[Senate Hearing 113-295]
[From the U.S. Government Publishing Office]
S. Hrg. 113-295
THE CYBERSECURITY PARTNERSHIP
BETWEEN THE PRIVATE SECTOR
AND OUR GOVERNMENT: PROTECTING OUR
NATIONAL AND ECONOMIC SECURITY
=======================================================================
JOINT HEARING
before the
COMMITTEE ON COMMERCE,
SCIENCE, AND TRANSPORTATION
and the
COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
UNITED STATES SENATE
ONE HUNDRED THIRTEENTH CONGRESS
FIRST SESSION
__________
MARCH 7, 2013
__________
Printed for the use of the Committee on Commerce, Science, and
Transportation
----------
U.S. GOVERNMENT PRINTING OFFICE
88-180 PDF WASHINGTON : 2014
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800;
DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC,
Washington, DC 20402-0001
SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
ONE HUNDRED THIRTEENTH CONGRESS
FIRST SESSION
JOHN D. ROCKEFELLER IV, West Virginia, Chairman
BARBARA BOXER, California JOHN THUNE, South Dakota, Ranking
BILL NELSON, Florida ROGER F. WICKER, Mississippi
MARIA CANTWELL, Washington ROY BLUNT, Missouri
FRANK R. LAUTENBERG, New Jersey MARCO RUBIO, Florida
MARK PRYOR, Arkansas KELLY AYOTTE, New Hampshire
CLAIRE McCASKILL, Missouri DEAN HELLER, Nevada
AMY KLOBUCHAR, Minnesota DAN COATS, Indiana
MARK WARNER, Virginia TIM SCOTT, South Carolina
MARK BEGICH, Alaska TED CRUZ, Texas
RICHARD BLUMENTHAL, Connecticut DEB FISCHER, Nebraska
BRIAN SCHATZ, Hawaii RON JOHNSON, Wisconsin
WILLIAM COWAN, Massachusetts
Ellen L. Doneski, Staff Director
James Reid, Deputy Staff Director
John Williams, General Counsel
David Schwietert, Republican Staff Director
Nick Rossi, Republican Deputy Staff Director
Rebecca Seidel, Republican General Counsel and Chief Investigator
SENATE COMMITTEE ON HOMELAND SECURITY
AND GOVERNMENTAL AFFAIRS
THOMAS R. CARPER, Delaware, Chairman
CARL LEVIN, Michigan TOM COBURN, Oklahoma, Ranking
MARK L. PRYOR, Arkansas JOHN McCAIN, Arizona
MARY L. LANDRIEU, Louisiana RON JOHNSON, Wisconsin
CLAIRE McCASKILL, Missouri ROB PORTMAN, Ohio
JON TESTER, Montana RAND PAUL, Kentucky
MARK BEGICH, Alaska MICHAEL B. ENZI, Wyoming
TAMMY BALDWIN, Wisconsin KELLY AYOTTE, New Hampshire
HEIDI HEITKAMP, North Dakota
Richard J. Kessler, Staff Director
John P. Kilvington, Deputy Staff Director
Beth M. Grossman, Chief Counsel
Keith B. Ashdown, Republican Staff Director
Christopher J. Barkley, Republican Deputy Staff Director
Andrew C. Dockham, Chief Counsel
C O N T E N T S
----------
Page
Hearing held on March 7, 2013.................................... 1
Statement of Senator Rockefeller................................. 1
Prepared statement........................................... 3
Statement of Senator Carper...................................... 4
Prepared statement........................................... 6
Statement of Senator Thune....................................... 8
Statement of Senator Coburn...................................... 9
Prepared statement........................................... 10
Statement of Senator Warner...................................... 30
Statement of Senator Cowan....................................... 35
Statement of Senator Johnson..................................... 36
Statement of Senator Baldwin..................................... 38
Statement of Senator Pryor....................................... 40
Statement of Senator Ayotte...................................... 76
Witnesses
Hon. Janet Napolitano, Secretary, U.S. Department of Homeland
Security....................................................... 11
Prepared statement........................................... 13
Hon. Patrick D. Gallagher, Ph.D., Under Secretary of Commerce for
Standards and Technology, U.S. Department of Commerce.......... 19
Prepared statement........................................... 21
David E. Kepler, Chief Sustainability Officer, Chief Information
Officer, Business Services and Executive Vice President, The
Dow Chemical Company........................................... 42
Prepared statement........................................... 44
Gregory C. Wilshusen, Director, Information Security Issues, U.S.
Government Accountability Office............................... 48
Prepared statement........................................... 50
Appendix
American Gas Association, prepared statement..................... 83
Response to written questions submitted to Hon. Janet Napolitano
by:
Hon. Amy Klobuchar........................................... 88
Hon. Kelly Ayotte............................................ 89
Hon. Dan Coats............................................... 92
Hon. Ron Johnson............................................. 98
Response to written questions submitted to Hon. Patrick D.
Gallagher by:
Hon. Kelly Ayotte............................................ 101
Hon. Dan Coats............................................... 102
Hon. Ron Johnson............................................. 102
Response to written questions submitted to David E. Kepler by:
Hon. Amy Klobuchar........................................... 103
Hon. Dan Coats............................................... 104
Hon. Marco Rubio............................................. 105
Hon. Ron Johnson............................................. 106
Response to written questions submitted by Hon. Ron Johnson to
Gregory C. Wilshusen........................................... 106
THE CYBERSECURITY PARTNERSHIP
BETWEEN THE PRIVATE SECTOR
AND OUR GOVERNMENT: PROTECTING OUR NATIONAL AND ECONOMIC SECURITY
----------
THURSDAY, MARCH 7, 2013
U.S. Senate,
Committee on Commerce, Science, and Transportation,
Committee on Homeland Security and Governmental Affairs,
Washington, DC.
The Committees met, pursuant to notice, at 2:30 p.m., in
room SD-G50, Dirksen Senate Office Building, Hon. John D.
Rockefeller IV, Chairman of the Commerce Committee, presiding.
OPENING STATEMENT OF HON. JOHN D. ROCKEFELLER IV,
U.S. SENATOR FROM WEST VIRGINIA
Chairman Rockefeller. Ladies and gentlemen, this hearing
will come to order.
I have one quick announcement to make--and that is, I was
just told that we may have a vote on John Brennan, for the CIA,
coming up within a relatively short period of time, so we need
to be as efficient as possible. But, on the other hand, we can
come back from that.
So, let me make my opening statement. And I know that Tom
is coming.
Long ago, we made the decision in this country that private
companies would build, and that they would own, our key
transportation, communications, and energy networks. That was,
and still is, a good decision. Given the opportunity to earn a
reasonable profit on their investment, private companies build
our railroads, our wireline telephone network, our aviation
system, our pipelines, and so many other physical assets that
we have. They were built by private corporations, private
money, and are owned by them.
But, this isn't just our past, it's our future, too. With
the encouragement and support of Federal, State, and local
governments, private companies are hard at work today building
the broadband network that will be the key to our country's
success in the 21st century. What we have always asked these
companies for in return is that they serve, not just the
interests of their shareholders, but also the broader general
interests of the country, however one wants to define that.
As those of us who serve on the Commerce Committee know
well, getting big things done in this country, and in this
body, is slow. It's very slow. And it always takes, on really
big stuff, the private sector and the public sector, working
together. It just has to be that way. That's the kind of
partnership we will need to address the grave new threat that
our country faces today, which are cyber attacks, which, 4
years ago, were treated lightly, and today are still treated
too lightly, in my judgment, but is the number one national
security threat that the country faces.
Back in 2009, when I started working on this issue with
Senator Olympia Snowe, cybersecurity was just an exotic idea.
To some, it still is just that, or it's an idea to push aside
and take up later. But, it is not. Almost every day, we read
about another company, another Government agency that's been
electronically attacked by adversaries trying to cause economic
damage or searching for sensitive information, and getting it.
It's not a threat that we can address through a traditional
military response, of course, and it's not a threat that
individual companies can handle through their normal risk
mitigation practices. It's a threat that challenges our
traditional notion of the public and private spheres. That's
what makes it interesting.
A cyber attack against a government agency or a defense
contractor is an attack against our nation. An attack against a
private company dealing with--say, a water company--is an
attack against our nation. So is it with an attack on a private
company that provides power or clean water to millions of
Americans; an attack against any of these pieces, even though
they might be privately operated, is an attack against our
nation's critical infrastructure and, therefore, against us, as
a nation.
Since I've been working on this issue, I've had a lot of
good and productive sessions with the private sector. But, you
know what? We also have wasted an awful lot of time by turning
an urgent national security issue into a partisan political
fight. How one does that on the number one national security
threat, I don't know, but somehow we've managed to do it.
Back in 2010, we passed, in the Commerce Committee, a cyber
bill. We did it unanimously. And we did that because we didn't
have any vote, everybody just agreed, and it zipped right
through. However, we couldn't get enough votes, in 2012, to
start debate, even, on this issue on the Senate floor even
though the whole military and intelligence establishment was
going crazy at our lack of movement.
The Obama administration got tired of waiting for us. I
can't blame them. This is a problem that's growing worse every
day. So, on February 12 of this year, the President released an
Executive order that takes some very important steps--not
enough, because he can't create the law that's necessary for
some things, but they worked very hard to make this Executive
order a welcoming invitation to the private sector to work
together on this problem. It seeks to formalize and to
strengthen the working relationships many companies already
have with our cybersecurity experts in the Federal Government.
The Executive order starts a process with NIST--can NIST be
helpful? I think this can be helpful. Some others don't think
so, because it's called a ``government agency.'' We're going to
hear more about the Executive orders from our witnesses. The
Senators sitting in this dais today understand what an urgent
issue this is. We all want to do something. We want to come
together. We want to be ruled by our common sense, not by other
interests. So, we have our work cut out.
