in cyberspace not just 
within the Defense Department, but amongst all three of us 
because we all have a role in this, and we all play vital 
roles, from the Department of Homeland Security's role for 
recovery and working with commercial industry to the FBI's law 
enforcement and investigative things to the Defense 
Department's responsibility to defend the Nation. We have to 
bring those together and then reach out to say, now, how is 
that going to work with industry and how can we share 
information that is vital to our common defense. We have to do 
that.
    We need trained and ready forces. I think that is one of 
the most important things that the Congress expects of me of 
Cyber Command and of NSA to, within the Department, create 
trained and ready forces that are trained to a higher standard, 
both on the defense and on the offense, those capabilities that 
our Nation needs that are trained to that standard that know 
how to operate lawfully to protect American civil liberties and 
privacy and to protect this Nation in cyberspace. We have to be 
able to do all three.
    And we have to have a capacity to act when authorized, the 
rules of engagement and the other authorities.
    We are working those five.
    From my perspective, the men and women of Cyber Command and 
NSA--we have tremendous technical talent. We really do. And 
these are great people. Our Nation has invested a lot in these 
people. They do this lawfully. They take compliance oversight, 
protecting civil liberties and privacy, and the security of 
this Nation to their heart every day. I could not be more proud 
of the men and women of NSA and Cyber Command. What we now need 
to do is take the next step in moving that forward.
    That is all I have at this time, Senator. I will defer now 
to my colleague, Mr. Beers.
    [The statement follows:]
         Prepared Statement of Hon. General Keith B. Alexander
    Thank you very much, Chairwoman Mikulski and Ranking Member Shelby, 
for inviting me to speak to you and your colleagues. I am here 
representing the Department of Defense in general and the men and 
women, military and civilian, who serve at U.S. Cyber Command 
(USCYBERCOM) and the National Security Agency/Central Security Service 
(NSA/CSS). It is my honor to appear today with colleagues from the 
Department of Justice (DOJ) and its Federal Bureau of Investigation 
(FBI), the Department of Homeland Security (DHS), and the National 
Institute of Science and Technology (NIST). I hope to describe some of 
the challenges we face in performing the difficult but vital missions 
of keeping U.S. national security systems secure, helping to protect 
our Nation's critical infrastructure from national-level cyber attacks, 
and working with other U.S. Government agencies, State and local 
authorities, national allies, and the private sector in defending our 
Nation's interests in cyberspace. Together we make up a team deeply 
committed to compliance with the law and the protection of privacy 
rights that works every day with other U.S. Government agencies, 
industry, academia, citizens, and allies, for only our combined efforts 
will enable us to make progress in cybersecurity for the Nation as a 
whole.
                   defending the nation in cyberspace
    I would like to start today by discussing the two elements of this 
team that I lead. USCYBERCOM is a subunified command of U.S. Strategic 
Command in Omaha, though we are based at Fort Meade. USCYBERCOM's 
mission is to plan, coordinate, integrate, synchronize and conduct 
activities to direct the operations and defense of Department of 
Defense information networks. We also prepare to, and when directed, 
conduct full-spectrum military cyberspace operations in order to enable 
traditional military activities, ensure U.S./Allied freedom of action 
in cyberspace, and deny our adversaries the ability to harm us or our 
allies. USCYBERCOM has three operational focus areas: defending the 
Nation, supporting the Combatant Commands, and defending DOD 
Information Networks. As I noted when I testified before the Armed 
Services Committee in March, USCYBERCOM will address these three 
operational focus areas with its new Cyber Mission Forces, organized 
into National Mission Teams, Combat Mission Teams and Cyber Protection 
Teams.
    Due to the intersecting responsibilities of the two organizations, 
USCYBERCOM was placed at the headquarters of NSA/CSS at Fort Meade. 
NSA/CSS collects signals intelligence on our cyber adversaries; and 
provides information assurance strategies and technologies to protect 
our national security systems. The conduct of these two missions is 
critical to enabling cyber operations. NSA/CSS also has multiple, 
technical capabilities critical to the cyber mission area, such as 
high-performance computing and large-scale, distributed processing and 
data storage. These are just some of the components of what we call the 
cryptologic platform; it constitutes the collection of signals 
intelligence and communications security capabilities that since 1952 
have served users ranging from national customers, to departmental 
analysts, to battlefield commanders. The defense of U.S. military 
networks depends on knowing what those who would harm us are doing in 
cyberspace, which in turn depends on intelligence produced by NSA and 
other members of the Intelligence Community regarding adversary 
intentions and capabilities.
    Cyberspace is characterized by high levels of convergence of 
separate and different networks and technology that have come together 
to form something greater than the sum of the parts. In this regard, 
USCYBERCOM's co-location with NSA/CSS mirrors the convergence in 
cyberspace and is a direct result of that technological shift. What we 
have learned is that if convergence is the reality of the cyber 
environment, then integration must be the reality of our response. Co-
location promotes intense and mutually beneficial collaboration in an 
operational environment in which USCYBERCOM's success relies on net-
speed intelligence. Although they are separate and distinct 
organizations with their own missions and authorities, NSA/CSS is a 
major force multiplier for USCYBERCOM, pairing the Command's operators, 
planners, and analysts with the expertise and assistance of NSA/CSS' 
cryptographers, analysts, access developers, on-net operators, language 
analysts, and support personnel. These are close working relationships 
that enable seamless, deconflicted operations that are vital to the 
success of the cyber mission. Co-location also improves the 
deconfliction of operations; physical proximity enhances mutual 
understanding and awareness of mission areas and helps forge effective 
partnerships that serve both organizations and the Nation well. Only a 
tightly integrated team, and tightly integrated solutions, can do what 
is required to address cyber threats at net speed.
    I serve as the dual-hatted Commander, USCYBERCOM, and Director, 
NSA/Chief, CSS. The dual-hatting unifies the capabilities for full-
spectrum cyber operations under a single official, maximizes the 
leverage of NSA/CSS cyber capabilities, capacities, and authorities, 
and establishes unity of effort in cyberspace for the Department of 
Defense. It allows deconfliction of the use of the cryptologic platform 
to occur with full knowledge of the needs of both organizations on a 
timely basis. Together, the people under my command and direction at 
USCYBERCOM and NSA/CSS work in concert but always under their 
respective authorities. They direct the operation of the Department's 
information networks, detect threats in foreign cyberspace, attribute 
threats, secure national security information systems, and help ensure 
freedom of action for the United States military and its allies in 
cyberspace--and, when directed, defend the Nation against a cyber 
attack.
    In keeping with the DOD's Strategy for Operating in Cyberspace, 
USCYBERCOM and NSA/CSS are together assisting the Department in 
building: (1) a defensible architecture; (2) global situational 
awareness and a common operating picture; (3) a concept for operating 
in cyberspace; (4) trained and ready cyber forces; and (5) the capacity 
to take action when authorized. Indeed, with another key mission 
partner in DOD--the Defense Information Systems Agency (DISA), also 
based at Fort Meade--we are finding that our progress in each of these 
five areas benefits our efforts in the rest. We are improving our 
tactics, techniques, and procedures, as well as our policies and 
organizations. This means building cyber capabilities into doctrine, 
plans, and training--and building them in a way that senior leaders can 
plan and integrate such capabilities as they would capabilities in the 
air, land, and sea domains.
    The imperative to accomplish this mission grows every day. We 
operate in a dynamic and contested domain that literally changes its 
characteristics each time someone powers on a networked device. Make no 
mistake: in light of the real and growing threats in cyberspace, our 
Nation needs a strong DOD role in cyberspace. While we feel confident 
that most foreign leaders believe that a devastating attack on the 
critical infrastructure and population of the United States by cyber 
means would elicit a prompt and proportionate response, it is possible, 
however, that some regime or cyber actor could misjudge the impact and 
the certainty of our resolve. In particular, we are not yet deterring 
the persistent cyber harassment of private and public sites, property, 
and data. Such attacks have not caused loss of life, but they have been 
destructive to both data and property in other countries. The remote 
assaults last summer on Saudi Aramco and RasGas, for example, rendered 
inoperable--and effectively destroyed the data on--more than 30,000 
computers. Cyber programs and capabilities are growing, evolving, and 
spreading; we believe it is only a matter of time before the sort of 
sophisticated tools developed by well-funded state actors find their 
way to groups or even individuals who in their zeal to make some 
political statement do not know or do not care about the collateral 
damage they inflict on bystanders and critical infrastructure. The 
United States is already a target. Networks and Web sites owned by 
Americans and located here have endured intentional, state-sponsored 
attacks, and some have incurred degradation and disruption because they 
happened to be along the route to another state's overseas targets. Our 
critical infrastructure is thus doubly at risk. On a scale of 1 to 10, 
with 10 being strongly defended, our critical infrastructure's 
preparedness to withstand a destructive cyber attack is about a 3 based 
on my experience. There are variations in preparedness across sectors, 
but all are susceptible to the vulnerabilities of the weakest.
    Let me draw your attention to another serious threat to U.S. 
interests: the continuing and systematic cyber exploitation of American 
companies and enterprises, and the resulting theft of intellectual 
property. Many such incidents are perpetrated by organized 
cybercriminals, but foreign government-directed cyber operators, tools, 
and organizations are targeting the data of American and Western 
businesses, institutions, and citizens. Certain nations have a 
resourced national strategy to grow their economies by intellectual 
property (IP) theft. They target any company with valuable IP or a 
leading position in its sector--and not just that company itself. Even 
companies that have protected their information have partners that 
could be ``soft'' targets. Are we susceptible? In the United States, 
intrusions have occurred against the best in the security business. The 
collective damage that such intrusions inflict on America's economic 
competitiveness and innovation edge is profound, translating into 
missed opportunities for U.S. companies and the potential for lost 
American jobs. Cyber theft jeopardizes our economic well-being.
                  the u.s. federal cybersecurity team
    No Federal department or agency is solely responsible for 
addressing the cyber threat, and none has been designated as the 
Federal cybersecurity lead because each brings unique authorities, 
resources, and capabilities to the effort. Cybersecurity requires a 
team approach, where the leadership and support roles change depending 
on the nature of the threat and the required response. Together, three 
departments carry out important roles and responsibilities as part of 
the broader U.S. Federal cybersecurity team in order to provide for the 
Nation's cybersecurity:
  --The DOJ is the lead Federal department responsible for the 
        investigation, attribution, disruption and prosecution of 
        cybersecurity incidents. Within the DOJ, the FBI conducts 
        domestic collection, analysis, and dissemination of cyber 
        threat intelligence.
  --The DHS is the lead Federal department responsible for national 
        protection against, mitigation of, and recovery from domestic 
        cybersecurity incidents. The DHS is also the lead for securing 
        unclassified Federal civilian government networks and working 
        with owners and operators of critical infrastructure to secure 
        their networks through risk assessment, mitigation incident-
        response capabilities.
  --The DOD is ultimately responsible for defending the Nation from 
        attack in cyberspace, just as it is in all other domains. In 
        the event of a foreign cyber attack on the United States with 
        the potential for significant national security or economic 
        consequences, the DOD, including USCYBERCOM with the support of 
        NSA/CSS, will be prepared to respond.
    These efforts depend on shared situational awareness and integrated 
operations across the U.S. Government, State and local authorities, and 
international partners. Together, we are helping to increase our global 
situational awareness through our growing collaboration with Federal 
Government mission partners and other departments and agencies, as well 
as with private industry and with other countries. That collaboration 
allows us to better understand what is happening across the cyber 
domain, which enhances our situational awareness, not only for DOD but 
also across the U.S. Government.
    Under the joint leadership of DHS and NSA, the FBI and the other 
Federal cybersecurity centers created a framework to describe 
cybersecurity functions and information exchanges and are now 
developing an implementation plan for an information sharing 
environment that will create a cross-government shared situational 
awareness that is extensible to other partners such as the State and 
local governments and our allies. Implementing this capability to 
improve our collective response actions is one of the President's top 
cyber priorities for fiscal year 2014.
    Successful operations in cyberspace depend on collaboration between 
defenders and operators. Those who secure and defend must synchronize 
with those who operate, and their collaboration must be informed by up-
to-date intelligence. I see greater understanding today of the 
importance of this synergy across the Department, the government, and 
our public at large. Last fall the departments negotiated, and the 
President endorsed, a broad clarification of the responsibilities of 
the various organizations and capabilities operating in cyberspace, 
revising the procedures we employ for ensuring that, in the event of a 
cyber incident of national significance, we are prepared to act with 
all necessary speed in a coordinated and mutually-supporting manner. 
USCYBERCOM is also being integrated into the National Event response 
process, so that a cyber incident of national significance can elicit a 
fast and effective response, to include self-defense actions where 
approved, necessary, and appropriate.
    As part of this progress, we in the Federal Government are working 
with State, local, international, and private partners. NSA/CSS, for 
example, is defining security dimensions that government and private 
users can utilize for ``cloud'' architectures, and has shown how we can 
manage large quantities of data and still preserve strong security. We 
have even shared the source code publicly so public and private 
architectures can benefit from it. USCYBERCOM has sponsored not only an 
expanding range of training courses but also two important exercises, 
CYBER FLAG and CYBER GUARD. The former is USCYBERCOM's major Command-
level exercise, the most recent iteration of which brought in 
international partners to practice force-on-force maneuvers in 
cyberspace. The latter assembled 500 participants last summer, 
including a hundred from the National Guards of 12 States. They 
exercised State- and national-level responses in a virtual environment, 
learning each other's comparative strengths and concerns should an 
adversary attack our critical infrastructure in cyberspace.
                               resources
    For the past 5 years, Federal cyber-related spending and 
performance reporting have been organized around the Comprehensive 
National Cybersecurity Initiative (CNCI), from which NSA/CSS received a 
significant amount of funding to provide specialized capabilities and 
foundational support to address the cyber threat. Last summer--and 
planned as a yearly exercise--the administration issued a data call, 
which includes CNCI and non-CNCI investments, in order to better 
understand and track cybersecurity and cyberspace operations funding. 
NSA/CSS's budget under this taxonomy represents spending under the 
major cybersecurity categories: (1) Prevent malicious cyber activity; 
(2) Detect, analyze, and mitigate intrusions; and (3) Shape the 
cybersecurity environment. These investments are fundamental to our 
overall cybersecurity strategy to develop and deploy unique cyber 
capabilities that leverage the use of signals intelligence to enhance 
network defense. Additional investments in cyberspace operations 
provide the foundational infrastructure necessary to build those 
capabilities as well as support full spectrum cyberspace operations in 
direct support of Combatant Command requirements (e.g., cryptanalysis, 
net-centric capabilities, data repositories, sensor deployments, and 
research).
    From the operational perspective, the ultimate objective of 
cybersecurity is to deny the adversary any opportunity to exploit our 
systems. Doing so requires that we protect ourselves from both known 
and unknown threats as we execute our comprehensive strategy of 
hardening our networks, defending our networks, and leveraging all 
instruments of national power--both within our own networks and beyond. 
We have made significant progress in realizing the mission capabilities 
and cryptologic capacity required to meet the demands of operating in 
cyberspace. While there is still much work to do, I'd like to highlight 
a few of the ongoing efforts in implementing our strategy.
    The Department of Defense is responsible for 7 million networked 
devices and thousands of enclaves. USCYBERCOM and NSA/CSS work around 
the clock with DISA to monitor what is happening on global networks and 
the functioning of DOD's information enterprise. We are also helping 
the Department build the DOD Joint Information Environment (JIE), 
comprising a shared infrastructure, enterprise services, and a single 
security architecture to improve mission effectiveness, increase 
security, and realize IT efficiencies. The JIE will be the base from 
which we can operate knowing that our networks are safer from 
adversaries. Senior officers from USCYBERCOM and NSA/CSS sit on JIE 
councils and working groups, playing a leading role with the office of 
the DOD's Chief Information Officer, Joint Staff J6, and other agencies 
in guiding the Department's implementation of the JIE. NSA/CSS in 
particular serves as the Security Advisor to the JIE, and is defining 
the security dimension of that architecture.
    Moving to the JIE will make sharing and analytics easier while also 
enhancing security. I know this sounds paradoxical but it is 
nonetheless true, as NSA/CSS has demonstrated in its cloud capability 
and its support for the Intelligence Community's growing Information 
Technology Enterprise (IC ITE). Let me emphasize our confidence that 
the JIE will save resources for the Department--moving to it will give 
us greater capability and security at less cost.
    Our progress, however, can only continue if we are able to fulfill 
our urgent requirement for sufficient trained, certified, and ready 
forces to defend U.S. national interests in cyberspace. Last December, 
DOD endorsed the force presentation model we need to implement this new 
operating concept. We are establishing cyber mission teams in line with 
the principles of task organizing for the joint force. The Services are 
building these teams to present forces for STRATCOM in support of 
USCYBERCOM-delegated Unified Command Plan mission. They will soon be 
capable of operating on their own, with a range of operational and 
intelligence skill sets, as well as a mix of military and civilian 
personnel. They will also have appropriate operating authorities under 
order from the Secretary of Defense and from my capacity as the 
Director of NSA/CSS. Each of these cyber mission teams is being trained 
to common and strict operating standards so that they can be online 
without putting at risk our own military, diplomatic, or intelligence 
interests.
    I must also mention our concerns over the ongoing budget 
uncertainty. Foremost in the minds of many of our people are the 
looming furloughs which entail up to 11 days without pay between July 7 
and September 21. While many of our personnel are exempted from the 
furloughs, others are not, and their absence will degrade our mission 
readiness and performance this summer and beyond, and make the 
development of a strong and capable cyber force more problematic. Our 
people truly are our most important capability. We can and have 
showcased the incredibly valuable contributions made by our entire 
workforce daily in securing our networks, supporting our war fighters, 
and providing unique insights into foreign intelligence targets. I want 
to emphasize the harmful impact of furloughs on the vital mission and 
functions we perform and on the people we have entrusted to perform or 
enable them. Furloughs make hiring new personnel harder and will drive 
our best personnel away to jobs awaiting in the private sector. Our 
USCYBERCOM and NSA/CSS workforce, regardless of funding stream, is one 
that by definition seamlessly collaborates across the many functions 
and disciplines that constitute our capabilities and operations. All 
are essential to the whole.
                  guarding privacy and civil liberties
    Let me emphasize that our Nation's security in cyberspace is not a 
matter of resources alone. It is an enduring principle and an 
imperative. Everything depends on trust. We operate in a way that 
ensures we keep the trust of the American people because that trust is 
a sacred requirement. We do not see a tradeoff between security and 
liberty. It is not a choice, and we can and must do both 
simultaneously. The men and women of USCYBERCOM and NSA/CSS take this 
responsibility very seriously, as do I. Beyond my personal commitment 
to do this right, there are multiple oversight mechanisms in place. 
Given the nature of our work, of course, few outside of our Executive, 
Legislative and Judicial Branch oversight bodies can know the details 
of what we do or see that we operate every day under strict guidelines 
and accountability within one of the most rigorous oversight regimes in 
the U.S. Government. For those of you who do, and who have the 
opportunity to meet with the men and women of USCYBERCOM and NSA/CSS, 
you have seen for yourself how seriously we take this responsibility 
and our commitment to earning and maintaining your trust.
                              legislation
    Although the February 2013 Executive order will help raise the 
Nation's cyber defenses, it does not eliminate the urgent need for 
legislation in these and other areas of cybersecurity. The 
administration's legislative priorities for the 113th Congress build 
upon the President's 2011 Cybersecurity Legislative Proposal and take 
into account 2 years of public and congressional discourse about how 
best to improve the Nation's cybersecurity. We support legislation 
that:
  --Facilitates cybersecurity information sharing between the 
        government and the private sector as well as among private 
        sector companies. We believe that such sharing can occur in 
        ways that protect privacy and civil liberties, reinforce the 
        appropriate roles of civilian and intelligence agencies, and 
        include targeted liability protections;
  --Incentivizes the adoption of best practices and standards for 
        critical infrastructure by complementing the process set forth 
        under the Executive order;
  --Gives law enforcement the tools to fight crime in the digital age;
  --Updates Federal agency network security laws, and codifies DHS' 
        cybersecurity responsibilities; and
  --Creates a National Data Breach Reporting requirement.
    In each of these legislative areas, we want to incorporate 
appropriate privacy and civil liberties safeguards.
    The administration wants to continue the dialogue with the Congress 
and stands ready to work with Members of Congress to incorporate our 
core priorities to produce cybersecurity information-sharing 
legislation that addresses these critical issues.
                               conclusion
    Thank you again, Madam Chairwoman and members of the committee, for 
inviting me to speak to you today. I also thank you on behalf of the 
men and women of USCYBERCOM and NSA/CSS for your support, and for the 
support of the Congress. We are working to mitigate the vulnerabilities 
inherent in any networked environment or activity while ensuring that 
the benefits that we gain and the effects we can create are 
significant, predictable, and decisive. If I could leave you with one 
thought about the course of events, it is that we have no choice but to 
``normalize'' cyberspace operations and to make them part of the 
capability set of our senior policymakers and commanders. We are 
working closely with our interagency partners as well as other DOD 
elements. This is a necessity, for, as I suggest above, our Nation 
faces diverse and persistent threats in cyberspace that cannot be 
defeated through the efforts of any single organization. Most cyber 
operations are interagency efforts, almost by definition. We have 
gained valuable insight from the great work of partners like the 
Departments of Justice, Commerce, and Homeland Security, as well as 
from the collaboration of industry, academia, and allies. Indeed, the 
flow of information and expertise across the commands, agencies, 
departments and foreign mission partners here and overseas is improving 
slowly but steadily. We have much to gain from this partnership, but 
perhaps not much more time left before our situation in cyberspace 
becomes even more worrisome than today. And now I look forward to your 
questions.
STATEMENT OF HON. RAND BEERS, ACTING DEPUTY SECRETARY, 
            DEPARTMENT OF HOMELAND SECURITY
    Mr. Beers. Thank you, General Alexander, and Chairwoman 
Mikulski, Ranking Member Shelby, and other distinguished 
members of the committee.
    We all welcome this opportunity to appear before you. As 
you said, Senator Mikulski, this is a unique opportunity to 
talk about the range of cybersecurity activities across the 
Government, and we welcome that.
    As most of you know, cybersecurity is one of the five major 
missions of the Department of Homeland Security and one that we 
take very seriously. The threats that we face are varied and 
serious, and in that regard, our cybersecurity mission focuses 
in two primary areas. They are to protect the Federal civilian 
networks and to work with the private sector to protect 
America's critical infrastructure.
    In that regard and as the chairwoman mentioned, the 
President's policy initiatives for the year ahead are to secure 
Federal networks, to protect critical infrastructure, to 
improve incident response, to engage internationally, and to 
shape the future.
    With respect to the first, this is one of the major areas 
that DHS is responsible for. We are investing about $600 
million in protecting Federal networks through our intrusion 
protection systems and through our continuous diagnostics and 
mitigation systems. We are also working heavily with America's 
critical infrastructure, both public and private.
    We are working under the Executive order with our partners 
in NIST to create the cybersecurity framework, and this is, as 
you know, an important initiative on our part. The Executive 
order, as you know, is the administration's effort after an 
attempt to get legislation last year. That is not to say that 
we still are not interested in getting that legislation, and 
that is certainly something that we want to talk about in the 
time ahead.
    In addition to that, we are working to improve incident 
response, working with our partners in the FBI and with the 
National Security Agency. This is a ``call to one, call to 
all'' initiative in which we work together both in our 
headquarters and our operation center in terms of sharing 
information and where we work together in the field in the 
deployment of teams to go to particular sites of particular 
incidents in order to determine what happened and in order to 
be able to provide information to other parts of the private 
sector that will help them prevent the same kind of an incident 
from occurring.
    We are also involved in the international area with 
individual countries and partners around the world, but also 
with the European Union as well. While it is a small program 
within the Department of Homeland Security, it is a very 
important program and we have a lot of key partners that we 
work with. And that is just in terms of the engagement in terms 
of face to face. In terms of the information sharing, our whole 
incident response structure, the National Cybersecurity 
Communications and Integration Center, on a regular basis 
shares information internationally with other computer 
emergency readiness teams around the world in order to do with 
them what we do for ourselves nationally in order to protect 
cyberspace around the world.
    And finally, we work in terms of our research and 
development and other activities to try to shape the future.
    This is an important effort that is ongoing, one in which, 
as General Alexander said, we could not do if we were doing it 
individually in DHS. It takes all of us here at the table to 
make this work.
    And I want to thank you for the opportunity to speak with 
you today and to talk about DHS programs and our teamwork 
together. Thank you.
    [The statement follows:]
                 Prepared Statement of Hon. Rand Beers
    Cyberspace is woven into the fabric of our daily lives. According 
to recent estimates, globally interconnected communications and 
information networks that operate in this space encompass more than 2 
billion people with at least 12 billion computers and devices, 
including global positioning systems, mobile phones, satellites, data 
routers, ordinary desktop computers, and industrial control computers 
that run power plants, water systems, and more.
    While this increased connectivity has led to significant 
transformations and advances across our country--and around the world--
it also has increased the importance and complexity of our shared risk 
and requires a collaborative approach within government and between 
governments and the private sector. Our daily activities, economic 
vitality, and national security depend on the Nation's ability to 
secure cyberspace. A vast array of interdependent information 
technology (IT) networks, systems, services, and resources are critical 
to communication, travel, powering our homes, running our economy, and 
obtaining government services. No country, industry, community or 
individual is immune to cyber risks. The word ``cybersecurity'' itself 
encompasses prevention, protection and resilience against a broad range 
of malicious activity from a variety of actors perpetrating denial of 
service attacks, targeting our financial system to steal millions of 
dollars, accessing valuable trade secrets, and intruding into 
government networks and systems that control our critical 
infrastructure.
    Cyber attacks and intrusions can have very real consequences in the 
physical world. The Department of Homeland Security (DHS) is the lead 
Federal civilian department responsible for coordinating the national 
protection, prevention, mitigation, and recovery from cyber incidents 
and works regularly with business owners and operators to take steps to 
strengthen their facilities and communities. The Department's National 
Cybersecurity and Communications Integration Center (NCCIC) works daily 
to enhance situational awareness among stakeholders, including those at 
the State and local level, as well as industrial control system owners 
and operators, by providing critical cyber threat, vulnerability, and 
mitigation data to a number of organizations including through 
Information Sharing and Analysis Centers, which are cybersecurity 
resources for critical infrastructure sectors. Last year DHS notified 
potential targets of a campaign of cyber intrusions that focused on 
natural gas and pipeline companies that was highly targeted, tightly 
focused and well crafted. With the assistance of our interagency 
partners, we responded to this campaign with a comprehensive effort 
that included outreach, technical assistance, and mitigation.
    The U.S. Government has worked closely with the private sector 
during the recent series of denial-of-service incidents against the 
financial sector. Together with our interagency partners, we have 
provided classified cyber threat briefings and technical assistance to 
help banks improve their defensive capabilities. This includes 
identifying and releasing hundreds of thousands of distributed denial 
of service-related IP addresses and supporting information in order to 
help financial institutions and their IT security service providers 
improve their defenses. In addition to sharing with these private 
sector entities, DHS working with the Department of State (DOS) has 
provided this threat information to more than 120 international 
partners, many of whom have contributed to our mitigation efforts. 
These developments reinforce the need for greater information sharing 
and collaboration among government, industry, and individuals to reduce 
the ability for malicious actors to establish and maintain capabilities 
to carry out such efforts.
    In addition to these attacks and intrusions, we also face a range 
of traditional crimes now perpetrated through cyber networks. These 
include child pornography and exploitation, as well as banking and 
financial fraud, all of which pose severe economic and human 
consequences. For example, in March 2012, the U.S. Secret Service 
(USSS) worked with U.S. Immigration and Customs Enforcement (ICE) to 
arrest nearly 20 individuals in its ``Operation Open Market,'' which 
seeks to combat transnational organized crime, including the buying and 
selling of stolen personal and financial information through online 
forums.
    Additionally, in late May 2013, the Secret Service, in close 
coordination with U.S. Immigration and Customs Enforcement's (ICE) 
Homeland Security Investigations (HSI) and the Global Illicit Financial 
Team, arrested five individuals and seized bank accounts containing 
approximately $20 million located in eight countries. The investigation 
of Liberty Reserve, a transnational online payment processor and money 
transfer system, led to the seizure of an online domain owned and 
operated by the company. It is alleged that Liberty Reserve is used by 
criminal elements worldwide to launder money and distribute illegal 
proceeds globally. Liberty Reserve had approximately 1 million users 
worldwide with more than 200,000 users in the United States. It is 
estimated that Liberty Reserve processed more than 12 million financial 
transactions annually with a combined value of more than $1.4 billion. 
Overall, Liberty Reserve processed an estimated 55 million separate 
financial transactions and is believed to have laundered more than $6 
billion in criminal proceeds. The United States Attorney's Office for 
the Southern District of New York is prosecuting this case.
    As Americans become more reliant on modern technology, we also 
become more vulnerable to cyber exploits such as corporate security 
breaches, social media fraud, and spear phishing, which targets 
employees through emails that appear to be from people they know, 
allowing cyber criminals to steal personal and business information.
    Cybersecurity is a shared responsibility, and each of us has a role 
to play. Emerging cyber threats require engagement from government, the 
private sector, law enforcement, and members of the public. The success 
of our efforts to reduce cybersecurity risks depends on effective 
identification of cyber threats and vulnerabilities, analysis, and 
enhanced information sharing between departments and agencies from all 
levels of government, the private sector, international entities, and 
the American public.
   department of homeland security mission in protecting government 
                  networks and critical infrastructure
    DHS is committed to ensuring cyberspace is supported by a secure 
and resilient infrastructure that enables open communication, 
innovation, and prosperity while protecting privacy, confidentiality, 
and civil rights and civil liberties by design. The Department is 
achieving its cybersecurity mission by helping to create a safe, 
secure, and resilient cyber environment while promoting cybersecurity 
knowledge and innovation.
    DHS has operational responsibilities for securing unclassified 
Federal civilian government networks and working with owners and 
operators of critical infrastructure to secure their networks through 
cyber threat analysis, risk assessment, mitigation, and incident 
response capabilities. The Department is also responsible for 
coordinating the Federal Government response to significant cyber or 
physical incidents affecting critical infrastructure consistent with 
Presidential Policy Directive (PPD) 21. In addition, the Department 
combats cyber crime by leveraging the skills and resources of the USSS 
and ICE and working in cooperation with partner organizations to 
investigate cyber criminals. In addition, pursuant to the President's 
recent Executive Order 13636 on Improving Critical Infrastructure 
Cybersecurity as well as Presidential Policy Directive 21 on Critical 
Infrastructure Security and Resilience, we are working with our 
partners to strengthen the security and resilience of critical 
infrastructure through an updated and overarching national framework 
that acknowledges the increased role of cybersecurity in securing 
physical assets.
                        response to cyber events
    The NCCIC is a key component of DHS's ability to work with 
government, industry, and international partners to protect critical 
cyber and communications systems. To create shared situational 
awareness, the NCCIC integrates internal analysis and data, 
Intelligence Community and law enforcement reporting, and data shared 
by private sector and international partners into a comprehensive 
series of actionable information products, including joint products 
with the Federal Bureau of Investigation (FBI). The NCCIC works closely 
with those Federal agencies most responsible for helping to enhance the 
cybersecurity of critical infrastructures, including the Departments of 
Treasury and Energy.
    In addition to Federal partners, the NCCIC also actively engages 
with the appropriate private sector entities; information sharing and 
analysis centers; State, local, tribal, and territorial (SLTT) 
governments, including the Multi-State Information Sharing and Analysis 
Center (MS-ISAC); and international partners. As integral parts of the 
cybersecurity and communications community, these groups work together 
to protect the portions of critical information technology that they 
interact with, operate, manage, or own. The NCCIC leverages the 
collective capabilities of its partners to provide joint incident 
response to assist with forensic investigations, malware analysis, 
review network data, and security posture assessment.
    To further increase awareness of both cyber threat and resources 
available, the NCCIC and the United States Computer Emergency Readiness 
Team (US-CERT) have conducted approximately 50 threat briefings thus 
far in fiscal year 2013 as a part of our outreach effort to our 
Federal, SLTT, and private sector partners. Since 2009, the NCCIC has 
responded to nearly half a million incident reports and released more 
than 26,000 actionable cybersecurity alerts to the Department's public 
and private sector partners. An integral player within the NCCIC, the 
US-CERT also provides response support and defense against cyber-
attacks for Federal civilian agency networks as well as private sector 
partners upon request. US-CERT collaborates and shares information with 
State and local government, industry, and international partners, 
consistent with rigorous privacy, confidentiality, and civil liberties 
guidelines, to address cyber threats and develop effective security 
responses. In 2012, US-CERT processed approximately 190,000 cyber 
incidents involving Federal agencies, critical infrastructure, and the 
Department's industry partners--a 68-percent increase from 2011. In 
addition, US-CERT issued over 20,411 actionable cyber-alerts over the 
past 3 years that were used by private sector and government agencies 
to protect their systems.
    Similar growth has been seen for the Department's Industrial 
Control Systems Computer Emergency Response Team (ICS-CERT) and 
National Coordinating Center for Telecommunications (NCC), whose 
outreach has resulted in providing access to cyber threat information 
to more than 980 and 300 entities, respectively. ICS-CERT also 
responded to 177 incidents last year while completing 89 site 
assistance visits and deploying 15 teams with US-CERT to assist with 
significant private sector cyber incidents. This rapid increase in 
production for ICS-CERT, including the dissemination of more than 800 
products over the past 3 years, yielded them the award of Best Security 
Team by SC Magazine at the 2013 RSA Security Conference.
    The effectiveness of DHS's cyber protection, response, mitigation 
and recovery relies heavily on sharing information with the private 
sector. In 2011, DHS launched the Cyber Information Sharing and 
Collaboration Program (CISCP), which is specifically designed to 
elevate the cyber awareness of all critical infrastructure sectors 
through close and timely cyber threat information sharing and direct 
analytical exchange. The Department is constantly enhancing the CISCP. 
In an effort to ensure the program continues to evolve with the needs 
of industry, DHS has conducted numerous feedback sessions, monthly 
collaboration conference calls, and three face-to-face technical 
exchanges. It is also working to automate the program so that it can 
share information in real-time.
    In addition to the CISCP, DHS, in close collaboration with 
interagency and private sector partners, is continuing to expand the 
Enhanced Cybersecurity Services (ECS) program, which establishes a 
voluntary information sharing program that assists critical 
infrastructure owners and operators to improve protection of their 
systems from unauthorized access, exploitation, or data exfiltration. 
DHS works with cybersecurity organizations from across the U.S. 
Government to gain access to a broad range of cyber threat information. 
ECS consists of the operational processes and security oversight 
required to share sensitive and classified cyber threat information 
with qualified Commercial Service Providers (CSP). The ECS program 
develops threat ``indicators'' with this information and provides CSPs 
with those indications of active, malicious cybersecurity activity to 
better protect their critical-infrastructure customers.
    In fiscal year 2013, DHS has already shared more than 200,000 
indicators via the ECS program and other Joint Indicator Bulletin 
products with partners for computer network defense. CSPs may use these 
threat indicators to provide approved cybersecurity services to 
critical infrastructure entities. ECS augments, but does not replace, 
entities' existing cybersecurity capabilities. The program was also 
built with privacy and civil liberties protections in mind. Consistent 
with their commercial agreements with the protected entities, CSPs are 
not required to share with the Government, but may voluntarily do so. 
The incident information is anonymized, unless the protected entity 
consents to having its identity provided to DHS.
                         combating cyber crime
    DHS employs more law enforcement agents than any other department 
in the Federal Government and has personnel stationed in every State 
and in more than 75 countries around the world. Since 2009, DHS has 
prevented $10 billion in potential losses through cyber crime 
investigations and arrested more than 5,000 individuals for their 
participation in cyber crime activities.
    The Department leverages the 31 USSS Electronic Crimes Task Forces 
(ECTF), which combine the resources of academia, the private sector, 
and local, State and Federal law enforcement agencies to combat 
computer-based threats to our financial payment systems and critical 
infrastructure. A recently executed partnership between ICE Homeland 
Security Investigations and USSS demonstrates the Department's 
commitment to leveraging capability and finding efficiencies. Both 
organizations will expand participation in the existing ECTFs. In 
addition to strengthening each agency's cyber investigative 
capabilities, this partnership will produce benefits with respect to 
the procurement of computer forensic hardware, software licensing, and 
training that each agency requires. The Department is also a partner in 
the National Cyber Investigative Joint Task Force, which serves as a 
collaborative entity that fosters information sharing across the 
interagency.
    In fiscal year 2012, the Secret Service arrested 1,378 individuals 
for cyber-crime violations while maintaining a 99.6-percent conviction 
rate; these criminals were responsible for over $335 million in fraud 
losses and could have potentially caused over $1.2 billion in fraud 
loss based on financial account information in their possession at the 
time of their arrest. As part of its protective duties, the Secret 
Service has developed a Critical Systems Protection Program, which 
assesses and mitigates the risks to critical infrastructure that could 
impact Secret Service protectees or National Special Security Events 
(NSSEs). This program applies risk management practices developed by 
the National Institute of Standards and Technology to help critical 
infrastructure owners and operators secure their systems from cyber 
threats. From October 2009 to May 2013 this program has conducted over 
560 advances and secured eight NSSEs.
    In the course of investigating cyber crimes over the last 30 years, 
the Secret Service has developed a number of cybersecurity capabilities 
to support its mission. The backbone of the ECTFs is its Electronic 
Crimes Special Agent Program (ECSAP), which is comprised of nearly 
1,400 Secret Service special agents who have received at least one of 
three levels of computer crimes-related training. These agents are 
deployed in more than 98 Secret Service offices throughout the world 
and have received training in forensic identification, preservation and 
retrieval of electronically stored evidence. ECSAP-trained agents are 
computer investigative specialists, qualified to conduct examinations 
on all types of electronic evidence. These special agents are equipped 
to investigate the continually evolving arena of electronic and cyber 
crimes and have proven invaluable in the successful prosecution of 
criminal groups involved in computer fraud, bank fraud, identity theft, 
access device fraud and various other electronic and cyber crimes 
targeting our financial institutions and private sector. USSS also 
supports State and local law enforcement, in addition to other Federal 
agencies, by making these capabilities available to support their 
operations.\1\ They include computer forensics specialists, mobile 
wireless investigation teams, and advanced research support.
---------------------------------------------------------------------------
    \1\ Included are the following:
      -- Computer forensics specialists, which in fiscal year 2012 
conducted more than 7,000 digital forensics exams, totaling more than 
1,100 terabytes of data;
      -- Cell Phone Forensics Facility at University of Tulsa, which 
since opening in 2008 has supported 6,135 exams, and 305 advanced exams 
at the University of Tulsa;
      -- 22 Mobile Wireless Investigations Teams, which in fiscal year 
2012 conducted nearly 1,140 investigations, supporting primarily State 
and local law enforcement with this advanced capability and directly 
contributing to solving homicide cases and locating missing persons;
      -- Advanced research support at Carnegie Mellon and development 
of advanced tools for use by law enforcement partners; and
      -- Support of landmark research studies, like the Insider Threat 
Report, Verizon Data Breach Investigations Report, and the Trust Wave 
Global Security Report, which are an effective way to share law 
enforcement information, while protecting victim privacy, to develop 
national understanding of cyber risks.
---------------------------------------------------------------------------
    To expand its collaborative efforts, the Secret Service provides 
its ECSAP training to investigators at the ICE Computer Crimes Center 
as well as via the National Computer Forensics Institute (NCFI), which 
is a result of a partnership between the National Protection and 
Programs Directorate, the Secret Service, the State of Alabama, the 
City of Hoover, Shelby County, the Alabama District Attorney's 
Association, and the Alabama Securities Commission, established to 
provide computer forensic training and tools to State and local law 
enforcement officers, prosecutors, and judges. Investigators are 
trained to respond to network intrusion incidents and conduct 
electronic and cyber crimes investigations. This training also has the 
benefit of providing State and local law enforcement with the skills 
and tools to combat a myriad of crimes in their community. Further, the 
NCFI has supported training for DHS Fusion Centers and the FBI's 
National Domestic Communications Assistance Center. Responding to the 
growth of cyber crimes and the level of sophistication these criminals 
employ requires training, resources and greater collaboration among law 
enforcement and its public and private sector partners.
    Since opening in May 2008, NCFI has trained more than 2,050 State 
and local officials, including more than 1,360 police investigators, 
525 prosecutors and 165 judges from all 50 States and three U.S. 
territories.
    In addition to these activities, ICE HSI's Cyber Crimes Center (C3) 
delivers computer-based technical services to support domestic and 
international investigations into cross-border crime. C3 is made up of 
the Cyber Crimes Unit, the Child Exploitation Investigations Unit and 
the Computer Forensics Unit. This state-of-the-art center offers cyber 
crime support and training to Federal, State, local and international 
law enforcement agencies. C3 also operates a fully equipped computer 
forensics laboratory, which specializes in digital evidence recovery, 
and offers training in computer investigative and forensic skills.
               cooperation across the federal government
    Successful response to dynamic cyber threats requires leveraging 
homeland security, law enforcement, national defense, and intelligence 
authorities and capabilities, which respectively promote domestic 
preparedness, criminal deterrence and investigation, and national 
defense. DHS, the Department of Justice (DOJ), and the Department of 
Defense (DOD) each play a key role in responding to cybersecurity 
incidents that pose a risk to the United States. To achieve a whole of 
government response to specific cyber incidents, DHS, DOJ, and DOD 
synchronize their operations. The leaders of DHS, DOJ, and DOD have 
held a series of meetings to clarify the lanes in the road in cyber 
jurisdiction. The group agreed that DHS' primary role is to protect 
critical infrastructure and networks, coordinate mitigation and 
recovery, disseminate threat information across various sectors and 
investigate cybercrimes under DHS's jurisdiction. DOJ is the lead for 
investigation, enforcement, and prosecution of those responsible for 
cyber intrusions affecting the United States. As part of DOJ, the FBI 
conducts domestic national security operations; investigates, 
attributes, and disrupts cybercrimes; and collects, analyzes, and 
disseminates domestic cyber intelligence. DOD's role is to defend the 
Nation, gather intelligence on foreign cyber threats, and to protect 
national security systems. DHS supports our partners in many ways. For 
example, the United States Coast Guard as an Armed Force has partnered 
with U.S. Cyber Command and U.S. Strategic Command to prepare for 
military cyberspace operations as directed. In coordination with DOS, 
DHS also works with international partners in strategic and operational 
engagements.
    While each agency operates within the parameters of its 
authorities, the U.S. Government's response to cyber incidents of 
consequence is coordinated among these three agencies such that ``a 
call to one is a call to all.'' Synchronization among DHS, DOJ, and DOD 
not only ensures that whole of Government capabilities are brought to 
bear against cyber threats, but also improves Government's ability to 
share timely and actionable cybersecurity information among a variety 
of partners, including the private sector.
    presidential policy directive 21 and cyber executive order 13636
    America's national security and economic prosperity are 
increasingly dependent upon the cybersecurity of critical 
infrastructure. With today's physical and cyber infrastructure growing 
more inextricably linked, critical infrastructure and emergency 
response functions are inseparable from the information technology 
systems that support them. The Federal Government's role in this effort 
is to share information and to encourage enhanced security and 
resilience, while also identifying gaps not filled by the marketplace. 
As mentioned previously, the enhanced information sharing programs 
supported by Executive Order 13636 and PPD-21 help secure critical 
infrastructure and increase its resilience against cyber and physical 
attacks, as well as natural disasters and terrorist attacks.
    To complement PPD-21, Executive Order 13636 promotes more efficient 
sharing of cyber threat information with the private sector and directs 
the establishment of a cybersecurity framework to identify and 
implement better security practices among critical infrastructure 
sectors. Through partnerships between the Government and private 
sector, the critical infrastructure cyber systems upon which much of 
our economic well-being, national security, and daily lives depend are 
being better protected. PPD-21 and Executive Order 13636 reinforce 
holistic thinking and action in the realms of security and risk 
management and the issuance of these important documents allows us to 
build upon and enhance our existing partnership model with our key 
private sector and SLTT partners. Implementation of Executive Order 