[The prepared statement of Chairman Rockefeller follows:]
Prepared Statement of Hon. John D. Rockefeller IV, U.S. Senator from
West Virginia and Chairman, U.S. Senate Committee on Commerce, Science,
and Transportation
Long ago we made the decision that in this country, private
companies would build and own our key transportation, communications,
and energy networks. That was and still is a good decision. Given the
opportunity to earn a reasonable profit on their investment, private
companies built our railroads, our wireline telephone network, our
aviation system, our pipelines, and many other physical assets that
have fueled our country's phenomenal economic success. This isn't just
our past. It's our future too. With the encouragement and support of
federal, state, and local governments, private companies are hard at
work today building the broadband network that will be key to our
country's success in the 21st century.
What we have always asked these companies for in return is that
they serve not just the narrow interests of their shareholders, but
also the broader, general interests of this country. As those of us who
serve on the Commerce Committee know very well, getting big things done
in this country always requires a partnership between the public and
private sectors. That's the kind of partnership we will need to address
the grave new threat our country faces today--the threat of cyber
attacks.
Back in 2009, when I started working on this issue with Senator
Snowe, cybersecurity was an exotic idea. Today, four years later, it is
a household word. Almost every day, we read about another company, or
another government agency, that has been electronically attacked by
adversaries trying to cause economic damage or searching for sensitive
information.
It's not a threat we can address through a traditional military
response, and it's not a threat that individual companies can handle
through their normal risk mitigation practices. It's a threat that
challenges our traditional notion of the public and private spheres. A
cyber attack against a government agency or a defense contractor is an
attack against our nation. But so is an attack on a private company
that provides power or clean water to millions of Americans. An attack
against a privately owned and operated piece of our nation's critical
infrastructure is an attack on all of us.
Since I have been working on this issue, I've had a lot of good,
productive discussions with leaders in our business community, our
military, and in other government agencies who understand this threat
and have good ideas about how we can tackle it. But we've also wasted a
lot of time, by turning an urgent national security issue into a
partisan political fight. Back in 2010, we passed a cyber bill out of
the Commerce Committee unanimously, without a vote. By the fall of
2012, we couldn't even get enough votes to close debate on the Senate
floor, even though our country's top national security leaders were
urging us to act.
The Obama Administration got tired of waiting for us. I can't blame
them. This is a problem that is growing worse every day. On February
12, 2013, President Obama released an Executive order that takes some
very important steps to start dealing with our cybersecurity problems.
The order marshals the resources and the expertise we have in many
different Federal agencies to start strengthening our country's ability
to defend ourselves from cyber attacks.
The Obama Administration worked very hard to make this Executive
order a welcoming invitation to the private sector to work together on
this problem. It seeks to formalize and strengthen the working
relationships many companies already have with our cybersecurity
experts in the Federal Government. One of the most important
initiatives in the Executive order is to start a process at the
National Institute of Standards and Technology (NIST) that will develop
cybersecurity standards and best practices with U.S. companies.
We are going to hear more about the Executive order from our
witnesses today, and we are going hear a lot more about cybersecurity
in the 113th Congress. The Senators sitting at this dais today--and
many more who are not sitting up here--understand what an urgent issue
this is. We understand that some of steps we need to take to defend our
people and our critical infrastructure cannot be accomplished by a
presidential order. We have to work with each other. We have to trust
each other. We have to move forward.
And I turn to my distinguished Chairman.
And the only--I regret to say this, but this is--since it's
not a public meeting, it doesn't hurt me anymore--the only West
Virginian--no----
Senator Carper. One of two.
Chairman Rockefeller.--one of two in the United States
Senate. The one who isn't is the one who's just finished
talking.
STATEMENT OF HON. THOMAS R. CARPER,
U.S. SENATOR FROM DELAWARE
Chairman Carper. And the one who is wishes he had his
money.
[Laughter.]
Chairman Carper. Nothing like being born in a log cabin,
I'll tell you.
I'm thrilled to be here with Senator Rockefeller, our
Chair--co-Chair--and Senator Thune and my wingman, here, Tom
Coburn, with whom I've worked on a lot of things.
I'm delighted with our witnesses.
And, Secretary, Pat, we're happy that you could join us
today.
I'm told that our committees have not held a joint hearing
for over 35 years; I guess, since 1975, to be exact. We need to
be able to work together; this is a shared responsibility, and
not just between government and private sector; this is a
shared responsibility here on Capitol Hill: executive branch,
legislative branch, and different committees, and different
parties. So, this is a great way to get started. I'm happy that
we're doing this.
But, we're having this hearing today because, as Chairman
Rockefeller has said, America's economy and our national
security are under attack. This is not the kind of war that
some of us served in earlier in our lives or read about in the
history books or have watched on television. The war that's
occurring today is a war that's occurring in cyberspace, it's
occurring in realtime, because, literally as I speak,
sophisticated cyber thieves are stealing our ideas, our
intellectual property, the very innovation, or the seed corn,
if you will, that fuels our economy in years to come.
Recent report by Mandiant, an American cybersecurity firm,
points the finger for much--not all, but much of the cyber
threat thievery that's going on, to a military unit in China.
Even more alarming are the reports that hackers are constantly
probing the companies that run our nation's critical
infrastructure--our electric grid, our gas lines, our
waterworks, the banking systems, among others.
Since this past summer, for example, websites for a number
of major U.S. banks have become the target of repeated cyber
attacks that have caused a disruption and service delays. We
read about that every week, almost every day. But, once inside
a company network, these hackers can do a lot more than steal
information or create a temporary nuisance. Among other things,
they can shut down our electric grid or release dangerous
chemicals into our water supply or into our air. We only have
to think about the cyber attack that reportedly destroyed more
than 30,000 computers at oil giant Saudi Aramco to know that
the threat is real and it is serious.
Several of our colleagues, including Senator Rockefeller,
Senators Feinstein and Collins, and former Chair of the
Committee that I'm now privileged to chair, Joe Lieberman,
worked diligently with others to move cybersecurity legislation
that Senator Rockefeller has mentioned. Unfortunately, we
couldn't come together to pass this vital piece of bipartisan
legislation. But, given the growing cyber threats that America
faces, we're now more determined than ever to put in place a
thoughtful, comprehensive cyber policy to protect our nation,
its people, its critical infrastructures, and its economy.
Because of Congress's failure to act last year, and the
serious nature of the threat, the President has issued, as we
know, an Executive order, last month, to better protect our
nation's cyber networks. Instead of drafting the order behind
closed doors, the White House was very open with the process,
conducting numerous listening sessions with companies and trade
groups so that the good ideas could be freely shared and
adopted, and bad ideas could be rejected.
Final product is an order that takes a number of critical
steps to improve the security of our critical infrastructure.
One of these steps enhances the way we share cyber threat
information between the Federal Government and the private
sector. For instance, in response to the concerns of many in
industry, the order looks to increase the volume, the
timeliness, and the quantity of cyber threat information shared
with the private sector. The order also relies on public-
private partnerships to strengthen the digital backbone of our
most sensitive systems. In fact, the order calls on the private
sector to lead the development of new security framework, in
coordination with NIST, National Institution--National
Institute of Standards and Technology.
Companies may voluntarily adopt the new cybersecurity
framework or work with their current regulations on their
solutions. To encourage the adoption of any new framework,
though, the order calls for using carrots instead of sticks.
For example, the order requires the Department of Homeland
Security and other Federal agencies to establish a set of
incentives to promote participation in the program. It also
requires Homeland Security to expedite the granting of security
clearances to the people who run our critical infrastructure,
so that industry can better understand the threats that they
face.
Privacy and civil liberties protections are also a key
consideration throughout the order. In fact, agencies are
required to incorporate privacy safeguards in all their
activities under the order. And, while I commend the President
for issuing this important order, there's only so much that he,
or any President, could do, using the authorities granted to a
President under existing law. Those authorities are simply not
enough to get the job done. That's where we come in.
Now is the time to begin the process of gathering input
from the administration and the broad array of stakeholders in
order to ascertain what Congress needs to do, what we need to
do, to build on, or fill in the gaps, if you will, around this
Executive order so that--that the President has promulgated.
For example, we know that what--that more needs to be done
on information sharing so that companies can more freely share
their best practices and threat information with each other and
with our government. We should also consider how we can further
improve the protection of our nation's critical infrastructure,
including offering incentives, such as liability protection, in
certain instances.
In addition, we need to be modernize the dated process we
have in place to ensure that the security of our Federal
network, something that we call FISMA, an area that Senator
Coburn and I have worked on for quite some time, along with
Senator Collins.
It's also important for us to clarify the roles and
responsibilities of Federal agencies involved in cybersecurity
so that we know who should be held accountable for our
successes or failures in tackling this growing threat.
And finally, we must also continue to develop the next
generation of cyber professionals, grow our own, and better
coordinate our cyber research-and-development efforts. A lot of
people in this country of ours question, today, whether we're
still able to set aside partisan differences or other
differences--the stakes are high--and summon the political will
to do what's best for America. The stakes are high. And it's
important--as the Chairman has said, here--important that we
should set aside our difference, whether political or
otherwise, and do what's right for our country. And I'm
confident, I'm encouraged, that, with the cooperation of the
folks that are on these committees and our colleagues with whom
we serve, that we're up to the task, and we're going to seize
this opportunity.
Thank you, Mr. Chairman.
[The prepared statement of Chairman Carper follows:]
Prepared Statement of Hon. Thomas R. Carper, U.S. Senator from Delaware
I am very pleased to be here today with our colleagues from the
Senate Commerce Committee hosting a joint hearing on cybersecurity, an
incredibly important topic for our country. I would like to thank
Chairman Rockefeller, Ranking Member Thune, and my Ranking Member, Dr.
Coburn--along with our staff members--for all their work on this
hearing. I would also like to thank our witnesses for being here today
and for their valuable service to our country.
I am told that our Committees have not held a joint hearing for
over 35 years--since 1975 to be exact. It is fitting that we have come
together again to address this issue because we definitely need a true
partnership to pass comprehensive cybersecurity legislation in this
Congress--a partnership between Democrats and Republicans, the House
and the Senate, Congress and the Administration; and, as the title of
this hearing indicates, between government and industry.
We are having this hearing today because America's economy and our
national security are under attack. This is not the kind of war that
some of us served in earlier in our lives, or read about in history
books, or watched on TV. This war is occurring in cyberspace and in
real time. Literally as I speak, sophisticated cyber thieves are
stealing American ideas and intellectual property--the very innovation
that fuels our economy.
A recent report by Mandiant, an American cybersecurity firm, points
the finger for much of this cyber theft to a military unit in China.
Even more alarming are the reports that hackers are constantly probing
the companies that run our Nation's critical infrastructure--our
electrical power grid, gas lines, waterworks, and banking system, among
others.
Since this past summer, for example, websites for a number of major
U.S. banks have become the target of repeated cyber attacks that have
caused disruption and service delays. But once inside a company
network, these hackers can do a lot more than steal information or
create a temporary nuisance. Among other things, they can shut down our
electric grid or release dangerous chemicals into our water supply.
We only have to think about the cyber attack that reportedly
destroyed more than 30,000 computers at oil giant Saudi Aramco to know
this threat is real--and serious. Several of our colleagues, including
Senators Rockefeller, Feinstein, and Collins, and the former Chairman
of the Committee I now chair, Joe Lieberman, worked diligently to move
cyber legislation last year. Unfortunately, the Senate could not come
together to pass this vital piece of bipartisan legislation. But given
the growing cyber threats that America faces, we are now more
determined than ever to put in place a comprehensive cyber policy to
protect our nation, its people, its critical infrastructure, and its
economy.
Because of Congress' failure to act last year and the serious
nature of the threat, the President issued an Executive Order last
month to better protect our Nation's cyber networks. Instead of
drafting the Order behind closed doors, the White House was very open
with the process, conducting numerous ``listening sessions,'' with
companies and trade groups so that good ideas could be freely shared
and adopted. The final product is an Order that takes a number of
critical steps to improve the security of our critical infrastructure.
One of these steps enhances the way we share cyber threat
information between the Federal Government and the private sector. For
instance, in response to the concerns of many in industry, the Order
looks to increase the volume, timeliness, and quality of cyber threat
information shared with the private sector.
The Order also relies on a public-private partnership to strengthen
the digital backbone of our most sensitive systems. In fact, the Order
calls on the private sector to lead the development of new security
frameworks in coordination with the National Institute of Standards and
Technology.
Companies may voluntarily adopt the new cybersecurity framework or
work with their current regulators on other solutions. To encourage the
adoption of any new framework, the Order calls for using carrots
instead of sticks. For example, the Order requires the Department of
Homeland Security and other Federal agencies to establish a set of
incentives to promote participation in the program.
It also requires Homeland Security to expedite the granting of
security clearances to the people who run our critical infrastructure,
so that industry can better understand the threats they face. Privacy
and civil liberties protections are also a key consideration throughout
the Order. In fact, agencies are required to incorporate privacy
safeguards in all their activities under the Order.
While I commend the President for issuing this very important
Order, there was only so much he could do using the authorities granted
to him under existing law. Those authorities are simply not enough to
get the job done. Now is the time to begin the process of gathering
input from the Administration and a broad array of stakeholders in
order to ascertain what Congress needs to do to build on the Executive
order that the President has promulgated.
For example, we know that more needs to be done on information
sharing so that companies can more freely share best practices and
threat information with each other, and with the Federal Government. We
should also consider how we can further improve the protection of our
Nation's critical infrastructure, including offering incentives such as
liability protection in certain instances. In addition, we need to
modernize the dated process we have in place to ensure the security of
our Federal networks. This is an area that I have worked on for years.
It is also important for us to clarify the roles and
responsibilities of Federal agencies involved in cybersecurity so that
we know who should be held accountable for our success or failure in
tackling this growing threat. Finally, we must also continue to develop
the next generation of cyber professionals and better coordinate our
cyber research and development efforts.
A lot of people in this country of ours question today whether
we're still able to set aside our partisan differences when the stakes
are high and summon the political will to do what's best for America. I
believe this joint hearing is a good step in showing the American
people we can. I look forward to working with our colleagues, as well
as with the Administration, industry, and other stakeholders, to pass
critically needed cyber legislation.
Chairman Rockefeller. The distinguished Ranking Member of
the Commerce Committee, Senator Thune.
STATEMENT OF HON. JOHN THUNE,
U.S. SENATOR FROM SOUTH DAKOTA
Senator Thune. Thank you, Mr. Chairman and Chairman Carper.
I look forward, along with you and with Senator Coburn and
members of both of our committees, to examining the need for a
greater cybersecurity partnership between the private sector
and the Federal Government.
No one can deny the serious threat that we're confronting
in cyberspace. Almost daily, we learn of new cyber threats and
attacks targeting our government agencies and companies that
drive our economy. In these perilous economic times, it's
especially troubling that the intellectual capital that fuels
our prosperity is being siphoned off by cyber criminals and
even nation--states.
The National Counterintelligence Executive, the country's
chief counterintelligence official, summed it up this way in
2011, and I quote, ``Trade secrets developed over thousands of
working hours by our brightest minds are stolen in a split
second and transferred to our competitors.'' This large-scale
theft cannot be allowed to continue unchecked. We must find
solutions that leverage the innovation and know-how of the
private sector, as well as the expertise and information held
by the Federal Government. And, given the escalating nature of
the threat, we should look for solutions that will have an
immediate impact.
As today's hearing title suggests, one thing we must do is
strengthen the partnership between the government and the
private sector. As one of our witnesses, David Kepler, of The
Dow Chemical Company, observed in his testimony, timely
information sharing between government and industry, and among
industry peers, is key to this collaboration.
The Chair of the House Intelligence Committee has said
that, according to intelligence officials, allowing the
government to share classified information with private
companies could stop up to 90 percent of cyber attacks on U.S.
networks. Even if the figure was only 60 to 70 percent, the
return would be well worth the effort.
Improving research and development is another area where
our focus could yield new tools to secure the cyber domain. We
should not underestimate the value of R&D. I'm proud to know
that South Dakota's own Dakota State University is one of only
four schools in the nation designated by the National Security
Agency as a National Center of Academic Excellence in Cyber
Operations.
It's no secret that, during the last Congress, the Senate
reached an impasse on cybersecurity legislation. It is my
hope--and I suspect that it's our shared hope--that we can
avoid another stalemate in this Congress. Today's hearing
represents a good start.
As we all recognize, this issue crosses the jurisdictional
boundaries of many committees, so it is appropriate, if
somewhat challenging, that we've joined with our colleagues on
the Homeland Security and Governmental Affairs Committee today.
Of course, given the importance of this topic and the value of
hearing from multiple stakeholders, I look forward to
additional sessions in the Commerce Committee as we seek
consensus on this vital matter.
Our hearing today takes place against the backdrop of the
President's recently released Executive order on cybersecurity
and related Presidential policy directive. Even though I, like
many of my colleagues, was skeptical about executive action,
the order's release may provide an opportunity for Congress to
find common ground on other steps that will improve our
cybersecurity. Of course, we must also conduct meaningful
oversight of the Executive order's implementation.
I look forward to hearing from Secretary Napolitano and
Under Secretary Gallagher today regarding the steps the
Department of Homeland Security and the National Institute of
Standards and Technology are taking to ensure that the
Executive order's promise of improved partnership and
collaboration with the private sector is realized in practice.
I'm particularly interested in hearing about how the Executive
order builds upon or enhances existing mechanism for public-
private collaboration. And I'll be interested in the views of
our GAO witness, Greg Wilshusen, as to whether the Federal
Government is up to the task envisioned by the Executive order,
given persistent shortcomings in its own cybersecurity efforts
identified by the watchdog agency.
Again, Mr. Chairman, I thank you, and I thank all of the
witnesses for being here today, and I look forward to hearing
their testimony.
Chairman Rockefeller. Distinguished Senator from Oklahoma,
Tom Coburn.
STATEMENT OF HON. TOM COBURN,
U.S. SENATOR FROM OKLAHOMA
Senator Coburn. Thank you, Mr. Chairman.
Welcome, to all the witnesses. I appreciate you being here.
Senator Carper and I had a little demonstration or
presentation on the Executive order yesterday, and I have to
say I was impressed with the thoroughness and the presentation
of it.
I'm highly disappointed that OMB didn't release the FISMA
report. And there's no reason for it, other than it's--shows
significant criticism of our ability to manage critical
information within the Federal Government. And I will apologize
to them vociferously if, in fact--my assessment of that report.
But, to not put it out before this hearing is absolutely
ridiculous, because we all know--and the GAO's going to testify
today what we all know--is the status within our own government
on how well we're doing. And so, it's unfortunate that we've
chosen not to have a critical piece of information that
analyzes a report card on us for this hearing.
The--I am appreciative of the leadership of the President
and his staff in doing this Executive order. I think it was
timely and it was appropriate. And I'll speak to the issue that
nobody wants to directly speak to, is--the reason the bill
didn't go through the Senate is because there's a--there is a
disagreement on the liability protections for business and
industry, when they share their information, to protect them
against frivolous lawsuits. And in the hearings that Senator
Carper and I have had that have been classified thus far, there
hasn't been one person who's testified--all administrative
witnesses, all administration--who don't agree that those
protections are going to have to be there for us to accomplish
what we need to do for our country. And so, what we have to do
is, we have to get past that one issue, and we have to address
the real issues in front of us.
The other thing that I would like to emphasize is the
fact--and Senator Thune spoke about it, and I know Senator
Rockefeller and Senator Carper care immensely about it--and
that's the intellectual property loss that this country loses
every year. And General Alexander, head of the NSA, has said
it's around $400 billion a year. And if we do not create a
workable situation, what we're doing is taking the investment
that we spend every year, that we want to spend, in terms of RD
in this country, and giving it away.
So, we have to find a way to solve this problem, in the
Senate, and we have to work across the aisle and across the
special interest groups that don't want certain things because
it might create a lack of a supreme benefit for their cause.
What we have to do is what's in the best interests of the
nation. And I think the President has shown real leadership
with this Executive order, and now we need to come behind it
and firm it up.
And I appreciate, also, Senator Rockefeller, his
cooperation on the witnesses for this. I want to thank you
publicly for that. Having a hearing on cybersecurity and not
listening to the expert at GAO would be inappropriate. And Mr.