13636 and PPD-21 will also drive action toward system and network 
security and resilience. The Department is well positioned to make 
advances in the space defined by the cyber-physical security nexus that 
PPD-21 and Executive Order 13636 address.
                           budget priorities
    The fiscal year 2014 budget supports initiatives to secure our 
Nation's information and financial systems and to defend against cyber 
threats to private-sector and Federal systems, the Nation's critical 
infrastructure, and the U.S. economy. Taken together, the 
administration's initiatives strengthen the security and resilience of 
critical infrastructure against evolving threats through an updated and 
overarching national framework that acknowledges the linkage between 
cybersecurity and securing physical assets.
    Included in the fiscal year 2014 budget are enhancements to the 
National Cybersecurity Protection System (NCPS) to prevent and detect 
intrusions on Government computer systems and to the National 
Cybersecurity and Communications Integration Center to protect against 
and respond to cybersecurity threats. The budget also leverages the new 
operational partnership between ICE and USSS through the established 
network of USSS ECTFs to safeguard the Nation's financial payment 
systems, combat cybercrimes, target transnational child exploitation 
including large-scale producers and distributors of child pornography, 
and prevent attacks against U.S. critical infrastructure.
  --Federal Network Security.--$200 million is included for Federal 
        Network Security, which manages activities designed to enable 
        Federal agencies to secure their IT networks. The budget 
        provides funding to further reduce risk in the Federal cyber 
        domain by enabling continuous monitoring and diagnostics of 
        networks in support of mitigation activities designed to 
        strengthen the operational security posture of Federal civilian 
        networks. DHS will directly support Federal civilian 
        departments and agencies in developing capabilities to improve 
        their cybersecurity posture and to better thwart advanced, 
        persistent cyber threats that are emerging in a dynamic threat 
        environment.
  --NCPS.--$406 million is included for Network Security Deployment, 
        which manages NCPS, operationally known as EINSTEIN. NCPS is an 
        integrated intrusion detection, analytics, information-sharing, 
        and intrusion-prevention system that supports DHS 
        responsibilities to defend Federal civilian networks.
  --US-CERT.--$102 million is included for operations of US-CERT, which 
        leads and coordinates efforts to improve the Nation's 
        cybersecurity posture, promotes cyber information sharing, and 
        manages cyber risks to the Nation. US-CERT encompasses the 
        activities that provide immediate customer support and incident 
        response, including 24-hour support in the National 
        Cybersecurity and Communications Integration Center. As more 
        Federal network traffic is covered by NCPS, additional US-CERT 
        analysts are required to ensure cyber threats are detected and 
        the Federal response is effective.
  --SLTT Engagement.--In fiscal year 2014, DHS will expand its support 
        to the MS-ISAC to assist in providing coverage for all 50 
        States and 6 U.S. territories in its managed security services 
        program. MS-ISAC is a central entity through which SLTT 
        governments can strengthen their security posture through 
        network defense services and receive early warnings of cyber 
        threats. In addition, the MS-ISAC shares cybersecurity incident 
        information, trends, and other analysis for security planning.
  --Cybersecurity Research and Development.--The fiscal year 2014 
        budget includes $70 million for the Science and Technology 
        Directorate's research and development focused on strengthening 
        the Nation's cybersecurity capabilities.
  --Cyber Investigations.--The fiscal year 2014 budget continues to 
        support ICE and USSS to strategically investigate domestic and 
        international criminal activities, including computer fraud, 
        network intrusions, financial crimes, access device fraud, bank 
        fraud, identity crimes and telecommunications fraud, benefits 
        fraud, arms and strategic technology, money laundering, 
        counterfeit pharmaceuticals, child pornography, and human 
        trafficking occurring on or through the Internet. The budget 
        continues to enable these DHS law enforcement agencies to 
        provide computer forensics support and training for law 
        enforcement partners to enable them to effectively investigate 
        cyber crime and conduct other highly technical investigations. 
        ICE projects a fiscal year 2014 expenditure of $13.8 million 
        for the Cyber Crimes Center supporting investigations to 
        identify, disrupt, and dismantle domestic and transnational 
        criminal organizations engaged in crimes facilitated by use of 
        computers and cyberspace. In addition, ICE expects to spend 
        $96.5 million on investigations of cyber crime/child 
        exploitation. Other investigations of illicit trade, travel and 
        finance all make use of cyber investigative techniques 
        including computer forensic analysis. The Secret Service's 
        ECTFs will also continue to focus on the prevention of cyber 
        attacks against U.S. financial payment systems and critical 
        infrastructure through aggressive investigation and information 
        sharing.
  --Cyber Protection.--The fiscal year 2014 budget includes $13.5 
        million to enhance the Secret Service's ability to secure 
        protective venues, National Special Security Events and 
        associated Critical Infrastructure/Key Resources from cyber 
        attacks.
                      cyber legislative priorities
    It is important to note that the Executive order directs Federal 
agencies to work within current authorities and increase voluntary 
cooperation with the private sector to provide better protection for 
computer systems critical to our national and economic security. It 
does not grant new regulatory authority or establish additional 
incentives for participation in a voluntary program. We continue to 
believe that a suite of legislation is necessary to implement the full 
range of steps needed to build a strong public-private partnership, and 
we will continue to work with the Congress to achieve this.
    To help us achieve our mission, we have created a number of 
competitive scholarship, fellowship, and internship programs to attract 
top talent. We are growing our world-class cybersecurity workforce by 
creating and implementing standards of performance, building and 
leveraging a cybersecurity talent pipeline with secondary and post-
secondary institutions nationwide, and institutionalizing an effective, 
ongoing capability for strategic management of the Department's 
cybersecurity workforce. Congress can support this effort by pursuing 
legislation that provides DHS with the hiring and pay flexibilities we 
need to secure Federal civilian networks, protect critical 
infrastructure, respond to cyber threats, and combat cybercrime.
                               conclusion
    The American people expect us to secure the country from the 
growing danger of cyber threats and ensure the Nation's critical 
infrastructure is protected. The threats to our cybersecurity are real, 
they are serious, and they are urgent. I appreciate this committee's 
guidance and support as, together, we work to keep our Nation safe.
STATEMENT OF RICHARD A. MCFEELY, EXECUTIVE ASSISTANT 
            DIRECTOR, CRIMINAL, CYBER, RESPONSE, AND 
            SERVICES BRANCH, FEDERAL BUREAU OF 
            INVESTIGATION, DEPARTMENT OF JUSTICE
    Mr. McFeely. Good afternoon, Madam Chairwoman, Vice 
Chairman Shelby, and members of the committee.
    It is difficult to overstate the potential impacts cyber 
threats pose to our economy, our national security, and the 
critical infrastructure upon which our country relies. That is 
why the FBI, along with our key partners sitting at the table 
here, are strengthening our cyber capabilities in the same way 
we enhanced our intelligence and national security capabilities 
in the wake of 9/11.
    I want to talk briefly about what the FBI's response has 
been, but I echo both of these two gentlemen's comments that 
this is a whole of Government approach when it comes to 
addressing this issue.
    In the last year within the FBI, we have undergone a 
paradigm shift in how we conduct cyber operations. While we 
previously watched, collected information, and added to our 
understanding of the adversaries' intentions, we did not always 
take action by seeking to disrupt them as we might in a 
counterterrorism case. We are now, working with our partners, 
successfully disrupting and impacting the individuals behind 
the keyboard who have made it their mission to attack, steal, 
spy, and commit terrorist acts against our Nation and its 
citizens. Instead of watching foreign countries steal our 
intellectual property, we are going out to companies and trying 
to prevent it.
    For example, working with DHS, we now routinely provide 
private industry and our law enforcement partners overseas with 
IP addresses that are responsible for launching attacks against 
our country. Just last week, the FBI, Microsoft, and the 
financial services industry conducted separate but coordinated 
operations to successfully disrupt more than 1,000 botnets, 
networks of compromised computers that had been infected with a 
malware known as Citadel. The botnets were part of a massive 
global cyber crime operation estimated to be responsible for 
more than half a billion dollars in financial fraud.
    These actions are part of a larger U.S. Government strategy 
led by the National Cyber Investigative Joint Task Force, or 
NCIJTF, to target botnet creators and distributors. They 
exemplify how the FBI and our partners are using private/public 
partnerships both domestically and internationally to protect 
the public from cyber criminals.
    At the NCIJTF, which serves as the deconfliction center on 
cyber threat investigations among 19 U.S. and two international 
agencies, the Government is coordinating its efforts at an 
unprecedented level. This coordination involves senior 
personnel at key agencies. While it is led by the FBI, it now 
has Deputy Directors from the National Security Agency, DHS, 
the Central Intelligence Agency (CIA), the U.S. Secret Service, 
and U.S. Cyber Command.
    We must recognize that to work together we have to make 
sure that we keep pace and surpass the capabilities of our 
cyber adversaries. As General Alexander described earlier, the 
leaders of the FBI, DHS, and NSA met last fall and clarified 
the lanes in the road to cyber jurisdiction. And I believe that 
the collective opinion among the worker levels is that there is 
now an unprecedented level of cooperation not seen since the 
immediate post-9/11 era.
    In addition to strengthening our partnerships in 
Government, we have significantly enhanced our collaboration 
with the private sector. As part of that outreach, we have 
begun to provide industry partners with classified threat 
briefings and other information and tools to help repel 
intruders. Among these tools is a new platform we are 
developing for trusted industry partners to report cyber 
incidents to all of Government in real time. Known as 
iGuardian, it is based on a successful guardian terrorist 
threat tracking and collaboration system developed after 9/11. 
We are also developing an automated malware analysis tool to 
which law enforcement and industry partners could submit 
samples of malware for triage and analysis. We expect an 
unclassified version of this system to be piloted with the 
private sector this fall.
    And while we have been primarily focused on cyber 
intrusions, which we see as the greatest cyber threat to our 
national security, we are working with our State and local law 
enforcement partners to identify and address gaps in the 
investigation and prosecution of Internet fraud crimes. The 
FBI, the U.S. Secret Service should not bear all responsibility 
for this. We believe that there is a huge space for our State 
and local partners to join us in this fight.
    To address these gaps, we have developed a pilot program, 
in collaboration with the International Chiefs of Police and 
other law enforcement organizations to enhance the Internet 
fraud targeting packages that the FBI's Internet Crime 
Complaint Center, or IC3, currently provides to State and local 
law enforcement for investigation and potential prosecution.
    I thank you for the opportunity to be here today and look 
forward to answering questions.
    [The statement follows:]
                Prepared Statement of Richard A. McFeely
    Good afternoon Chairwoman Mikulski, Vice Chairman Shelby, and 
members of the committee. I appreciate the opportunity to appear before 
you today to discuss the cyber threat, how the Federal Bureau of 
Investigation (FBI) has responded to it, and how we are marshaling our 
resources and strengthening our partnerships to more effectively combat 
the increasingly sophisticated adversaries we face in cyberspace.
                            the cyber threat
    As the committee is well aware, the frequency and impact of cyber 
attacks on our Nation's private sector and government networks have 
increased dramatically in the past decade, and are expected to continue 
to grow. Since 2002, the FBI has seen an 84-percent increase in the 
number of computer intrusion investigations.
    Our adversaries in the cyber realm include spies from nation-states 
who seek our secrets and intellectual property; organized criminals who 
want to steal our identities and money; terrorists who aspire to attack 
our power grid, water supply, or other infrastructure; and hacktivist 
groups who are trying to make a political or social statement. It is 
difficult to overstate the potential impact these threats pose to our 
economy, our national security, and the critical infrastructure upon 
which our country relies. The bottom line is we are losing data, money, 
ideas, and innovation to a wide range of cyber adversaries and much 
more is at stake.
    Director Mueller has said he expects the cyber threat to surpass 
the terrorism threat to our Nation in the years to come. That is why we 
are strengthening our cyber capabilities in the same way we enhanced 
our intelligence and national security capabilities in the wake of the 
September 11th attacks.
                federal bureau of investigation response
    The FBI recognized the significance of the cyber threat more than a 
decade ago and, in response, created the Cyber Division and elevated 
the cyber threat to our number three national priority (only after 
counterterrorism and counterintelligence). We also significantly 
increased our hiring of technically trained agents, analysts, and 
forensic specialists and expanded our partnerships with law 
enforcement, private industry, and academia.
    We have made great progress since the Cyber Division was first 
created in 2002. Prior to that, we considered it a success when we 
recognized that networks were being attacked. We soon enhanced our 
ability to determine attribution knowing who was breaking into our 
computers and networks and to track Internet Protocol (IP) addresses 
back to their source. Now, the question we ask ourselves is, ``How are 
we going to take action on that information?''
    The perpetrators of these attacks are often overseas, but in the 
past, tracking an IP address back to its source in a foreign country 
usually led to a dead end. To address this problem, we embedded cyber 
agents with law enforcement in several key countries, including 
Estonia, Ukraine, the Netherlands, Romania, and Latvia. We have also 
worked with several of these countries to extradite subjects from their 
countries to stand trial in the United States.
    Building on the success of our international outreach, we are 
currently expanding our Cyber Assistant Legal Attache program to the 
United Kingdom (U.K.), Singapore, Bulgaria, Australia, Canada, the 
Republic of Korea, and Germany.
                            recent successes
    A prime example of international collaboration came in the 2011 
takedown of Rove Digital, a company founded by a ring of Estonian and 
Russian hackers to commit a massive Internet fraud scheme. The scheme 
infected more than 4 million computers in more than 100 countries with 
malware. The malware secretly altered the settings on infected 
computers, enabling the hackers to hijack Internet searches using rogue 
servers for Domain Name System (DNS) routers and re-route computers to 
certain Web sites and ads. The company received fees each time these 
Web sites or ads were clicked on or viewed by users and generated $14 
million in illegitimate income for the operators of Rove Digital.
    Following the arrest of several alleged co-conspirators in Estonia, 
FBI agents, linguists, and forensic examiners assisted Estonian 
authorities in retrieving and analyzing data linking them to the 
scheme. Seven individuals have been indicted in the Southern District 
of New York in this case. Two of the six for which the United States 
sought extradition have been remanded to U.S. custody and have recently 
pleaded guilty to wire fraud and computer intrusion.
    While the FBI and our partners have had multiple recent 
investigative successes against the threat, we are continuing to push 
ourselves to respond more rapidly and prevent attacks before they 
occur.
    One area in which we have had great success with our overseas 
partners recently is in targeting infrastructure we believe has been 
used in Distributed Denial of Service (DDOS) attacks, and preventing it 
from being used for future attacks. Since October 2012, the FBI and the 
Department of Homeland Security (DHS) have released nearly 168,000 
Internet Protocol addresses of computers that were believed to be 
infected with DDOS malware. We have released this information through 
Joint Indicator Bulletins (JIBs) to more than 130 countries via DHS' 
National Cybersecurity and Communications Integration Center Team as 
well as our Legal Attaches.
    These actions have enabled our foreign partners to take action and 
reduced the effectiveness of the botnets and the DDOS attacks. We are 
continuing to target botnets through this strategy and others.
                         next generation cyber
    The need to prevent attacks is a key reason we have redoubled our 
efforts to strengthen our cyber capabilities while protecting privacy, 
confidentiality, and civil liberties. The FBI's Next Generation Cyber 
Initiative, which we launched in 2012, entails a wide range of 
measures, including focusing the Cyber Division on intrusions into 
computers and networks--as opposed to crimes committed with a computer 
as a modality; establishing Cyber Task Forces in each of our 56 field 
offices to conduct cyber intrusion investigations and respond to 
significant cyber incidents; hiring additional computer scientists to 
assist with technical investigations in the field; and expanding 
partnerships and collaboration at the National Cyber Investigative 
Joint Task Force (NCIJTF).
    At the NCIJTF--which serves as a coordination, integration, and 
information sharing center among 19 U.S. agencies and two foreign 
governments for cyber threat investigations--we are coordinating at an 
unprecedented level. This coordination involves senior personnel at key 
agencies. NCIJTF, which is led by the FBI, now has deputy directors 
from the National Security Agency (NSA), DHS, the Central Intelligence 
Agency, U.S. Secret Service, and U.S. Cyber Command. We recently 
invited our Five Eyes partners to join us at the NCIJTF. Australia 
agreed, and embedded personnel there in May. The U.K. is scheduled to 
do so in July 2013. By developing partnerships with these and other 
nations, NCIJTF is working to become the international leader in 
synchronizing and maximizing investigations of cyber adversaries.
    We recognize that we must work together more efficiently than ever 
to keep pace with and surpass our cyber adversaries. To that end, the 
leaders of the FBI, DHS, and NSA recently held a series of meetings to 
clarify the lanes in the road in cyber jurisdiction. The group agreed 
that the Department of Justice (DOJ) is the lead for investigation, 
enforcement, and prosecution of those responsible for cyber intrusions 
affecting the United States. As part of DOJ, the FBI conducts domestic 
national security operations; investigates, attributes, and disrupts 
cybercrimes; and collects, analyzes, and disseminates domestic cyber 
intelligence. DHS's primary role is to protect critical infrastructure 
and networks, coordinate mitigation and recovery, disseminate threat 
information across various sectors and investigate cybercrimes under 
DHS's jurisdiction. The Department of Defense's role is to defend the 
Nation, gather intelligence on foreign cyber threats, and to protect 
national security systems.
    Earlier this year, the U.S. Intellectual Property Enforcement 
Coordinator released the administration's Strategy on Mitigating the 
Theft of U.S. Trade Secrets. As part of the strategy, the Department of 
Justice, including the FBI, will continue to prioritize prosecutions 
and investigations of foreign corporate and state-sponsored trade 
secret theft. Further, the FBI is expanding its efforts to fight 
computer intrusions that involve the theft of trade secrets by 
individuals, foreign corporations, and nation-state cyber hackers.
    While we are primarily focused with our Federal partners on cyber 
intrusions, we are also working with our State and local law 
enforcement partners to identify and address gaps in the investigation 
and prosecution of Internet fraud crimes.
    Currently, the FBI's Internet Crime Complaint Center (IC3) collects 
reports from private industry and citizens about online fraud schemes, 
identifies emerging trends, and produces reports about them. The FBI 
investigates fraud schemes that are appropriate for Federal prosecution 
(based on factors like the amount of loss). Others are packaged 
together and referred to State and local law enforcement. However, we 
have learned that very few of these referred cases are being worked.
    To close this gap, we have developed a pilot program in 
collaboration with the International Association of Chiefs of Police, 
the Major City Chiefs Association, and the National Sheriffs' 
Association to enhance the Internet fraud targeting packages IC3 
provides to State and local law enforcement for investigation and 
potential prosecution. During the first phase of the pilot, IC3 will 
develop better investigative leads for direct dissemination to State 
and local agencies, beginning with the Utah Department of Public 
Safety.
                        private sector outreach
    In addition to strengthening our partnerships in government and law 
enforcement, we recognize that to effectively combat the cyber threat, 
we must significantly enhance our collaboration with the private 
sector. Our Nation's companies are the primary victims of cyber 
intrusions and their networks contain the evidence of countless 
attacks.
    In the past, industry has provided us information about attacks 
that have occurred, and we have investigated the attacks, but we have 
not always provided information back. We realize the flow of 
information must go both ways. As part of our enhanced private sector 
outreach, we have begun to provide industry partners with classified 
threat briefings and other information and tools to help them repel 
intruders.
    Among them is a new platform we are developing for trusted private 
industry partners to report cyber incidents to us in real time. Known 
as iGuardian, it is based on the FBI's successful Guardian terrorist 
threat tracking and collaboration system. Guardian has also been 
enhanced to accept cyber incident reporting from fusion centers and 
State and local law enforcement.
    Over the past year, we have been engaged in classified briefs on 
nearly a daily basis at NCIJTF with private-sector partners and 
representatives of our Nation's most critical infrastructure sectors. 
Earlier this year, in coordination with the Treasury Department, we 
provided a classified briefing on threats to the financial services 
industry to executives of more than 40 banks who participated via 
secure video teleconference in FBI field offices around the country.
    In addition to these actions, we are also expanding our 
partnerships with private industry and academia through initiatives 
like InfraGard--a public-private coalition of 55,000 members to protect 
critical infrastructure--and the National Cyber-Forensics and Training 
Alliance, a proven model for sharing private sector information in 
collaboration with law enforcement.
                    fiscal year 2014 budget request
    The combined result of these actions is that the FBI has undergone 
a paradigm shift over the past year in how we are responding to the 
cyber threat, particularly national security cyber threats. While we 
previously watched, collected information, and added to our 
understanding of our nation-state adversaries' intentions, we are now 
looking to disrupt and deter the individuals behind the keyboard who 
have made it their mission to attack, steal, spy, and commit terrorist 
attacks against our Nation and its citizens.
    Instead of watching foreign countries steal our intellectual 
property, we're going out to companies and trying to prevent it. For 
example, in coordination with DHS, we will provide organizations with 
IP addresses that are likely to launch attacks against them or the e-
mail addresses used to send their employees messages with links to 
malicious software, in a technique known as ``spearphishing.''
    Undertaking these new actions and initiatives requires additional 
personnel and other resources. That is why, to help the FBI combat this 
rapidly developing and diverse threat, the fiscal year 2014 budget 
request includes an additional 152 positions (60 Special Agents, 1 
Intelligence Analyst, and 91 Professional Staff) and $86.6 million to 
help address this threat.
                               conclusion
    In conclusion, Chairwoman Mikulski, to counter the threats we face, 
we are engaging in an unprecedented level of collaboration within the 
U.S. Government, with the private sector, and with international law 
enforcement.
    We are grateful for the committee's support and look forward to 
continuing to work with you and expand our partnerships as we determine 
a successful course forward for the Nation to defeat our cyber 
adversaries.
    Thank you again for the opportunity to be here today. I would be 
happy to answer any questions you may have.
STATEMENT OF HON. DR. PATRICK D. GALLAGHER, ACTING 
            DEPUTY SECRETARY, DEPARTMENT OF COMMERCE; 
            DIRECTOR, NATIONAL INSTITUTE OF STANDARDS 
            AND TECHNOLOGY
    Chairwoman Mikulski. Dr. Gallagher.
    Dr. Gallagher. Thank you. Chairwoman Mikulski and Vice 
Chairman Shelby, members of the committee, it is a distinct 
pleasure to be here today to join my colleagues to talk to you 
about cybersecurity.
    Since I am batting cleanup, I want to touch quickly on just 
two topics.
    First is the all-of-Government approach. Good teamwork is 
based on playing your position, and the NIST position is based 
on our mission. We are a measurement science and standards 
organization, and our role is to support industry, the owners 
and operators of this infrastructure, as they respond to the 
information that they get from our Intelligence Community, from 
our law enforcement community, and from Homeland Security.
    This is a top priority for NIST. In our fiscal year 2014 
budget request, there was a $24 million increase to 
cybersecurity R&D programs at NIST. This is on top of making 
our total investment of $68 million. This funding enables our 
R&D performance in a number of critical areas, including the 
National Initiative for Cybersecurity Education, an interagency 
effort; the National Strategy for Trusted Identities in 
Cyberspace; the National Cybersecurity Center of Excellence; 
and implementation of Executive Order 13636, ``Improving 
Critical Infrastructure Cybersecurity.''
    Second, I would like to give you a quick update on the 
Executive order. As many of you know, under the order, NIST has 
been directed to work with industry to develop a framework of 
cybersecurity practices, methods, and so forth that supports 
the performance goals established by the Department of Homeland 
Security. For this to be successful, two major elements have to 
be part of the approach.
    First is an effective partnership between the agencies, and 
that is occurring. In fact, we memorialized this with a 
memorandum of understanding between DHS and NIST and with close 
working collaborations with my colleagues here.
    And second, the cybersecurity framework must be developed 
through a process that is industry-led, open and transparent to 
all of the stakeholders because it is by having industry 
develop their own practices that are responsive to the 
performance goals that we end up with an output that is 
technically robust, because it draws on their expertise, and is 
aligned with business interests and practice.
    This is not a new or novel or approach for NIST. We have 
utilized a similar approach in the recent past to address other 
national priorities, including the smart grid and cloud 
computing.
    Madam Chair, I appreciate the challenge before us. The 
Executive order is very aggressive in the timing for the 
framework process. It is to be developed within 1 year. The 
first draft is due in 120 days. Today marks the halfway point 
in that process. We have issued, in support of this effort, a 
request for information and have gathered input from industry 
and other stakeholders. We have held the first two of four 
planned workshops to support this process, and we will use 
these workshops to finalize and develop the framework because 
it is this type of approach that allows us the appropriate 
level of collaboration and engagement with industry.
    In May, we released the initial findings and the early 
analysis from the request for information. That release marks 
the transition from sort of gathering facts to actually 
building the framework. In 8 months, we will have an initial 
draft of the framework, including an initial list of standards, 
guidelines, and practices, and then following that, we will 
work with our agency partners to finalize the framework. But 
even after the framework is done, the work is really only just 
beginning. Adoption and use of the framework is going to raise 
new issues to address. The goal at the end of this process is 
for industry to adopt the framework themselves so it becomes an 
ongoing process that enhances cybersecurity.
    The President's Executive order lays out an urgent and 
ambitious agenda, but it is designed around an active 
collaboration between the public and private sectors, and I 
wholeheartedly believe that partnership is the essential 
ingredient for its success.
    In short, the cybersecurity challenge, both in the dot-gov 
and in the dot-com domain, is greater than it has ever been. 
Active collaboration among the private sector and between the 
public and private sectors is really the only way we can meet 
this challenge, leveraging both sides' roles, responsibilities, 
and capabilities.
    And we have a lot of work, and I look forward to working 
with this committee to make it happen. Thank you.
    [The statement follows:]
          Prepared Statement of Hon. Dr. Patrick D. Gallagher
    Chairwoman Mikulski, Vice Chairman Shelby, members of the 
committee, I am Patrick Gallagher, Under Secretary of Commerce for 
Standards and Technology and Director of the National Institute of 
Standards and Technology (NIST), a nonregulatory bureau within the U.S. 
Department of Commerce. I am also currently serving as the Acting 
Deputy Secretary of Commerce. Thank you for this opportunity to testify 
today on NIST's roles and responsibility for cybersecurity.
   the role of the national institute of standards and technology in 
                             cybersecurity
    NIST's overall mission is to promote U.S. innovation and industrial 
competitiveness by advancing measurement science, standards, and 
technology in ways that enhance economic security and improve our 
quality of life. Our work in addressing technical challenges related to 
national priorities has ranged from projects related to the Smart Grid 
and electronic health records to atomic clocks, advanced nanomaterials, 
and computer chips.
    In the area of cybersecurity, NIST has worked with Federal 
agencies, industry, and academia since 1972, when it was given the 
responsibility for the development of the Data Encryption Standard. Our 
role to research, develop and deploy information security standards and 
technology to protect information systems against threats to the 
confidentiality, integrity and availability of information and 
services, was then strengthened through the Computer Security Act of 
1987 and reaffirmed through the Federal Information Security Management 
Act of 2002.
    Consistent with our mission, NIST actively engages with industry, 
academia, and other parts of the Federal Government including the 
Intelligence Community, and with elements of the law enforcement and 
national security communities. These collaborations inform our efforts 
in coordinating and prioritizing cybersecurity research, standards 
development, standards conformance demonstration and cybersecurity 
education and outreach.
    Our broader work in the areas of information security, trusted 
networks, and software quality is applicable to a wide variety of 
users, from small and medium enterprises to large private and public 
organizations including agencies of the Federal Government and 
companies involved with critical infrastructure.
    We employ collaborative partnerships with our customers and 
stakeholders in industry, government and academia, to take advantage of 
their technical and operational insights and to leverage the resources 
of a global community. These collaborative efforts and our private 
sector collaborations in particular, are constantly being expanded by 
new initiatives, including in recent years through the National 
Initiative for Cybersecurity Education (NICE), National Strategy for 
Trusted Identities in Cyberspace (NSTIC), the National Cybersecurity 
Center of Excellence (NCCoE), and through development of the 
Cybersecurity Framework under Executive order (EO) 13636, ``Improving 
Critical Infrastructure Cybersecurity.''
    My testimony has four parts today: I'll discuss the role of NIST in 
protecting Federal information systems; our engagement with industry; 
our work under the President's Executive order; and how our funding 
supports all of those efforts.
   the role of the national institute of standards and technology in 
                 protecting federal information systems
    The E-Government Act of 2002, Public Law 107-347, recognized the 
importance of information security to the economic and national 
security interests of the United States. Title III of the E-Government 
Act, known as the Federal Information Security Management Act of 2002 
(FISMA), included duties and responsibilities for the National 
Institute of Standards and Technology to develop standards and 
guidelines for Federal information systems.
    The NIST Special Publications (SPs) and Interagency Reports (IRs) 
provide management, operational, and technical security guidelines for 
Federal agencies and cover a broad range of topics such as BIOS 
management and measurement, key management and derivation, media 
sanitization, electronic authentication, security automation, Bluetooth 
and wireless protocols, incident handling and intrusion detection, 
malware, cloud computing, public key infrastructure, risk assessments, 
supply chain risk management, authentication, access control, security 
automation and continuous monitoring.
    Beyond these documents--which are peer-reviewed throughout 
industry, government, and academia--NIST conducts workshops, awareness 
briefings, and outreach to ensure comprehension of standards and 
guidelines, to share ongoing and planned activities, and to aid in 
scoping guidelines in a collaborative, open, and transparent manner.
    In support of FISMA implementation, in recent years NIST has 
strengthened its collaboration with the Department of Defense, the 
Intelligence Community, and the Committee on National Security Systems, 
through the Joint Task Force Transformation Initiative, which continues 
to develop key cybersecurity guidelines for protecting Federal 
information and information systems for the Unified Information 
Security Framework.
    This collaboration allows the most broad-based and comprehensive 
set of safeguards and countermeasures ever developed for information 
systems. This unified framework provides a standardized method for 
expressing security at all levels, from operational implementation to 
compliance reporting. It allows for an environment of information 
sharing and interconnections among these communities and significantly 
reduces costs, time, and resources needed for finite sets of systems 
and administrators to report on cybersecurity to multiple authorities.
    To support agency implementation of cloud technology, NIST has 
worked with the General Services Administration (GSA) to help establish 
the Federal Risk and Authorization Management Program (FedRAMP) to 
identify security assessment requirements, and prototype a process for 
approving Third-Party Assessment Organizations (3PAOs) that demonstrate 
capability in assessing Cloud Service Provider (CSP) information 
systems for conformance to identified standards and guidelines.
    Given the Department of Homeland Security's (DHS's) important role 
in Federal agency cybersecurity, our partnership with DHS informs 
NIST's collaborative efforts. Earlier in the year I signed a Memorandum 
of Agreement with DHS Undersecretary Rand Beers to ensure that our work 
with industry on cybersecurity standards, best practices, and metrics 
is fully integrated with the information sharing, threat analysis, 
response, and other work of DHS. We believe this will help enable a 
more holistic approach to addressing the complex nature of the 
challenge facing Federal agencies.
 the national institute of standards and technology's engagement with 
                                industry
    It is important to note that the impact of NIST's activities under 
FISMA extend beyond providing the means to protect Federal IT systems. 
They provide the cybersecurity foundations for the public trust that is 
essential to our realizing the national and global productivity and 
innovation potential of electronic business and its attendant economic 
benefits. Many organizations voluntarily follow these standards and 
guidelines, reflecting their wide acceptance throughout the world.
    Beyond our responsibilities under FISMA, under the provisions of 
the National Technology Transfer and Advancement Act, Public Law 104-
113, and related OMB Circular A-119, NIST is tasked with the key role 
of encouraging and coordinating Federal agency use of voluntary 
consensus standards and participation in the development of relevant 
standards, as well as promoting coordination between the public and 
private sectors in the development of standards and in conformity 
assessment activities. NIST works with other agencies, such as the 
State Department, to coordinate standards issues and priorities with 
the private sector through consensus standards organizations such as 
the American National Standards Institute (ANSI), the International 
Organization for Standardization (ISO), the Institute of Electrical and 
Electronic Engineers (IEEE), the Internet Engineering Task Force 
(IETF), and the International Telecommunication Union (ITU).
    A partnership with industry to develop, maintain, and implement 
voluntary consensus standards related to cybersecurity best practices 
promotes the interoperability, security and resiliency of this global 
infrastructure and makes us all more secure. It also allows this 
infrastructure to evolve in a way that embraces both security and 
innovation--allowing a market to flourish to create new types of secure 
products for the benefit of all Americans.
    NIST also conducts cybersecurity research and development in areas 
such as security for Federal mobile environments and techniques for 
measuring and managing security. These efforts focus on improving the 
cybersecurity of current and future information technologies, and on 
improving the trustworthiness of IT components such as claimed 
identities, data, hardware, and software for networks and devices.
    In addition, NIST recognizes that further development of 
cybersecurity standards will be needed to improve the security and 
resiliency of critical U.S. information and communication 
infrastructure. The availability of cybersecurity standards and 
associated conformity assessment schemes is essential to these efforts, 
which will help enhance the deployment of sound security solutions and 
build trust among those creating and those using the solutions 
throughout the country.
    Additionally, the State of Maryland, Montgomery County, and NIST 
have jointly established the National Cybersecurity Center of 
Excellence (NCCoE), a public-private collaboration for accelerating the 
widespread adoption of cybersecurity technologies. Through the creation 
of standards-based reference designs, templates, and example 
``builds,'' the NCCoE will reduce barriers for companies that see the 
deployment of more secure technologies as too costly, too complicated, 
or technically infeasible. Reducing these economic, educational, and 
technical barriers to adoption can improve the security posture, and 
increase the competitiveness, of U.S. industry.
    The NCCoE tackles some of the most pressing cybersecurity 
challenges identified by the members of one or more economic sectors. 
These challenges are then synthesized into specific ``use cases'' that 
include technical details that allow the NCCoE to develop an integrated 
solution based on commercially available technology. All of this work 
is done in an open and collaborative process: the use cases are 
published for public comment on the NCCoE Web site; the solutions are 
developed in collaboration with the private sector, other government 
agencies, and academia; the NCCoE hosts workshops and public meetings 
to exchange expertise and validate the practicality of the solutions 
under development; and when complete, the entire set of material 
necessary to recreate the NCCoE example solution is made available to 
the public.
    The NCCoE is a unique opportunity that brings together, under one 
roof, experts from industry, government, and academia to develop 
practical, interoperable, and usable cybersecurity solutions. The 
center collaborates with the private sector primarily through three 
channels:
  --A Sector Community of Interest.--Open to the public, with primary 
        participation drawn from sector-specific businesses (e.g., 
        healthcare, financial services, energy, etc.).
  --National Cybersecurity Excellence Partnership Companies.--U.S. IT 
        and cybersecurity companies that have committed to share 
        technology and engineering staff with the NCCoE on persistent 
        basis.
  --Use Case Collaborators.--Companies that are providing a secure 
        technology and engineering expertise as a part of an integrated 
        solution for a specific use case.
    The National Strategy for Trusted Identities in Cyberspace (NSTIC) 
is another key area in which NIST engages with industry. Under NSTIC, 
NIST is working with a wide array of stakeholders on creation of an 
online environment--the ``Identity Ecosystem''--that addresses the 
myriad security and convenience problems caused by passwords, and 
allows individuals and organizations to better trust one another, with 
minimized disclosure of personal information. The Identity Ecosystem 
will be a user-centric online environment, supported by a framework of 
technologies, policies, and agreed-upon standards, which will enable 
individuals to transact business in a way that is more secure, 
convenient and privacy-enhancing everywhere they go online.
    In the Identity Ecosystem, consumers will be able to choose in the 
marketplace from a variety of identity solutions--both private and 
public--that would issue trusted credentials that could be used in lieu 
of passwords across the Internet. Key attributes of the Identity 
Ecosystem include privacy, convenience, efficiency, ease-of-use, 
security, confidence, innovation, and choice. Creating this Identity 
Ecosystem requires a partnership between the private sector, advocacy 
groups, public sector agencies and others--all of whom are currently 
working to support NSTIC by collaborating in the privately led Identity 
Ecosystem Steering Group (IDESG). The request continues and expands 
existing efforts to coordinate Federal activities needed to implement 
NSTIC.
    NIST also supports the continued work under the National Initiative 
for Cybersecurity Education (NICE). As we all know, cybersecurity is 
much more than technological solutions to technical problems; it is 
also highly dependent on educated users who are aware of and routinely 
employ sound practices when dealing with cyberspace. NIST will continue 
to work with the Federal Government, and with State, local, and tribal 
governments, for improving cybersecurity education. NIST will ensure 
coordination, cooperation, focus, public engagement, technology 
transfer, and sustainability of NICE. NIST works with DHS and other 
Federal agencies in the implementation of the cybersecurity education 
framework to address national cybersecurity awareness, formal 
cybersecurity education, Federal cybersecurity workforce structure, and 
cybersecurity workforce training and professional development.
    Small businesses face particular cybersecurity challenges, as they 
tend to have more limited resources that must be well applied to meet 
the most obvious and serious threats. The vulnerability of any 
individual small business may not seem significant, other than to the 
owner and employees of that business. However, given that over 95 
percent of all U.S. businesses are small- and medium-size businesses 
(SMBs), a vulnerability common to a large percentage of SMBs poses a 
threat to the Nation's economic base. SMBs frequently cannot justify an 
extensive security program or a full-time expert. Nonetheless, they 
confront serious security challenges and must address security 
requirements based on identified needs.
    Cognizant of the needs of SMBs, NIST partners with the Small 
Business Administration (SBA) and the Federal Bureau of Investigation's 
InfraGard program to sponsor computer security workshops and provide 
online support for small businesses. Through these efforts, experts in 
computer security are made available to offer small business owners an 
overview of information security threats, vulnerabilities, and 
corresponding protective tools and techniques, with a special emphasis 
on providing useful information that small business personnel can apply 
directly or use to task contractor personnel.
    In fiscal year 2012, NIST, SBA, and the FBI hosted 25 small 
business information security workshops in Oklahoma, Louisiana, 
Colorado, New Hampshire, Connecticut, Minnesota, Texas, California, 
Indiana, Ohio, and New Mexico, and provided online support to SMBs 
throughout the United States.
the national institute of standards and technology's role in executive 
    order 13636, ``improving critical infrastructure cybersecurity''
    As you know, on February 13, 2013, the President signed Executive 
Order 13636, ``Improving Critical Infrastructure Cybersecurity,'' which 
gave NIST the responsibility to develop a framework to reduce cyber 
risks to critical infrastructure (the Cybersecurity Framework). As 
directed in the Executive order, NIST, working with industry, will 
develop the Cybersecurity Framework and the Department of Homeland 
Security (DHS) will establish performance goals. DHS, in coordination 
with sector-specific agencies, will then support the adoption of the 
Cybersecurity Framework by owners and operators of critical 
infrastructure and other interested entities, through a voluntary 
program. NIST is also working closely with partners throughout the 
interagency--including the Intelligence Community--to ensure that the 
Framework leverages their expertise and role as the Framework is 
developed.
    A Cybersecurity Framework is an important element in addressing the 
challenges of improving the cybersecurity of our critical 
infrastructure. A NIST-coordinated and industry-led Framework will draw 
on standards and best practices that industry already develops and 
uses. NIST coordination will ensure that the process is open and 
transparent to all stakeholders, and will ensure a robust technical 
underpinning to the framework. This approach will significantly bolster 
the relevance of the resulting Framework to industry, making it more 
appealing for industry to adopt.
    This multi-stakeholder approach leverages the respective strengths 
of the public and private sectors, and helps develop solutions in which 
both sides will be invested. The approach does not dictate solutions to 
industry, but rather facilitates industry coming together to offer and 
develop solutions that the private sector is best positioned to 
embrace. Any efforts to better protect critical infrastructure need to 
be supported and implemented by the owners and operators of this 
infrastructure.
    Underlying all of this work, NIST sees its role in developing the 
Cybersecurity Framework as partnering with industry and other 
stakeholders to help them develop the Framework. In addition to this 
critical convening role, our work will be to compile and provide 
guidance on principles that are applicable across the sectors for the 
full range of quickly evolving threats, based on inputs from DHS and 
other agencies. NIST's unique technical expertise in various aspects of 
cybersecurity related research, technology development and an 
established track record of working with a broad cross-section of 
industry and government agencies in the development of standards and 
best practices positions us very well to address this significant 
national challenge in a timely and effective manner.
    NIST's initial steps towards implementing the Executive order 
included issuing a Request for Information (RFI) in February to gather 
relevant input from industry and other stakeholders, and asking 
stakeholders to participate in the Cybersecurity Framework process. 
NIST is following up the RFI process with continued engagement with 
stakeholders through a series of workshops and events to ensure that we 
can cover the breadth of considerations that will be needed to make 
this national priority a success. We have already initiated an 
aggressive outreach program to raise awareness of this issue and begin 
engaging industry and stakeholders. NIST will continue to bring many 
diverse stakeholders to the table. Last week, a 3-day workshop hosted 
by Carnegie Mellon University in Pittsburgh allowed NIST to engage with 
stakeholders to discuss the foundations of the Framework and the 
initial analysis.
    The Executive order requirement for the Framework to be developed 
within 1 year, and a preliminary framework due within 8 months gives 
this task a sense of urgency. Throughout the year, you can expect NIST 
to use its capabilities to gather the input needed to develop the 
Framework.
    In a year's time, once we have developed an initial Framework, we 
will continue to need to work with DHS, sector-specific agencies, and 
the specific sectors themselves to build strong voluntary programs for 
specific critical infrastructure areas. Their work will then inform the 
needs of critical infrastructure and the next versions of the 
Framework. The goal at the end of this process will be for industry to 
take and manage the Cybersecurity Framework--allowing it to evolve when 
needed.
    Although this Executive order will help raise the Nation's cyber 
defenses, it does not eliminate the urgent need for legislation in 
these and other areas of cybersecurity. The administration's 
legislative priorities for the 113th Congress build upon the 
President's 2011 cybersecurity legislative proposal and take into 
account 2 years of public and congressional discourse about how best to 
improve the Nation's cybersecurity.
    The administration is working toward legislation that:
  --Facilitates cybersecurity information sharing between the 
        Government and the private sector as well as among private 
        sector companies. We believe that such sharing can occur in 
        ways that protect privacy and civil liberties protections, 
        reinforce the appropriate roles of civilian and intelligence 
        agencies, and include targeted liability protections;
  --Incentivizes the adoption of best practices and standards for 
        critical infrastructure by complementing the process set forth 
        under the Executive order;
  --Gives law enforcement the tools to fight crime in the digital age;
  --Updates Federal agency network security laws, and codifies DHS' 
        cybersecurity responsibilities; and
  --Creates a national data breach reporting requirement.
    In each of these legislative areas, the right privacy and civil 
liberties safeguards must be incorporated. The administration wants to 
continue the dialogue with the Congress and stands ready to work with 
members of Congress to incorporate our core priorities to produce 
cybersecurity information sharing legislation that addresses these 
critical issues.
   national institute of standards and technology support for cyber 
                        research and development
    As highlighted today cybersecurity is a top priority for NIST, 
which has been reflected in our recent budget requests. In fiscal year 
2013 NIST has proposed to increase cybersecurity spending by $7.5 
million with most of this increase supporting NIST's efforts to develop 
a framework to reduce cyber risks to critical infrastructure in support 
of the EO. In the President's fiscal year 2014 budget request NIST has 
requested a $24 million increase to its cybersecurity research and 
development (R&D) programs for a total NIST investment in cybersecurity 
and related efforts of $68 million. The requested increases for NIST in 
fiscal year 2014 will provide additional support for NIST's roles in 
cyber education, identity management, and will support R&D to improve 
the security and interoperability of our Nation's cyberspace 
infrastructure, accelerate the development and adoption of 
cybersecurity standards in support of administration priorities, and to 
support the leading-edge work of the National Cybersecurity Center of 
Excellence (NCCoE).
                               conclusion
    The cybersecurity challenge facing critical infrastructure--both in 
the ``dot-gov'' and the ``dot-com''--is greater than it ever has been. 
Active collaboration within the public sector, and between the public 
and private sectors, is the only way to effectively meet this 
challenge, leveraging both sectors' roles, responsibilities, and 
capabilities.
    Thank you for the opportunity to present NIST's views regarding 
cybersecurity security challenges. I appreciate the committee holding 
this hearing. I look forward to working with the committee to help 
address these pressing challenges. I will be pleased to answer any 
questions you may have.

    Chairwoman Mikulski. Thank you very much, Dr. Gallagher and 
all four witnesses.
    Today the way we will function is we will follow the 5-
minute rule. We will go in order of arrival.
    We also know that this hearing does not preclude the 
subcommittees from also continuing their own hearings where 
they will even probe more deeply. And also, after we have 
concluded all of our questioning, we will also understand that 
there will be certain aspects--in order to drill down, we will 
also have an additional classified forum this afternoon in the 
classified section in the Capitol Visitor Center. But now we 
will be in full and open session, not precluding further 
hearings by the subcommittees.
    General Alexander--well, to all, just to reiterate the 
President's budget, the President has requested $9.2 billion 
for DOD: $1.2 billion, almost $1.3 billion, for DHS; for all of 
DOJ, including the FBI, $589 million; $215 million for 
Commerce, primarily in NIST; the National Science Foundation, 
$197 million; General Service Administration, $50 million; 
Department of State, $37 million.
    When one hears $13 billion, that is a lot of money. 
However, we are in an enduring war where our citizens are under 
attack from identity theft to State secrets, trade secrets, 
business secrets, et cetera.
    But our question today is, is $13 billion adequate in the 
various areas? Number one. And number two, when we spend the 
$13 billion, will we also avoid the kind of things where--
sometimes we throw money at a new problem, and often we have 
what I call techno-boondoggles. We have seen it at the FBI in 
the past. We have seen in Homeland Security in the past. We 
have seen it at DOD. So this is what we are doing.
    But let us go right to the President's request and the 
purpose. As I understand from the administration's priorities, 
the administration's priority--and if you look in the budget 
statement to us--secure the Federal networks, lead by example 
and make sure our networks are safe and secure, protect 
critical infrastructure, improve incident response, engage 
internationally. Number three, shape the future.
    General Alexander, you will be getting--if we pass this 
budget where the request is for $9 billion, I understand that 
$3.5 billion will be to protect the DOD network. We understand 
that. But what will you use the other $5.8 billion to do and 
how will we get security for that dollar and avoid the problems 
of the past?
    General Alexander. Well, thanks, Senator. It is a lot of 
money, and I can tell you that from our perspective, what we 
are talking about here is not just protecting our networks, but 
developing the forces that we need. So part of that money goes 
for training and outfitting the teams at Cyber Command and our 
components need. Part of that money goes for the information 
assurance and fixing the networks--you hit on part of that--and 
developing future architectures.
    So when I look at this from my perspective, I believe this 
is right, the right amount. I know the administration and the 
Defense Department has already looked internally to this budget 
to see where we can take cuts, and we did. We cut it back to 
what we thought was the minimum that we could use and still do 
this job.
    You pointed out, Senator, that for the Defense Department, 
our job is to protect the Nation and our networks and building 
up the infrastructure that we need both within DOD and amongst 
the services and Cyber Command. That is where that $5.8 billion 
goes. So it is split across all those. It does not go to one 
lump. It helps each of the services, Defense Intelligence 
Agency, and Cyber Command do their missions.
    $2.17 billion, as you pointed out and others, goes to NSA 
for doing their job and is part of the intel community's 
budget. So that is rolled in there as well.
    $582 million goes to U.S. Cyber Command, and that is for 
five key areas: leases for teams, setting up the teams, 
training our teams, starting the military construction to have 
a place to house these teams, for our headquarters, and for 
research, development, training, another $68 million.
    So I think it is the right number. I think we have looked 
at where we could take savings and have done that. I also think 
it is important to state that the Department sees this as an 
area to help ensure the Nation is ready as we look at the rest 
of our force posture. This is going to be key to our future.
    That is all I have, Senator.
    Chairwoman Mikulski. Just a follow-on question. In your 
testimony--this goes to protecting critical infrastructure, an 
obsession I think of this committee and something we have 
concentrated on very keenly when we were working on authorizing 
legislation under Lieberman-Collins, or Collins-Lieberman, or 
now Collins and a lot of us.
    But in your testimony, sir, you say from 0 to 10 in our 
capacity to defend our critical infrastructure, you rate us at 
a 3. A 3. A 3 to protect our grid, a 3 to protect our financial 
services. And my question then is of the money that you are 
getting, I understand Homeland Security is supposed to protect 
us against domestic threats. Where do you come in and where 
does Homeland Security come in? And is part of your money also 
used to do the services to support them?
    General Alexander. Well, we do work together, but our 
monies--they are not overlapping in this case, as you point 
out.
    Specifically, the Defense Department has two sets of roles 
and responsibilities here. One, to build, operate, and defend 
the DOD networks. That is the one responsibility and that is a 
big cost because that is our global forces, and that is the 
biggest bulk of the money that is here. The second part is to 
develop the teams to defend the Nation from a cyber attack, and 
that is where we come in.
    Now, we work with DHS. We work with FBI in setting up the 
op centers and funding and supporting those op centers so that 
we can communicate amongst us, but DHS has that responsibility 
to work with industry to set the standards to work recovery and 
that part. FBI has the responsibility to do law enforcement 
investigations. We have the responsibility on the NSA side for 
the foreign intelligence and to defend against an attack. So 
what we are doing is developing the capabilities and the teams. 
We are still going to need legislation to do those operations.
    Chairwoman Mikulski. Well, I could have follow-up, but I 
want to turn to Senator Shelby.
    Senator Shelby. Thank you, Madam Chairman.
    Dr. Gallagher, I will address my first question to you. 
Since NIST has been tasked under the Executive order with 
developing a framework to reduce cyber risk of critical 
infrastructure, could you explain how the NIST process will 
work, how the development of a framework to reduce cyber risk 
differs from the development of standards to reduce such risk? 
And what do you believe will compel private industry, which I 
think is so important, to implement the framework that it has 
developed?
    And given the evolution of technology, which you are very 
much into, all of you, generally in cyber threats specifically, 
how useful is the development of a broad-based, generic 
framework long term? Will NIST just be chasing its tail, so to 
speak, or will you be able to get ahead of the curve? I would 
be interested for you to share your thoughts here, how the 
framework and the standards and so forth will apply or could 
apply.
    Dr. Gallagher. Well, thank you very much.
    Senator Shelby. I know that is a mouthful.
    Dr. Gallagher. I am going to do my best.
    The idea behind the framework is very simply to get 
industry to develop a set of practices, standards, 
methodologies, whatever it would take that if implemented would 
improve cybersecurity performance. So we used the term 
``framework'' as a term of art to refer to whatever you would 
put into place that would result in enhanced cybersecurity 
performance. That will include a large measure of standards.
    And the idea behind having industry do it, with NIST acting 
as a technical supporting role and a convener, has a couple of 
motivations. First of all, it addresses the capacity. Industry 
is the one developing IT technology and communication 
technology, and therefore, they know where this technology is 
going and they can bring that skill and that expertise into the 
process to develop these standards.
    Second, this Internet is a global infrastructure, and these 
companies operate at a global scale. And by embedding security 
performance into the products and services themselves, we can, 
in fact, achieve a cybersecurity performance than is much 
broader than our borders, much broader than what we would buy 
directly. It embeds it in the market. It in fact gives our 
companies the power to shape those technologies around the 
world.
    In terms of chasing our tail, I think in a time when this 
technology is moving so quickly and when the threat environment 
is changing right in front of us, this is going to be an 
ongoing challenge. But I think the bottleneck cannot be NIST. 
We are simply not large enough to support this on our own. Our 
role really has to be viewed as did we help industry come up 
with a vehicle where they can organize and be responsive to 
this. That is the only way sufficient technical capacity can be 
brought to bear in my view.
    Senator Shelby. Let me pick up on that, if I could. The 
Executive order, as I understand it, discusses the development 
of a broad framework which presumably, I would think, means it 
will be generic in order to have broad applicability to all 
critical infrastructure sectors. But how will, doctor, a 
generic framework address the inherent differences in our 
critical infrastructure and their unique needs for being 
protected against cyber attacks? In other words, if we are not 
addressing sector-specific needs, how can we be sure that we 
are actually helping to protect any of these industries from a 
cyber attack?
    And last in this same vein, how do you bring industry on 
board? Because they have systems, trade secrets, formulas, 
everything, you name it, to protect and the Government would 
have to protect those and should. How will that work?
    Dr. Gallagher. So you are exactly right. The question you 
asked about industry's capacity to come together and carry this 
out is actually the central question. How generic and how 
sector-specific this framework looks is, in fact, the exact 
question that the participants in the framework are tackling.
    The good news is that in spite of the strong differences 
across sectors, looking at energy or agriculture or 
transportation and so forth, they are dependent on a core set 
of communication and IT technologies. And one of the big 
advantages they have to working together to set a common 
platform is that they can drive that performance into the 
market and they can buy these computer services and IT 
equipment at better cost because they are helping to shape the 
entire market.
    And that really gets to one of the questions you raised 
earlier, which is how do you drive adoption of this framework. 
I think the bottom line is doing good cybersecurity has to 
become good business. In the end, this is all going to be about 
alignment. These framework practices have to be compatible with 
profitable and well run companies. It may very well turn out 
that the framework discussions are more about management and 
business practices than they are about technical controls, and 
that is okay if it helps us achieve the level of performance we 
are looking for.
    Senator Shelby. Thank you, Madam Chair.
    Chairwoman Mikulski. Senator Leahy.
    Senator Leahy. Thank you, Madam Chair.
    You know, like most Vermonters, I have had a lot of concern 
about section 215 of the PATRIOT Act, section 702 of the 
Foreign Intelligence Surveillance, the FISA. We have had a 
number of common sense proposals in the Judiciary Committee to 
improve these provisions, but the Intelligence Community has 
told us that really we obviously do not have the ability as 
simple Senators to know anything as well as you do, and so they 
do not need changes. I am told they are critical to our 
counterterrorism efforts. The Congress should not tinker with 
them at all. We should simply trust you to use them the right 
way, and they should not be made permanent.
    I do not think that is wise. I think that there should be 
sunset provisions, and we should look at them periodically and 
we should actually debate them in a free and open society.
    Now, we have information, recently declassified by the 
Director of National Intelligence, and I am not going into 
questions of whether he contradicted himself on a couple of 
answers. But taking what he has recently declassified, it 
appears that section 702 collection he said was critical to 
disrupting the Zazi case in New York City, but it is not clear 
that data collected pursuant to 215 of the PATRIOT Act was 
similarly critical or crucial.
    So, General Alexander, let me ask you this. Aside from 
these two cases, has the Intelligence Community kept track of 
how many times phone records obtained through section 215 of 
the PATRIOT Act were critical to discovery and disruption of 
terrorist threats?
    General Alexander. I do not have those figures today.
    Senator Leahy. Are those figures available?
    General Alexander. We are going to make those figures 
available----
    Senator Leahy. How soon?
    General Alexander. Over the next week, it would be our 
intent to get those figures out. I have talked to the Intel 
Committee on that yesterday. I think it is important to----
    Senator Leahy. Wait a minute. You talked to the intel 
community about this yesterday, but you did not have the 
figures yesterday.
    General Alexander. I gave an approximate number to them in 
a classified----
    Senator Leahy. Okay.
    General Alexander. Classified. But it is dozens of 
terrorist events that these have helped prevent.
    Senator Leahy. Okay, so dozens.
    Now, we collect millions and millions and millions of 
records through 215, but dozens of them have proved crucial or 
critical. Right?
    General Alexander. For both here and abroad in disrupting 
or contributing to the disruption of terrorist attacks.
    Senator Leahy. Out of those millions, dozens have been 
critical.
    General Alexander. That is correct.
    Senator Leahy. Would you get me the specific--even it has 
to be in classified, the specific cases you are talking about?
    General Alexander. We will, but we are going through the 
Intelligence Committee to do this. Tomorrow I will give as 
clear as we have vetted precisely what we have done on each of 
those. And the reason that I want to get this exactly right, 
Senator, is I want the American people to know that we are 
being transparent in here.
    Senator Leahy. No, no. You are not giving it to the 
American people. You are giving in a classified to specific 
Members of Congress. Is that correct?
    General Alexander. Well, there are two parts. We can give 
the classified. That is easy. But I think also for this debate 
what you were asking--and perhaps I misunderstood this, but I 
think you were also asking what we could put out unclassified. 
And so the intent would be to do both.
    Senator Leahy. You can do that within a week?
    General Alexander. That is our intent. I am pushing for 
that and perhaps faster, if I do not get any kicks from behind 
me.
    Senator Leahy. If you do not get any what?
    General Alexander. Kicks from the people behind me who are 
doing the work because we do want to get this right. And it has 
to be vetted across the community so that what we give you, you 
know, is accurate and we have everybody here, especially 
between the FBI and the rest of the Intelligence Community, who 
can say this is exactly correct.
    Senator Leahy. Now, DNI Clapper said that section 702 
collection was critical to discovery and disruption of the plot 
to bomb the New York City subway system, the Zazi case. Is that 
correct?
    General Alexander. That is correct. In fact, not just 
critical, it was the one that developed the lead on it. So I 
would say it was the one that allowed us to know it was 
happening.
    Senator Leahy. But that is different than section 215.
    General Alexander. That is different than section 215.
    Senator Leahy. 215, phone records; 702----
    General Alexander. So if I could, I could explain this.
    Senator Leahy. No, go ahead.
    General Alexander. Because I do think it is important that 
we get this right, and I want the American people to know that 
we are trying to be transparent here, protect civil liberties 
and privacy, but also the security of this country.
    On the New York City one, the Zazi case, it started with a 
702 set of information based on operatives overseas. We saw 
connections into a person in Colorado. That was passed to the 
FBI. The FBI determined who that was, Zazi, and phone numbers 
that went to that. The phone numbers on Zazi were the things 
that then allowed us to use the business records, FISA, to go 
and find out connections from Zazi to other players throughout 
the communities, specifically in New York City. That is how 
those two worked together.
    Senator Leahy. Was 215 critical?
    General Alexander. I think 215 is critical in corroborating 
and in helping us understand----
    Senator Leahy. Was it critical in Zazi?
    General Alexander. Not to Zazi because the first part to 
Zazi went to the 702.
    Senator Leahy. And Headley? Was either 702 or 215 critical?
    General Alexander. 702 on Headley and some on the business 
record, FISA, for corroborating.
    And I think it is important to understand because this is 
an issue that I think will be part of the debate. And I would 
put on there, Senator, also the Boston. I think we need to walk 
through that so that what we have on the business record, FISA, 
what we have on 702, what you debate, the facts that we can 
give you is what we do with that, how we tip that to the FBI, 
if we took that away, what we could not do, and is that 
something that when we look at this from a security 
perspective----
    Senator Leahy. Of course, in Boston, if you are talking 
about the marathon case, what the FBI could have done was to 
pass on the information to the Boston authorities. They said 
they did not. That might have been helpful too.
    But my time is up. I mention this only because before it is 
brought up in the Judiciary Committee, we are going to be 
asking some very, very specific questions.
    General Alexander. So if I could, Senator, I just want to 
make sure that we are clear on one point. When I say 
``dozens'', what I am talking about here is that these 
authorities complement each other in helping us identify 
different terrorist actions and help disrupt them. They 
complement each other. So what you are asking me is to state 
unequivocally that A or B contributed solely to that. The 
reality is they work together. And we have got to help make 
that clear to you----
    Senator Leahy. And I will be waiting to see those specific 
examples either in open or classified fashion.
    Chairwoman Mikulski. Senator Cochran.
    Senator Cochran. Madam Chair, thank you.
    Let me first ask General Alexander a question. In testimony 
that was received by the Armed Services Committee, there was a 
discussion about how to provide incentives to talented military 
personnel who might be interested in becoming involved in the 
cybersecurity field. I know it is hard to contemplate how you 
just wave a magic wand and have all of the talented people 
available in the right places with the right responsibilities.
    What do you see as a first step in trying to get an 
infrastructure of leadership organized appropriately to carry 
out these missions?
    General Alexander. Senator, thanks.
    I think the most important part, top to bottom, is the 
training, coming up with a clear training program, which we 
have done with the services and with NSA to develop a set of 
standards. I think the training, in and of itself, helps us 
build a great cyber force, and it is that training for the 
leaders so we have training at the staff officer level, at the 
team level, all the way down to the individual operator. And we 
are standardizing that training amongst the services and 
between NSA and Cyber Command.
    I think raising those standards up has a couple of 
benefits. The soldiers, sailors, airmen, marines, and civilians 
that come into this field get great training, and it is 
something that they look forward to. And the operations that 
they do are significant. I think they really feel good about 
what they are able to do for our country. So from my 
perspective, it starts with training and building that kind of 
a force.
    You mentioned incentives, Senator, if I could. I think 
incentives is going to play a key part in this. As incentive 
pay for languages plays a key part, I think incentives for our 
cyber force is also going to play a key part. And we have had 
discussions with the services about how to start that. We do 
not have that in this program yet, but that is something that 
we are looking at.
    Senator Cochran. Does the Department of Defense have the 
resources to maintain a number of cyber test ranges across the 
services and agencies, for training and research purposes? I 
know you carry out exercises that test the compatibility of 
cyber capabilities with conventional weapons and other weapons 
systems. Could you share with the committee what your thoughts 
are about cyber ranges and whether you plan to dedicate certain 
areas exclusively for these purposes?
    General Alexander. Senator, that is a great question and 
one that we are putting a lot of effort into because I do think 
we need to bring the ranges together so that we have a joint 
approach to this.
    One of the things that I would point out is the service 
academies play a cyber defense exercise together, and this gets 
into your range issue. And when you look at so how do you 
defend your networks in a way--the service academies compete 
against each other for seeing who has the most defensible 
network. When you think about that, in a cyber range what you 
want people to do is to practice their tactics, techniques, and 
procedures in a sterile environment so nothing bad happens. It 
only happens inside that. They can learn. We have seen that on 
the military side. The National Training Center and other 
things are great places for that. We need to do the same here. 
So those that are defending our networks know what the 
adversaries are going to do and are prepared for all those 
contingencies. It helps raise that. And I think bringing the 
ranges together ensures that they are operating at the right 
level as a joint team.
    Senator Cochran. My staff informed me that last week our 
committee received a notice that about one-half of NSA's 
personnel in the Cyber Threat Center could be furloughed as a 
result of sequestration. Now, that is a fine ``How do you do?'' 
Has there been any attention given to what you are going to do 
to address shortfalls due to sequestration?
    General Alexander. So we have worked this. It is across the 
Defense Department. So the sequestration for all the military 
has been standardized across all the departments. The NSA--on 
the intelligence side is not there--but all of Cyber Command--
our civilians will be sequestered. Right now that is an 11-day 
or 1 day a week for the last 11 weeks of the fiscal year. That 
has a significant impact on us and all others that will be 
furloughed. I think that is a key issue and has significant 
impact on our people. And it goes right back to how do you hire 
good people and then furlough them. This is a tough issue that 
not only we face but the rest of the Department.
    Senator Cochran. Thank you, Madam Chair.
    Chairwoman Mikulski. Thank you, Senator Cochran, and thank 
you for raising the sequester issue. It has been raised at the 
intel hearing when we listened to the worldwide threat right as 
we were moving into the continuing funding resolution. DNI 
Clapper asked for more flexibility. Of course, he wanted more 
money but more flexibility. We were precluded by the House from 
putting that in the bill. I think the intel community, which is 
primarily particularly a DOD civilian force--you need that 
flexibility.
    So we look forward to working on both sides of the aisle 
and both sides of the dome to be able to do this.
    I just would like to share with the committee the order. We 
are going to go to Durbin, then Johanns, Merkley, Collins, Tom 
Udall, Senator Coats, Senator Landrieu, and Senator Feinstein, 
you came before the testimony started. So instead of 
alternating, we will go right to you. Then we will go to 
Senator Boozman and then Senator Pryor. That is our order of 
our lineup. So now it is going to be Durbin, Johanns, Merkley, 
Collins. Senator Durbin.
    Senator Durbin. Thank you, Madam Chair. And thanks as well 
to Senator Mikulski for bringing the cyber issue into sharp 
focus for the entire Senate with our bipartisan briefing.
    I was on the Intelligence Committee right at the time of 9/
11. I saw what happened immediately afterwards. There was a 
dramatic investment in intelligence resources for our Nation to 
keep us safe and a dramatic investment in the personnel to 
execute the plan to keep us safe.
    I trusted--and I still do--that we were hiring the very 
best, trusting them to not only give us their best in terms of 
knowledge but also their loyalty to our country.
    I would like to ask you about one of those employees who is 
now in a Hong Kong hotel, and what we know about him is as 
follows. He was a high school dropout. He was a community 
college dropout. He had a GED degree. He was injured in 
training for the U.S. Army and had to leave as a result of 
that. And he took a job as a security guard for the NSA in 
Maryland. Shortly thereafter, he took a job for the CIA in what 
is characterized as IT security in the Guardian piece that was 
published.
    At age 23, he was stationed in an undercover matter 
overseas for the CIA and was given clearance and access to a 
wide array of classified documents.
    At age 25, he went to work for a private contractor and 
most recently worked for Booz Allen, another private contractor 
working for our Government.
    I am trying to look at this resume and background. It says 
he ended up earning somewhere between $122,000 and $200,000 a 
year. I am trying to look at the resume background for this 
individual who had access to this highly classified information 
at such a young age with a limited educational and work 
experience, part of it as a security guard, and ask you if you 
are troubled that he was given that kind of opportunity to be 
so close to important information that was critical to the 
security of our Nation.
    General Alexander. I do have concerns about that. Over the 
process, Senator, I have grave concerns over that. The access 
that he had, the process that we did--and those are things that 
I have to look into and fix from my end and across the intel 
community, Director Clapper said we are going to look across 
that as well. I think those absolutely need to be looked at.
    I would point out that in the IT arena, in the cyber arena, 
some of these folks have tremendous skills to operate networks. 
That was his job for the most part from the 2009/2010 as an IT, 
a system administrator within those networks. He had great 
skills in that area.
    But the rest of it, you have hit on the head. We do have to 
go back and look at these processes, the oversight on those--we 
have those--where they went wrong and how we fix those.
    Senator Durbin. Let me shift to another topic raised by 
Senator Leahy, section 215. 10 years ago, I first introduced 
legislation known as the SAFE Act. It was a bipartisan bill to 
reform the PATRIOT Act. My cosponsors included Senators Chuck 
Hagel, John Kerry, and Barack Obama. My most significant 
concern with 215 was that it would be used to obtain sensitive 
personal information of innocent Americans who had no 
connection to any suspected terrorism or spy activity.
    When the PATRIOT Act was up for reauthorization in 2005, I 
worked to establish a new standard for 215, and under the 
standard, the FBI would have broad authority to obtain any 
information, even tangentially connected to a suspected 
terrorist or spy, such as the examples you used in the Zazi 
case. 702 information could have led to 215 phone record 
information on any suspect. But under my provision, innocent 
Americans with no connection to any of these activities or 
suspects would be protected.
    The Republican-controlled Senate approved my reform to 215 
unanimously. However, the Bush administration objected. It was 
removed in the conference committee.
    2009, I tried again with no success to put this protection 
of innocent Americans back into the PATRIOT Act.
    Now the cloak has been lifted by media reports that the NSA 
obtained phone records of millions of innocent Americans with 
no connection to terrorism. The data includes the numbers of 
both parties to the calls, the location of the callers, the 
time and duration of the calls. I have been briefed on these 
programs, and I obviously will not discuss their details here. 
But it appears to me the Government could obtain the useful 
information we need to stay safe and still protect innocent 
Americans.
    My question to you is this. Section 215 can be used to 
obtain, ``any tangible thing'' that could include medical 
records, Internet search records, tax records, credit card 
records, et cetera.
    Last year, the Government filed 212 section 215 orders. 
That is an increase from 21 such orders in 2009. So clearly, 
this authority is being used for something more than phone 
records.
    So let me ask you. Do you think section 215 giving you 
authority to secure tangible things could include the 
categories of information that I just listed?
    General Alexander. I do not use those, so I am not aware of 
anything that goes that--that would be outside of NSA. All we 
use this for today is the business records, FISA.
    I would point out--I just want to characterize something 
that you said here. As you know, this was developed--and I 
agree with you. We all had this concern coming out of 9/11. How 
are we going to protect the Nation? Because we did get 
intercepts on Midar, but we did not know where he was. We did 
not have the data collected to know that he was a bad person. 
And because he was in the United States, the way we treat it is 
he is a U.S. person. So we had no information on that, and if 
we did not collect that ahead of time, we could not make those 
connections.
    So what we create is a set of data and we put it out here, 
and then only under specific times can we query that data. And 
as you know, Senator, every time we do that, it is auditable by 
the committees, by the Justice Department, by the court, and by 
the administration. We get oversight from everybody on this.
    Senator Durbin. I am over my time, but here is the point. 
If you knew that a suspect had made a call into area code 312, 
the city of Chicago, it certainly defies logic that you need to 
collect all of the telephone calls made in the 312 area code on 
the chance that one of those persons might be on the other end 
of the phone. Now, if you have a suspected contact, that to me 
is clear. I want you to go after that person. What I am 
concerned about is the reach beyond that that affects innocent 
people.
    General Alexander. So we agree at least on that part.
    And the next step, I think, in the debate that we actually 
need to talk about is so what happens if you do not know he is 
in 312 yet. And so something happens, and now we say who was he 
talking to. So let us take Midar. You had authorized us to get 
Midar's phones in California. But Midar was talking to the 
other four teams. Under the business record, FISA, because we 
had stored that data in a database, we now have what we call 
reasonable, articulable suspicion. We could take that number 
and go backward in time and see who he was talking to. And if 
we saw there were four other groups, we would not know who 
those people were. We would only get the numbers. We would say 
this looks of interest and pass that to the FBI. We do not look 
at the identities of it. We only look at the connections.
    Senator Durbin. I am way over time. I am not going to dwell 
on it.
    You have just given a clear illustration where you had 
specific information about telephone contacts, which I do not 
quarrel with. What I quarrel with is collecting all of the 
information in California on telephone records to try to find 
that specific case. That to me seems overly broad.
    Chairwoman Mikulski. Thank you very much.
    Senator Johanns.
    Senator Johanns. General Alexander, I want to talk to you 
about Cyber Command, but Senator Durbin has raised a very 
interesting question. And let me just follow up on this.
    Would this lead--the scenario that he has laid out--to a 
telephone record search for all of Omaha? Or walk us through 
that.
    General Alexander. So the methodology would be what is put 
into a secure environment called ``detail records.'' These are 
to/from records and at a selected time. So we do not know 
anything that is in there. We will not search that unless we 
have some reasonable, articulable suspicion about a terrorist-
related organization. If we see that, we have to prove that we 
have that. Then given that, we can now look and say who was 
this guy talking to in the United States and why.
    Senator Johanns. And so you could search across the breadth 
of telephone records.
    General Alexander. All you are looking for on that is so 
who did he talk to.
    Senator Johanns. Yes.
    General Alexander. And so the system just gives us back who 
he was talking to. But if you did not collect it, how do you 
know who he was talking to? And so the issue really becomes if 
you do not have the information--so I do not give you any 
connections. I just give you a number and say, now, find who he 
is talking to. You do not have the information.
    So this was the debate. I mean, you bring it up because 
this came up 10 years ago. So how do we do that? How do we 
solve this problem? And the answer was we want to protect civil 
liberties and privacy. We do. And we want to protect the 
country. So the thought was a reasonable approach that we all 
agreed on--the Congress, the courts, the administration--was we 
will put this in a way that we have tremendous oversight by the 
court. And so every time your people, a small set of those, can 
go in, they have to have a reason to go in and look at the 
data. And when they get something out, they have to look at it 
and say does this meet the reporting guidelines and put that in 
the report. Only a few reports a year go out on that, just a 
handful--handfuls.
    Senator Johanns. Does this extend beyond telephone records? 
For example, could you check and see what that person is 
Googling? Could you check and see who that person is e-mailing?
    General Alexander. So there are two parts of your question 
here.
    So going to the next step, once we identify a person of 
interest, then it goes to the FBI. The FBI will then look at 
that and say what more do we need to now look at that 
individual themselves. So there are issues and things that they 
would then look at if passed to them.
    Senator Johanns. So the answer to the question is yes.
    General Alexander. Yes, you could. I mean, you can get a 
court order to do that. So in either case----
    Senator Johanns. But would that take a court order?
    General Alexander. It would. To do any kind of search in 
these areas on a U.S. person, you have to have a court order.
    Senator Johanns. So now you have gotten into phone records. 
You have gotten into who they might be Googling. You have 
gotten who they might be e-mailing. What else do you feel that 
you can get?
    General Alexander. So I am not sure of your question. On a 
terrorist acting in the United States----
    Senator Johanns. Well, you do not know if it is a terrorist 
yet. You have got this reasonable suspicion, which is not even 
probable cause. You have just got this kind of uneasy notion, 
this feeling that something is happening here.
    General Alexander. So that is the----
    Chairwoman Mikulski. Wait, wait. Let us just stop here a 
minute. We are not going to inhibit your questions, but I think 
we need to clarify that the activity in which you are 
operating, General Alexander--so we are getting into probable 
cause, a lot of these that are absolutely important in a 
debate. But you will be functioning also with a warrant.
    Senator Feinstein, did you want to clarify? Just if we 
could.
    Senator Feinstein. If I may.
    Chairwoman Mikulski. And I am going to come back and give 
you more time. Senator Johanns, you will get more time.
    Senator Johanns. Thank you.
    Senator Feinstein. If I may quickly, Senator.
    It is my understanding you have the metadata. You have the 
records of what appears on a phone bill, and if you want to go 
to the content, then you have to get a court order, the same 
thing you would do in a criminal case. You would have to get a 
court order that would permit you to collect the content of the 
call. You can ask him if that is right or wrong.
    General Alexander. But it is correct.
    Senator Johanns. And I assume that, but I am not talking 
about content at this point. I am not asking if you can read 
somebody's emails. I am assuming at some point there would be a 
legal standard by which you could do that. Being a lawyer, I 
know that.
    What I am only getting to is you have identified for us 
that you can get phone contacts. I am asking can you get Google 
contacts. Can you get e-mail contacts? I am not talking about 
reading the e-mail or seeing what they are saying back and 
forth. I am not at that point. But what I worry about is how 
far do you believe this authority extends. Can you get Google 
contacts? Can you get e-mail contacts? Again, I am not asking 
about reading the e-mail.
    General Alexander. So I think there are a couple things 
here that I want to make sure that we have got.
    The BR-FISA only talks about phone contacts, phone 
metadata. That is all that program talks about. So any program 
that we have--and Senator Feinstein, if you want to get the 
content, you would have to get a court order. In any of these 
programs, you know we have court orders for doing that, with 
oversight by the Congress, by the courts, and by the 
administration.
    So my concern in all of this is that I think this is an 
area where we have to give you both the detail--and I think we 
need this for the American people. They need to understand it 
so they can see what we are doing and what the results of it 
are. I do think that is important.
    I also believe--you know, we had this debate several 
times--and Senator Durbin brought it up--from 2001 on. And this 
is one now where we need to bring out, because of these leaks, 
the rest of the story, show what we do, what it protects the 
country from, and have the debate. Does it make sense? In order 
to do that, I think what we have to give you is the rest of 
that data. Tomorrow we will put that in a classified session, 
but the intent would be to try to get as much out publicly so 
that everybody has the information, where we can.
    And the reason that I hesitate a little bit here is I do 
not want to make the mistake that causes the statements that I 
have for our country to lose some form of protection and we get 
hit with a terrorist attack because I made that mistake.
    Senator Johanns. And I thank the Chair for the additional 
time. I will wrap up with a comment.
    The concern here--the American public is fearful that in 
this massive amount of data you get, that there is the ability 
of the Federal Government to synthesize that data and learn 
something more than maybe what was ever contemplated by the 
PATRIOT Act. That would be number one.
    The second thing is a more personal issue, and it kind of 
gets into some of the concerns about Cyber Command. And that 
is, you are in this hugely unique role. We have always had this 
view of separating the civilian leadership politically elected 
from the military leadership, and yet you have got this dual 
hat. And it creates a concern not about you because you have 
got a remarkable record, and I thank you for your service. But 
it is a very, very concerning role that we find you in, at 
least for Mike Johanns. And I just think we have got to get 
some information out to the public because right now we are all 
getting bombarded with questions that many of us at the rank 
and file level in the Senate cannot answer. I am not the chair 
of the Intelligence Committee. I am not the ranking member. I 
do not serve on the committee. And the impression has been 
created that people are parked in our office giving us daily 
briefings on this or monthly briefings and that has not been 
the case. So we need to know.
    Chairwoman Mikulski. Senator Johanns, I think you had an 
excellent line of questioning, and I must say the tone and 
demeanor are appreciated.
    Senator Johanns. Thank you.
    Chairwoman Mikulski. And, General Alexander, we are going 
to move on from this topic. I think you have that. Senator 
Merkley has been waiting. What we are now moving into is a 
domain that is not the parameters of this hearing, though this 
Senator will not inhibit any Senator from asking any question 
they want.
    I want to remind the Senators that tomorrow in the 
Feinstein hearing, many of these can be followed and I hope it 
is a learning experience that when you go to Feinstein, your 
questions will even be as cogent and comprehensive as they are 
here today.
    So, Senator Merkley, we are going to turn to you now.
    Senator Merkley. Thank you very much, Madam Chair.
    And thank you, General. You referred to section 215, and 
215 requires an application for production of any tangible 
thing. And it says in it that this application must have a 
statement of facts showing reasonable grounds that the tangible 
things sought are relevant to an authorized investigation. So 
we have several standards of law embedded in this application, 
a statement of facts, reasonable grounds, tangible things that 
are relevant to an authorized investigation.
    Now, as it has been described in this conversation and in 
the press, the standard for collecting phone records on 
Americans is now all phone records all the time all across 
America. How do we get from the reasonable grounds, relevant 
authorized investigation, statement of facts to all phone 
records all the time, all locations? How do you make that 
transition and how has the standard of the law been met?
    General Alexander. Well, so this is what we have to deal 
with the court, and I think that we go through this court 
process. It is a very deliberate process where we meet all of 
those portions of 215. We lay out for the court what we are 
going to do, and to meet that portion that you just said, the 
answer is we do not get to look at the data. We do not get to 
swim through the data.
    Senator Merkley. Let me stop you there because these are 
requirements to acquire the data, not to analyze the data, to 
acquire the data. This is the application to acquire the data.
    So here I have my Verizon phone, my cell phone. What 
authorized investigation gave you the grounds for acquiring my 
cell phone data?
    General Alexander. I want to make sure I get this exactly 
right. You know, I think on the legal standards and stuff, on 
this part here, I think we need to get the Department of 
Justice and others because it is a complex area. And you are 
asking a specific question. I do not want to shirk that, but I 
want to make sure I get it exactly right. And so I do think 
what we should do, as part of perhaps the closed hearing 
tomorrow, walk through that with the intent of taking what you 
have asked and seeing if we can get it declassified and out to 
the American people so they see exactly how we do it because I 
do think that should be answered.
    Senator Merkley. General, thank you. Let me fill in the 
middle piece here. In between----
    Chairwoman Mikulski. Senator Merkley, I would like to help 
you out. I think Senator Merkley has asked an excellent 
question, and you want to get it right. And the answer, I would 
suggest, should be in writing. That way you get it right and he 
gets his answer. How does that sound?
    General Alexander. We will take that for the record.
    Senator Feinstein. If you will yield. I have asked that 
that question get answered tomorrow at the hearing by DOJ, 
Senator Merkley, exactly as you have delivered the question.
    Chairwoman Mikulski. Okay. But either way, Senator Merkley 
should get his answer, and I would suggest perhaps both in 
writing, your hearing, and into his hands.
    Senator Merkley. I thank the Chair, both chairs.
    If I can elaborate on the piece that I would like answered, 
is that okay, Madam Chair?
    Chairwoman Mikulski. It is your time.
    Senator Merkley. In between these two pieces, a FISA court 
gives an interpretation of the plain language of the law. Their 
interpretation is what translates the standards in the law into 
what is governable in terms of what you can do.
    I had an amendment last December that said these findings 
of law that translate the requirements that are in the law into 
what is permissible needs to be declassified so we can have the 
debate.
    I believe that what you just said is you want that 
information to be declassified that explains how you get from 
these standards of law to the conduct that has now been 
presented publicly. Did I catch that right? And do you support 
the standards of law, the interpretations of the FISA court of 
the plain language to be set before the American people so we 
can have this debate?
    General Alexander. I think that makes sense. I am not the 
only decisionmaker in the administration on this process. So 
there are two issues. I am not equivocating. I just want to 
make sure that I have put this expectation exactly right, and 
that is I do not want to jeopardize the security of Americans 
by making a mistake and saying, yes, we are going to do all 
that. But the intent is to get the transparency there.
    So, Senator, I will work hard to do that, and if I cannot 
do that, I will come back to you and tell you why and then we 
should have that discussion and run it out. And I would defer 
to the chair of the Intel Committee, but I think that is 
reasonable to get this out.
    Now, having said that, I do not have the legal background 
that perhaps you have in this area. I want this debate out 
there for a couple reasons. I think what we are doing to 
protect American citizens here is the right thing. Our agency 
takes great pride in protecting this Nation and our civil 
liberties and privacy and doing it in partnership with this 
committee, with this Congress, and with the courts. We have 
everybody there. We are not trying to hide it. We are trying to 
protect America. So we need your help in doing that. This is 
not something that is just NSA or the administration doing it 
on its own. This is what we--that our Nation expects our 
Government to do for us. So we ought to have that debate. We 
ought to put it out there and we have got to put those two 
together. So I just want to put that one caveat there, and if I 
can make it happen, I will.
    Senator Merkley. General, I thank you for your expression 
of support.
    I also want to thank Chair Feinstein who helped develop and 
sent a letter expressing this concern about the secrecy of the 
interpretations of the FISA court. I do think it is time that 
that become understandable in public because otherwise how in a 
democracy do you have a debate if you do not know what the 
plain language means. I do have concerns about that 
translation. I will continue this conversation and thank you.
    Chairwoman Mikulski. Senator Collins.
    Senator Collins. Thank you, Madam Chairman.
    Madam Chairman, I am actually going to ask a question about 
computer security, but before I do so, I do want to give 
General Alexander a chance to answer a very quick question that 
has to do with Americans' concern about their own private 
computer security and privacy.
    I saw an interview in which Mr. Snowden claimed that due to 
his position at NSA, he could tap into virtually any Americans' 
phone calls or emails. True or false?
    General Alexander. False. I know of no way to do that.
    Senator Collins. Thank you. I just wanted to clarify that 
because perhaps that is one issue we could put to rest.
    Now let me switch to the computer security question.
    Chairwoman Mikulski. Oh, boy.
    General Alexander. We are not ready for those.