Wilshusen is here, and he's knowledgeable, and I look forward
to his testimony, on the second panel.
Thank you.
[The prepared statement of Ranking Member Coburn follows:]
Prepared Statement of Hon. Tom Coburn, U.S. Senator from Oklahoma,
Ranking Member, U.S. Senate Committee on Homeland Security and
Governmental Affairs
Thank you, Mr. Chairman. Welcome to all the witnesses. I appreciate
you being here. Senator Carper and I had a little demonstration or
presentation on the executive order yesterday. And I have to say I was
impressed with the thoroughness and the presentation of it.
I am highly disappointed that OMB didn't release the FISMA report.
There is no reason for it other than it shows significant criticism of
our ability to manage critical information within the Federal
Government. I will apologize to them vociferously if, in fact, my
assessment of that report--but to not put it out before this hearing is
absolutely ridiculous, because we all know, and the GAO's going to
testify today what we all know, is the status within our own government
on how well we're doing, and so it's unfortunate that we have chosen
not to have a critical piece of information that analyzes a report card
on us for this hearing.
I am appreciative of the leadership of the President and his staff
in doing this Executive order. I think it was timely and appropriate.
I'll speak to the issue that nobody wants directly to speak to, is the
reason the bill didn't go through the Senate is because there is a
disagreement on the liability protections for business and industry
when they share their information to protect them against frivolous
lawsuits. In the hearings that Senator Carper and I have had, that have
been classified thus far, there hadn't been one person who has
testified, all the administrative witnesses--all of administration--who
do not agree that those protections are going to have to be there for
us to accomplish what we need to do for our country. We have to get
past that one issue, and we have to address the issues in front of us.
The other thing that I would like to emphasize is the intellectual
property loss that this country loses every year. General Alexander,
head of the NSA, has said it's around $400 billion a year, and if we do
not create a workable situation, what we are doing is taking the
investment that we spend every year that we want to spend in terms of
R&D in this country, and giving it away.
We have to find a way to solve this problem in the Senate, and we
have to work across the aisle and across the special interest groups
that don't want certain things, because it might create a lack of a
supreme benefit for their cause. What we have to do is what's in the
best interest of the nation, and I think the President has shown real
leadership with this Executive order, and now we need to come behind
and firm it up.
I appreciate--also, Senator Rockefeller, his cooperation on the
witnesses for this. I want to thank you publicly for that. Having a
hearing on cybersecurity and not listening to the expert at GAO would
be inappropriate, and Mr. Wilshusen is here, and he's knowledgeable,
and I look forward to his testimony in the second panel.
Thank you.
Chairman Rockefeller. Thank you, Senator Coburn.
And we now go to our first two witnesses. We're glad
they're here.
The Honorable Janet Napolitano, who's Secretary, U.S.
Department of Homeland Security.
I see you at more hearings, on more television, than
anybody else within a 10-mile radius of Washington, D.C. But,
fortunately, you're here today for us. Please proceed.
STATEMENT OF HON. JANET NAPOLITANO, SECRETARY,
U.S. DEPARTMENT OF HOMELAND SECURITY
Secretary Napolitano. Well, thank you. Thank you, Chairman
Rockefeller and Ranking Member Thune and Chairman Carper,
Ranking Member Coburn, members of the Committee. I appreciate
the opportunity to testify regarding our cybersecurity efforts
at the Department of Homeland Security. And I also want to
thank Under Secretary Gallagher for our partnership with NIST
with the Department of Commerce.
This is, as you all have acknowledged, an urgent and
important topic. As you know, DHS is responsible for securing
unclassified Federal civilian government networks and working
with owners and operators of critical infrastructure to help
them secure their own networks. We also coordinate the national
response to significant cyber incidents, and create and
maintain a common operational picture for cyberspace across the
government.
This is critical, time-sensitive work, because we confront
a dangerous combination of known and unknown cyber
vulnerabilities and adversaries with strong and rapidly
expanding capabilities. Threats range from denial-of-service
attacks to theft of valuable intellectual property to
intrusions against government networks and systems that control
our nation's critical infrastructure. These attacks come from
every part of the globe. They come every minute of every day.
They are continually increasing in seriousness and
sophistication.
To protect Federal networks, DHS is deploying technology to
detect and to block cyber intrusions, and we are developing
continuous diagnostic capabilities while providing guidance on
what agencies need to do to protect themselves. We also work
closely and regularly with owners and operators of critical
infrastructure to strengthen their facilities through onsite
risk assessment, mitigation, and incident response, and by
sharing risk and threat information. For example, we provided
classified cyber threat briefings and technical assistance to
help banks improve their defensive capabilities following the
recent spate of DDOS attacks.
DHS is home to the National Cybersecurity and
Communications Integration Center, the NCCIC. The NCCIC is an
around-the-clock cyber situational awareness and incident-
response center, which, over the past 4 years--and that's as
old as it is--has responded to nearly a half a million incident
reports and released more than 26,000 actionable cybersecurity
alerts to public-and private-sector partners. Last year, the
Computer Emergency Readiness Team, US-CERT, resolved
approximately 190,000 cyber incidents and issued more than
7,450 alerts--in and of itself, a 68 percent increase from the
year before--and our Industrial Control System Cyber Emergency
Response Team responded to 177 incidents while completing 89
site visits, deploying 15 teams to respond to significant
private-sector cyber incidents involving control systems.
Since 2009, DHS components have prevented $10 billion in
potential losses through cyber crime investigations. We have
arrested more than 5,000 individuals in connection with cyber
crime. And we partner closely with the Departments of Justice
and Defense to ensure that a call to one is a call to all. So,
while each agency operates within the parameters of its
authorities, our overall Federal response to cyber incidents of
consequence is coordinated among the three agencies. Where
agency authorities overlap, as in law enforcement protection
and response, we also directly coordinate with and support each
other.
This synchronization--a call to one is a call to all--
ensures that all of our capabilities are brought to bear
against cyber threats, enhances our ability to share timely and
actionable information with a variety of partners.
But, while our accomplishments are significant and
cybersecurity remains a priority for the administration, in
order to be able to best meet this growing threat, we need
Congress to enact a suite of comprehensive cybersecurity
legislation. I appreciate the efforts made in the last Congress
to pass bipartisan legislation, but the inability to get this
done has, indeed, required the President to take executive
action.
The EO [Executive order] on Improving Critical
Infrastructure Cybersecurity supports more efficient sharing of
realtime cyber threat information with the private sector. It
directs DHS to develop a voluntary program to promote the
adoption of a new cybersecurity framework, and assists the
private sector in its implementation. The accompanying
Presidential Policy Directive on Critical Infrastructure,
Security, and Resilience also directs the executive branch to
strengthen our capability to understand and share information
about how well critical infrastructure systems are functioning,
and the consequence of potential failure. And it calls for a
comprehensive research-and-development plan to guide the
government's effort to enhance market-based innovation.
These two documents, the EO and the PPD, reflect input from
stakeholders of all viewpoints across government, industry, and
the advocacy community. Their ideas and lessons were
incorporated, as were rigorous protections for individual
privacy and civil liberties. Importantly, the EO calls us to
work within current authorities and increase voluntary
cooperation with the private sector. It does not grant any new
regulatory authority or establish additional incentives for
participation in a voluntary program.
Nonetheless, we continue to believe that a comprehensive
suite of legislation is necessary to build stronger, more
effective public/private partnerships in the realm of cyber.
Specifically, Congress should enact legislation to incorporate
privacy and civil liberty safeguards into all aspects of
cybersecurity, further increase information sharing, and
establish and promote the adoption of standards for critical
infrastructure, give law enforcement additional tools to fight
crime in the Digital Age, create a national data-breach
reporting requirement; and, finally, give DHS hiring authority
equivalent to that of the NSA.
We also know that threats to cyberspace, and the need to
address them, do not diminish because of budget cuts. Even in
the current fiscal climate, we do not have the luxury of making
significant reductions to our capabilities without having
significant impacts. Sequester reductions will require us to
scale back the development of critical capabilities for the
defense of Federal cyber networks. It will disrupt long-term
efforts to grow our cybersecurity workforce, and delay the
implementation of E3A by approximately 1 year. In addition,
sequester has resulted in canceling major cybersecurity
exercises by which, involving international, Federal, State,
local, private-sector partners, we actually work through the
various problem sets and scenarios we confront.
The American people expect us to secure the country from a
growing cyber threat and to ensure that critical infrastructure
is protected. Further action is needed by Congress, including
immediate action to address the sequester, if we are to meet
our responsibilities. We must act now, not years from now.
So, I look forward to working with both committees to make
sure we continue to do everything possible to keep the nation
safe.
I thank you for your continued guidance and support, and
for the opportunity to be with you this afternoon.
[The prepared statement of Secretary Napolitano follows:]
Prepared Statement of Hon. Janet Napolitano, Secretary,
U.S. Department of Homeland Security
Chairmen Rockefeller and Carper, Ranking Members Thune and Coburn,
and Members of the Committees:
I am pleased to join you today, and I thank the Committee for your
strong support for the Department of Homeland Security (DHS) over the
past four years and, indeed, since the Department's founding ten years
ago.
I can think of no more urgent and important topic in today's
interconnected world than cybersecurity, and I appreciate the
opportunity to explain the Department's mission in this space and how
we continue to improve cybersecurity for the American people as well as
work to safeguard the nation's critical infrastructure and protect the
Federal Government's networks.
Current Threat Landscape
Cyberspace is woven into the fabric of our daily lives. According
to recent estimates, this global network of networks encompasses more
than two billion people with at least 12 billion computers and devices,
including global positioning systems, mobile phones, satellites, data
routers, ordinary desktop computers, and industrial control computers
that run power plants, water systems, and more.
While this increased connectivity has led to significant
transformations and advances across our country--and around the world--
it also has increased the importance and complexity of our shared risk.
Our daily life, economic vitality, and national security depend on
cyberspace. A vast array of interdependent IT networks, systems,
services, and resources are critical to communication, travel, powering
our homes, running our economy, and obtaining government services. No
country, industry, community or individual is immune to cyber risks.