              CRITICAL INFRASTRUCTURE: INCIDENTS REPORTING

    Senator Collins. In the President's budget, it is mentioned 
that the Nation has four top cyber risks, and the first one 
listed is one that has been of great concern to me since we 
produced the bill last year that, unfortunately, could not get 
past a filibuster, and that is attacks that are aimed at our 
critical infrastructure. And Secretary Beers, I am going to ask 
you this question.
    The General has alluded to the fact that much of our 
critical infrastructure is owned or operated by the private 
sector. In fact, it is 85 percent that is in the private 
sector. And our FBI witness has talked about the iGuardian 
program which encourages private industry partners to report 
cyber incidents to the Government in real time.
    Our legislation last year had a requirement that the owners 
and operators of critical infrastructure--not all 
infrastructure, critical infrastructure--would be required to 
report major cybersecurity incidents. Does the administration 
still support mandatory reporting in such cases?
    Mr. Beers. Senator, that was our position then and that 
remains our position at this point in time. Obviously, we are 
prepared to work with the Congress. You all ultimately write 
the legislation. But that remains the administration's 
position.
    Senator Collins. Thank you.
    In that legislation, we did pay attention to the need for a 
more expert cyber workforce, and boy, this latest account, 
which Senator Durbin did such a great job of going through the 
resume of this individual, just underscores how much work there 
is to be done in making sure that whether it is public sector 
or private sector, that we have a well vetted, well qualified 
cyber workforce.
    I would like to hear from all four of you on whether you 
are having difficulties in recruiting individuals who have the 
skills that you need and doing the appropriate vetting of them 
so that we can avoid having the hiring of a young high school 
dropout, community college dropout, did not complete his 
military service, young person with so little experience being 
given access to so much classified information. And, General 
Alexander, we will start with you and then just go down the 
panel.
    General Alexander. Well, Senator, I would just like to 
state first that in the military, we are going to hire young 
folks out of high school, who graduate from high school, to 
work in this area. And the key will be the training that we 
give them.
    Now, ideally we would like to get 4 years out of a top-
notch engineering school for some of the military positions, 
but we will not get that. So what we have is a responsibility 
to train them, bring them into the force and train them. And we 
have a program, but it takes several years to get somebody 
trained in this area, as you know. So in effect, what we are 
running is a cyber college for many of our young enlisted folks 
to get them to the requisite skills.
    On the NSA side, we are able to hire more college graduates 
into the Government side of that.
    What I need I think is greater scrutiny. What I need to go 
back and look at is what am I getting with my contract support 
and what are their capabilities and how do we manage that from 
a Government perspective. So that is something I have concerns 
about and I have got to go back and address.

             QUALIFIED WORKFORCE: RECRUITING AND RETAINING

    Senator Collins. Secretary Beers.
    Mr. Beers. Senator, we have a major initiative underway, as 
you are well aware. We have defined our cyber workforce. We are 
matching the positions with the skill set that is required to 
serve in those positions. We are also in the process of looking 
to hire another 600 individuals to augment that 1,500-person 
workforce. We have a series of programs, one with community 
colleges where we are looking to find people who have taken the 
correct, appropriate courses at the community college level who 
we can hire as beginning workforce members and train them up. 
We also have a program in conjunction with NSA that goes to 
colleges and universities that have Centers for Excellence that 
provide us with top-notch 4-year graduates. And then we have an 
effort to reach out to the private sector to find individuals 
there.
    I think we have an excellent workforce, but we have, as you 
well know, a provision that was in the bill that you worked 
on----
    Senator Collins. Correct.
    Mr. Beers [continuing]. And that we would like to see in 
any cyber legislation that gives us some assistance in terms of 
both recruiting and retaining that kind of a workforce which 
would allow us comparable pay and benefits to what NSA is able 
to offer to its workforce.
    Thank you.
    Senator Collins. Thank you. I know my time has expired. So 
I am going to ask the other two witnesses to submit their 
answers for the record.
    But I thank the whole workforce issue is absolutely 
critical. We did have that as an important part of our bill 
last year.
    Thank you, Madam Chairman.
    Chairwoman Mikulski. I think you are absolutely right, 
Senator Collins, and thank you for asking a question actually 
on the topic, though it is our security.
    And we are going to turn now to Senator Udall, but just to 
add to that, as we go to Senator Udall, we keep hearing Snowden 
had the skills. Well, maybe he did. You know, but just because 
you are a swimmer and you are a champion swimmer does not mean 
we ought to make you a Navy SEAL. So I will leave it at that.
    Senator Udall.
    Senator Udall. Thank you, Madam Chair, and I thank the 
entire panel for their service to the country in these very 
difficult times.
    First, I would like to welcome Dr. Pat Gallagher. Although 
his career took him away from Albuquerque, Dr. Gallagher is a 
native of New Mexico, and I want to recognize him for his 
leadership at NIST and his commitment to public service. Pat, 
it is good to have you here today.
    American citizens, businesses, and Government agencies face 
serious cyber threats, and you have talked about some of these 
here today. Personal data, trade secrets, and national security 
secrets are at risk from intrusion by independent hackers and 
foreign governments. And I have supported cybersecurity 
legislation in the Senate, and I support funding for our 
cybersecurity defense.
    But the elephant in the room today here is--and we have 
been talking about it some--that many Americans are also 
becoming more concerned about what their own Government is 
doing with domestic surveillance. Last week, we learned of 
widespread collection of Americans' phone records under section 
215 of the PATRIOT Act, also the massive-scale online 
surveillance through the PRISM system conducted under FISA 
section 702.
    I want to let you know, I voted against the PATRIOT Act in 
2001 and the FISA Amendment Act in 2008. I have also voted 
against their reauthorizations since then. Several of us 
attempted to add privacy protections to these laws but faced 
strong resistance, as Senator Durbin indicated.
    Today I am sending a bipartisan letter to the Privacy and 
Civil Liberties Oversight Board asking them to make it a 
priority to investigate the bulk phone records collection and 
the PRISM program to determine whether they, number one, are 
conducted within the statutory authority granted by Congress 
and, number two, take the necessary precautions to protect the 
privacy and civil liberties of American citizens under the 
Constitution.
    The Board was created by the Congress based on a 
recommendation of the 9/11 Commission, but it has taken years--
many of you realize this and know this--to get a full 
membership and a chairman. I have been working to get this 
Board operational since I was in the House, and I believe it 
can provide an important check against civil liberties abuses.
    Richard Clarke, who was the counterterrorism aide under 
three Presidents I believe, just wrote an article recently on 
this and suggested we would not have the problems today if we 
had stood up this Board much more quickly.
    General Alexander, will the NSA cooperate with any 
investigation conducted by the Privacy and Civil Liberties 
Oversight Board into the agency's collection and analysis 
programs?
    General Alexander. Senator, we will. And I think, in fact, 
my Deputy met with the Board yesterday and actually briefed 
them for a couple of hours on both programs so that they 
understood. And I do not know if you have gotten feedback from 
that, but my understanding is I think it went well.
    I think you bring up a very important point here because I 
do think what we are doing does protect Americans' civil 
liberties and privacy. The issue is to date we have not been 
able to explain it because it is classified. So that issue is 
something that we are wrestling with. How do we explain this 
and still keep this Nation secure? That is the issue that we 
have in front of us.
    So you know that this was something that was debated 
vigorously in the Congress, both the House and the Senate, 
within the administration and now works for the court. So when 
you look at this, this is not us doing something under the 
covers. This is what we are doing on behalf of all of us for 
the good of this country. Now what we need to do, I think, is 
to bring as many facts as we can out to the American people.
    So I agree with you, but I just want to make that clear 
because the perspective is that we are trying to hide something 
because we did something wrong. We are not. We want to tell you 
what we are doing and tell you that it is right and let the 
American people see this. I think that is important, but I do 
not want to jeopardize the security of our country or our 
allies. So that is what we have to weigh in what we look at 
what we are going to declassify to allow this very public 
debate.
    Senator Udall. General, I very much appreciate your answer, 
but it is very, very difficult, I think, to have a transparent 
debate about secret programs approved by a secret court issuing 
secret court orders based on secret interpretations of the law.
    I know there are many other questions here, and I am going 
to ask the ones in closed session when we get together later in 
the week. I have several other questions on cybersecurity, but 
I see my time has expired and so I will submit those for the 
record.
    But thank you very much for your answers, and I very much 
appreciate you meeting with the Board and briefing them on what 
you are doing. I think that they are a good counterbalance in 
terms of what is going on here in terms of asking questions and 
then being able to, I hope, have the credibility of the 
American people to answer some of these questions also. Thank 
you.
    Thank you, Madam Chair.
    Chairwoman Mikulski. We are now going to turn to Senator 
Coats, but before we do, I want to respond to a Tweet about me 
from Rosie Gray. Rosie Gray said on her Tweet 17 minutes ago, 
``Senator Barb is trying hard to keep the other Senators from 
asking General Alexander any more about data mining programs. 
Not everybody might be watching C-SPAN.'' So I want to say to 
Rosie and to others who might read from Rosie there is no 
attempt here to muzzle, stifle any Senator from asking any line 
of questions.
    And so we have an open hearing, but the purpose of the 
hearing was on the enduring war of cybersecurity. While we 
might be concerned about data mining and who is reading our--
the phone records, et cetera, we are also concerned about 
stealing the--the cyber fraud that is going on against our 
senior citizens, our identity theft, stealing our cures for 
cancer that are pending over at the Food and Drug 
Administration (FDA). So we are here on cyber. But any Senator 
can ask any question at this hearing that they want to.
    So, Rosie, it is an open hearing. ``Hi.'' Look forward to 
keeping in touch.
    Senator Coats.
    Senator Coats. Well, I want to send a message to Rosie 
also.
    As a member of the other party, Senator Mikulski, 
chairwoman of this committee, has been extremely tolerant of 
our diversion from what the purpose of this appropriations 
hearing was. This is the Appropriations Committee. Our purpose 
is to determine what kind of financial resources our agencies 
need to address critical issues facing our country, and we have 
diverted, thanks to the tolerance of the Chair, to a critical 
question but one that, as General Alexander said, is scheduled 
to be and will be thoroughly discussed with every Member of 
Congress and with the public to the extent that is possible.
    General, I appreciate your answer to Senator Udall's last 
question. You are walking a very difficult tightrope here 
because there are demands that you release previously 
classified information to not just Members of Congress, but to 
the general public. And if you do not do that, this frenzy of 
mischaracterization of these programs will continue in the 
public. And so you are caught between a rock and a hard place. 
I regret that.
    I have been urging my colleagues that before they draw a 
conclusion and go public with that conclusion, they first learn 
about the counterterrorism program because the more you learn 
about the program, the more you realize the enormous effort 
that has been made to respect the privacy and civil liberties 
of Americans and the hurdles you have to go through to get the 
most minimal list of information.
    I think as the public hears more mischaracterizations of 
this program, like the government listens to and saves all the 
phone records all the time and the public interprets that as 
meaning everything that has been said over a phone is stored 
somewhere and you can go in and retrieve it or abuse the use of 
these programs. You have tried to clarify the program a number 
of different times in terms of what you collect and what you do 
not collect and how you have to go through a legal process in 
order to even begin to ascertain information that is necessary 
for you to come to some conclusion about whether or not this 
country is about to be attacked by terrorists.
    Well, let me ask you this question. Given the fact that 
this issue has swept across the country and we are in a 
position where we have to disclose more about it in order to 
calm the public misperception of what it is, are there 
consequences? Do we have to look at both sides of this 
question, one, being transparent, addressing civil liberties 
but, two, the importance of keeping some missions and some 
activities in a classified manner so that those that are 
intending to do us harm do not learn about our counterterrorism 
efforts and therefore make adjustments to bypass the very 
methods that we have to potentially prevent a serious attack 
against the United States?
    I would like you to address that question, particularly in 
relationship to what you have said about 9/11 and how perhaps 
if we had had these programs in place at the time, we could 
have prevented that, and a little bit more about the 
consequences of--as some have suggested--simply opening this up 
for the whole world, including people sitting in places where 
they are trying to determine how they can best attack the 
United States.
    General Alexander. Senator, thank you for the question 
because that is my concern. Great harm has already been done by 
opening this up, and the consequence I believe is our security 
is jeopardized. There is no doubt in my mind that we will lose 
capabilities as a result of this and that not only the United 
States but those allies that we have helped will no longer be 
as safe as they were 2 weeks ago. So I am really concerned 
about that.
    I am also concerned that as we go forward, we now know that 
some of this has been released. So what does it make sense to 
explain to the American people so they have confidence that 
their Government is doing the right thing? Because I believe we 
are and we have to show them that. And you said it right. We 
have great people working under extremely difficult conditions 
to ensure the security of this Nation and protect our civil 
liberties and privacy. They do a great job. Actually I would 
like the American people to know that because they would be 
tremendously proud of the men and women of NSA who have done 
this for us for the last decade. It is a great story.
    The issue is that we then have to debate is how much do we 
give out and what does that do to our future security. That is 
where the real debate is going to take place because that is 
the issue that is now before us. There is water, broken glass, 
and everything else on the floor. We now can look at that, but 
what we are going to have to do as a Nation going forward is 
say what can we do, and that is where the Congress, I believe, 
has to stand up on behalf of the American people.
    Some of these are still going to be classified and should 
be because if we tell the terrorists every way that we are 
going to track them, they will get through and Americans will 
die. That is wrong. And our allies. We have got to come up with 
a way of doing this.
    And you know, I thought the great part about this program 
was that we brought the Congress, the administration, and the 
courts all together. We did that. That is what our Government 
stands for under the same Constitution. We follow that 
Constitution. We swear an oath to it.
    So I am concerned and I think we have to balance that. I 
would rather take a public beating and people think I am hiding 
something than to jeopardize the security of this country.
    Now, having said that, some of this is out there, and it is 
right that we have that debate. And so what makes sense to put 
out there so that people will know that what we are doing is 
right, we ought to do that. And I think that part will be good 
for the country.
    And there are other parts that I think you need to weigh in 
and say, but do not do that. And that is where you, the 
administration, and potentially the courts ought to come 
together and say, so now what do we do.
    Chairwoman Mikulski. Thank you.
    Senator Coats. Thank you. I appreciate that statement and I 
think it should be made in the record and published across the 
Nation.
    Chairwoman Mikulski. Senator Landrieu.
    Senator Landrieu. Thank you so much.
    I would like to follow up by saying, General Alexander, I 
am so proud of you for being in charge of this because your 
demeanor through this whole hearing has, once again, proven to 
me that you are the right person for this job, and the four 
stars that you wear indicate a great understanding of the 
balance that you are trying to achieve.
    Perhaps these facts might support what Senator Coats and 
others have been trying to express, given the important, but 
difficult questioning.
    U.S. Cyber Command says there are 250,000 attacks on U.S. 
Government networks every hour, 6 million a day. And among the 
attackers are 140 foreign spy organizations. This is what our 
men and women are up against. We are not in a scrimmage. We are 
in a war. It is a very serious issue, and we are way behind the 
eight ball in my view in terms of allocation of resources, as 
much as we are struggling to clarify roles and responsibilities 
and balance this new war that we have never fought before under 
a Constitution that is probably the best and most open in the 
world. I think they need a little space.
    Second, I have every confidence in this chairman to provide 
leadership. This hearing is one of the best hearings, Madam 
Chair, I have ever participated in in the almost 18 years I 
have been here. I thank you for it.
    And I have great confidence in Senator Feinstein. I do not 
think there is a Member of the Senate in either party that 
would question her integrity on this issue as head of our 
Intelligence Committee trying to balance the civil liberties 
representing the State of California, which probably has the 
strongest views on this of any State, and the military which 
has been engaged in war since the beginning of time but never 
one like this.
    So I just want to say I am very proud of our military and 
very proud of you, General Alexander. And I hope that in the 
classified hearing that more of this can be brought to light. 
And I most certainly am going to be explaining this to my 
constituents in an appropriate, balanced way.

          CRITICAL INFRASTRUCTURE: CYBERSECURITY IMPROVEMENTS

    But I want to say one other thing to you, Mr. Beers. Your 
staff is terrific. They briefed me privately yesterday on 
several briefings. I want to share this and then ask a 
question.
    When I asked them to sort of describe the scope of 
cybersecurity and the challenge before us, they said, well, 
Senator, somebody has described it like this. They said the DOD 
is dot-mil. It is the Coke bottle cap. You think about a Coke 
bottle. It is just the cap of the Coke bottle. The Federal 
civilian Government, which is dot-gov, is like the Coke bottle 
itself, and the companies and citizens, which is dot-com, is 
the entire room the bottle is in. So while all the questions 
are being peppered right now to the top of this Coke bottle, 
Madam Chair, the room that we are in is the battleground that 
we are fighting in. And it takes huge resources and an 
unbelievable amount of commitment and compromise between the 
Government and the private sector.
    So what I want to ask the Secretary of Homeland, since that 
is my--and I am very proud to be the chair of the subcommittee. 
When the President issued his Executive order on improving 
critical infrastructure cybersecurity, it requires not only 
you, Mr. Secretary, but Commerce--Treasury is not here--to come 
up with a report. That report is actually due today. It is 120 
days from it. Do you have the report? Can you comment about, if 
you do not have it, when you are going to have it and one or 
two of the top findings in that report that you are going to be 
giving to the Congress I hope sometime soon?
    Mr. Beers. Senator, yes, the report is done. The report has 
been sent to the Office of Management and Budget (OMB) and the 
White House. I trust that Commerce and Treasury have also 
submitted their report on incentives. It will be subjected by 
OMB to an interagency process, and at the end of the process, 
the expectation is to release it to you all and the private 
sector for comment.
    What we want out of this is to pull together--and we have 
had workshops to talk about incentives. We had one--what--last 
week in Pittsburgh to draw in the private sector to give us 
their ideas about incentives to have critical infrastructure 
adopt the cybersecurity framework.
    That report will cover such things as insurance as a 
possibility. It will cover such things as certification with 
some liability protections as a possibility. These are all 
still ideas that are in a formative stage, and I do not think 
it is appropriate at this point to make those initial reports 
public. But the intention of the administration is to make 
those reports public to you, the Congress, and to the private 
sector.
    Chairwoman Mikulski. But not because they are secret. It is 
because they are incomplete. Is that correct?
    Mr. Beers. Yes, ma'am. That is correct. What we need to 
make sure is that everybody who has a stake in this in the 
Government has an opportunity to comment on it and then to get 
it back out to you and the private sector.
    Senator Landrieu. My time is up. And I am going to ask 
General Alexander in writing what his view is of the goal of 
the National Guard in cybersecurity for the Nation. You know, 
they play a very interesting role in our States. I have written 
you several times about it. I am going to write again to 
clarify their role.
    And finally, for the record, to follow up on Senator 
Collins, the Department of Homeland Security under your 
leadership, Secretary, has awarded a $300,000 grant to the 
Cyber Innovation Center in Louisiana which is starting a very 
scalable and proven model to create the cyber warriors of the 
future. And I look forward to talking with you more about that 
in conjunction with the chairman.
    Chairwoman Mikulski. Thank you, Senator Landrieu. You, as 
the chair of the Homeland Security Subcommittee, along with 
Senator Coats, who is your ranking member I believe--I really 
would hope you would do your due diligence in getting ready for 
the bill--pursue this topic because we covered a lot of topics 
today. But we really count on you in the homeland security 
area.
    Senator Feinstein.
    Senator Feinstein. Thanks very much, Madam Chairman, and 
thank you for holding this hearing, and I thank all our 
witnesses for their service to our country.
    Just to be corrected, if I need to be corrected, I would 
like to just quickly read my understanding of section 215.
    The section 215 business records provision was created in 
2001 in the PATRIOT Act for tangible things, hotel records, 
credit card statements, et cetera, things that are not phone or 
e-mail communications. The FBI uses that authority as part of 
its terrorism investigations.
    The NSA only uses section 215 for phone call records, not 
for Google searches or other things. Under section 215, NSA 
collects phone records pursuant to a court record. It can only 
look at that data after a showing that there is a reasonable, 
articulable suspicion that a specific individual is involved in 
terrorism actually related to al Qaeda or to Iran. At that 
point, the database can be searched, but that search only 
provides metadata of those phone numbers of things that are in 
the phone bill. So the vast majority of records in the database 
are never accessed and are deleted after a period of 5 years. 
To look at or use content of a call, a court warrant must be 
obtained.
    Is that a fair description or can you correct it in any 
way?
    General Alexander. That is accurate, Senator. Thank you.
    Senator Feinstein. Thank you very much.
    Let me express my hope once again. You expressed some 
things to us yesterday in Intelligence. I think it is really 
very important to show the cases where this has been used and 
has been effective and do that tomorrow at the classified 
briefing for all Senators. Will you do that?
    General Alexander. Senator, we are going to bring those. We 
will bring a layout of all those that have happened. And we 
will work with the interagency as quickly as possible so that 
the aggregate numbers can be released by you and others so that 
the Nation knows how much this has really done to protect us 
and our allies.
    Senator Feinstein. Good. That is appreciated.
    Now, let me go to cyber. As you know, the vice chairman of 
our committee, Saxby Chambliss, with whom I work closely--we 
have been sitting down trying to forge a consensus information-
sharing bill in cyber. Senator Coats, Senator Collins, Senator 
Mikulski are all members of this committee. And one of the main 
things is the extent of liability protection, the importance of 
the domestic portal of entry for cyber attacks.
    I would like to ask that you describe what is meant by a 
civilian portal for Senators assembled here today and also the 
rationale, why this is important for privacy and other reasons.
    General Alexander. Senator, thanks for that question.
    The reason, from my perspective, for a portal to one of the 
civilian infrastructures is so the Nation knows that somebody 
is not going directly to an intelligence or a military thing 
with secret information, but rather, give it to, for example, 
DHS and it can be pushed to FBI and NSA Cyber Command because 
we all see the data at the same time. And the public will have 
great confidence that what we are doing is exactly right. Or 
send it to FBI depending on the type and then FBI can shoot it 
to both of us. So you have a way of doing this. I think that is 
critical, given the discussion that we have on the other parts, 
is that the American people know that we are being transparent.
    We do not look at our cyber infrastructure to know what is 
going into Wall Street, as an example. And so if there is an 
attack on Wall Street, I will not see it until afterward. And 
so think of that as a missile coming into Wall Street. The 
people that do see it, like the Internet service providers, 
could tell us that--could--but there is no guarantee and there 
is no quick way of doing that.
    Cyber legislation is needed for that. We need to be able to 
share that information, and all of us need it because we all 
will have a role there. Our role would be defend the country. 
If this is a nation state trying to take down Wall Street, you 
want us to act.
    So I think that is the reason for having that civilian 
portal. That was a longer answer than you probably wanted, but 
that is why I think all of that is needed.
    Senator Feinstein. Thank you.
    Let me go to another subject quickly and that is liability 
protection. And you talked to us a little bit about what the 
liability protection standards should be in a bill. There are 
two parts of it. One is for use of a Government countermeasure, 
and the other is voluntary information-sharing between two 
companies. I think many members feel companies will not share 
unless they have immunity from liability. Could you comment on 
that?
    General Alexander. So there are two different aspects, as 
you stated, and one is how do you share with the Government and 
what action do you take. And so here is where I think my 
personal thoughts on this are that if the Government asks the 
company to do something to protect the networks or to do 
something and a mistake is made and it was our fault, then they 
should have liability protection for that. And they should not 
stand up and have to be sued. So I think there is a case for 
that.
    But if they go company to company or if they are sharing 
data back and forth, as they do today, I am not sure that the 
Government needs to provide liability insurance that way.
    So I think there are two different things.
    Now, this is something that the administration--your folks 
and we ought to bring everybody together, if that is the key 
point, and iron that out. I think we want to get it right. 
There are subtleties to what we just said. So there are 
different cases and conditions upon when we would act and how 
we would act and what level of liability you would have. And so 
I think those are the ones that we truly got to get exactly 
right.
    From my perspective, we just cannot grant everybody gets 
liability protection. And on the other hand, we do not want to 
say do something for the Government and if it goes bad, you are 
on your own. So I think there is something in the middle there 
that we have to get right, and from my perspective it is when 
the Government is asking them to do something, we ought to have 
at least part of that liability protection.
    Senator Feinstein. Thank you.
    Thank you, Madam Chairman.
    Chairwoman Mikulski. Senator Boozman and then Senator 
Tester.
    Senator Boozman. Thank you, Madam Chair, and thank you all 
so much for being here.
    I do have some questions about the situation we are in, but 
I think what I would like to do is wait until we get into the 
classified. I think you have said about as much as you could 
say in a setting like this.
    I do think that the Senator from Nebraska, though, raised 
an important consideration that we are probably not talking 
about enough. I think by any standards, this is a very far-
reaching program that really does have tremendous implication 
to the general public. And having the military--as he said, 
your record is exemplary. You are a tremendous American. My dad 
did 20 years active duty, and I will do anything I can to help 
you all in that regard.
    But I do think that the idea of having military control--we 
have had those firewalls in the past, and that is a discussion 
at some point that I think we need to have and would appreciate 
again at some point your contribution in that. But I do think 
that that is very, very important. And like you said, we are 
not talking about that.
    In regard to cybersecurity, Secretary McFeely, what are the 
top countries--and you can chime in on this also, General. What 
are the top countries that are pinging us? Who is involved in 
this?
    Mr. McFeely. We do have an answer for that. I believe that 
would be a more appropriate discussion in our classified 
setting.
    Senator Boozman. So it is not okay to say who is getting 
after us?
    Mr. McFeely. I do not believe in this setting based on the 
fact that our information and our assessment is based on our 
classified work--I do not believe that--I think I would be 
overstepping a line.
    Senator Boozman. Okay.
    You mentioned in your testimony the FBI's collaboration 
with State and local law enforcement. Again, it is hard for 
them to deal with this. This is something that they are not, 
most of the time, equipped to do. Do you feel that the Federal 
Government, specifically the FBI, is doing enough to aid our 
State and local departments when they are faced with a cyber 
attack?
    Mr. McFeely. You mean specific governments or are we 
working with State and local law enforcement----
    Senator Boozman. Yes, State and local law enforcement.
    Mr. McFeely. So I think the short answer to that is no, but 
I am happy to report that we have, I believe, a working plan 
moving forward. About 2 months ago, we met with various 
associations representing the police and sheriffs and 
investigators at the State and local side. And through 
conversation going through really a discussion of where law 
enforcement is with the cyber threat, we realized collectively 
that information is not flowing down to the State and local 
departments, and even in the instances where it was, they did 
not have the capability or the level of competence to even 
address it.
    We decided that we needed to address that. We have worked a 
pilot plan out, and the centerpiece of this will be the 
Internet Crime Complaint Center where we literally get 
thousands of complaints in a year from people who have been 
defrauded over the Internet. Most of the complaints that come 
in do not meet Federal prosecutive guidelines. In other words, 
it is not something that a United States Attorney's office 
would routinely prosecute and it is not something, because 
these are fraud-type complaints, either the FBI or Secret 
Service would routinely investigate. But because State and 
local's competence level is not at the level where it should 
be, it is just simply falling off.
    Chairwoman Mikulski. I could not hear your word to Senator 
Boozman. I could not hear you. Are you saying ``confidence'' or 
``competence''?
    Mr. McFeely. Competence, technical capabilities.
    So what we have worked out is a pilot project where we are 
going to package up these types of threats and actually 
disseminate them direct to the major departments where the 
victims are located. At the same time, we are going to increase 
our outreach to State and local law enforcement and give them 
the tools and the training that they need to get them up to 
that level of technical competence that they need.
    Senator Boozman. Thank you.
    Mr. Beers. Senator, could I add to that, please?

           COLLABORATION WITH STATE AND LOCAL LAW ENFORCEMENT

    Senator Boozman. Yes, sir, sure.
    Mr. Beers. So our Secret Service, working with the FBI in a 
number of cases, as Mr. McFeely indicated, in the joint task 
force--we have a National Computer Forensics Institute in 
Alabama. We have trained over 1,300 State and local law 
enforcement prosecutors and judges in order to be able to deal 
with this.
    What we are dealing with here--that is, mostly their 
competence or the part of, not the national security threats 
but the criminal fraud threats--is the stealing of credit cards 
and other personally identifiable information and using that to 
take money out of banks around the world. You heard about the 
$46 million that was taken out of two banks from the Middle 
East, including a large amount in this country. That is the 
kind of training where we can give them the competence and we 
can work with them, and that is something that we and the FBI 
are trying to do very much. The outreach that we have had to 
the various police associations and other things are part of 
it.
    But the main thing is to get the training and then to work 
together. A lot of this happens overseas and that is where we 
have to be involved in order to be able to trace those 
activities overseas, which State and local law enforcement do 
not really have the ability to do. But it is a joint program 
and really quite successful.
    Senator Boozman. Thank you, Madam Chair.
    Chairwoman Mikulski. Senator Tester.
    Senator Tester. Thank you, Madam Chair.
    And I want to thank you all for being here, particularly 
General Alexander. I want to thank you for coming today. Thank 
you for your service to our country. And I have been looking at 
the slides the committee provided, and they are very helpful. 
We are going to spend more than $13 billion in unclassified 
cyber activities. Seven agencies are involved, excluding the 
network defense that every agency must do.
    According to my notes, after the WikiLeaks incident in 
2010, a Presidential Executive order directed agencies to 
improve classified network security and create a committee to 
oversee those improvements. So we have had 3 years to improve 
the control of classified networks and information. Whatever 
one thinks of Edward Snowden, it looks to me as if we have also 
got a big problem that is internal, not external.
    So you tell me that the President has requested $13 billion 
in cyber spending for fiscal year 2014, and yet a contractor, 
not even somebody who is accountable to your chain of command 
or anyone else in the Government, is able to get his hands on a 
copy of a FISA court order allowing the collection of metadata 
from Verizon. How on earth does this happen? And why does a 
contractor have access to information that we are spending $13 
billion to prevent outsiders from getting their hands on?
    General Alexander. So that is one of the grave concerns we 
both have in that in our networks, the system administration of 
those networks, the IT infrastructure, was outsourced about 14 
years ago to push more of our work out to contractors. As a 
consequence, many in Government, not just us, have system 
administrators who are contractors working and running our 
networks. Now, they do not have total visibility of the 
network, but they get key parts to it. And in this case, this 
individual was a system administrator with access to key parts 
of the network. So we have got to address that. That is of 
serious concern to us and something that we have to fix.
    Senator Tester. I mean, from your perspective, do you 
anticipate a recommendation coming forward that this work be 
done in house instead of contract?
    General Alexander. Senator, I am not prepared to make that 
statement yet. I do not want to react because there are good 
contractors out there that are doing a good job. I think what 
we have to do is come back and perhaps look at the oversight 
mechanism that we have, the checks and balances that are in the 
system, the automated checks and balances that exist, and what 
we can do to improve those. As you may know, what the 
Department is going through in the joint information 
environment would greatly assist in protecting this data. So 
going to what we call JIE is a huge step in the right 
direction.
    I think those cloud security and encrypting data is things 
that we can and should do, but that is going to take time. I do 
not want to mislead you. This is a significant effort for the 
Defense Department to move to, but it is one that I know I have 
personally talked to the Secretary on and the Chairman. We are 
pushing this. It is the right way to go. I wish we had it. I 
wish we would go back in time. NSA is doing the same.

                              BANK ATTACKS

    Senator Tester. Financial services. I am told by folks that 
I deal with on the Banking Committee that almost every night 
somebody is trying to hack their system.
    Do you have the mechanism by which you can follow up if a 
bank gave you an IP address that they think that is doing the 
problem? And if it is not the right question for you, General, 
you can ship it any way you want. Or do you not have the 
mechanism to be able to follow up?
    General Alexander. So we do as a team, the team here. 
Almost assuredly, if it is a criminal or other, it would start 
with the FBI being on the team. We may have people on the team. 
If the FBI saw this was a foreign one, they would tip that over 
to us. So we act as a part. DHS has a key role in that team to 
see what it is. We have made great progress in bringing that 
team together.
    The bottom line to your answer is someone on this team 
would take it. Normally that leadership would probably be, the 
cases you described, FBI with DHS and us.
    Mr. Beers. Sir, on that, we gave out 200,000 IP addresses 
to individuals within this country--to the banks--excuse me--to 
block when those distributed denial of services attack. Some of 
those were overseas. We also sent them to friendly governments 
overseas. So as a matter of course, we do this on a regular 
basis as part of this tripartite team.
    Senator Tester. Okay. So let me ask you this. If a bank 
comes to you with an IP address that they believe was trying to 
hack their system, do you guys follow up on that?
    Mr. Beers. In exactly the same way. The three of us, the 
three agencies that we represent, go and provide some forensic 
assistance with respect to that particular incident, and then 
we provide a larger mitigation message out to the rest of the 
community so that particular form of attack cannot be 
replicated.
    Senator Tester. Then do you go back to the bank that has 
initiated this investigation and tell them what you have done?
    Mr. Beers. We do, and when we put out the information, we 
do not necessarily indicate which bank was affected. We 
anonymize that information unless that particular firm wants it 
public.
    Senator Tester. Okay. So when a bank comes up to me and 
says, look, we give them IP addresses and they do not follow up 
on it, you would classify that as being baloney?
    Mr. Beers. Sir, I cannot speak to each and every one of 
those instances, but what I am telling is the way we work as a 
team in order to try to do that. And if there are banks that 
have spoken to you about this, we would be happy to get back to 
them if they are prepared for you to tell me about that.
    Senator Tester. I do not know that they are, but maybe they 
are. I cannot say. Actually multiple banks have talked to me 
about that.
    So I just want to say thank you very much. I will tell you 
that there has been a lot--if I might editorialize just for a 
second, Madam Chair. There has been a lot of concern about what 
has happened in the last couple weeks. And I do not serve on 
the Intelligence Committee. I do serve on Homeland Security, 
but I do not serve on the Intelligence Committee. And I will 
tell you that I think it is positive for this country to be 
having the discussion we are having. And there may be some 
negatives involved here, but I think it is positive to have the 
discussion so that we are thinking about civil liberties and we 
are thinking about freedom as it relates to our national 
security. You guys all have a tough job, but we will get 
through this and hopefully we will secure both our security and 
our freedoms when this is done.
    Thank you very much.
    Chairwoman Mikulski. Senator Murray.
    Senator Murray. Madam Chairman, thank you very much for 
having this hearing.
    Is ``baloney'' a Montana name?
    Senator Tester. I was being very nice. I was going to refer 
to cow excrement here.

               QUALIFIED WORKFORCE: CENTERS OF EXCELLENCE

    Senator Murray. We were lucky.
    Again, thank you so much for having this hearing.
    Let me just start by saying that I think our Nation's most 
important cybersecurity resource is its cyber workforce. 
Without the right people using it, even the most sophisticated 
technology is really only of limited use. That is why I think 
it is important that we successfully identify, recruit, and 
train a cyber workforce to form the foundation of any national 
cybersecurity plans.
    DHS and NSA's Centers of Academic Excellence are really 
important tools in this effort, and my State, Washington State, 
hosts a number of these Centers of Excellence. We have the 
Information Assurance Education Centers at the University of 
Washington--Tacoma and the University of Washington--Bothell. 
We have the Information Assurance Research Center at the 
University of Washington--Seattle, and the Information 
Assurance 2-year Education Center at Whatcom Community College. 
And together those programs offer cybersecurity education and 
training at the 2-year, undergraduate, masters, and Ph.D. 
level.
    Secretary Beers and General Alexander, if you could comment 
on how you think these Centers of Excellence play into your 
respective cyber hiring pipelines and workforce development 
programs, I would love to hear your comments on that.
    Mr. Beers. Let me go first on that. We absolutely are 
dependent upon that form of education as a way to get qualified 
individuals into our workforce. We at DHS have an outreach 
program to community colleges generally but also to these 
Centers of Excellence as well as to universities. The only 
comment that I would make is we do not have enough people 
around the country trained to do all the jobs that we in 
Government and the private sector need to have done. I think 
that is really one of the educational frontiers for this 
country is to create that kind of a workforce for all of us. So 
that is certainly something that we support very much at DHS.
    Senator Murray. General, do you want to comment?
    General Alexander. Senator, thank you for that question 
because that is a huge program that we do with more than 140 
different schools collectively between DHS, NSA. And the 
curriculums that we set up there with those schools--this is 
not just you get a thing, you go do it. They actually set up a 
curriculum that helps ensure that the students that are going 
through that will have the background we need in information 
assurance, and now in cyber operations, a new one. So there are 
double credentials that they can get. And I just encourage your 
schools. I know everybody is looking at that, and we are 
getting tremendous pressure.
    These are very difficult to get into. This is not something 
that we just grant. It is interesting because we got a number 
of schools to bring this forward. Some of them do not meet the 
qualifications and do not get that accreditation. So they work 
through that. We work with them. We have a great outreach. I 
think this is great for our country to build these kinds of 
people----
    Senator Murray. We absolutely must have that workforce. I 
agree.
    I know that a coherent national cybersecurity strategy 
really requires some cooperation. You have got to have 
collaboration between Government, private industry, and 
academia. And as we saw with the development of the information 
economy on the Internet, clustering these universities, 
companies, and the appropriate Government agencies together 
offer some really great benefits. Within the cybersecurity 
industry, the South Puget Sound in my State has emerged as a 
leading cyber cluster, if you will. The unique and nationally 
recognized resources the region has to offer have created a 
great environment for cybersecurity to really flourish. They 
have some great stakeholders who help make this possible, 
including the Center for Information Assurance and 
Cybersecurity at the University of Washington. We also have 
great influential technology and defense companies, Microsoft, 
Amazon, Boeing, and we have two military installations, Joint 
Base Lewis-McChord and Washington National Guard Camp Murray in 
the South Puget Sound. And I have seen personally how those 
relationships have really benefited that region.
    And, Secretary Gallagher, I would love it if you could talk 
about the importance of these so-called cyber clusters like the 
one we have in my State and what steps NIST and Commerce are 
taking to really promote those.
    Dr. Gallagher. So the notion of clusters as a way of sort 
of creating this amplification effect that you talk about is 
broader even than just cybersecurity. In fact, it is a key part 
of our strategy in other areas like advanced manufacturing. And 
what tends to happen is you get sort of a critical mass where 
you have enough expertise that it creates an attracting and 
pooling, and that talent base really starts to create wins. So 
you attract the right kinds of companies and government 
agencies and academic programs.
    I think it has to be a key part of the cybersecurity 
education effort as well because in the end, you are talking 
about workforce development. And so you are going to have to 
bring together--that is one of the reasons the public/private 
partnerships are going to be such a key element here. We are 
seeing some of that already. Senator Mikulski provided a 
program funded through NIST, the National Cybersecurity Center 
of Excellence, which leverages Maryland and Virginia which have 
also been looking at this sort of effect, to bring in companies 
to work collaboratively on cybersecurity and create this 
tipping-in effect that you so eloquently described that are 
part of clusters.
    Senator Murray. Great. Well, I am a big proponent of that.
    I am out of time, but I did want to submit a question about 
the National Guard. I think as we move forward, we are going to 
have to make sure that we are coordinating with them. They are 
going to be our boots on the ground if there is ever an issue, 
and I am hoping that we are doing the right things to support 
them. So, Madam Chairman, I would like to just submit that 
question.
    Chairwoman Mikulski. Thank you very much, Senator. And we 
hope that through the respective subcommittees, there will be 
follow-ups that will go even deeper to this.
    In terms of your clustering, we in Maryland feel we are at 
the epicenter of cybersecurity because we have the National 
Security headquartered there. We have the National Institute of 
Standards headquartered there. We hope to have the FBI 
headquartered there. We have the University of Maryland----
    Senator Murray. Yes. Well, we will take the west side of 
the country.
    Chairwoman Mikulski. But thank you very much.
    I think, Senator Shelby, did you want to say something, 
sir?
    Senator Shelby. I just have one last observation. I just 
want to thank the panel, all of you, for your service to the 
country, the way you have conducted yourself before you got 
here today, and what you have done here for the day for 
America. And I think it has to be said. We have worked together 
a long time. Thank you.

                     ADDITIONAL COMMITTEE QUESTIONS

    Chairwoman Mikulski. Well said, Senator Shelby.
    If there are no further questions this afternoon, Senators 
may submit additional questions for the committee's official 
record, and we request the witnesses' response within 30 days.
    [The following questions were not asked at the hearing, but 
were submitted to the Departments for response subsequent to 
the hearing:]
Questions Submitted to Hon. General Keith B. Alexander, Commander, U.S. 
    Cyber Command Director, National Security Agency Chief, Central 
                            Security Service
              Questions Submitted by Senator Patty Murray
    Question. Currently, the development, marketing, sale, and resale 
of software exploits, including attack capabilities, is legal and 
unregulated making it one of the few remaining unregulated weapons 
markets.
    Is it in the United States' interest to allow the open and 
unfettered sale of these exploits and other attack capabilities? What 
steps are currently being taken to protect the United States against 
the proliferation of these capabilities?
    Answer. We share the concerns of the Committee and others about the 
unfettered proliferation of malicious cyber tools and the potential 
misuse of those tools to inflict harm against U.S. interests and those 
of our allies. With other agencies, we are studying the global export 
market for cyber technologies, and what actions may be prudent for 
national security, while being mindful of U.S. industry's need to 
innovate to meet global demand for cyber defense capabilities.
    Question. Given the risk that cyber attack poses to critical 
infrastructure and other important domestic systems, creating and 
maintaining a robust cyber civil defense is essential. Traditionally, 
National Guard units have played a central role within civil defense 
and in Washington State, the 262nd Network Warfare Squadron--the first 
operational non-flying wing within the Air National Guard--has extended 
its response and support capabilities to cyberspace.
    What steps is CYBERCOM taking to coordinate with Guard units like 
the 262nd to improve homeland readiness and resilience in the face of 
cyber attack?
    Answer. Currently, we conduct exercises and training with the 262nd 
Network Warfare Squadron focused on responding to a domestic cyber 
attack against critical U.S. infrastructure. These events involve 
intense collaboration and coordination across Federal, State, and 
private sector boundaries. Going forward, we are working with 
USNORTHCOM and the National Guard Bureau to develop a broad framework 
for integrating the National Guard into the Cyber Mission Forces. This 
framework will guide the Service components as they work to incorporate 
additional cyber capabilities into their forces.
                                 ______
                                 
            Questions Submitted by Senator Richard J. Durbin
    cyber executive order--role of the executive order versus cyber 
                              legislation
    Question. President Obama issued Executive Order (EO) 13636 in 
February of this year. What is the effect of this Executive order? Is 
it improving your ability to share information with the private sector?
    Answer. The overall effect of the Executive order is to jump-start 
some key initiatives that begin to address the cybersecurity threat.
  --With implementation of the Enhanced Cybersecurity Services, a USG/
        industry partnership program, the robust cybersecurity 
        protections currently afforded only to the Defense Industrial 
        Base primarily through cleared commercial service providers 
        will be made available to all critical infrastructure sectors 
        while minimizing the potential for divulging our classified 
        sources and methods.
  --The cybersecurity framework to be developed by the National 
        Institute of Standards and Technology in partnership with 
        industry will help owners and operators of critical 
        infrastructure to understand the levels of security measures 
        that are needed to make it more difficult for adversaries to 
        penetrate their networks.
  --The voluntary certification program is designed to encourage and 
        assist owners and operators of critical infrastructure to adopt 
        those standards to harden their networks.
  --All three efforts recognize that cybersecurity is a team effort and 
        must be done with full collaboration within Government and with 
        industry and other private stakeholders.
    I think it is essential; however, that all parties realize that the 
Executive order (EO) is only a first step in addressing the threat and 
not a substitute for actual legislation. The EO can move us only so 
far, and it does not eliminate the need for Congress to enact 
cybersecurity legislation.
    While the Executive order does make some headway in enabling and 
facilitating some cybersecurity information sharing across a larger 
portion of the critical infrastructure, such sharing remains largely 
one-sided--from the USG to private sector. With so much of the critical 
infrastructure owned and operated by the private sector, the Government 
is often unaware of the malicious activity targeting our critical 
infrastructure. These blind spots prevent the Government from being in 
a position to either help defend the critical infrastructure or to 
defend the Nation from a cyber attack, if necessary. This can only be 
overcome through legislation that removes statutory barriers to 
cybersecurity information sharing and provides the narrowly scoped 
liability protections needed to incentivize two-way, real-time 
information sharing between the private sector and the Government. 
Similarly, we need legislation that encourages industry cooperation in 
the development and implementation of the cybersecurity standards that 
will secure their networks.
    Question. When he signed the Executive order, President Obama also 
underscored the need for comprehensive cybersecurity legislation, since 
the scope of the Executive order is limited. What are your legislative 
priorities in terms of items you believe should be included in cyber 
legislation?
    Answer. I believe that cyber legislation needs to:
  --Eliminate the statutory information sharing barriers and facilitate 
        two-way, real-time cybersecurity information sharing between 
        the private sector and the Government as well as among private 
        companies. Any legislation must instill confidence that such 
        sharing will protect privacy and civil liberties, and will 
        preserve the longstanding, respective roles and missions of 
        civilian and intelligence agencies. It also needs to provide 
        reasonable liability protections for companies in order to 
        incentivize such information sharing.
  --Build on the efforts under EO 13636 to develop a cybersecurity 
        standards framework and certification program by incentivizing 
        the private sector to adopt the framework to protect its 
        networks.
     cyber executive order--protecting privacy and civil liberties
    Question. The Executive order requires Federal agencies to develop 
cybersecurity efforts in accordance with the Fair Information Practice 
Principles, as well as other policies, principles, and frameworks to 
protect privacy and civil liberties. I worked with a number of other 
Senators to ensure that the Cybersecurity Act of 2012 included 
provisions to protect privacy and civil liberties.
    What specific steps can government agencies take to ensure that 
privacy and civil liberties are protected as we enhance our Nation's 
cybersecurity?
    Answer. I believe that the U.S. Government could take the following 
steps to ensure that privacy and civil liberties are protected:
  --Ensure transparency by establishing processes and procedures based 
        on Fair Information Practice Principles for the U.S. Government 
        receipt, retention, use, and disclosure of cyber threat 
        information received from the private sector.
  --Require independent review and oversight to ensure that use and 
        sharing restrictions are being enforced.
  --Leverage technology to establish a transparent, real-time, policy-
        based, machine-to-machine messaging construct that 
        automatically enforces the policy/rules for use and any 
        restrictions on sharing.
                                 ______
                                 