The word ``cybersecurity'' itself encompasses protection against a
broad range of malicious activity, from denial of service attacks, to
theft of valuable trade secrets, to intrusions against government
networks and systems that control our critical infrastructure.
The United States confronts a dangerous combination of known and
unknown vulnerabilities in cyberspace and strong and rapidly expanding
adversary capabilities. Cyber crime has also increased significantly
over the last decade. Sensitive information is routinely stolen from
both government and private sector networks, undermining the integrity
of the data contained within these systems. We currently see malicious
cyber activity from foreign nations engaged in espionage and
information warfare, terrorists, organized crime, and insiders. Their
methods range from distributed denial of service (DDoS) attacks and
social engineering to viruses and other malware introduced through
thumb drives, supply chain exploitation, and leveraging trusted
insiders' access.
We have seen motivations for attacks vary from espionage by foreign
intelligence services to criminals seeking financial gain and hackers
who may seek bragging rights in the hacker community. Industrial
control systems are also targeted by a variety of malicious actors who
are usually intent on damaging equipment and facilities or stealing
data. Foreign actors are also targeting intellectual property with the
goal of stealing trade secrets or other sensitive corporate data from
U.S. companies in order to gain an unfair competitive advantage in the
global market.
Cyber attacks and intrusions can have very real consequences in the
physical world. Last year, DHS identified a campaign of cyber
intrusions targeting natural gas and pipeline companies that was highly
targeted, tightly focused and well crafted. Stolen information could
provide an attacker with sensitive knowledge about industrial control
systems, including information that could allow for unauthorized
operation of the systems. As the President has said, we know that our
adversaries are seeking to sabotage our power grid, our financial
institutions, and our air traffic control systems. These intrusions and
attacks are coming all the time and they are coming from different
sources and take different forms, all the while increasing in
seriousness and sophistication.
The U.S. Government has worked closely with the private sector
during the recent series of denial-of-service incidents. We have
provided classified cyber threat briefings and technical assistance to
help banks improve their defensive capabilities and we have increased
sharing and coordination among the various government elements in this
area. These developments reinforce the need for government, industry,
and individuals to reduce the ability for malicious actors to establish
and maintain capabilities to carry out such efforts.
In addition to these sophisticated attacks and intrusions, we also
face a range of traditional crimes that are now perpetrated through
cyber networks. These include child pornography and exploitation, as
well as banking and financial fraud, all of which pose severe economic
and human consequences. For example, in March 2012, the U.S. Secret
Service (USSS) worked with U.S. Immigration and Customs Enforcement
(ICE) to arrest nearly 20 individuals in its ``Operation Open Market,''
which seeks to combat transnational organized crime, including the
buying and selling of stolen personal and financial information through
online forums. As Americans become more reliant on modern technology,
we also become more vulnerable to cyber exploits such as corporate
security breaches, social media fraud, and spear phishing, which
targets employees through e-mails that appear to be from colleagues
within their own organizations, allowing cyber criminals to steal
information.
Cybersecurity is a shared responsibility, and each of us has a role
to play. Emerging cyber threats require the engagement of our entire
society--from government and law enforcement to the private sector and,
most importantly, members of the public. The key question, then, is how
do we address this problem? This is not an easy question because
cybersecurity requires a layered approach. The success of our efforts
to reduce cybersecurity risks depends on effective identification of
cyber threats and vulnerabilities, analysis, and enhanced information
sharing between departments and agencies from all levels of government,
the private sector, international entities, and the American public.
Roles, Responsibilities, Activities
DHS is committed to ensuring cyberspace is supported by a secure
and resilient infrastructure that enables open communication,
innovation, and prosperity while protecting privacy, confidentiality,
and civil rights and civil liberties by design.
Securing Federal Civilian Government Networks
DHS has operational responsibilities for securing unclassified
Federal civilian government networks and working with owners and
operators of critical infrastructure to secure their networks through
cyber threat analysis, risk assessment, mitigation, and incident
response capabilities. We also are responsible for coordinating the
national response to significant cyber incidents and for creating and
maintaining a common operational picture for cyberspace across the
government.
DHS directly supports Federal civilian departments and agencies in
developing capabilities that will improve their cybersecurity posture
in accordance with the Federal Information Security Management Act
(FISMA). To protect Federal civilian agency networks, our National
Protection and Programs Directorate (NPPD) is deploying technology to
detect and block intrusions through the National Cybersecurity
Protection System and its EINSTEIN protective capabilities, while
providing guidance on what agencies need to do to protect themselves
and measuring implementation of those efforts.
NPPD is also developing a Continuous Monitoring as a Service
capability, which will result in an array of sensors that feed data
about an agency's cybersecurity risk and present those risks in an
automated and continuously-updated dashboard visible to technical
workers and managers to enhance agencies' ability to see and counteract
day-to-day cyber threats. This capability will support compliance with
Administration policy, be consistent with guidelines set forth by the
National Institute of Standards and Technology (NIST), and enable
Federal agencies to move from compliance-driven risk management to
data-driven risk management. These activities will provide
organizations with information necessary to support risk response
decisions, security status information, and ongoing insight into
effectiveness of security controls.
Protecting Critical Infrastructure
Critical infrastructure is the backbone of our country's national
and economic security. It includes power plants, chemical facilities,
communications networks, bridges, highways, and stadiums, as well as
the Federal buildings where millions of Americans work and visit each
day. DHS coordinates the national protection, prevention, mitigation,
and recovery from cyber incidents and works regularly with business
owners and operators to take steps to strengthen their facilities and
communities. The Department also conducts onsite risk assessments of
critical infrastructure and shares risk and threat information with
state, local and private sector partners.
Protecting critical infrastructure against growing and evolving
cyber threats requires a layered approach. DHS actively collaborates
with public and private sector partners every day to improve the
security and resilience of critical infrastructure while responding to
and mitigating the impacts of attempted disruptions to the Nation's
critical cyber and communications networks and to reduce adverse
impacts on critical network systems.
DHS enhances situational awareness among stakeholders, including
those at the state and local level, as well as industrial control
system owners and operators, by providing critical cyber threat,
vulnerability, and mitigation data, including through Information
Sharing and Analysis Centers, which are cybersecurity resources for
critical infrastructure sectors. DHS is also home to the National
Cybersecurity & Communications Integration Center (NCCIC), a 24x7 cyber
situational awareness, incident response, and management center that is
a national nexus of cyber and communications integration for the
Federal Government, intelligence community, and law enforcement.
Responding to Cyber Threats
DHS is responsible for coordinating the Federal Government response
to significant cyber or physical incidents affecting critical
infrastructure. Since 2009, the NCCIC has responded to nearly half a
million incident reports and released more than 26,000 actionable
cybersecurity alerts to our public and private sector partners. The DHS
Office of Intelligence and Analysis is a key partner in NCCIC
activities, providing tailored all-source cyber threat intelligence and
warning to NCCIC components and public and private critical
infrastructure stakeholders to prioritize risk analysis and mitigation.
An integral player within the NCCIC, the U.S. Computer Emergency
Readiness Team (US-CERT) also provides response support and defense
against cyber attacks for Federal civilian agency networks as well as
private sector partners upon request. US-CERT collaborates and shares
information with state and local government, industry, and
international partners, consistent with rigorous privacy,
confidentiality, and civil liberties guidelines, to address cyber
threats and develop effective security responses. In 2012, US-CERT
processed approximately 190,000 cyber incidents involving Federal
agencies, critical infrastructure, and our industry partners. This
represents a 68 percent increase from 2011. In addition, US-CERT issued
over 7,455 actionable cyber-alerts in 2012 that were used by private
sector and government agencies to protect their systems, and had over
6,400 partners subscribe to the US-CERT portal to engage in information
sharing and receive cyber threat warning information.
The Department's Industrial Control Systems Cyber Emergency
Response Team (ICS-CERT) also responded to 177 incidents last year
while completing 89 site assistance visits and deploying 15 teams with
US-CERT to respond to significant private sector cyber incidents. DHS
also empowers owners and operators through a cyber self-evaluation
tool, which was used by over 1,000 companies last year, as well as in-
person and on-line training sessions.
Successful response to dynamic cyber threats requires leveraging
homeland security, law enforcement, and military authorities and
capabilities, which respectively promote domestic preparedness,
criminal deterrence and investigation, and national defense. DHS, the
Department of Justice (DOJ), and the Department of Defense (DOD) each
play a key role in responding to cybersecurity incidents that pose a
risk to the United States. In addition to the aforementioned
responsibilities of our Department, DOJ is the lead Federal department
responsible for the investigation, attribution, disruption, and
prosecution of domestic cybersecurity incidents while DOD is
responsible for securing national security and military systems as well
as gathering foreign cyber threat information and defending the Nation
from attacks in cyberspace. DHS supports our partners in many ways. For
example, the United States Coast Guard as an Armed Force has partnered
with U.S. Cyber Command and U.S. Strategic Command to conduct military
cyberspace operations.
While each agency operates within the parameters of its
authorities, the U.S. Government's response to cyber incidents of
consequence is coordinated among these three agencies such that ``a
call to one is a call to all.'' Synchronization among DHS, DOJ, and DOD
not only ensures that whole of government capabilities are brought to
bear against cyber threats, but also improves government's ability to
share timely and actionable cybersecurity information among a variety
of partners, including the private sector.
Combating Cybercrime
DHS employs more law enforcement agents than any other Department
in the Federal Government and has personnel stationed in every state
and in more than 75 countries around the world. To combat cyber crime,
DHS relies upon the skills and resources of the USSS and ICE and works
in cooperation with partner organizations to investigate cyber
criminals. Since 2009, DHS has prevented $10 billion in potential
losses through cyber crime investigations and arrested more than 5,000
individuals for their participation in cyber crime activities.