            Questions Submitted by Senator Mary L. Landrieu
               cybersecurity role for the national guard
    Question. On June 13, 2013, the day of the Appropriations Committee 
hearing entitled ``Cybersecurity: Preparing for and Responding to the 
Enduring Threat'', the Committee received a report from the Department 
of Homeland Security (DHS) and Department of Defense (DOD) which was 
due to Congress on May 1, 2012, as prescribed in the joint explanatory 
statement accompanying the fiscal year 2012 DHS Appropriations Act 
(Public Law 112-74). The purpose of the report was to outline the 
capabilities of a coordinated response to a cyber attack by DHS and the 
National Guard and how critical relationships can be established across 
the agencies to fulfill cybersecurity responsibilities. The information 
provided, which was submitted separately by the two agencies, outlines 
on a high-level, the programs DHS and DOD (as a whole) are maintaining 
for a response. Unfortunately, the report falls short of providing 
Congress an understanding of the DHS and National Guard's capacity to 
respond to a cyber attack jointly. In order for Congress to better 
understand the gap between capacity and need, a sense of scope is 
required.
    How many National Guard cybersecurity personnel currently exist, 
and where? Are they employed in teams or individually? If they are 
employed in teams, how many teams are there and where are they located?
    Answer. Although these questions are better directed to the 
National Guard Bureau, I understand that there are approximately 1,000 
National Guard personnel in cybersecurity positions. The U.S. Army 
National Guard is filling 8-person Computer Network Defense teams in 
each State that operate part-time in support of State missions. 
Additionally, the U.S. Air Force has established Air National Guard 
units in Washington, Delaware, Rhode Island, Maryland, California, and 
Kansas. USCYBERCOM continues to explore with the Services the unique 
capabilities the National Guard brings to the Total Force and the role 
they will have in securing our Nation in cyberspace.
    Question. As DOD and DHS are building the capacity the Federal 
Government needs to protect against and respond to a cyber attack: what 
specific role is being considered for the National Guard; and how is 
the Guard's ability to switch between title 32 authorities and title 10 
authorities being taken into consideration?
    Answer. We are working through the best way to strategically 
integrate the National Guard into the cyber national defense mission to 
include the Guard's particular authorities and capabilities. Most 
importantly, National Guard forces should complement the Total Force in 
the same way that they do for other missions. As part of a Total Force 
solution, the National Guard forces will need to be trained to the same 
standard as the active forces to meet those requirements.
    Although we are focused on working with the Services and the 
National Guard Bureau on how these personnel can help meet DOD 
requirements, the Department is actively engaged with its interagency 
partners and the States to improve our ability to respond to 
cybersecurity challenges in a whole-of-Government approach that 
leverages all appropriate authorities.
    It is also important to note that, as Chairman of the Joint Chiefs 
of Staff General Martin Dempsey stated in recent congressional 
testimony, title 32 may not provide authorities for operating in 
cyberspace. Any activities on networks within a State's jurisdiction 
which have effects outside of that jurisdiction would have to be 
conducted under title 10 authorities. This will be an important factor 
in the planned integration of the National Guard into the cyber 
national defense mission.
    Question. Is there a cost savings associated with utilizing the 
National Guard based on current training? How much?
    Answer. In coordination with the services, the Department is 
working out how to create an effective cyber workforce by looking 
across the Total Force in a way that best meets DOD cyber requirements. 
As a critical element of building its force structure, USCYBERCOM has 
established common training requirements for all of its personnel, 
Active component, Reserve component, or civilian.
    We are eager to leverage the skills and training of all our team 
members while we ensure that they are properly trained and certified to 
carry out their USCYBERCOM mission. It is very difficult to estimate 
potential savings based upon current training of personnel, as it will 
be highly dependent both upon the particular training and certification 
an individual has previously received and how much training meets the 
requirements of roles to which the personnel will be assigned.
    Question. Are there skills identified within the National Guard 
that cut down the time needed to train a cyber airman or soldier to be 
able to respond to a cyber attack?
    Answer. The services retain training and accreditation authorities 
for all training. Each service will make a determination on what 
civilian skills, experience, and credentials might be credited for 
required military training.
    USCYBERCOM is establishing common training requirements for all of 
its forces. Skills may help them progress and support their ability to 
operate, while ensuring that all of our forces are trained to the same 
standard.
                         cyber test beds/ranges
    Question. General Alexander testified that the services, 
departments, and agencies need to work together to ensure that they 
have adequate test bed and range space to safely organize, train, and 
equip the cyber warriors, operators, managers, researchers, and agents 
across the Federal Government.
    What are the specific requirements that your departments and their 
various agencies have for test bed and range space?
    Answer. Test bed and range spaces must support training on all 
aspects of the USCYBERCOM mission as specified by the Joint Cyber 
Training and Certification Standards and the Cyber Forces Concept of 
Employment. They also need to be capable of supporting training, 
exercise, and mission rehearsal events from multiple locations on a 24/
7/365 basis.
    Question. What specific outcome will those established requirements 
render in trained personnel and tactics?
    Answer. Testing and range space that fulfills those requirements 
will foster an environment that ensures the Cyber Mission Forces are 
consistently trained and certified to perform operations in defense of 
the Nation and, when authorized, to project force. Methods of training 
tactics development will include force on force, force vs. simulated 
opposition forces, and force vs. live opposition forces.
    Question. What is the current test bed and range capacity available 
to each of your departments?
    Answer. USCYBERCOM has access to the Department of Defense's four 
cyber ranges that support testing and training: the Joint Information 
Operations Range, the Department of Defense Information Assurance 
Range, the National Cyber Range, and the C4 Assessment Division. 
USCYBERCOM also has limited in-house standalone test labs.
    Question. What is the wait time or backlog based on the access you 
currently have?
    Answer. Currently, exercise events are developed to meet specific 
requirements for the training audience. In correlation with the 
development, wait time varies based on range schedule availability and 
planning. Based on historical data from recent range events, the 
average wait time is 60-90 days for a small (10-15 participants) event, 
and 6-9 months for large-scale exercises such as Cyber Flag.
    Question. Have you identified additional test bed or range space 
that you would like to acquire, use, or lease?
    Answer. USCYBERCOM is working with the Joint Information Operations 
Range, the DOD Information Assurance Range, the National Cyber Range, 
and the C4 Assessment Division to identify future capacity needed to 
accommodate projected DOD cyber testing and training requirements.
    Question. What are the fiscal year 2013 and 2014 funding levels for 
testing and training space?
    Answer. Although USCYBERCOM has access to these ranges, we do not 
program their funding nor are the ranges under a single program 
manager. The Command is collaborating with the range program managers 
in a federation of the willing in order to coordinate strategic 
planning/programming. For specific USCYBERCOM events, COCOM Engagement 
and Training Transformation funding was allocated from the baseline 
USCYBERCOM fiscal year 2013 exercise funding and fiscal year 2014 
funding will likely be similar.
    Question. What percentage of your required testing and training 
needs will you be able to meet in fiscal year 2013 and 2014?
    Answer. Of the projected training and certification events to 
support the Cyber Mission Force, approximately 30 percent of the events 
can be supported by the test beds and ranges currently available to 
USCYBERCOM. However, the Command is working with the Joint Information 
Operations Range, the DOD Information Assurance Range, the National 
Cyber Range, and the C4 Assessment Division to identify the capacity 
needed in fiscal year 2014 and beyond to accommodate projected DOD 
cyber testing and training requirements.
                                 ______
                                 
                Questions Submitted by Senator Tom Udall
        role of national laboratories in promoting cybersecurity
    Question. General Alexander, our National Labs--which are the crown 
jewels of our Nation's research system--are active in efforts to 
promote cybersecurity. In my home State of New Mexico, Sandia National 
Laboratories is engaged in efforts to secure the national electrical 
grid from cyber attack. Los Alamos National Laboratories is a leader in 
quantum cryptography. Sandia also has partnerships with universities 
and the private sector. They're helping computer science students 
become cyber professionals.
    Could you discuss what role our National Labs should have in 
protecting our Nation from cyber attack?
    Answer. Our National Labs are incredible resources that continue to 
make vital contributions to cybersecurity and broader national 
security. The three areas that you have identified are three of the 
most important ways that the National Labs are supporting U.S. 
cybersecurity efforts: advanced research to secure our vulnerable 
infrastructure from cyber threats; the improvement of our abilities to 
transmit and store data securely; and, potentially most importantly, 
the development of the cybersecurity professionals that are our most 
critical asset.
     need for international cooperation for cybersecurity standards
    Question. General Alexander, your testimony describes how 
USCYBERCOM is working to defend the Nation against threats from 
cyberspace, especially those that could involve attacks directed by 
foreign states. But cyberspace does not really recognize national 
borders, and we have many shared interests in terms of cybersecurity 
with other nations. Stopping cyber criminals, for example, requires 
cooperation from other countries. Earlier this year, a criminal network 
involving hackers from several countries allegedly stole $45 million 
from banks using fake ATM cards.
    How do we ensure our national security while also working toward 
better international cooperation in the area of cybersecurity?
    Answer. International cooperation on cybersecurity is a requirement 
to ensure our national security. Global cooperation is necessary to 
address the threat, build consensus on the norms of responsible conduct 
in cyberspace, and address ongoing malicious activity. For our 
military, cybersecurity cooperation, including shared situational 
awareness, is foundational to interoperability and mission success 
globally as is the case in other domains.
    Question. How do we reduce cyber vulnerabilities while protecting a 
free and open Internet for all?
    Answer. As the President's International Strategy for Cyberspace 
says, ``To realize fully the benefits that networked technology 
promises the world, these systems must function reliably and securely. 
People must have confidence that data will travel to its destination 
without disruption Assuring the free flow of information, the security 
and privacy of data, and the integrity of the interconnected networks 
themselves are all essential to American and global economic 
prosperity, security, and the promotion of universal rights.'' A 
cyberspace that rewards innovation, empowers individuals, develops 
communities, safeguards human rights, and enhances personal privacy 
will strengthen national and international security. We will reduce our 
cyber vulnerabilities and defend our networks with smart policies that 
combine national and international resilience with vigilance and a 
range of credible response options. Building capacity and fostering 
innovation is necessary to achieve reliable, secure, and safe platforms 
and build confidence in globally interconnected networks. This is why 
partnerships are so important: domestic and international, public and 
private sectors.
                china and theft of intellectual property
    Question. General Alexander, your testimony mentions the systematic 
theft of American intellectual property. This is a serious challenge, 
particularly if aided and abetted by foreign states. President Obama 
reportedly raised concerns about this with Chinese President Xi Jinping 
last week.
    How should our Nation respond if such directed cyber thefts are not 
curtailed?
    Answer. In February 2012, the administration published a 
comprehensive strategy on mitigating the theft of U.S. trade secrets, 
which is currently being implemented. Consistent with the Strategy, we 
need to respond to cyber intrusions that result in the theft of 
American intellectual property in three ways. First, the U.S. 
Government must work with like-minded countries to clearly define 
acceptable and unacceptable behaviors in cyberspace and to promote 
related international norms, including effective criminal and civil 
enforcement. Second, the U.S. Government must work with private sector 
entities to develop more defensible network architectures and computing 
devices that do not contain vulnerabilities that countries such as 
China can exploit for economic gain. As these network architectures and 
computing devices are hardened, we must promote development, sharing 
and deployment of industry-led voluntary best practices in the private 
sector to protect U.S. intellectual property, including trade secrets. 
Third, the U.S. Government must continue to develop and implement 
defensive cyber capabilities to protect the Nation from threats to its 
economic health and stability.
                                 ______
                                 
              Questions Submitted by Senator Thad Cochran
    Question. All witnesses, we have heard about the importance of 
cooperation and clearly defined lanes of responsibility across the 
Federal Government for our cybersecurity efforts. What are your 
respective roles in receiving and sharing threat information with the 
private sector?
    Answer. We are leaning forward to the maximum extent authorized to 
share knowledge across the U.S. Government and private sector. In 
accordance with EO 13636, and consistent with its legal authorities and 
mission responsibilities, NSA/CSS provides classified cyber threat 
information and associated network defense guidance to DOD, DHS, and 
DOJ/FBI to use in support of their specific cybersecurity roles and 
responsibilities. Through the voluntary Enhanced Cybersecurity Services 
and Defense Industrial Base Enhanced Cybersecurity Services programs, 
NSA/CSS is working with DHS and DOD to provide classified cyber threat 
and technical information to eligible critical infrastructure companies 
or commercial service providers that offer security services to 
critical infrastructure.
    Question. All witnesses, I think we all recognize the importance of 
defending our Nation's critical infrastructure against cyber attacks. A 
foreign or terrorist cyber attack on our electric grid, water systems, 
or financial systems could cause widespread damage and even have 
detrimental effects on our economy and consumer confidence. There has 
been much discussion about how involved the Federal Government should 
be in defending infrastructure owned by non-Federal entities. How would 
you define the threshold for what types of non-Federal infrastructure 
might qualify as ``critical'' for these purposes?
    Answer. I believe the definition of ``critical infrastructure'' 
used in PPD-21 Critical Infrastructure Security and Resilience is a 
reasonable one, and it applies to both Federal and non-Federal critical 
infrastructures. It defines critical infrastructure as those ``systems 
and assets, whether physical or virtual, determined by a sector 
specific agency or DHS to be so vital to the United States that the 
incapacity or destruction of such systems and assets would have a 
debilitating impact on security, national economic security, national 
public health or safety, or any combination of those matters.''
    Question. General Alexander, a British newspaper recently reported 
on a program called ``Prism,'' in which it referred to collection under 
section 702 of the Foreign Intelligence and Surveillance Amendments 
Act. The newspaper reported that the law ``allows for the targeting of 
any customers. . . who live outside the U.S. or those Americans whose 
communications include people outside the U.S.'' Can you explain if and 
how this description may be inaccurate?
    Answer. The quoted statement is inaccurate. Section 702 does not 
allow the Government to target Americans inside or outside the United 
States.
    Section 702 of FISA allows ``the targeting of persons reasonably 
believed to be located outside the United States to acquire foreign 
intelligence information.'' 50 U.S.C. 1881a(a).
    Additionally, the statute provides several express limitations, 
namely that such acquisition:
    (1) may not intentionally target any person known at the time of 
acquisition to be located in the United States;
    (2) may not intentionally target a person reasonably believed to be 
located outside the United States if the purpose of such acquisition is 
to target a particular known person reasonably believed to be in the 
United States; may not intentionally target a United States person 
reasonably believed to be located outside the United States;
    (3) may not intentionally acquire any communication as to which the 
sender and all intended recipients are known at the time of acquisition 
to be located in the United States; and
    (4) shall be conducted in a manner consistent with the fourth 
amendment to the Constitution of the United States.
50 U.S.C. 1881a(b).
    An acquisition authorized under section 702 must be conducted in 
accordance with targeting procedures reasonably designed to ``ensure 
that any acquisition authorized. . . is limited to targeting persons 
reasonably believed to be located outside the United States.'' 50 
U.S.C. 1881a(c) and (d)(1). These targeting procedures are subject to 
judicial review and approval by the Foreign Intelligence Surveillance 
Court (FISC). 50 U.S.C. 1881(d)(2). Minimization procedures must also 
be adopted and are subject to FISC review. 50 U.S.C. 1881(e)(2) Among 
other requirements, joint authorizations by the U.S. Attorney General 
and Director of National Intelligence under section 702 must attest 
that ``a significant purpose of the acquisition is to obtain foreign 
intelligence information'' and that the acquisition complies with the 
above limitations. 50 U.S.C. 1881a(g)(2).
    Question. All witnesses, we've often heard that there is a 
potential for a Cyber Pearl Harbor, or an unexpected cyber attack on 
our Nation by a foreign entity that has dramatic and lengthy 
consequences. I think it may be difficult for most Americans, and even 
members of this Committee, to visualize how exactly such an attack 
would be carried out and what it would look like. Can you help us to 
better understand these things? Are the appropriations this Committee 
has been recommending sufficient to help prevent such an attack?
    Answer. In a 20 July 2012 opinion piece published online in the 
Wall Street Journal, President Obama reflected on lessons learned from 
a national-level exercise conducted the previous month to test how well 
Federal, State, and local governments and the private sector can work 
together in a crisis. According to the exercise scenario, that crisis 
was the result of a cyber attack by unknown hackers who had inserted 
malicious software into the computer networks of private-sector 
companies that operate most of our transportation, water, and other 
critical infrastructure systems. The simulated consequences included 
train derailments across the country, including one carrying industrial 
chemicals that exploded into a toxic cloud. Water treatment plants in 
several State had shut down, contaminating drinking water and causing 
Americans to fall ill. This worst-case scenario included both cyber and 
physical consequences and targeted our Nation's critical 
infrastructure. In October 2012 Secretary of Defense Panetta described 
a cyber Pearl Harbor as just such a combination of events.
    We believe the administration budget requests are on target and we 
appreciate the Committee's willingness to fund them. Our strength in 
facing this threat relies on the entire U.S. Federal Cybersecurity 
Operations Team including DHS, DOJ/FBI, and DOD to counter cyber 
threats. We each have specific, critical roles, responsibilities, and 
authorities. We are already working together as part of the Federal 
effort to counter cyber threats, and we are partnering to implement EO 
13636 to improve the cybersecurity of our critical infrastructure. 
There are issues with being able to see and prepare for a cyber attack, 
as no single public or private entity has all of the required 
authorities, resources, or capabilities to either respond to or prevent 
a serious cyber attack on our critical infrastructure. We must address 
this threat as a team by sharing the unique insights into cyber threats 
that both the Government and the private sector have and by hardening 
our critical infrastructure and making it more resilient to cyber 
threats. We need legislation that removes existing barriers to the 
sharing of cyber threat information between the private sector and the 
U.S. Government at network speed, while ensuring that privacy and civil 
liberties are protected. We also need legislation that offers 
incentives to encourage core critical infrastructure operators to 
harden their networks.
                                 ______
                                 
              Questions Submitted by Senator Mike Johanns
                             cyber command
    Question. General Alexander, I would like to ask several questions 
about the potential elevation of Cyber Command to a unified combatant 
command. Last year's National Defense Authorization Act included 
language that instructs DOD to brief Congress on any proposal to 
elevate the command. The language asks for specific information such as 
a clear statement of mission, an outline of national security benefits, 
as well as a cost estimate.
    Has DOD prepared this required information and have you shared it 
with Congress?
    Answer. If the administration were to make such a significant 
change to the Unified Command Plan, it would certainly share the 
details with Congress.
    Question. Do you agree that it would be inappropriate to stand up a 
new unified command without possessing this information and sharing it 
with Congress for review?
    Answer. I believe that Congress should be informed on the analysis, 
decisionmaking factors, and outcome of any changes to the Unified 
Command Plan.
    Question. In particular, what would be the costs associated with 
elevating Cyber Command to a unified combatant command beyond the 
initial establishment of the command--costs specifically related to 
operations?
    Answer. If the decision is made to elevate USCYBERCOM to a unified 
command, it is unknown at this time whether there would be costs beyond 
the initial establishment of the command related to operations. Any 
cost increases or decreases will be dependent upon the responsibilities 
and authorities assigned.
    Question. I have heard some assert that no additional allocation 
would be needed to elevate Cyber Command. Regardless of whether costs 
are absorbed by taking away from other DOD missions or expending newly 
allocated tax dollars, there will be operational expenses. What is 
DOD's estimation of these expenses?
    Answer. If the decision is made for significant changes to the 
Unified Command Plan--such as creating an additional unified command--
there will likely be costs involved. The exact costs and any potential 
effect on the overall DOD budget, however, will be dependent upon a 
variety of implementation factors including assigned responsibilities, 
authorities and manning.
    Question. What do you believe are the advantages and disadvantages 
of dual-hatting an individual as both the commander of a unified 
command and of the National Security Agency?
    Answer. Currently, the dual-hatting of the Director of the National 
Security Agency and the Commander of USCYBERCOM is a strategic 
advantage for the Nation. It has enabled DOD to leverage NSA's 
capabilities needed for the conduct of USCYBERCOM's mission. The 
concept ensures that the most knowledgeable officer on the global 
cryptologic platform maintains superior situational awareness, 
empowering swift and effective decisionmaking associated with national 
intelligence and military objectives.
    Question. In light of the widespread concern about an appropriate 
balance between national security and the privacy rights of American 
citizens, is there wisdom in avoiding giving one person virtually 
unprecedented power as the head of both a unified command and a 
civilian intelligence agency?
    Answer. I do not believe that there is. It is imperative that the 
Commander of USCYBERCOM understand the global cryptologic platform. The 
dual-hat relationship facilitates this knowledge and ensures that the 
Commander can maintain situational awareness and respond when required 
in an extremely high-paced, complex, technical environment--while 
applying to both jobs a single ethos of protecting privacy rights.
    Question. What is the timeline for Secretary Hagel's decision?
    Answer. I do not know if there is a timeline for any decision on 
this topic.
    Question. At one point there was talk that DOD might slip this 
important change into an out-of-cycle adjustment to the Unified Command 
Plan (UCP). Can you assure us this will not be the case?
    Answer. Any final recommendation on changes to the Unified Command 
Plan to the President will be made through the Secretary of Defense.
    Question. Will you commit to us that before a final decision is 
made, Congress will be provided a mission statement, clearly defined 
parameters for combat action, and cost estimate?
    Answer. I am sure that the Secretary of Defense will work with the 
White House to ensure that our oversight committees have the 
information that they need to be comfortable with any decisions 
regarding the status of this command.
                                 ______
                                 
   Questions Submitted to Hon. Rand Beers, Acting Deputy Secretary, 
                    Department of Homeland Security
              Questions Submitted by Senator Patty Murray
    Question. Currently, the development, marketing, sale, and resale 
of software exploits, including attack capabilities, is legal and 
unregulated making it one of the few remaining unregulated weapons 
markets.
    Is it in the United States' interest to allow the open and 
unfettered sale of these exploits and other attack capabilities? What 
steps are currently being taken to protect the United States against 
the proliferation of these capabilities?
    Answer. The Department of Homeland Security (DHS) works closely 
with public and private sector partners to coordinate the discovery and 
responsible disclosure of software vulnerabilities before they can be 
exploited. DHS cybersecurity experts are following the evolution of the 
software vulnerability marketplace, including legitimate ``bug bounty'' 
programs, to ensure that our resources are being applied to address 
gaps in vulnerability discovery and mitigation that industry alone 
cannot correct. DHS's Science and Technology Directorate, through its 
Software Quality Assurance project, is developing technologies to 
improve techniques in software quality assurance tools to better detect 
these types of vulnerabilities in software systems. DHS S&T will offer 
these technologies and improvements through the Software Assurance 
Marketplace (SWAMP), a state-of-the-art facility designed to advance 
our Nation's cybersecurity by providing a collaborative research 
environment to improve software development activities that will 
protect the national cyber and critical infrastructure systems against 
the proliferation of these software vulnerabilities and threats. In 
addition, DHS is working with our international industry and government 
partners to ensure that software and supply chain risks can be 
proactively addressed worldwide.
    Question. The North American Electric Reliability Corporation 
(NERC) has been among the more successful industry solutions to 
ensuring basic levels of cybersecurity across whole sectors of critical 
infrastructure. While its mandatory cybersecurity standards are broadly 
implemented across the bulk power system, NERC's voluntary standards 
are minimally adhered to. Compounding this dynamic is the length of 
time NERC takes to issue new mandatory standards; many of the voluntary 
standards issued since the last ruling are recognized as essential 
cybersecurity measures in the face of today's cyber threats. Given that 
NERC is a leader across the greater realm of critical infrastructure, I 
am concerned with the cyber readiness of other sectors.
    How can Congress facilitate the formulation and adoption of 
acceptable standards within the current regulatory framework and create 
the structures needed to develop these standards in the first place 
within the sectors that lack them?
    Answer. Congress can leverage the consultative process adopted 
during the development of the National Institute of Standards and 
Technology's Cybersecurity Framework called for in section 7 of 
Executive Order (EO) 13636, as well as regulatory agencies' assessments 
of current regulatory frameworks from section 10 of the EO, to assess 
the need for new or updated standards and ensure that such standards 
are flexible and adaptable given evolving technologies and unique risk 
environments. Congress can also work with DHS, Sector-Specific Agencies 
(SSAs), the independent regulatory agencies, and the private sector to 
understand the constraints that limit adoption and to implement 
voluntary or legislative solutions to reduce burdens or increase 
benefits of adoption or compliance. By assessing whether, and how, a 
lack of standards or standard adoption is resulting in sub-optimal 
cybersecurity outcomes, Congress can promote solutions associated with 
a measurable business case, and encourage the adoption of particular 
standards by sector organizations, SSAs, insurers, and other relevant 
bodies. This may also include the promotion of particular incentives, 
such as those identified in the DHS, DOC and Treasury responses to the 
EO 13636/Presidential Policy Directive-21 tasking on incentives 
studies.
                                 ______
                                 
            Questions Submitted by Senator Richard J. Durbin
    cyber executive order--role of the executive order versus cyber 
                              legislation
    Question. President Obama issued Executive Order 13636 in February 
of this year. What is the effect of this Executive order? Is it 
improving your ability to share information with the private sector?
    When he signed the Executive order, President Obama also 
underscored the need for comprehensive cybersecurity legislation, since 
the scope of the Executive order is limited. What are your legislative 
priorities in terms of items you believe should be included in cyber 
legislation?
    We'd like to hear from all the witnesses on this issue.
    Answer. Facing persistent and constantly evolving threats to our 
Nation from cyber attacks that could disrupt our power, water, 
communication and other critical infrastructure, the President issued 
Executive Order (EO) 13636 on Improving Critical Infrastructure 
Cybersecurity and Presidential Policy Directive (PPD) 21 on Critical 
Infrastructure Security and Resilience. These policies reinforce the 
need for a holistic approach to security and risk management.
    Implementation of the EO will drive action toward system and 
network security and resiliency, and will also enhance the efficiency 
and effectiveness of the U.S. Federal Government's work to secure 
critical infrastructure and make it more resilient. Information sharing 
is a critical component of a comprehensive strategy, and section 4 of 
the EO directs the Department of Homeland Security (DHS) to expand its 
reporting and dissemination of cyber threat information, expedite 
security clearances, and expand the use of private sector subject 
matter experts in the Federal Government in order to build and 
strengthen information sharing partnerships.
    Section 4 also directs DHS to expand the Enhanced Cybersecurity 
Services (ECS) program to all critical infrastructure sectors.
    The ECS program coordinates the protection, prevention, mitigation, 
and recovery from cyber incidents through information sharing 
initiatives with business owners and operators to strengthen their 
facilities and communities. ECS is a voluntary information sharing 
program that assists critical infrastructure owners and operators as 
they improve the protection of their systems from unauthorized access, 
exploitation, or data exfiltration. DHS works with cybersecurity 
organizations from across the Federal Government to gain access to a 
broad range of sensitive and classified cyber threat information. DHS 
develops indicators based on this information and shares them with 
qualified Commercial Service Providers (CSP), thus enabling them to 
better protect their customers who are critical infrastructure 
entities.
    ECS augments, but does not replace, an entity's existing 
cybersecurity capabilities. It does not involve any Federal Government 
monitoring of private networks or communications, and information 
relating to threats and malware activities detected by the CSPs is not 
directly shared between the critical infrastructure CSP customers and 
the Federal Government. Any information shared by a CSP customer is 
done so voluntarily, in an anonymized fashion. As directed in EO 13636, 
the ECS program is available to each of the 16 critical sectors.
    Although this EO will help to bolster the Nation's cyber defenses, 
it does not eliminate the urgent need for legislation in these and 
other areas of cybersecurity. The administration's legislative 
priorities for the 113th Congress build upon the President's 2011 
Cybersecurity Legislative Proposal and take into account 2 years of 
public and congressional discourse about how best to improve the 
Nation's cybersecurity.
    The administration believes that legislation should:
    1. Facilitate cybersecurity information sharing between the 
Government and the private sector, as well as among private sector 
companies, while protecting privacy and civil liberties, reinforcing 
the appropriate roles of civilian and intelligence agencies, and 
including targeted liability protections;
    2. Incentivize the adoption of best practices and standards for 
critical infrastructure by complementing the process set forth under 
the EO;
    3. Give law enforcement the tools to fight crime in the digital 
age;
    4. Update Federal agency network security laws, and codify DHS's 
cybersecurity responsibilities;
    5. Create a National Data Breach Reporting requirement that 
includes notification to law enforcement personnel.
    Privacy and civil liberties safeguards must be a core component of 
each of these legislative areas.
     cyber executive order--protecting privacy and civil liberties
    Question. The Executive order requires Federal agencies to develop 
cybersecurity efforts in accordance with the Fair Information Practice 
Principles, as well as other policies, principles, and frameworks to 
protect privacy and civil liberties. I worked with a number of other 
Senators to ensure that the Cybersecurity Act of 2012 included 
provisions to protect privacy and civil liberties.
    What specific steps can government agencies take to ensure that 
privacy and civil liberties are protected as we enhance our Nation's 
cybersecurity?
    Answer. The Department believes that protecting privacy and civil 
liberties requires attention in all phases of cybersecurity activities. 
In addition to following the Fair Information Practice Principles and 
any applicable laws or other frameworks that protect individual rights, 
agencies can do the following to ensure that privacy and civil 
liberties are protected as we enhance our Nation's cybersecurity:
    1. Proactively engage with program managers and staff to identify 
cybersecurity activities;
    2. Identify any potential privacy or individual rights concerns 
associated with those activities;
    3. Implement proactive privacy and civil liberties protections
    4. Assess activities in a way to minimize risks to privacy and 
individual rights;
    5. Develop policies and procedures to mitigate any remaining risks 
to individual rights.
    The Department recognizes that the involvement of the privacy and 
civil rights and civil liberties advocacy community is helpful both for 
purposes of establishing an advisory relationship and for building 
robust oversight into security processes. For EO and PPD 
implementation, DHS hosted five sessions with these communities to 
educate them on the Department actions for critical infrastructure 
security and resilience and to solicit their expert guidance as 
programs are put into place.
    Privacy is an integral component of the DHS cyber mission. Within 
the Office of Cybersecurity and Communications (CS&C), the ECS program 
and the National Cybersecurity Protection System (NCPS), or EINSTEIN, 
are good examples of how DHS builds privacy and civil liberties 
protections into cyber activities. DHS conducted both classified and 
unclassified Privacy Impact Assessments (PIA) for both programs, to 
fully assess the privacy protections in place. These PIAs provide a 
comprehensive understanding of the CS&C cybersecurity programs, further 
increasing transparency. The DHS Office for Civil Rights and Civil 
Liberties has also provided advice to both ECS and EINSTEIN program 
leadership since the inception of the programs to ensure that 
appropriate protections are built in. The Office has also provided 
civil liberties training to the U.S. Computer Emergency Readiness Team 
(US-CERT) personnel, articulating principles for operators to ensure 
the protection of individual rights.
    Specifically, the ECS program exemplifies how the Department is 
working to build cybersecurity partnerships based off of transparency 
and privacy protections. ECS is a voluntary information sharing program 
through which the Federal Government provides sensitive and classified 
cyber threat indicators to Commercial Service Providers (CSP), enabling 
them to augment the cybersecurity services available to critical 
infrastructure entities. ECS does not monitor private networks or 
communications. While CSPs may provide anonymized, aggregated 
information about encountered threats, this high-level information is 
strictly used to ascertain the effectiveness of information sharing and 
to help DHS better respond to critical infrastructure's needs.
    Additionally, DHS conducts quarterly reviews of indicators and 
signatures and has conducted an overall Privacy Compliance Review of 
the EINSTEIN program. We also work to ensure that NPPD collects only 
the data necessary to support computer network defense activities. 
Standard operating procedures ensure that we minimize data collection 
to only the information that we determine is analytically relevant to 
pre-defined known or suspected cyber threats.
    This commitment to the protection of privacy and civil liberties in 
DHS cybersecurity activities is longstanding. As part of the Cyberspace 
Policy Review conducted by the administration in 2009, the Department 
met with privacy and civil liberties advocates and academics (at a Top 
Secret/Sensitive Compartmented Information [TS/SCI] level) to discuss 
the Advanced Persistent Threat landscape and the Federal Government 
response. That meeting led to the creation of a subcommittee of DHS's 
Data Privacy and Integrity Advisory Committee (DPIAC), which is briefed 
regularly at the TS/SCI level. Last year, the DPIAC subcommittee 
produced a report that sets forth recommendations for DHS to consider 
when evaluating the effectiveness of cybersecurity pilots and for 
specific privacy protections for DHS to consider when sharing 
information from a cybersecurity pilot with other agencies.
                                 ______
                                 