The Department leverages the 31 USSS Electronic Crimes Task Forces
(ECTF), which combine the resources of academia, the private sector,
and local, state and Federal law enforcement agencies to combat
computer-based threats to our financial payment systems and critical
infrastructure. A recently executed partnership between ICE Homeland
Security Investigations and USSS demonstrates the Department's
commitment to leveraging capability and finding efficiencies. Both
organizations will expand participation in the existing ECTFs. In
addition to strengthening each agency's cyber investigative
capabilities, this partnership will produce benefits with respect to
the procurement of computer forensic hardware, software licensing, and
training that each agency requires. The Department is also a partner in
the National Cyber Investigative Joint Task Force, which serves as a
collaborative entity that fosters information sharing across the
interagency.
We work with a variety of international partners to combat
cybercrime. For example, through the U.S.-EU Working Group on
Cybersecurity and Cybercrime, which was established in 2010, we develop
collaborative approaches to a wide range of cybersecurity and
cybercrime issues. In 2011, DHS participated in the Cyber Atlantic
tabletop exercise, a U.S.-EU effort to enhance international
collaboration of incident management and response, and in 2012, DHS and
the EU signed a joint statement that advances transatlantic efforts to
enhance online safety for children. ICE also works with international
partners to seize and destroy counterfeit goods and disrupt websites
that sell these goods. Since 2010, ICE and its partners have seized
over 2,000 domain names associated with businesses selling counterfeit
goods over the Internet. To further these efforts, the Administration
issued its Strategy on Mitigating the Theft of U.S. Trade Secrets last
month. DHS will act vigorously to support the Strategy's efforts to
combat the theft of U.S. trade secrets--especially in cases where trade
secrets are targeted through illicit cyber activity by criminal
hackers.
In addition, the National Computer Forensic Institute has trained
more than 1,000 state and local law enforcement officers since 2009 to
conduct network intrusion and electronic crimes investigations and
forensic functions. Several hundred prosecutors and judges as well as
representatives from the private sector have also received training on
the impact of network intrusion incident response, electronic crimes
investigations, and computer forensics examinations.
Building Partnerships
DHS serves as the focal point for the Government's cybersecurity
outreach and awareness efforts. Raising the cyber education and
awareness of the general public creates a more secure environment in
which the private or financial information of individuals is better
protected. For example, the Multi-State Information Sharing and
Analysis Center (MS-ISAC) opened its Cyber Security Operations Center
in November 2010, which has enhanced NCCIC situational awareness at the
state and local government level and allows the Federal Government to
quickly and efficiently provide critical cyber threat, risk,
vulnerability, and mitigation data to state and local governments. MS-
ISAC has since grown to include all 50 states, three U.S. territories,
the District of Columbia, and more than 200 local governments.
The Department also has established close working relationships
with industry through partnerships like the Protected Critical
Infrastructure Information (PCII) Program, which enhances voluntary
information sharing between infrastructure owners and operators and the
government. The Cyber Information Sharing and Collaboration Program
established a systematic approach to cyber threat information sharing
and collaboration between critical infrastructure owners and operators
across the various sectors. And, in 2010, we launched a national
campaign called Stop.Think.Connect to spread public awareness about how
to keep our cyber networks safe.
In addition, DHS works closely with international partners to
enhance information sharing, increase situational awareness, improve
incident response capabilities, and coordinate strategic policy issues
in support of the Administration's International Strategy for
Cyberspace. For example, the Department has fostered international
partnerships in support of capacity building for cybersecurity through
agreements with Computer Emergency Response and Readiness Teams as well
as the DHS Science & Technology Directorate (S&T). Since 2009, DHS has
established partnerships with Australia, Canada, Egypt, India, Israel,
the Netherlands, and Sweden.
Fostering Innovation
The Federal Government relies on a variety of stakeholders to
pursue effective research and development projects that address
increasingly sophisticated cyber threats. This includes research and
development activities by the academic and scientific communities to
develop capabilities that protect citizens by enhancing the resilience,
security, integrity, and accessibility of information systems used by
the private sector and other critical infrastructure. DHS supports
Centers of Academic Excellence around the country to cultivate a
growing number of professionals with expertise in various disciplines,
including cybersecurity.
DHS S&T is leading efforts to develop and deploy more secure
Internet protocols that protect consumers and industry Internet users.
We continue to support leap-ahead research and development, targeting
revolutionary techniques and capabilities that can be deployed over the
next decade with the potential to redefine the state of cybersecurity
in response to the Comprehensive National Cybersecurity Initiative. For
example, DHS was a leader in the development of protocols at the
Internet Engineering Task Force called Domain Name System Security (DNS
SEC) Extensions. DNS SEC is necessary to protect Internet users from
being covertly redirected to malicious websites and helps prevent
theft, fraud, and abuse online by blocking bogus page elements and
flagging pages whose Domain Name System (DNS) identity has been
hijacked. S&T is also driving improvements through a Transition to
Practice Program as well as liability and risk management protections
provided by the Support Anti-terrorism by Fostering Effective
Technology (SAFETY) Act that promote cyber security technologies and
encourage their transition into successful use.
Growing and Strengthening our Cyber Workforce
We know it only takes a single infected computer to potentially
infect thousands and perhaps millions of others. But at the end of the
day, cybersecurity is ultimately about people. The most impressive and
sophisticated technology is worthless if it's not operated and
maintained by informed and conscientious users.
To help us achieve our mission, we have created a number of
competitive scholarship, fellowship, and internship programs to attract
top talent. We are growing our world-class cybersecurity workforce by
creating and implementing standards of performance, building and
leveraging a cybersecurity talent pipeline with secondary and post-
secondary institutions nationwide, and institutionalizing an effective,
ongoing capability for strategic management of the Department's
cybersecurity workforce. Congress can support this effort by pursuing
legislation that provides DHS with the hiring and pay flexibilities we
need to secure Federal civilian networks, protect critical
infrastructure, respond to cyber threats, and combat cybercrime.
Recent Executive Actions
As discussed above, America's national security and economic
prosperity are increasingly dependent upon the cybersecurity of
critical infrastructure. With today's physical and cyber infrastructure
growing more inextricably linked, critical infrastructure and emergency
response functions are inseparable from the information technology
systems that support them. The government's role in this effort is to
share information and encourage enhanced security and resilience, while
identifying and addressing gaps not filled by the marketplace.
Last month, President Obama issued Executive Order 13636 on
Improving Critical Infrastructure Cybersecurity as well as Presidential
Policy Directive 21 on Critical Infrastructure Security and Resilience,
which will strengthen the security and resilience of critical
infrastructure through an updated and overarching national framework
that acknowledges the increased role of cybersecurity in securing
physical assets.
DHS Responsibilities
The President's actions mark an important milestone in the
Department's ongoing efforts to coordinate the national response to
significant cyber incidents while enhancing the efficiency and
effectiveness of our work to strengthen the security and resilience of
critical infrastructure. The Executive order supports more efficient
sharing of cyber threat information with the private sector and directs
NIST to develop a Cybersecurity Framework to identify and implement
better security practices among critical infrastructure sectors. The
Executive order directs DHS to establish a voluntary program to promote
the adoption of the Cybersecurity Framework in conjunction with Sector-
Specific Agencies and to work with industry to assist companies in
implementing the framework.
The Executive order also expands the voluntary DHS Enhanced
Cybersecurity Service program, which promotes cyber threat information
sharing between government and the private sector. This engagement
helps critical infrastructure entities protect themselves against cyber
threats to the systems upon which so many Americans rely. This program
is a good example of information sharing with confidentiality, privacy
and civil liberties protections built into its structure. DHS will
share with appropriately cleared private sector cybersecurity providers
the same threat indicators that we rely on to protect the .gov domain.
Those providers will then be free to contract with critical
infrastructure entities and provide cybersecurity services comparable
to those provided to the U.S. Government.
Through the Executive order, the President also directed agencies
to incorporate privacy, confidentiality, and civil liberties
protections. It specifically instructs DHS to issue a public report on
activities related to implementation, which would therefore enhance the
existing privacy policy, compliance, and oversight programs of DHS and
the other agencies.
In addition, the Presidential Policy Directive directs the
Executive Branch to strengthen our capability to understand and
efficiently share information about how well critical infrastructure
systems are functioning and the consequences of potential failures. It
also calls for a comprehensive research and development plan for
critical infrastructure to guide the government's effort to enhance
market-based innovation.
Because the vast majority of U.S. critical infrastructure is owned
and operated by private companies, reducing the risk to these vital
systems requires a strong partnership between government and industry.
There is also a role for state, local, tribal and territorial
governments who own a significant portion of the Nation's critical
infrastructure. In developing these documents, the Administration
sought input from stakeholders of all viewpoints in industry,
government, and the advocacy community.
Their input has been vital in crafting an order that incorporates
the best ideas and lessons learned from public and private sector
efforts while ensuring that our information sharing incorporates
rigorous protections for individual privacy, confidentiality, and civil
liberties. Indeed, as we perform all of our cyber-related work, we are
mindful of the need to protect privacy, confidentiality, and civil
liberties. The Department has implemented strong privacy and civil
rights and civil liberties standards into all its cybersecurity
programs and initiatives from the outset. To accomplish the integrated
implementation of these two directives, DHS has established an
Interagency Task Force made up of representatives from across all
levels of government.
Continuing Need for Legislation
It is important to note that the Executive order directs Federal
agencies to work within current authorities and increase voluntary
cooperation with the private sector to provide better protection for
computer systems critical to our national and economic security. It
does not grant new regulatory authority or establish additional
incentives for participation in a voluntary program. We continue to
believe that a suite of legislation is necessary to implement the full
range of steps needed to build a strong public-private partnership, and
we will continue to work with Congress to achieve this.
The Administration's legislative priorities for the 113th Congress
build upon the President's 2011 Cybersecurity Legislative Proposal and
take into account two years of public and congressional discourse about
how best to improve the Nation's cybersecurity. Congress should enact
legislation to incorporate privacy, confidentiality, and civil
liberties safeguards into all aspects of cybersecurity; strengthen our
critical infrastructure's cybersecurity by further increasing
information sharing and promoting the establishment and adoption of
standards for critical infrastructure; give law enforcement additional
tools to fight crime in the digital age; and create a National Data
Breach Reporting requirement.