            Questions Submitted by Senator Mary L. Landrieu
               cybersecurity role for the national guard
    Question. On June 13, 2013, the day of the Appropriations Committee 
hearing entitled ``Cybersecurity: Preparing for and Responding to the 
Enduring Threat'', the Committee received a report from the Department 
of Homeland Security (DHS) and Department of Defense (DOD) which was 
due to Congress on May 1, 2012 as prescribed in the joint explanatory 
statement accompanying the fiscal year 2012 DHS Appropriations Act 
(Public Law 112-74). The purpose of the report was to outline the 
capabilities of a coordinated response to a cyber attack by DHS and the 
National Guard and how critical relationships can be established across 
the agencies to fulfill cybersecurity responsibilities. The information 
provided, which was submitted separately by the two agencies, outlines 
on a high-level, the programs DHS and DOD (as a whole) are maintaining 
for a response. Unfortunately, the report falls short of providing 
Congress an understanding of the DHS and National Guard's capacity to 
respond to a cyber attack jointly. In order for Congress to better 
understand the gap between capacity and need, a sense of scope is 
required.
    How many National Guard cybersecurity personnel currently exist, 
and where? Are they employed in teams or individually? If they are 
employed in teams, how many teams are there and where are they located?
    As DOD and DHS are building the capacity the Federal Government 
needs to protect against and respond to a cyber attack: what specific 
role is being considered for the National Guard; and how is the Guard's 
ability to switch between title 32 authorities and title 10 authorities 
being taken into consideration?
    Is there a cost savings associated with utilizing the National 
Guard based on current training? How much?
    Are there skills identified within the National Guard that cut down 
the time needed to train a cyber airman or soldier to be able to 
respond to a cyber attack?
    Answer. Successful response to dynamic cyber threats requires 
leveraging homeland security, law enforcement, and military authorities 
and capabilities, which respectively promote domestic preparedness, 
criminal deterrence and investigation, and national defense. DHS, the 
Department of Justice (DOJ), and the Department of Defense (DOD) each 
play a key role in responding to cybersecurity incidents that pose a 
risk to the United States. While each agency operates within the 
parameters of its authorities, the U.S. Government's response to cyber 
incidents of consequence is coordinated among these three agencies such 
that ``a call to one is a call to all.'' Synchronization among DHS, 
DOJ, and DOD not only ensures that whole-of-government capabilities are 
brought to bear against cyber threats, but also improves the Federal 
Government's ability to share timely and actionable cybersecurity 
information among a variety of partners, including the private sector. 
In terms of specific National Guard activities, DHS defers to DOD.
                         cyber test beds/ranges
    Question. General Alexander testified that the services, 
departments, and agencies need to work together to ensure that they 
have adequate test bed and range space to safely organize, train, and 
equip the cyber warriors, operators, managers, researchers, and agents 
across the Federal Government.
    What are the specific requirements that your departments and their 
various agencies have for test bed and range space? What specific 
outcome will those established requirements render in trained personnel 
and tactics?
    Answer. The Department has a variety of requirements for test beds 
and range space, which DHS uses for internal employee training 
exercises, broader cybersecurity training for owners and operators 
within each of the 16 critical infrastructure sectors, and joint cyber 
exercises with partners. DHS likewise has longstanding requirements for 
a research-focused test bed that allows for the realistic and at-scale 
evaluation of innovative defensive technologies.
    Improving cybersecurity is a global challenge and, as a critical 
piece of research infrastructure, the test bed needs to be accessible 
to international researchers. The Experimental Research Testbed project 
(formerly the Cyber Defense Technology Experiment Research Testbed 
Program or DETER) began in 2004 as a joint effort between the DHS 
Science and Technology Directorate (S&T) and the National Science 
Foundation (NSF) to address the need to research and understand new 
cybersecurity risks and threats in a safe environment. This 
international access requires that the test bed operate without 
classification restrictions or technology restricted by International 
Traffic in Arms Regulations (ITAR). The test bed must be securely 
accessible over the Internet so as to not require international 
researchers to have to travel to the physical location of the test bed. 
Additionally, since DHS S&T is focused on not only operating a research 
test bed, but also on conducting research to advance state-of-the-art 
test bed technology, it is critical that the software utilized is 
available as Open Source. Put simply, the availability of Open Source 
software allows researchers to transition technology advances to 
additional facilities. The software used in the test bed has been 
transitioned to four other facilities and is in the process of being 
deployed internationally. Test beds at those additional facilities can 
be connected together through ``federation'' techniques and experiments 
spanning multiple facilities can be conducted accordingly. This 
federation allows for greater capacity and access to unique resources, 
such as the power system test bed at the University of Illinois--Urbana 
Champaign.
    Other agencies use the Experimental Research Testbed as a platform 
to develop and evaluate defensive mechanisms against cyber attacks on 
infrastructure. For example, the Defense Advanced Research Projects 
Agency (DARPA) currently uses the test bed as a consolidated evaluation 
platform for one of its programs--a leveraging of resources that saves 
DARPA the time and expense of constructing individual test beds for its 
six participants. In return, DARPA has provided both hardware and 
upgrades to the Experimental Research Testbed project.
    Question. What is the current test bed and range capacity available 
to each of your departments? What is the wait time or backlog based on 
the access you currently have?
    Answer. Currently, the Experimental Research Testbed has more than 
3,500 active users from 29 different countries and is comprised of 
nearly 700 PC-based nodes spread between California and Virginia. It is 
a shared resource capable of running hundreds of concurrent 
experiments. The capacity of the test bed is enhanced by state-of-the-
art virtualization techniques that intelligently assign resources to 
different components of an experiment based upon the level of fidelity 
needed. This capability is under active development and is allowing the 
test bed's capacity to continually grow without requiring additional 
hardware.
    For smaller scale experiments, there is generally no wait time for 
researchers. For larger experiments that require the dedication of a 
large portion of the test bed, researchers may be required to wait 
several days until enough resources can be dedicated. The test bed is 
also used as a learning environment by over 70 college and university 
classes per semester. Test bed access therefore can become constrained 
during finals when large numbers of students attempt to access it to 
finish assignments.
    Question. Have you identified additional test bed or range space 
that you would like to acquire, use, or lease?
    Answer. DHS S&T is collaborating with NSF to conduct a 
comprehensive study across the cybersecurity research landscape to 
determine future requirements. This study is expected to be completed 
in mid-fiscal year 2014 and will be used to identify what additional 
test bed capabilities and capacity are required.
    Question. What are the fiscal years 2013 and 2014 funding levels 
for testing and training space?
    Answer. DHS S&T will be funding the Experimental Research Testbed 
project at $4.8 million in fiscal year 2013, and plans to fund it at 
$4.8 million in fiscal year 2014.
    Question. What percentage of your required testing and training 
needs will you be able to meet in fiscal years 2013 and 2014?
    Answer. DHS S&T's Experimental Research Testbed project currently 
fulfills the identified test bed requirements for cybersecurity 
research. The capabilities and capacity of the test bed will continue 
to improve in order to better address advancing threats and 
increasingly complex research challenges.
           role of the secret service in cyber investigations
    Question. On March 13, 2013, Jenny A. Durkan, United States 
Attorney, Western District of Washington, testified before the House of 
Representatives Committee on Judiciary, Subcommittee on Crime, 
Terrorism, Homeland Security, and Investigations, discussing 
``Investigating and Prosecuting 21st Century Cyber Threats.'' In her 
testimony she highlighted eight significant cyber investigations, four 
of which were Secret Service cases, a component of DHS.
    We hear much about DHS's role in the securing of cyber space; what 
is DHS's role in investigating cyber crimes targeting our financial 
infrastructure?
    Answer. DHS's law enforcement components are essential to securing 
the Nation from cyber criminals and cyber attacks. Investigating, 
arresting, and supporting the successful prosecution of criminal cyber 
actors is a critical element of the Department's strategy to safeguard 
and secure cyberspace. Effective investigations identify and lead to 
the arrest of the individuals and groups behind cyber attacks and 
otherwise disrupt the criminals responsible for such attacks. During 
the course of their investigations, DHS law enforcement components also 
develop criminal intelligence that can provide public and private 
sector entities with the knowledge and tools necessary to detect and 
disrupt future attacks.
    Industry representatives such as Symantec estimate that cyber crime 
costs the U.S. taxpayer more than $110 billion annually.\1\ While 
public discourse tends to center on the potential for national-level 
cyber attacks, cyber crime in the aggregate does serious damage to our 
Nation every day, and fighting cyber crime is an important part of 
keeping our Nation safe and our economy strong. DHS, through the 
investigative authority of the U.S. Secret Service, is focused on 
protecting the Nation's financial system from exploitation by cyber 
criminals. The U.S. Secret Service has adapted its investigative 
techniques over the years to address the emerging trends of cyber 
criminals. For example, since passage of the Comprehensive Crime 
Control Act of 1984, the U.S. Secret Service has arrested over 30,644 
individuals for cybercrime violations with an attributed fraud loss of 
over $2.7 billion and potential fraud loss of over $33 billion.
---------------------------------------------------------------------------
    \1\ Norton 2012 Cybercrime Report: http://www.norton.com/
2012cybercrimereport 
Ponemon Cost of Cybercrime (if extrapolated): http://www8.hp.com/us/en/
hp-news/press-release.html?id=1303754
---------------------------------------------------------------------------
    In 2001, Congress likewise recognized the U.S. Secret Service for 
its expertise in preventing, detecting, and investigating potential 
attacks against critical infrastructure and financial payment systems 
and directed the agency to develop a national network of Electronic 
Crimes Task Forces based on the successful model of the New York 
Electronic Crimes Task Force. Today, the U.S. Secret Service operates 
31 domestic and international Electronic Crimes Task Forces that merge 
the skills and knowledge of representatives from Federal, State, local, 
private industry, and academic partners in furtherance of protecting 
the Nation's critical infrastructure and financial payment systems from 
cyber crime. In fiscal year 2012, the U.S. Secret Service arrested 
1,378 individuals for cyber crime violations responsible for over $355 
million in fraud losses and over $1.2 billion in potential losses. 
These investigations culminated with the Department of Justice 
attaining a 99.6-percent conviction rate for these cases.
    We also work with a variety of international partners to combat 
cybercrime. For example, through the U.S.-EU Working Group on 
Cybersecurity and Cybercrime, which was established in 2010, we develop 
collaborative approaches to a wide range of cybersecurity and 
cybercrime issues. In 2011, DHS participated in the Cyber Atlantic 
tabletop exercise, a U.S.-EU effort to enhance international 
collaboration of incident management and response, and in 2012, DHS and 
the EU signed a joint statement that advances transatlantic efforts to 
enhance online safety for children. U.S. Immigration and Customs 
Enforcement (ICE) also works with international partners to seize and 
destroy counterfeit goods and disrupt Web sites that sell these goods. 
Since 2010, ICE and its partners have seized over 2,000 domain names 
associated with businesses selling counterfeit goods over the Internet. 
To further these efforts, the administration issued its Strategy on 
Mitigating the Theft of U.S. Trade Secrets last month. DHS will act 
vigorously to support the Strategy's efforts to combat the theft of 
U.S. trade secrets--especially in cases where trade secrets are 
targeted through illicit cyber activity by criminal hackers.
    In addition, since opening in May of 2008, the National Computer 
Forensics Institute (NCFI) has held over 90 Cyber and Digital Forensics 
courses in 13 separate subjects. The NCFI has trained more than 2,000 
State and local investigators, prosecutors, and judges. This 
institution serves as the Nation's only center dedicated to instructing 
State and local law enforcement in digital forensics and equips 
graduates to conduct network intrusion and electronic crimes 
investigations. Several hundred prosecutors and judges, as well as 
representatives from the private sector, have also received training on 
the impact of network intrusion incident response, electronic crimes 
investigations, and computer forensics examinations.
    DHS is committed to working with its partners across government and 
the private sector to protect the Nation's critical financial 
infrastructure from cyber attack. To achieve this goal, DHS will bring 
to bear the tremendous investigative resources of its law enforcement 
components against those who attempt to do us harm.
    Question. Would you characterize the recent $45 million ATM scheme, 
investigated by the Secret Service among others, as representative of a 
trend in global cybercrime?
    Answer. The facts relayed in the recently unsealed indictments 
against eight of the individuals involved in the theft of over $45 
million from various ATMs in New York City are an example of the highly 
sophisticated, organized, transnational cyber-criminal activity 
impacting the Nation's financial system. This case is just one example 
of a number of recently ``unlimited cash-out'' operations conducted in 
a highly coordinated fashion by transnational networks of cyber 
criminals.
    The ATM case demonstrates, as numerous cybersecurity experts have 
confirmed in testimony before congressional committees, that the 
majority of network intrusions are carried out by criminal actors whose 
sole motivation is financial gain. The suspects distributed the stolen 
data to organized crews of street criminals in more than 20 countries 
who then encoded the information on magnetic-stripe plastic cards. 
While this particular case was conducted by a transnational network of 
highly technical hackers, other U.S. Secret Service investigations have 
demonstrated that many financial intrusions are successfully executed 
against networks because of weak or stolen credentials. DHS is 
committed to not only reducing this threat through effective 
investigations, but also working with financial institutions through 
the Financial Services Information Sharing and Analysis Center to help 
them better secure their computer systems.
    Question. What additional resources might be needed by the 
investigative arms of DHS to properly combat this type of fraud?
    Answer. Investigating cybercrime requires highly trained and 
experienced criminal investigators. ICE and the U.S. Secret Service are 
expanding participation in the existing Electronic Crimes Task Forces 
(ECTF), which will strengthen the Department's cybercrimes 
investigative capabilities and realize efficiencies in the procurement 
of computer forensic hardware, software licensing, and training. The 
U.S. Secret Service-led ECTF model has been in existence for over 20 
years. Hiring and training additional law enforcement investigators in 
the U.S. Secret Service would enhance the Department's capacity to 
respond to and investigate cybercrime directed at the Nation's 
financial infrastructure. Additional resources would also allow DHS to 
increase the capacity of the Secret Service's network of ECTFs and 
further develop its international cyber investigative working groups to 
respond to transnational threats to critical infrastructure.
    Improving cybersecurity requires public-private partnerships, and 
the vast scope of cybercrime directed at the United States means that 
our partners at the State, local, and tribal governmental levels are 
vital to the national effort. In order to develop State and local 
capacity to investigate cybercrimes, the U.S. Secret Service operates 
the NCFI in Hoover, Alabama. This facility is the Nation's only 
federally funded training center dedicated to instructing State and 
local law enforcement officials about the complexities associated with 
cybercrime investigations. The NCFI is capable of training over 2,000 
State and local police investigators, prosecutors and judges in 
cybercrime investigations every year. Since 2008, the NCFI has been 
funded annually at $4 million. The current level of funding, for 
example, allowed NCFI to train and equip over 600 police investigators, 
prosecutors and judges in 2012. These officials have come from all 50 
States and three U.S. territories.
    Cyber criminals often operate outside the borders of the United 
States, and related investigations accordingly require extensive 
cooperation with international law enforcement agencies. Additionally, 
law enforcement agencies have long recognized that the most critical 
capability for transnational organized crime is to quickly and quietly 
move large quantities of money across borders. The anonymity of 
cyberspace affords a unique opportunity for criminal organizations to 
launder huge sums of money undetected. The cyber crime investigations 
of the U.S. Secret Service depend heavily on developing and maintaining 
effective international law enforcement partnerships. The Department of 
State and the Department of Justice are critical partners in developing 
these international relationships and in the execution of international 
law enforcement action through multilateral assistance treaties. 
Funding to support the international investigations of DHS law 
enforcement components, training for its international law enforcement 
foreign partners, and associated investigative travel costs would 
enhance DHS's investigative capabilities.
    Question. What will be the impact of the dismantling of Liberty 
Reserve and their digital currency system by the Secret Service, its 
Electronic Crimes Task Forces, Immigration and Custom Enforcement 
investigators, and the IRS on illegal cyber money laundering 
operations?
    Answer. Over the course of its 7-year existence, Liberty Reserve 
emerged as the principal means by which cyber criminals around the 
world distributed, stored, and laundered the proceeds of illegal 
activity. Liberty Reserve facilitated a broad range of online criminal 
activity, including narcotics trafficking, child pornography, computer 
hacking, investment fraud, credit card fraud, and identity theft. 
Annually, Liberty Reserve processed more than 12 million financial 
transactions with a combined value of $1.4 billion. Since its founding 
in 2006, Liberty Reserve processed an estimated 55 million separate 
financial transactions and is believed to have laundered more than $6 
billion in criminal proceeds.
    The dismantling of Liberty Reserve by the U.S. Secret Service and 
its partners in the Global Illicit Financial Team--IRS-CI and ICE-
Homeland Security Investigations (HSI)--significantly impacted the 
cyber criminal community, forcing cyber criminals to seek alternative 
means to fund their illicit activities.
     role of dhs in capability building for law enforcement cyber 
                             investigations
    Question. We are seeing more examples of cyber threats being 
encountered and responded to by State and local law enforcement 
officials. In many instances, however, these officials do not have the 
appropriate type of training to fully understand what they are 
investigating may go beyond the incident they have encountered.
    Is DHS involved in developing the cyber law enforcement 
capabilities of State, local, and tribal entities for investigating 
these types of cyber crimes?
    Is this an appropriate role for DHS agencies to fulfill?
    Answer. DHS has a well-established role in developing and 
supporting State, local, tribal, and territorial (SLTT) capabilities. 
Included are the efforts of numerous components to develop SLTT 
capabilities and operational relationships to effectively investigate 
cyber crime. For example, the first U.S. Secret Service ECTF that was 
established in 1995 boosted cyber law enforcement capabilities in 
coordination with State and local authorities. Since 2001, when 
Congress directed that a nationwide network of ECTFs be established, 
the U.S. Secret Service has worked in partnership with SLTT 
authorities, the private sector, and academia to develop cyber 
capabilities for the common purpose of preventing, detecting, and 
investigating various forms of electronic crimes, including potential 
terrorist attacks against critical infrastructure and financial payment 
systems.
    In partnership with the State of Alabama, the Secret Service 
established the NCFI in Hoover, Alabama, for the purposes of training 
SLTT law enforcement officials on cyber law enforcement methods and 
techniques. Since opening in 2008, the NCFI has trained over 2,000 
State and police investigators, prosecutors, and judges in cybercrime 
investigations. These officials have come from all 50 States and three 
U.S. territories. The investigators trained by the NCFI are nominated 
by local Secret Service field offices where they can apply their skills 
as members of the ECTFs.
    When it opened in 2008, the NCFI offered instruction in one of five 
cyber investigation curriculums. As of 2013, the NCFI offers 13 
separate curriculums designed to address developing cyber trends. For 
example, the NCFI worked last year with DHS to develop cyber analytical 
training for State and local law enforcement members staffing the cyber 
intelligence fusion centers throughout the Nation. An intra-agency 
agreement between the Federal Emergency Management Agency and the 
Secret Service will allow the NCFI to fund three more cyber analyst 
courses for fusion center members this year. Additionally, in August 
2012, the NCFI partnered with the Federal Bureau of Investigation to 
conduct two NCFI training courses to State and local law enforcement 
officials assigned to the FBI's National Domestic Communications 
Assistance Centers. Currently, the NCFI operates at 25 percent of its 
capacity on a $4 million annual budget. Additionally, the NCFI through 
its curriculum established a national standard of training in 
cybercrime investigations, network intrusion response, computer 
forensics, and electronic crime prosecution.
    ICE-HSI has a workforce that is well-trained to deal with 
cybercrime. HSI has several hundred special agents that routinely deal 
with cyber crime, and we operate ICE's Cyber Crime Center, or C3, and 
routinely provide investigative expertise and assistance to State, 
local, and tribal entities when consulted for assistance concerning 
transnational cyber crime. These efforts are an appropriate role for 
HSI to fill and to ensure that transnational criminal organizations are 
fully identified and dismantled via successful prosecutions.
                                 ______
                                 
                Questions Submitted by Senator Tom Udall
        role of national laboratories in promoting cybersecurity
    Question. Secretary Beers, our National Labs--which are the crown 
jewels of our Nation's research system--are active in efforts to 
promote cybersecurity.
    In my home State of New Mexico, Sandia National Laboratories is 
engaged in efforts to secure the national electrical grid from cyber 
attack. Los Alamos National Laboratories is a leader in quantum 
cryptography.
    Sandia also has partnerships with universities and the private 
sector. They're helping computer science students become cyber 
professionals.
    Could you discuss what role our National Labs should have in 
protecting our Nation from cyber attack?
    Answer. The National Labs are essential for providing enduring and 
multi-disciplinary research and development capabilities to help solve 
complex national security problems, including cyber-related problems. 
Among other things, the Labs provide unique facilities and 
infrastructure in support of talented subject matter experts who work 
to develop technologies and other solutions that help the Nation 
protect against and recover from cyber attacks. The S&T Cyber Security 
Division (CSD) has had great success in working with the Labs on 
several key cybersecurity initiatives. For example:
  --S&T CSD has frequently worked with Sandia National Labs to red-team 
        developed cybersecurity solutions.
  --The Pacific Northwest and Oak Ridge National Labs currently serve 
        as principal investigator researchers for a number of S&T CSD's 
        research and development contracts.
  --The S&T CSD Transition to Practice Program is currently working 
        with multiple National Labs (Sandia, Los Alamos, Lawrence 
        Livermore, Oak Ridge, and Pacific Northwest) to transition 
        numerous developed cybersecurity technologies into the 
        government and private sectors.
    NPPD also works with DHS S&T to ensure that cybersecurity research 
and development efforts are fully coordinated with ongoing programmatic 
requirements. With Pacific Northwest and Sandia National Labs, the 
Deputy Assistant Secretary for Cybersecurity Coordination participates 
in external review boards to review and shape research conducted at 
these Labs and to gain insight into research areas that may meet NPPD 
and S&T requirements in cybersecurity. S&T and the Homeland Security 
Enterprise should continue to leverage the strengths of the National 
Labs in cybersecurity to help respond to and mitigate the threats from 
cyber attacks.
    In addition, the National Labs provide advanced modeling, 
simulation and analysis, and cyber training. This includes work with 
the National Infrastructure Simulation and Analysis Center, a joint 
partnership with Sandia and Los Alamos to identify and address 
potential impacts to the sectors from possible cyber-related incidents 
and consequence analysis with the DHS NPPD Homeland Infrastructure 
Threat and Risk Analysis Center (HITRAC). HITRAC also works on 
ascertaining impacts from cyber manipulation of industrial control 
systems including leveraging the expertise of Idaho National Labs as a 
partner. This analysis can inform partners, policymakers, and homeland 
security professionals about the potential consequences of a cyber-
related incident and sector resilience to such events.
               mobile phones and cybersecurity awareness
    Question. Secretary Beers, this year, there will be more mobile 
phones than people on the planet. Today, our wireless devices are not 
just phones, but pocket computers. We use them for sensitive 
transactions, including mobile banking and online purchases.
    But GAO recently found that cyber threats are increasing for mobile 
devices and the information they store. GAO recommended that DHS and 
NIST work together to ``establish a baseline measure of consumer 
awareness . . . related to mobile security.'' GAO also recommends the 
development of performance measures that use the baseline to assess the 
effectiveness of initiatives to educate the public about cybersecurity.
    Could you share any thoughts on how best to raise public awareness 
for cyber security threats to mobile devices?
    Answer. Public awareness is best developed in partnership with the 
mobile device communications service providers, which have a financial 
interest in the quality of their service. Part of that quality of 
service would include ensuring proper protection of their customers' 
mobile devices. Increased awareness and the capabilities sought can be 
developed through thoughtful engagement with standing advisory groups 
such as the National Security Telecommunications Advisory Committee.
    Part of the engagement might focus on consumer and supplier 
adoption of the update practices similar to those used to protect 
desktop systems. Anti-malware protection and timely updates of 
applications and operating systems is just as important for mobile 
devices (phones and tablets) as for desktop computers. The same is true 
for other networked devices like multifunction printers that themselves 
host sophisticated operating systems and applications.
    Mobile banking and third-party payment systems continue to increase 
in popularity due to the efficiencies they provide to the consumer and 
financial institutions. This has resulted in cybersecurity challenges 
that merit attention. As part of DHS's responsibilities to secure key 
conveyances in the global economy and the U.S. Secret Service's role to 
protect the financial system from criminal exploitation, the Department 
works closely with its partners across government and in the private 
sector to not only raise awareness of these risks, but establish 
effective ways to mitigate these growing risks. Recently the Federal 
Deposit Insurance Corporation (FDIC) published information about the 
current landscape of mobile banking. As a starting point for financial 
institutions seeking to adopt mobile banking services, the FDIC 
references risk management strategies outlined in the Federal Financial 
Institutions Examination Council IT Examination Handbook. That 
handbook, however, does not discuss mobile devices specifically. The 
FDIC's statements instead relate to mobile banking and not necessarily 
mobile payment systems.
    While there accordingly may be some good cybersecurity work being 
done on the mobile banking side, the consumer likely does not make a 
distinction and may assume the same level of cybersecurity attaches 
whether they use mobile banking or mobile payment systems. For example, 
most users connect their mobile payment systems, such as PayPal, 
directly to their checking accounts or other bank accounts. Disparate 
levels of cybersecurity between the two could result in a systemic 
security risk, where a compromise to one (mobile payment systems) has 
the potential for causing loss in both. In essence, both become a 
single system with shared, lowest-denominator, vulnerability. More 
broadly, current third-party application security is primarily based on 
device/operating system policies regarding application signing and 
privileges. Unfortunately, the devices must rely on transmission 
protocols (like SMS) that were not designed with security in mind. For 
example, the U.S. Secret Service Cell Phone Forensic Facility at the 
University of Tulsa is working to show how SMS payment systems can be 
attacked using simple and widely available wireless devices. Further 
research is needed to assess all attack vectors to determine what 
further mitigation is necessary.
    The Federal Government can raise public awareness about mobile 
device cyber risk by continuing to support fundamental research to 
identify vulnerabilities and to develop effective mitigation and 
protection measures. Both the U.S. Secret Service's Cell Phone 
Forensics Facility at the University of Tulsa and its ongoing 
partnership with Carnegie Mellon CERT serve as outstanding examples of 
how the Federal Government can effectively partner with academia for 
this purpose. S&T has launched a research program to improve the 
security of mobile devices and enable better detection of malicious 
applications. These research efforts not only serve to raise awareness 
of these sorts of vulnerabilities, but also to develop effective 
mitigation and protection measures.
    Question. What is the proper role for government and industry to 
promote best practices for both companies and consumers?
    Answer. Government and industry are well positioned to 
collaboratively promote best practices for companies and consumers. 
Government can measure awareness across a large consumer base and use 
this baseline measure to further assess its performance as it employs 
public cybersecurity awareness initiatives, such as the 
Stop.Think.Connect.TM campaign. In addition, as the 
developer, producer, and consumer of mobile device products, industry 
has an invaluable sense of which security practices are effective. 
Government can convene and organize collaborative processes that ensure 
the best practices from within Government and from across industry are 
brought together and made available to wide range of consumers, both 
technical and nontechnical. Where appropriate, Government can build 
these best practices into its outreach and awareness efforts.
    Among its activities, DHS provides and promotes a trusted 
environment for exchange of information between industry mobile device 
communications service providers, manufacturers, and Government in 
order to identify and develop consensus on best practices in mitigating 
the ongoing emerging cyber threats being deployed to exploit privacy of 
their mobile devices. The best practices are pushed to the public 
through industry partners and Government outreach.
    Currently, DHS promotes cybersecurity and resilience via enhanced 
processes and diagnostics in partnership with industry and academia. 
DHS enables public-private collaboration focused on reducing 
exploitable software weaknesses and addressing means to improve 
capabilities that routinely develop, acquire, and deploy resilient 
information technology (IT) products. Among its activities, DHS:
  --Enables partners and citizens to secure their part of cyberspace by 
        providing public-private collaboration in advancing security 
        and resilience of IT throughout the lifecycle;
  --Focuses on reducing exploitable weaknesses and addressing means to 
        improve capabilities that routinely develop, acquire, and 
        deploy resilient products;
  --Enables security automation and measurement through the use of 
        common indexing, reporting and scoring capabilities for 
        malware, exploitable software weaknesses, counterfeit and 
        tainted hardware, and common attacks on IT assets.
                                 ______
                                 
              Questions Submitted by Senator Thad Cochran
    Question. All witnesses, we have heard about the importance of 
cooperation and clearly defined lanes responsibility across the Federal 
Government for our cybersecurity efforts. What are your respective 
roles in receiving and sharing threat information with the private 
sector?
    Answer. The success of DHS's cyber mission relies heavily on the 
response to dynamic cyber threats through the leveraging of homeland 
security, law enforcement, and military authorities and capabilities, 
which respectively promote domestic preparedness, criminal deterrence 
and investigation, and national defense. DHS, the Department of Justice 
(DOJ), and the Department of Defense (DOD) each play a key role in 
responding to cybersecurity incidents that pose a risk to the United 
States. While each agency operates within the parameters of its 
authorities, the Federal Government's response to cyber incidents of 
consequence is coordinated among these three agencies such that ``a 
call to one is a call to all.'' Synchronization among DHS, DOJ, and DOD 
not only ensures that whole-of-government capabilities are brought to 
bear against cyber threats, but also improves the Federal Government's 
ability to share timely and actionable cybersecurity information among 
a variety of partners, including the private sector.
    For its part, the DHS cyber mission relies on its ability to 
establish shared situational awareness of potentially harmful activity, 
events, or incidents across multiple constituencies to improve the 
ability of diverse and distributed partners to protect themselves. To 
do this, the DHS National Cybersecurity and Communications Integration 
Center (NCCIC) incorporates information and data received through its 
own analysis, Intelligence Community, and law enforcement reporting, 
along with data shared by private sector and international partners 
into a comprehensive series of actionable information products, which 
are shared with partners in easy to digest machine-readable formats.
    Multidirectional sharing of alerts, warnings, analysis products, 
and mitigation recommendations among Federal, State, local, tribal, and 
territorial governments, private sector, information sharing and 
analysis centers, and international partners is a key element of the 
NCCIC's cyber and communications protection and prevention framework. 
The NCCIC continuously works with a broad range of partners to explore 
and innovate new ways to enhance information sharing and move closer to 
network speed communications.
    In order to meet DHS's public-private cybersecurity data sharing 
and analytical collaboration mission, the Department has developed a 
critical infrastructure Cyber Information Sharing and Collaboration 
Program (CISCP) and the Enhanced Cybersecurity Services (ECS) program. 
The CISCP program mission is to improve the defensive posture of DHS's 
critical infrastructure partners by:
  --Sharing a view of current threats and vulnerabilities affecting 
        both critical infrastructure and Federal Government sources 
        among Federal Government and industry cybersecurity analysts.
  --Aligning those analysts in collaborative engagements regarding 
        cyber threat detection, prevention, mitigation, and response 
        efforts to reduce risks to critical infrastructure information 
        technology and communications networks, systems, and data.
    The goal of the CISCP program is an effective information sharing 
framework among the Federal Government, Information Sharing and 
Analysis Centers and related organizations, information and 
communications technology service providers, and their respective 
critical infrastructure owner/operator members and customers.
    Within the CISCP program, Federal Government and industry partners 
contribute threat data, adding to the volume of information currently 
available for analysis by the DHS CISCP analytical team. Because the 
act of providing threat or attack data may harm competitive or other 
commercial interests of DHS's industry partners, significant steps are 
taken by the CISCP Team to both conceal the source of data provided and 
to protect Protected Critical Infrastructure Information (PCII). First, 
all data is anonymized so that analysis of submitted data is not 
carried out or based upon the identity of the submitter absent their 
express authorization. The CISCP program data is governed using the 
Traffic Light Protocol (TLP), which is a set of designations used to 
ensure that sensitive information is shared with the correct audience. 
It employs four data-sharing categories (red, amber, green, and white) 
to indicate different degrees of sensitivity and the corresponding 
sharing considerations to be applied by the recipients. Regular 
analyst-to-analyst technical threat exchanges (both classified and 
unclassified) involving Federal Government and industry partners are 
likewise held to share details of cyber threat activity and mitigation 
recommendations. To join CISCP, stakeholders sign a Collaborative 
Research and Development Agreement that provides them with 
opportunities to establish physical access to DHS's NCCIC watch floor 
and to receive clearances up to the TS/SCI level.
    In addition to the CISCP program, DHS actively collaborates with 
public and private sector partners every day through the ECS program to 
respond to and coordinate mitigation efforts against attempted 
disruptions and adverse impacts to the Nation's critical cyber and 
communications networks and infrastructure. Expanded in February 2013 
by EO 13636, the ECS program coordinates the protection, prevention, 
mitigation, and recovery from cyber incidents through information 
sharing initiatives with business owners and operators to strengthen 
their facilities and communities. ECS is a voluntary information 
sharing program that assists critical infrastructure owners and 
operators as they improve the protection of their systems from 
unauthorized access, exploitation, or data exfiltration. ECS augments, 
but does not replace, an entity's existing cybersecurity capabilities; 
rather it responds to high level malware threats that DHS, working with 
other experts, has determined pose the greatest threat to critical 
infrastructure.
    DHS works with cybersecurity organizations from across the Federal 
Government to gain access to a broad range of sensitive and classified 
cyber threat information, and in responding to major cyber incidents 
also comes into possession of such information. It would ordinarily be 
difficult to share classified and sensitive information about high-
level cyber threats with a broad range of private sector partners. 
Doing so could jeopardize intelligence sources and methods as well as 
law enforcement investigations. It likewise could undercut private 
sector partners who provide DHS with threat information under the 
categorical exclusion (confidentiality assurance) provided available 
under the PCII authorities.
    DHS develops indicators based on threat information and shares it 
with a relatively small number of qualified CSPs, thus enabling them to 
better protect their customers who are critical infrastructure 
entities. In addition, the ECS program does not involve Government 
monitoring of private networks or communications; any monitoring is 
strictly voluntary, and solely occurs between the CSP and the protected 
critical infrastructure entity. Collection of communications content, 
and for that matter metadata, is not directed, or permitted under the 
ECS program. The information returned to the Federal Government by the 
CSPs is limited to anonymized, aggregated information about the threats 
detected, and the critical infrastructure sectors at which the threats 
were directed. Any information shared by a CSP customer is done so 
voluntarily, in an anonymized fashion, and for a limited tenure. CSPs 
or critical infrastructure entities may choose to be involved with the 
Federal Government in other ways--for instance reporting a cybercrime 
or seeking technical assistance in case of a major cyber incident--but 
such involvement is not related to the conduct of the ECS program and 
occurs independently of it.
    The U.S. Secret Service also shares information that it derives 
through its cyber crime investigations, primarily through its 31 
Electronic Crimes Task Forces (ECTF). The ECTFs hold quarterly meetings 
to share information with the U.S. Secret Service's public and private 
sector partners, in addition to providing a conduit for sharing 
information with organizations facing specific cyber risks. In addition 
to ECTFs, the U.S. Secret Service and U.S. Immigration and Customs 
Enforcement (ICE) Homeland Security Investigations (HSI) support 
research efforts that provide extensive and detailed data on cyber 
crime trends. These reports include the Verizon Data Breach 
Investigations Report, the Trust Wave Global Security Report, and the 
U.S. Secret Service Computer Emergency Response Team's (USSS-CERT) 
Insider Threat Report. In addition to these annual research reports, 
the U.S. Secret Service regularly sends special agents trained through 
the agency's Electronic Crimes Special Agent Program to speak at 
cybersecurity and law enforcement conferences. The agents provide 
information to improve awareness of cybercrime methods and trends.
    Question. All witnesses, I think we all recognize the importance of 
defending our Nation's critical infrastructure against cyber attacks. A 
foreign or terrorist cyber attack on our electric grid, water systems, 
or financial systems could cause widespread damage and even have 
detrimental effects on our economy and consumer confidence. There has 
been much discussion about how involved the Federal Government should 
be in defending infrastructure owned by non-Federal entities. How would 
you define the threshold for what types of non-Federal infrastructure 
might qualify as ``critical'' for these purposes?
    Answer. The term ``critical infrastructure'' is defined in section 
1016(e) of the USA Patriot Act of 2001 (42 U.S.C. 5195c(e)), namely 
systems and assets, whether physical or virtual, so vital to the United 
States that the incapacity or destruction of such systems and assets 
would have a debilitating impact on security, national economic 
security, national public health or safety, or any combination of those 
matters. This definition is used to determine which infrastructure, 
whether it is owned by a Federal entity or not, qualifies as critical.
    Question. Deputy Secretary Beers, I recognize the important role 
that cyber research and development plays in ensuring we maintain a 
technological edge against those who wish to harm our Nation's civilian 
computer systems. I note that your department requested fiscal year 
2014 funding for such initiatives, including experimental research 
testbed projects. Your Department is still a relatively young one and 
you don't have the robust laboratory network that other Departments 
have. How are you collaborating with other Departments such as Defense 
and Energy to advance important research in cybersecurity and existing 
University capabilities? What are some of the technological challenges 
that we face?
    Answer. DHS S&T conducts large parts of its cybersecurity research 
and development (R&D) program in collaboration with other organizations 
across the Federal Government. For example, the S&T Cyber Security 
Division (CSD) is an active part of the National Information Technology 
Research & Development organization (NITRD), which coordinates R&D 
planning across the Federal Government, chartered through the 
President's National Science & Technology Council and the Office of 
Science and Technology Policy. NITRD developed a National Cybersecurity 
R&D Plan, published in December 2011, and has carried forward and 
sustained this collaborative planning. CSD also leads the working group 
effort developing the National R&D Plan for Critical Infrastructure 
Security & Resiliency, which is a tasking from the EO 13636/PPD-21 
guidance published this past February.
    CSD's collaboration with other Federal agencies and organizations 
extends into specific R&D program efforts, including but not limited to 
the following:
  --DHS S&T and the Department of Defense (DOD) collaborate in their 
        Small Business Innovation Research (SBIR) program efforts, 
        including a combined annual review.
  --Department of Energy (DOE) Laboratories are conducting several 
        elements of the DHS S&T Cyber Security research program.
  --DHS S&T has accepted several research projects transitioned from 
        the Defense Advanced Research Projects Agency
  --The DHS S&T Trustworthy Cyber Infrastructure for the Power Grid 
        program is conducted in partnership with DOE.
    The DHS S&T Transition to Practice program is drawing promising 
cybersecurity technologies from the DOE National Laboratories to 
support its final development and transition into operational 
capability and use.
    The December 2011 NITRD report, ``Trustworthy Cyberspace: Strategic 
Plan for the Federal Cybersecurity Research and Development Program,'' 
describes in detail the technological challenges that DHS faces. Those 
challenges fall into four overall areas:
  --Advancing a balance of both long-term science and near-term 
        engineering improvements;
  --Understanding and addressing the interconnections of technological 
        and human systems;
  --Understanding cyber complexity and addressing major risks and 
        increasing resilience;
  --Transitioning capabilities and improvements into operational use.
    In 2000, the U.S. Secret Service instituted the USSS-CERT liaison 
program in partnership with Carnegie-Mellon University's Software 
Engineering Institute (SEI) in Pittsburgh, Pennsylvania--a federally 
funded research and development center (FFRDC) sponsored by the DOD. 
The USSS-CERT program sponsors the development and implementation of 
innovative, cost-effective solutions to meet emerging cyber threats 
across the full spectrum of operations. The Federal Government, through 
its collaborative model with the CMU-SEI, and the FFRDC, realizes 
significant cost savings by leveraging participating agencies' 
resources to accomplish shared objectives with the cost-effective 
benefits. The U.S. Secret Service's partnership and presence at SEI 
represents the U.S. Secret Service's long-standing commitment to 
developing mission critical systems; cybercrime applications; and 
malware analysis and applications that identify, assess, and mitigate 
threats to the Nation's financial systems, critical infrastructure, and 
persons and facilities protected by the U.S. Secret Service.
    Question. All witnesses, we've often heard that there is a 
potential for a ``Cyber Pearl Harbor,'' or an unexpected cyber attack 
on our Nation by a foreign entity that has dramatic and lengthy 
consequences. I think it may be difficult for most Americans, and even 
members of this Committee, to visualize how exactly such an attack 
would be carried out and what it would look like. Can you help us to 
better understand these things? Are the appropriations this Committee 
has been recommending sufficient to help prevent such an attack?
    Answer. The Department currently sees malicious cyber activity 
attacks against critical infrastructure from foreign nations and 
nonstate actors. Their methods range from distributed denial of service 
attacks and social engineering to viruses and other malware introduced 
through remote access, thumb drives, supply chain exploitation, and 
leveraging trusted insiders' access. These attacks are becoming more 
frequent and more sophisticated, putting at risk the Nation's critical 
infrastructure, which underpins the economy, provides the public with 
basic day to day needs, and ensures the Nation's basic security and 
well-being. Ultimately, a significant cyber incident may come in many 
forms and the vulnerabilities that have yet to be identified may be the 
most important. Because of this increasing risk, DHS is working 
alongside interagency, private sector, and international partners to 
enhance resilience, harden systems, and prepare for a variety of 
national response scenarios.
    We thank the Committee for its ongoing support for the Department's 
cybersecurity activities. However, DHS cybersecurity programs have been 
impacted by sequestration. For example, funding has been reduced for 
operations and maintenance and analytical contracts supporting the 
National Cybersecurity Protection System (NCPS). While this will not 
affect when NCPS E3A will reach initial operating 
capability, full operating capability will be delayed beyond fiscal 
year 2015 if sequestration continues. Funding has also been reduced for 
licensing and installing sensors for continuous monitoring at Federal 
agencies and some features of the Federal dashboard will be delayed 
until fiscal year 2014. Finally, funding for other cybersecurity 
activities, such as the U.S. Computer Emergency Readiness Team, funding 
for the Software Engineering Institute, the GFIRST Conference, updates 
to the Cyber Security Evaluations Tool, and the number of onsite risk 
assessments to the Transportation sector have been impacted by 
sequestration.
                                 ______
                                 
   Questions Submitted to Hon. Dr. Patrick Gallagher, Acting Deputy 
   Secretary, Department of Commerce Director, National Institute of 
                        Standards and Technology
              Questions Submitted by Senator Patty Murray
    Question. The electricity subsector is already subject to mandatory 
and enforceable cybersecurity standards. As NIST works to comply with 
the Executive order on cybersecurity, how is NIST working to ensure the 
Framework will include these existing standards?
    Answer. [A response was not provided by press time.]
    Question. Understanding that cyber threats are constantly evolving 
and that owners and operators of critical infrastructure have to make 
decisions just like the Federal Government on what needs to be secured, 
how is NIST including risk management practices within the Framework 
activities?
    Answer. [A response was not provided by press time.]
                                 ______
                                 
            Questions Submitted by Senator Richard J. Durbin
    cyber executive order--role of the executive order versus cyber 
                              legislation
    Question. President Obama issued Executive Order 13636 in February 
of this year. What is the effect of this Executive order? Is it 
improving your ability to share information with the private sector?
    Answer. The Executive order directs the National Institute of 
Standards and Technology (NIST) to lead the development of a framework 
to reduce cyber risks to critical infrastructure. The framework is 
intended to be used on a voluntary basis throughout an entire 
organization--including by the most senior executives who oversee an 
organization to the officials and staff responsible for managing 
information technology-based resources. It is designed specifically for 
companies and other entities that are part of the critical 
infrastructure, especially owners and operators of critical 
infrastructure, to identify, assess, and manage cyber risk. However, 
other organizations--large and small and with varying business needs--
will benefit by reducing risks and protecting their assets and mission-
driven work by using the framework.
    When he signed the Executive order, President Obama also 
underscored the need for comprehensive cybersecurity legislation, since 
the scope of the Executive order is limited. What are your legislative 
priorities in terms of items you believe should be included in cyber 
legislation?
    We'd like to hear from all the witnesses on this issue.
    Answer. The administration's legislative priorities for the 113th 
Congress build upon the President's 2011 Cybersecurity Legislative 
Proposal and take into account 2 years of public and congressional 
discourse about how best to improve the Nation's cybersecurity.
    The administration is working toward legislation that:
  --Facilitates cybersecurity information sharing between the 
        government and the private sector as well as among private 
        sector companies. We believe that such sharing can occur in 
        ways that protect privacy, confidentiality, and civil 
        liberties, reinforce the appropriate roles of civilian and 
        intelligence agencies, and include targeted liability 
        protections.
  --Incentivizes the adoption of best practices and standards for 
        critical infrastructure by complementing the process set forth 
        under the Executive order;
  --Gives law enforcement the tools to fight crime in the digital age 
        while protecting privacy, confidentiality, and civil liberties;
  --Updates Federal agency network security laws, and codifies DHS' 
        cybersecurity responsibilities; and
  --Creates a National Data Breach Reporting requirement.
    In each of these legislative areas, the right privacy, 
confidentiality, and civil liberties safeguards must be incorporated. 
The administration wants to continue the dialogue with the Congress and 
stands ready to work with members of Congress to incorporate our core 
priorities to produce cybersecurity information sharing legislation 
that addresses these critical issues.
     cyber executive order--protecting privacy and civil liberties
    Question. The Executive order requires Federal agencies to develop 
cybersecurity efforts in accordance with the Fair Information Practice 
Principles, as well as other policies, principles, and frameworks to 
protect privacy and civil liberties. I worked with a number of other 
Senators to ensure that the Cybersecurity Act of 2012 included 
provisions to protect privacy and civil liberties.
    What specific steps can government agencies take to ensure that 
privacy and civil liberties are protected as we enhance our Nation's 
cybersecurity?
    Answer. In April 2013, NIST published the Security and Privacy 
Controls for Federal Information Systems and Organizations, Special 
Publication (SP) 800-53, Revision 4. Appendix J provides a structured 
set of privacy controls, based on best practices that help 
organizations comply with applicable Federal laws, Executive orders, 
directives, instructions, regulations, policies, standards, guidance, 
and organization-specific issuances. The privacy controls are based on 
the Fair Information Practice Principles (FIPPs) embodied in the 
Privacy Act of 1974, section 208 of the E-Government Act of 2002, and 
Office of Management and Budget (OMB) policies. There are eight privacy 
control families, each aligning with one of the FIPPs. They provide 
steps government agencies can take to ensure that privacy protected as 
we enhance our Nation's cybersecurity.
    However, unlike the longstanding framework for evaluating privacy 
impacts under the FIPPs, there exists no similar, corresponding 
framework that supports general evaluations of the potential broad 
range of impacts that might occur within the collection of individual 
rights described as ``civil liberties.'' Policies typically focus on 
the protection of individual rights, and civil liberties issues arise 
within government frameworks (or specific programs implementing those 
frameworks) where implementation of the framework fails to account for 
those rights. Consequently, in addition to the specific NIST guidance 
described above, the Department of Homeland Security has established an 
interagency Assessments Working Group, consisting of representatives of 
the privacy and civil liberties officials of agencies involved in 
implementing the Executive order. The purpose of this group is to 
provide a forum for assisting agencies in meeting their 
responsibilities under the Executive order, including identifying 
cybersecurity activities and how to apply both the Fair Information 
Practice Principles and other applicable policies, principles and 
frameworks that provide privacy and civil liberties protections in 
these activities. Due to the highly divergent nature of critical 
infrastructure entities (including State and local government, private 
sector, quasi-governmental) the exact bundle of rights which are 
applicable in any given workplace will be highly variable; we recognize 
this challenge. The Department of Commerce is an active participant in 
this Working Group.
    As we noted above, the administration also supports legislation 
that would facilitate cybersecurity information sharing between the 
government and the private sector as well as among private sector 
companies. We believe that such sharing can--and must--occur in ways 
that protect privacy, confidentiality, and civil liberties, reinforce 
the appropriate roles of civilian and intelligence agencies, and 
include targeted liability protections.
                                 ______
                                 
                Questions Submitted by Senator Tom Udall
        role of national laboratories in promoting cybersecurity
    Question. Dr. Gallagher, our National Labs--which are the crown 
jewels of our Nation's research system--are active in efforts to 
promote cybersecurity.
    In my home State of New Mexico, Sandia National Laboratories is 
engaged in efforts to secure the national electrical grid from cyber 
attack. Los Alamos National Laboratories is a leader in quantum 
cryptography.
    Sandia also has partnerships with universities and the private 
sector. They're helping computer science students become cyber 
professionals.
    Could you discuss what role our National Labs should have in 
protecting our Nation from cyber attack?
    Answer. NIST recognizes the value of Department of Energy's 
National Laboratories cutting-edge research in addressing national 
priorities including cybersecurity. The results from the laboratories 
cybersecurity research are instrumental in the development of next 
generation standards and best practices. Currently, we are working with 
Department of Energy's Laboratories on critical cybersecurity 
challenges such as security for the advanced metering infrastructure.
                    engagement with industry groups
    Question. Dr. Gallagher, I would like to ask about NIST's work with 
industry partners. When it comes to developing guidelines and standards 
for cybersecurity, is NIST getting the level of cooperation it needs 
from industry stakeholders? Are there areas where more engagement is 
needed?
    Answer. NIST employs collaborative partnerships with our customers 
and stakeholders in industry, government, academia, and consortia to 
leverage their technical and operational insights and the resources of 
a global community. These collaborative efforts and our private sector 
collaborations in particular, are constantly expanding through new 
initiatives, including in recent years through the National Initiative 
for Cybersecurity Education (NICE), National Strategy for Trusted 
Identities in Cyberspace (NSTIC), the National Cybersecurity Center of 
Excellence (NCCoE), and in implementation of Executive Order 13636, 
``Improving Critical Infrastructure Cybersecurity.''
        federal cybersecurity standards and new computing trends
    Question. Dr. Gallagher, last month NIST revised its Federal 
cybersecurity guidelines, which many agencies follow.
    Could you discuss how new computing tools and trends, such as the 
move to ``cloud computing'' and mobile devices creates new potential 
cyber vulnerabilities?
    Answer. Mobile devices and cloud computing have already 
significantly changed business capabilities, allowing employees access 
to information resources wherever and whenever they need it. These 
technologies offer both an opportunity and a challenge. Their unique 
capabilities--including their always-on, always-connected nature--can 
facilitate more efficient and effective business, but also create new 
challenges to ensure the confidentiality, integrity and availability of 
information accessed by these devices.
    To address the security challenges and accelerate the Federal 
Government's secure adoption of cloud computing, NIST is playing a 
leading role in developing standards and guidelines, in close 
consultation and collaboration with standards bodies, the private 
sector, Federal departments and agencies, and other stakeholders. 
NIST's long-term goal is to provide thought leadership and guidance 
around the cloud computing paradigm to catalyze its use within industry 
and government.
    NIST is working collaboratively with industry to bridge the 
security gaps in mobility. For example, NIST has ongoing work to 
identify properties and capabilities of roots of trust needed to secure 
next generation mobile devices. This work examines issues relating to 
boot firmware protections; integrity measurement and reporting of 
critical firmware and software; secure storage; device authentication; 
and application and data isolation.
    What are the main takeaways from NIST's cybersecurity guidance to 
Federal agencies?
    Answer. NIST cybersecurity guidance builds on the guiding principle 
of mission-focused, risk-based information security. NIST performs 
research and develops standards, best practices, testing and metrics in 
order to provide protections against threats to the confidentiality, 
integrity and availability of information and services. Through 
collaborations with industry and academia, NIST's programs in areas 
such as risk management, cryptography, identity management, 
authentication, key management, security automation, privacy, 
usability, biometrics, configuration baselines, vulnerability 
management, and trusted hardware are designed to give practical, 
affordable and innovative guidance and metrics for today's computing 
platforms and information management.
               mobile phones and cybersecurity awareness
    Question. Dr. Gallagher, this year, there will be more mobile 
phones than people on the planet. Today, our wireless devices are not 
just phones, but pocket computers. We use them for sensitive 
transactions, including mobile banking and online purchases.
    But GAO recently found that cyber threats are increasing for mobile 
devices and the information they store. GAO recommended that DHS and 
NIST work together to ``establish a baseline measure of consumer 
awareness . . . related to mobile security.'' GAO also recommends the 
development of performance measures that use the baseline to assess the 
effectiveness of initiatives to educate the public about cybersecurity.
    Could you share any thoughts on how best to raise public awareness 
for cybersecurity threats to mobile devices?
    Answer. NIST is leading the National Initiative for Cybersecurity 
Education (NICE) initiative, involving more than 20 Federal departments 
and agencies, to ensure coordination, focus, public engagement, 
technology transfer and sustainability. DHS, FCC, and FTC are among the 
leads for the awareness components of NICE, including the development 
of baseline and progress information as part of their ongoing 
cybersecurity awareness campaigns. Interactions through this campaign 
suggest public awareness and practices with regard to mobile security 
are limited and this has led to the development of a ``Safety Tips for 
Mobile Devices'' resource by the STOP.THINK.CONNECT campaign and a 
recent blog post on ``Being Smart with your Smartphone.''
    Question. What is the proper role for government and industry to 
promote best practices for both companies and consumers?
    Answer. Government and industry must work together to promote best 
practices for companies and consumers. NIST works closely with industry 
on the research, development and outreach necessary to provide 
standards and guidelines, tools, metrics and best practices to protect 
our Nation's information technology infrastructure for business and 
industrial control systems. Through these collaborations, NIST 
continues to develop cybersecurity standards, security metrics, and 
product assurance programs to promote, measure, and validate the 
security attributes of information systems and services. As technology 
advances and security requirements evolve, NIST, with its industry 
partnerships, can critically evaluate existing standards, guidelines, 
and technologies to ensure that they adequately reflect the current 
state of the art.
                                 ______
                                 
              Questions Submitted by Senator Thad Cochran
    Question. All witnesses, we have heard about the importance of 
cooperation and clearly defined lanes responsibility across the Federal 
Government for our cybersecurity efforts. What are your respective 
roles in receiving and sharing threat information with the private 
sector?
    Answer. NIST works with Federal agencies and private sector 
companies to develop underlying standards and best practices that are 
used to support a wide array of information sharing activities. These 
standards and best practices are a fundamental component of providing 
coordination between organizations, allowing for rapid and accurate 
sharing of information between government and industry, and industry to 
industry. The collaborative development approach ensures that the needs 
of all sectors are adequately addressed, leading to an information 
sharing ecosystem that benefits all organizations.
    Question. All witnesses, I think we all recognize the importance of 
defending our Nation's critical infrastructure against cyber attacks. A 
foreign or terrorist cyber attack on our electric grid, water systems, 
or financial systems could cause widespread damage and even have 
detrimental effects on our economy and consumer confidence. There has 
been much discussion about how involved the Federal Government should 
be in defending infrastructure owned by non-Federal entities. How would 
you define the threshold for what types of non-Federal infrastructure 
might qualify as ``critical'' for these purposes?
    Answer. Executive Order 13636 defines critical infrastructure as 
the systems and assets, whether physical or virtual, so vital to the 
United States that the incapacity or destruction of such systems and 
assets would have a debilitating impact on security, national economic 
security, national public health or safety, or any combination of those 
matters. NIST is working with critical infrastructure owners and 
operations and their partners to define a cybersecurity framework that 
reduces cyber risks to critical infrastructure. The Draft Cybersecurity 
Framework includes a set of standards, methodologies, procedures, and 
processes that align policy, business, and technological approaches to 
address cyber risks.
    Question. All witnesses, we've often heard that there is a 
potential for a ``Cyber Pearl Harbor,'' or an unexpected cyber attack 
on our Nation by a foreign entity that has dramatic and lengthy 
consequences. I think it may be difficult for most Americans, and even 
members of this Committee, to visualize how exactly such an attack 
would be carried out and what it would look like. Can you help us to 
better understand these things? Are the appropriations this Committee 
has been recommending sufficient to help prevent such an attack?
    Answer. NIST considers a cybersecurity threat to be any 
circumstance or event with the potential to adversely impact 
organizational operations (including mission, functions, image, or 
reputation), organizational assets, individuals, other organizations, 
or the Nation through an information system via unauthorized access, 
destruction, disclosure, modification of information, and/or denial of 
service. This includes threats that are immediate, have significant 
reach across the Internet and rapidly propagate. Ensuring we are able 
to develop solutions that can scale globally, protect technological 
innovation, and keep up with the threats are of utmost importance to 
NIST and the Department of Commerce as a whole.
    Unlike a physical attack that has to conform to physical 
constraints, a cyberattack can have velocity, reach, and scale that 
does not have these limiting factors. A cyberattack can occur at the 
speed of a digital transmission, our interconnected systems can extend 
the reach beyond traditional kinetic limitations and with the 
intersections of cyber and physical systems, the scale of impacts can 
go beyond disruption or disclosure of sensitive information. A 
cyberattack can potentially have a physical impact, conducted at the 
speed, reach of the Internet and at the scale of our interconnected 
systems.
    NIST appreciates the Committee's continued support and funding for 
the critical cybersecurity efforts at NIST.
                                 ______
                                 
    Questions Submitted to Richard A. McFeely, Executive Assistant 
   Director, Criminal, Cyber, Response, and Services Branch, Federal 
                        Bureau of Investigation
            Questions Submitted by Senator Richard J. Durbin
    cyber executive order--role of the executive order versus cyber 
                              legislation
    Question. President Obama issued Executive Order (EO) 13636 in 
February of this year. What is the effect of this Executive order? Is 
it improving your ability to share information with the private sector?
    Answer. Implementation of Executive Order (EO) 13636 is underway 
across the U.S. Government (USG). The Federal Bureau of Investigation 
(FBI) is optimistic that, once fully implemented, the Executive order 
will lead to better information sharing between the private sector and 
the government. Consistent with the USG policy (articulated in section 
4 of EO 13636) ``to increase the volume, timeliness, and quality of 
cyber threat information shared with U.S. private sector entities,'' 
the FBI has prioritized the efficient, effective, and appropriate 
sharing of cyber threat information with authorized entities and is 
working with the Department of Homeland Security (DHS) to ensure a 
consistent, whole-of-government solution to sharing cyber threat 
information with the private sector.
    Among these changes, we have modified the means by which we share 
information with the private sector to prevent intrusion into 
companies' networks and the exfiltration of their data and intellectual 
property. For example, the FBI has increased the level of detail it 
provides to industry partners in briefings regarding cyber threats. The 
National Cyber Investigative Joint Task Force conducts these briefings 
for private sector, government, and critical infrastructure partners on 
a near-daily basis. In partnership with DHS and the Treasury 
Department, we also provided a detailed briefing on financial services 
industry threats to executives of more than 40 banks who participated 
in a secure video teleconference. Detailed briefings have also been 
provided to those in the energy sector, which is a key part of our 
Nation's infrastructure.
    In addition, the FBI is working with DHS to release Joint Indicator 
Bulletins (JIBs) to anti-virus companies, Internet service providers, 
and foreign partners. These JIBs contain information regarding Internet 
Protocol (IP) addresses that are believed to be infected with malware. 
Since October 2012, the FBI has released approximately 170,000 IP 
addresses to more than 130 countries through DHS's U.S. Computer 
Emergency Response Team and our Legal Attache. We have also released 
nine FBI Liaison Alert System notices to victims of intrusions and to 
trusted partners. These notices contain specific and technical 
actionable intelligence related to threats. Furthermore, as required by 
EO 13636, the Deputy Attorney General (DAG) has issued instructions 
regarding the timely production of unclassified reports of cyber threat 
information. The DAG instructions require the FBI to produce timely 
reports that contain sufficient technical and threat detail to 
facilitate cybersecurity defense and response activities. Furthermore, 
all components of the Department of Justice (DOJ) are required to 
update their systems to increase the volume, timeliness, and quality of 
cyber threat information that is shared with U.S. private sector 
entities so they can better protect and defend against cyber threats.
    Question. When he signed the Executive order, President Obama also 
underscored the need for comprehensive cybersecurity legislation, since 
the scope of the Executive order is limited. What are your legislative 
priorities in terms of items you believe should be included in cyber 
legislation?
    Answer. We would be pleased to work with DOJ, DHS, and others to 
identify legislative measures that may enhance cybersecurity, and we 
look forward to providing our views of any possible legislation 
pursuant to DOJ's role in assisting in the development of the 
administration's position.
     cyber executive order--protecting privacy and civil liberties
    Question. The Executive order requires Federal agencies to develop 
cybersecurity efforts in accordance with the Fair Information Practice 
Principles, as well as other policies, principles, and frameworks to 
protect privacy and civil liberties. I worked with a number of other 
Senators to ensure that the Cybersecurity Act of 2012 included 
provisions to protect privacy and civil liberties. What specific steps 
can government agencies take to ensure that privacy and civil liberties 
are protected as we enhance our Nation's cybersecurity?
    Answer. Section 5 of EO 13636 is consistent with the work USG 
agencies have been doing to ensure that privacy and civil liberties are 
incorporated into our cyber activities and affirms the need to continue 
these efforts. Departments and agencies must also conduct regular 
assessments, with subsequent reporting, and include in these 
assessments an evaluation of their activities against the Fair 
Information Practice Principles and other applicable privacy and civil 
liberties policies, principles, and frameworks.
    The FBI builds privacy and civil liberties protections into all 
investigative efforts, including cybersecurity. For example, the 
Domestic Investigations and Operations Guide (DIOG), which articulates 
FBI policy regarding our investigative and intelligence collection 
activities, outlines protections to be afforded at each step of an 
investigation. All FBI operational personnel are required to complete 
DIOG training and a specific privacy course, as well as yearly 
information security training (which includes a privacy component). The 
Privacy and Civil Liberties Unit (PCLU) in the FBI's Office of the 
General Counsel is devoted to privacy and civil liberties issues, 
including Bureau-wide compliance with the requirements of the Privacy 
Act and the eGovernment Act. PCLU is also actively involved in 
assessing the privacy and civil liberties aspects of FBI information 
systems and programs through Privacy Threshold Analyses and Privacy 
Impact Assessments. PCLU works closely with all FBI divisions, 
including the Cyber Division, to help ensure that appropriate 
protections are in place.
                                 ______
                                 
            Questions Submitted by Senator Mary L. Landrieu
    Question. General Alexander testified that the services, 
departments, and agencies need to work together to ensure that they 
have adequate test bed and range space to safely organize, train, and 
equip the cyber warriors, operators, managers, researchers, and agents 
across the Federal Government.
    a. What are the specific requirements that your departments and 
their various agencies have for test bed and range space? What specific 
outcome will those established requirements render in trained personnel 
and tactics?
    b. What is the current test bed and range capacity available to 
each of your departments? What is the wait time or backlog based on the 
access you currently have?
    c. Have you identified additional test bed or range space that you 
would like to acquire, use, or lease?
    d. What are the fiscal years 2013 and 2014 funding levels for 
testing and training space?
    e. What percentage of your required testing and training needs will 
you be able to meet in fiscal years 2013 and 2014?
    Answer to subparts a through e. As used in this inquiry, the 
concepts of ``test-bed'' and ``range space'' are not used by the FBI 
and we are not able to comment on them.
                                 ______
                                 
                Questions Submitted by Senator Tom Udall
        role of national laboratories in promoting cybersecurity
    Question. Mr. McFeely, our National Labs--which are the crown 
jewels of our Nation's research system--are active in efforts to 
promote cybersecurity.
    In my home State of New Mexico, Sandia National Laboratories is 
engaged in efforts to secure the national electrical grid from cyber 
attack. Los Alamos National Laboratories is a leader in quantum 
cryptography.
    Sandia also has partnerships with universities and the private 
sector. They're helping computer science students become cyber 
professionals.
    Could you discuss what role our National Labs should have in 
protecting our Nation from cyber attack?
    Answer. The National Laboratories, which are Department of Energy 
(DOE) entities, are central to cybersecurity research and development 
and should continue to lead in these efforts. There are multiple areas 
in which opportunities exist for FBI-National Lab partnerships that 
leverage National Lab knowledge and resources to assist the FBI in 
meeting investigative challenges. For example, the FBI's Operational 
Technology Division and the Labs could partner to:
  --Enlist the Labs' supercomputing resources to help solve the FBI's 
        most computationally challenging problems;
  --Study where to apply quantum cryptography research to protect 
        against active cyber threats;
  --Apply the Labs' vulnerability research to active FBI 
        investigations; and
  --Use unsolved investigative problems to motivate National Labs' 
        vulnerability research.
    Additionally, we continue to appreciate DOE's critical role as the 
sector specific agency for the energy sector in providing a cooperative 
environment to help the energy sector defend against cyber threats. 
Currently, the FBI collaborates with DOE and DHS to ensure the timely 
sharing of threat information with the energy sector. The FBI also 
works with DOE to support a voluntary program in which energy sector 
asset owners use government-developed tools to improve their 
situational awareness and better protect their own assets. Asset owners 
are free to share this information with the industry and government at 
their discretion.
    Question. Mr. McFeely, your written testimony describes how the FBI 
is trying to help State and local law enforcement agencies pursue 
Internet crimes. I am disturbed by your comment that very few cases 
referred to State and local officials by the FBI are actually being 
worked.
    Could you elaborate on the FBI's pilot program you mention in your 
testimony to help State and local law enforcement agencies pursue 
Internet fraud and cyber crimes?
    Answer. Every year, there are thousands of individual and corporate 
victims of crimes facilitated through the use of computer networks or 
devices with targets that are independent of those networks or devices. 
These crimes are often referred to as Internet-facilitated crimes. 
Because these cases frequently involve victims spread across multiple 
jurisdictions and perpetrators living in foreign countries, local and 
State law enforcement agencies have often viewed these crimes as the 
province of Federal law enforcement agencies. Yet, while many local and 
State agencies have seen the problem as too broad for their 
jurisdictions, Federal agencies have not been able to prioritize these 
crimes in such a way that they receive significant investigative 
attention.
    To properly address the threat of Internet-facilitated crimes 
against U.S. victims, the FBI is establishing a platform to assist in 
the development of these investigations by Federal, State, local, 
tribal, and international law enforcement agencies. This platform is 
being developed through the Internet Crime Complaint Center (IC3), 
which has received victims' reports of Internet crimes for the past 13 
years and is currently receiving approximately 300,000 complaints 
annually. The FBI will leverage intelligence that has been consolidated 
at IC3 and package it in a way that facilitates investigations by 
appropriate law enforcement agencies, with assistance provided by the 
FBI's local Cyber Task Force.
    In addition to this broad program, the FBI is seeking ways to work 
in cost-efficient and effective ways with State and local governments 
on cybersecurity matters. For example, we have begun a pilot project 
with the Utah Department of Public Safety to disseminate Internet fraud 
information to law enforcement authorities throughout the State. We 
will assess the results of this Utah pilot to determine whether it 
should be expanded to other jurisdictions.
                                 ______
                                 
              Questions Submitted by Senator Thad Cochran
    Question. All witnesses, we have heard about the importance of 
cooperation and clearly defined lanes responsibility across the Federal 
Government for our cybersecurity efforts. What are your respective 
roles in receiving and sharing threat information with the private 
sector?
    Answer. The FBI, which is an intelligence-driven and threat-focused 
national security organization with both intelligence and law 
enforcement responsibilities, is charged with investigating, 
attributing, and disrupting cyber crimes. The FBI may receive 
information regarding a cyber threat or incident from a victim or third 
party, including those in the private sector. We are working toward 
making Guardian, which is our terrorist threat tracking and 
collaboration system, available to trusted industry partners to report 
cyber intrusions in real time. Known as iGuardian, this system will 
allow the FBI to more effectively understand and identify cyber 
threats, collaborate with our government partners through the sharing 
of information regarding cyber intrusions, and track pending 
investigations and operations. Each incident reported through this 
system will immediately be routed to CyWatch, the FBI's 24/7 cyber 
operations center, where it will be vetted and assigned to an FBI Cyber 
Task Force investigator.
    In the course of the FBI's investigative process, we share 
information with USG partners in support of their roles in the incident 
response process. The information we share is used to help us and our 
Intelligence Community partners understand the actions, goals, methods, 
and capabilities of those posing threats, and to anticipate and prevent 
future attacks against our critical infrastructure and government 
systems. The FBI also notifies any additional actual or potential 
victims or targets revealed through investigation and, as part of the 
USG team, provides the information they need to protect their systems.
    The FBI completes these activities in a manner that ensures 
protection of the digital crime scene and actions are taken consistent 
with preserving evidence for use in a later criminal proceeding, if it 
is determined that such a proceeding is warranted.
    Question. All witnesses, I think we all recognize the importance of 
defending our Nation's critical infrastructure against cyber attacks. A 
foreign or terrorist cyber attack on our electric grid, water systems, 
or financial systems could cause widespread damage and even have 
detrimental effects on our economy and consumer confidence. There has 
been much discussion about how involved the Federal Government should 
be in defending infrastructure owned by non-Federal entities. How would 
you define the threshold for what types of non-Federal infrastructure 
might qualify as ``critical'' for these purposes?
    Answer. Presidential Policy Directive 21, ``Critical Infrastructure 
Security and Resilience'' (2/12/13) (PPD-21) defines the term 
``critical infrastructure'' as follows:
    The term ``critical infrastructure'' has the meaning provided in 
section 1016(e) of the USA Patriot Act of 2001 (42 U.S.C. 5195c(e)), 
namely systems and assets, whether physical or virtual, so vital to the 
United States that the incapacity or destruction of such systems and 
assets would have a debilitating impact on security, national economic 
security, national public health or safety, or any combination of those 
matters.
    PPD-21 identifies 16 critical infrastructure sectors. Based on the 
cyber threat to each of these sectors, the potential impact of a cyber 
attack on these sectors, and the extent to which other Federal agencies 
are responsible for their protection, the FBI has organized its efforts 
to address the threats to these 16 critical infrastructure sectors in 
the following order of priority:
  --Financial Services, Chemical, Communications, Defense Industrial 
        Base, Energy, Healthcare and Public Health, Information 
        Technology, Nuclear, and Transportation;
  --Food and Agriculture, Critical Manufacturing, Dams, and Water;
  --Commercial Facilities, Emergency Services, and Government 
        Facilities.
    Question. All witnesses, we've often heard that there is a 
potential for a ``Cyber Pearl Harbor,'' or an unexpected cyber attack 
on our Nation by a foreign entity that has dramatic and lengthy 
consequences. I think it may be difficult for most Americans, and even 
members of this Committee, to visualize how exactly such an attack 
would be carried out and what it would look like. Can you help us to 
better understand these things? Are the appropriations this Committee 
has been recommending sufficient to help prevent such an attack?
    Answer. As the question recognizes, the events of Pearl Harbor 
represented an unexpected, surprise attack on our Nation by a foreign 
entity with devastating consequences. Under this analogy, in a ``Cyber 
Pearl Harbor,'' the United States might one day face, without warning, 
the wide-scale disruption of a critical service that would result in 
damages, both economic and physical, to include the loss of life. Along 
with our law enforcement and Intelligence Community partners, the FBI 
works every day to prevent and address the threat of an attack of this 
scale.
    Cyber-attacks are continually increasing in both frequency and 
sophistication. The U.S. economy is continually threatened by cyber 
activities that are difficult to detect and that deprive us of the full 
value of our intellectual property, threaten our economic prosperity, 
and erode our military advantages. Since 2008, appropriated funds have 
provided more than 500 new FBI support, intelligence, and special agent 
personnel to address cyber threats. Although these and other critical 
resources have helped us counter increasingly aggressive cyber threats, 
as the sophistication of malicious software increases and the demand 
that critical systems be globally available grows, these systems become 
ever more vulnerable to attack.

                         CONCLUSION OF HEARING

    Chairwoman Mikulski. As previously announced and as part of 
our practice on security issues, we will now move to a closed 
briefing. Before we do, I would like to make some general 
closing comments.
    First of all, I really do want to thank the witnesses for 
participating. The hearing has not been quite the way we 
originally thought, but it was a good hearing. People do have a 
right to know. People have a right to say their voices. That is 
why we responded.
    But I think the big national debate that started after 9/11 
is the inherent tension between security and privacy. It is 
time now for a new, fresh national debate. It is beginning in 
the usual committee structure.
    The second thing is that many of us are concerned about 
what is the access to people and businesses' information. Now, 
there are those who, because of the Snowden revelation, wonder 
about Government's access to that information, whether it is 
through the NSA, whether it is through the IRS, or whatever. 
People are asking what is the Government doing.
    The purpose of this hearing, however, is who is raiding the 
information that we have. So maybe people are concerned about 
what is NSA doing. But I am concerned about the people every 
single day that are trying to get access to somebody's Social 
Security number, their Medicare number, their checking account 
number, their smart phone information so they can either steal 
from them or lead to other access to their bank account, to 
their other kinds of assets. So we are worried about that.
    I am concerned every day about the number of people out 
there, with the great intellectual entrepreneurship of our 
country, that are coming up with new ideas and new products to 
create the new jobs for the 21st century. And they are being 
stolen in the greatest cyber espionage heist. So why find a 
cure for cancer if you can try to steal it from FDA or the 
Patent Office? I am worried about that.
    And then I worry about things like the grid and I worry 
about access to those who are trying to raid the grid. Tonight 
there is a gathering storm. We fear a derecho, another derecho 
maybe hitting the Maryland-Washington area. We know when the 
grid is shut down, it is a terrible consequence in terms of our 
society. I do not want ever to have a grid shut down here in 
the Greater Capital Region or anywhere in the United States.
    So the purpose of this hearing was to go after those who 
have predatory intent--predatory, premeditated intent--against 
either an individual, our business, or our critical 
infrastructure.
    There are those who are also concerned about is Government 
now passing beyond a red line on civil liberties. I think we 
ought to have that debate. I think we ought to have that 
discussion. It could be the subject of another hearing here. 
There will be the Feinstein hearing. There will be the 
Judiciary Committee hearing. But you know what? This is 
America. This is America and people have a right to know. They 
have a right to have their public officials explain this.
    So I think it has been a great hearing.
    So, therefore, though, this committee will now stand in 
recess after the closed briefing until the morning of Thursday, 
June 20, where we will vote on our spending allocations and 
also take up the very important legislation of Veterans Affairs 
and our agricultural appropriations. This committee now stands 
in recess.
    [Whereupon, at 4:39 p.m., Wednesday, June 12, the hearing 
was concluded, and the committee was recessed, to reconvene 
subject to the call of the Chair.]

                                   [all]