Conclusion
The American people expect us to secure the country from the
growing danger of cyber threats and ensure the Nation's critical
infrastructure is protected. The threats to our cybersecurity are real,
they are serious, and they are urgent.
I look forward to working with this Committee and the Congress to
ensure we continue to take every step necessary to protect cyberspace,
in partnership with government at all levels, the private sector, and
the American people, and continue to build greater resiliency into
critical cyber networks and systems.
I appreciate this Committee's guidance and support as together we
work to keep our Nation safe. Thank you, again, for the attention you
are giving to this urgent matter.
Chairman Rockefeller. Thank you, Secretary.
Now The Honorable Patrick Gallagher, who's Under Secretary
of Commerce for Standards and Technology, and Director of the
National Institute of Standards and Technology, which is in the
U.S. Department of Commerce, and which is just chock full of
Nobel laureates. It's one of the ultimate gems in Washington,
D.C., and is not used as it should be.
Please proceed, sir.
STATEMENT OF HON. PATRICK D. GALLAGHER, Ph.D.,
UNDER SECRETARY OF COMMERCE FOR STANDARDS AND TECHNOLOGY, U.S.
DEPARTMENT OF COMMERCE
Dr. Gallagher. Thank you very much. And it's a real
pleasure to be here.
Let me begin by thanking both Chairmen Rockefeller and
Carper, and both Ranking Members Thune and Coburn, and members
of both committees, for the opportunity to testify today. It's
a particular pleasure to be joining one of my critical partners
in this effort, Secretary Napolitano.
Let me very briefly summarize NIST's role in our
responsibilities to develop a framework for reducing cyber risk
and critical infrastructure under the Executive order.
It may be a surprise to some that an agency of the U.S.
Department of Commerce has been given this key role in
cybersecurity but, in fact, NIST has a long history in this
area. We have provided technical support to cybersecurity for
over 50 years, working closely with our Federal partners. And
also because NIST is a technical, but nonregulatory agency, we
provide a unique interface with industry to support their
efforts in technical and standards development. Today, NIST has
programs in a wide variety of cybersecurity areas, including
cryptography, network security, security automation, hardware
roots of trust, and identity management.
As directed in the Executive order, NIST will work with
industry to develop a cybersecurity framework that supports
performance goals established by the Department of Homeland
Security. DHS, then, in coordination with sector specific
agencies, will support the adoption of the cybersecurity
framework by owners and operators of critical infrastructure
and other interested entities through a voluntary program.
To be successful, two major elements have to be part of
this approach:
First, it will require an effective partnership with DHS.
Last month, I signed a Memorandum of Agreement with DHS Under
Secretary Rand Beers to ensure that our work was fully
coordinated with DHS.
Second, the cybersecurity framework must be developed
through a process that is industry-led and open and transparent
to all stakeholders. By having industry develop their own
practices that are responsive to the performance goals, the
process will ensure that it is both robust, technically, but
also aligned with their business needs.
This approach has many advantages. It does not dictate
specific solutions to industry, but promotes industry offering
their own solutions. It allows solutions to be developed that
are compatible with business and market conditions. And, by
leveraging industry's own considerable capacity, it brings more
talent and expertise to the table to tackle this topic.
This is not a new or novel approach for NIST. We have
utilized very similar approaches in the recent past to address
other pressing national priorities, notable examples being
smart grid and cloud computing. We know how to do this.
Since this is industry's framework, the NIST role is to act
as a convener and technical contributor. By working closely
with our Federal partners, we also ensure that industry's work
is relevant to their missions to protect the public.
So, what is in this framework? The short answer is,
whatever is needed to achieve the needed cybersecurity
performance, but, in practice, we expect the framework will
include standards, methodologies, procedures, and processes
that align the business, policy, and technological approaches
to address the cyber risk for critical infrastructure.
Let me touch, briefly, on the topic of standards and their
importance to success in this effort.
First, by ``standards,'' I'm using the term as industry
does. These are agreed-upon specifications, or norms, that
allow compatibility of efforts to achieve a goal. These are not
the same thing as regulation. Industry standards are developed
through a multi-stakeholder voluntary consensus process, and it
is this process that gives these standards their power and
their broad acceptance around the world. These standards are
not static. They can be changed to meet technological advances
and meet new performance requirements. And, in fact,
performance-based standards promote innovation specifically
because they allow new products--services to be developed in a
way that's not a tradeoff.
Mr. Chairman, I appreciate the challenge before us. This EO
requires the framework to be developed within a year. A
preliminary framework, in fact, is due within 8 months. We have
already issued a request for information to gather relevant
input from industry and other stakeholders. We are actively
inviting those stakeholders to participate in the framework
process. The early response has been very positive.
Over the next few months, we will convene a series of
workshops, where we will develop the framework, because this
forum allows the necessary collaboration and engagement with
industry. Our first organizational workshop will be held on
April 3. In May, we will release our initial findings from the
request for information, and our analysis of this response.
And, by the 8-month point, we will have an initial draft
framework, including an initial list of standards, guidance,
and practices.
The President's Executive order lays out an urgent and
ambitious agenda, but it is designed around an active
collaboration between the public and private sectors. And I
believe that this partnership provides the needed capacity to
meet this agenda and it will effectively give us the tools to
manage the cybersecurity risk we face.
And I appreciate the Committees holding this joint hearing.
It's reflective of the partnership we'll need to be successful
in this effort. And I look forward to answering any questions
you may have.
[The prepared statement of Dr. Gallagher follows:]
Prepared Statement of Hon. Patrick D. Gallagher, Ph.D., Under Secretary
of Commerce for Standards and Technology, U.S. Department of Commerce
Introduction
Chairmen Rockefeller and Carper, Ranking Members Thune and Coburn,
members of the Committees, I am Patrick Gallagher, Under Secretary of
Commerce for Standards and Technology and Director of the National
Institute of Standards and Technology (NIST), a non-regulatory bureau
within the U.S. Department of Commerce. Thank you for this opportunity
to testify today on NIST's role under Executive Order 13636,
``Improving Critical Infrastructure Cybersecurity'' and our
responsibility to develop a framework for reducing cyber risks to
critical infrastructure.
The Role of NIST in Cybersecurity
Let me begin with a few words on NIST itself: NIST's mission is to
promote U.S. innovation and industrial competitiveness by advancing
measurement science, standards, and technology in ways that enhance
economic security and improve our quality of life. Our work in
addressing technical challenges related to national priorities has
ranged from projects related to the Smart Grid and electronic health
records to atomic clocks, advanced nanomaterials, and computer chips.
In the area of cybersecurity, we have worked with Federal agencies,
industry, and academia since 1972 on the development of the Data
Encryption Standard. Our role to research, develop and deploy
information security standards and technology to protect information
systems against threats to the confidentiality, integrity and
availability of information and services, was strengthened through the
Computer Security Act of 1987 and reaffirmed through the Federal
Information Security Management Act of 2002. Consistent with this
mission, NIST is actively engaged with industry, academia, and other
parts of the Federal Government including the intelligence community,
and elements of the law enforcement and national security communities,
coordinating and prioritizing cybersecurity research, standards
development, standards conformance demonstration and cybersecurity
education and outreach.
Our broader work in the areas of information security, trusted
networks, and software quality is applicable to a wide variety of
users, from small and medium enterprises to large private and public
organizations including agencies of the Federal Government and
companies involved with critical infrastructure.
Executive Order 13636, ``Improving Critical Infrastructure
Cybersecurity''
On February 13, 2013, the President signed Executive Order 13636,
``Improving Critical Infrastructure Cybersecurity,'' which gave NIST
the responsibility to develop a framework to reduce cyber risks to
critical infrastructure (the Cybersecurity Framework). As directed in
the Executive order, NIST, working with industry, will develop the
Cybersecurity Framework and the Department of Homeland Security (DHS)
will establish performance goals. DHS, in coordination with sector-
specific agencies, will then support the adoption of the Cybersecurity
Framework by owners and operators of critical infrastructure and other
interested entities, through a voluntary program.
Our partnership with DHS will drive much of our effort. Last month
I signed a Memorandum of Agreement with DHS Under Secretary Rand Beers
to ensure that our work with industry for the Cybersecurity Framework,
and also with cybersecurity standards, best practices, and metrics, is
fully integrated with the information sharing, threat analysis,
response, and operational work of DHS. This will enable a more holistic
approach to addressing the complex nature of the challenge at hand.
A Cybersecurity Framework is an important element in addressing the
challenges of improving the cybersecurity of our critical
infrastructure. A NIST-coordinated and industry-led Framework will draw
on standards and best practices that industry is already involved in
developing and adopting. NIST coordination will ensure that the process
is open and transparent to all stakeholders, and will ensure a robust
technical underpinning to the framework. This approach will
significantly bolster the relevance of the resulting Framework to
industry, making it more appealing for industry to adopt.
Why This Approach?
This multi-stakeholder approach leverages the respective strengths
of the public and private sectors, and helps develop solutions in which
both sides will be invested. The approach does not dictate solutions to
industry, but rather facilitates industry coming together to offer and
develop solutions that the private sector is best positioned to
embrace.
I would also like to note that this is not a new or novel approach
for NIST. We have utilized very similar approaches in the recent past
to address other pressing national priorities. The lessons learned from
those experiences are informing how we are planning for and structuring
our current effort. In 2009, the Energy Independence and Security Act
(EISA) mandated NIST to develop a standards framework to help with the
deployment of a nationwide, end-to-end interoperable Smart Grid.
Following a similar approach to the one envisioned for the
Cybersecurity Framework, NIST coordinated a forward leaning approach
involving more than 1500 representatives from approximately 21 distinct
domains that now constitute the Smart Grid.
This effort led to the development of a framework called the Smart
Grid Roadmap that defined the domains of the Smart Grid and the
interfaces for those domains, identified existing standards for these
domains, prioritized standards needs and identified standards gaps.
Many of these standards gaps are currently being addressed in various
standards development organizations around the world. We are seeing the
results of this effort pay off in many ways. Cybersecurity standards
are being developed and adopted to secure different elements of the
electrical grid. Standards based deployments of secure Smart Meters are
enabling consumers safe and secure access to data about electricity
usage. The U.S. Smart Grid Roadmap is being used as a template for
frameworks in many countries around the world. Automakers are reaching
agreement regarding chargers for electric vehicles. All these
developments have helped address important policy objectives while also
positioning the U.S. as a leader in Smart Grid development and
deployment.
Another example of how NIST has brought together the public and
private sector to address technical challenges is NIST's work in the
area of Cloud Computing technologies. The unique partnership formed by
NIST has enabled us to develop important definitions and architectures,
and is now enabling broad Federal Government deployment of secure Cloud
Computing technologies.
What is the Cybersecurity Framework?
The Cybersecurity Framework will consist of standards,
methodologies, procedures and processes that align policy, business,
and technological approaches to address cyber risks for critical
infrastructure. Once the Framework is established, the Department of
Homeland Security (DHS), in coordination with sector-specific agencies,
will then support the adoption of the Cybersecurity Framework by owners
and operators of critical infrastructure and other interested entities
through a voluntary program. Regulatory agencies will also review the
Cybersecurity Framework to determine if current cybersecurity
requirements are sufficient, and propose new actions if it is
determined they are insufficient.
This approach reflects both the need for enhancing the security of
our critical infrastructure and the reality that the bulk of critical
infrastructure is owned and operated by the private sector. Any efforts
to better protect critical infrastructure need to be supported and
implemented by the owners and operators of this infrastructure. It also
reflects the reality that many in the private sector are already doing
the right things to protect their systems and should not be diverted
from those efforts through new requirements.
The Important Role of Standards in the Cybersecurity Framework
I'd like to explain why this approach relies on standards,
methodologies, procedures and processes, and why we believe it to be a
critical part of our work under the Executive order. First of all, by
standards, I am referring to agreed-upon best practices against which
we can benchmark performance. Thus, these are NOT regulations.
Typically these standards are the result of industry coming together to
develop solutions for market needs and are developed in open
discussions and agreed upon by consensus of the participants. This
process also gives standards the power of broad acceptance around the
world. Standards have a unique and key attribute of scalability. By
this I mean, that when we can use solutions that are already adopted by
industry, or can readily be adopted and used by industry, then those
same solutions reduce transactions costs for our businesses and provide
economies of scale when deployed in other markets, which makes our
industries more competitive.
A partnership with industry to develop, maintain, and implement
voluntary consensus standards related to cybersecurity best ensures the
interoperability, security and resiliency of this global infrastructure
and makes us all more secure. It also allows this infrastructure to
evolve in a way that embraces both security and innovation--allowing a
market to flourish to create new types of secure products for the
benefit of all Americans.
Developing the Cybersecurity Framework
NIST's initial steps towards implementing the Executive order
include issuing a Request for Information (RFI) to gather relevant
input from industry and other stakeholders, and asking stakeholders to
participate in the Cybersecurity Framework process. This RFI was
published last week and we are already getting informal feedback from
industry and other stakeholders on the RFI. Given the diversity of
sectors in critical infrastructure, these initial efforts will help
identify existing cross-sector security standards and guidelines that
are immediately applicable or likely to be applicable to critical
infrastructure. Industry has begun responding to the RFI and is coming
to the table to work with us on this analysis.
Underlying all of this work, NIST sees its role in developing the
Cybersecurity Framework as partnering with industry and other
stakeholders to help them develop the Framework. In addition to this
critical convening role, our work will be to compile and provide
guidance on principles that are applicable across the sectors for the
full-range of quickly evolving threats, based on inputs from DHS and
other agencies. NIST's unique technical expertise in various aspects of
cybersecurity related research, technology development and an
established track record of working with a broad cross-section of
industry and government agencies in the development of standards and
best practices positions us very well to address this significant
national challenge in a timely and effective manner.
The approach of the Executive order will allow industry to protect
our Nation from the growing cybersecurity threat while enhancing
America's ability to innovate and compete in a global market. It also
helps grow the market for secure, interoperable, innovative products to
be used by consumers anywhere.
Next Steps
The Executive order requirement for the Framework to be developed
within one year, and a preliminary framework due within eight months
gives this task a sense of urgency. We have already initiated an
aggressive outreach program to raise awareness of this issue and begin
engaging industry and stakeholders. Over the next few months, NIST will
bring many diverse stakeholders to the table through a series of
``deep-dive'' engagements. Throughout the year, you can expect NIST to
use its capabilities to gather the input needed to develop the
Framework.
In addition to the Request for Information (RFI), we are planning a
series of workshops and events to ensure that we can cover the breadth
of considerations that will be needed to make this national priority a
success. Our first workshop will be held in early April to initiate the
process of identifying existing resources and gaps, and to prioritize
the issues to be addressed as part of the framework. In May, we are
planning to release initial findings from early analyses of the
responses to the RFI. This will mark a transition into the dialogue
regarding the foundations of the framework.
In June, the Departments of Commerce, Homeland Security, and
Treasury will submit reports regarding incentives designed to increase
participation with the voluntary program. NIST will be supporting the
report drafted by the Department of Commerce, which will analyze the
benefits and relative effectiveness of such incentives.
Around the five-month mark, in July, NIST will host a workshop to
present initial considerations for the Framework, based on the analysis
conducted with the responses to the RFI. This workshop will be the most
in-depth of the three, with an emphasis on particular issues that have
been identified from the initial work--including the specific needs of
different sectors. At eight months, we will have an initial draft
Framework that clearly outlines areas of focus and initial lists of
standards, guidelines and best practices that fall into those areas
In a year's time, once we have developed an initial Framework,
there will still be much to do. For example, our partners at the
Department of Homeland Security will be working with specific sectors
to build strong voluntary programs for specific critical infrastructure
areas. Their work will then inform the needs of critical infrastructure
and the next versions of the Framework. The goal at the end of this
process will be for industry to take and update the Cybersecurity
Framework themselves--allowing it to evolve when needed.
Conclusion
The cybersecurity challenge facing critical infrastructure is
greater than it ever has been. The President's Executive order reflects
this reality, and lays out an ambitious agenda founded on active
collaboration between the public and private sectors. NIST is mindful
of the weighty responsibilities with which we have been charged by
President Obama, and we are committed to listening to, and working
actively with, critical infrastructure owners and operators to develop
a Cybersecurity Framework.
Thank you, for the opportunity to present NIST's views regarding
critical infrastructure cybersecurity security challenges. I appreciate
the Committees holding this joint hearing- it is reflective of the
working partnership we have with Department of Homeland Security and
other agencies to tackle cybersecurity issues. We have a lot of work
ahead of us--and I look forward to working with both Committees to help
us address these pressing challenges. I will be pleased to answer any
questions you may have.
Patrick D. Gallagher
Dr. Patrick Gallagher was confirmed as the 14th Director of the
U.S. Department of Commerce's National Institute of Standards and
Technology (NIST) on Nov. 5, 2009. He also serves as Under Secretary of
Commerce for Standards and Technology, a new position created in the
America COMPETES Reauthorization Act of 2010, signed by President Obama
on Jan. 4, 2011.
Gallagher provides high-level oversight and direction for NIST. The
agency promotes U.S. innovation and industrial competitiveness by
advancing measurement science, standards, and technology. NIST's FY
2012 resources total $750.8 million from the Consolidated and Further
Continuing Appropriations Act of 2012 (P.L. 112-55), with an estimated
additional annual income of $62.7 million in service fees, and $128.9
million from other agencies. The agency employs about 2,900 scientists,
engineers, technicians, support staff, and administrative personnel at
two main locations in Gaithersburg, Md., and Boulder, Colo.
Gallagher had served as Deputy Director since 2008. Prior to that,
he served for four years as Director of the NIST Center for Neutron
Research (NCNR), a national user facility for neutron scattering on the
NIST Gaithersburg campus. The NCNR provides a broad range of neutron
diffraction and spectroscopy capability with thermal and cold neutron
beams and is presently the Nation's most used facility of this type.
Gallagher received his Ph.D. in Physics at the University of Pittsburgh
in 1991. His research interests include neutron and X-ray
instrumentation and studies of soft condensed matter systems such as
liquids, polymers, and gels. In 2000, Gallagher was a NIST agency
representative at the National Science and Technology Council (NSTC).
He has been active in the area of U.S. policy for scientific user
facilities and was chair of the Interagency Working Group on neutron
and light source facilities under the Office of Science and Technology
Policy. Currently, he serves as co-Chair of the Standards Subcommittee
under the White House National Science and Technology Council.
Chairman Rockefeller. Thank you, sir.
I'm going to ask a question, and the four who spoke will
too, but we'll be very brief, because there are a lot of people
here. We're going to go according to the early bird rule. To
start, I'm just going to ask one quick question to both of you.
There are some people who say, ``Look, the House basically
has information sharing in its bill.'' It doesn't have much
about workforce, it doesn't have much about standards, it
doesn't have much about a lot of things, which I think are
critical to a good bill, but it's in their bill, so, in theory,
in that most people would agree with that, if you wanted to get
a piece of legislation, you could just hold yourself back to
information sharing. I think that's wholly insufficient. I
don't think that's a wise, useful, constructive approach to the
kind of bill that we can't really come back to each and every
year. We've got to do our full work this year.
So, I'm asking, starting with you, Secretary Napolitano, do
you think that information sharing alone is sufficient?
Secretary Napolitano. No. I think you've got it right, Mr.
Chairman.
In terms of the House bill, even in the information-sharing
area, I think there were some deficiencies in it. It had no
privacy protections built around it, which is very important in
the--particularly in the civilian realm. And it resided almost
all of the cybersecurity information monitoring
responsibilities within the NSA, which, of course, is part of
the military. We're talking about a totally different
environment here, the domestic environment, the partnership
with core critical infrastructure.
But, beyond that, what we are looking for is legislation
that can, if necessary, put in statute the clarity of the roles
and responsibilities now contained in the EO, so that that is
preserved, moving forward; a bill that looks at the basic
standard-setting that we need for core critical infrastructure
of the country; a bill that addresses FISMA as we move, and try
to move, from a paperwork-dominated statute to one that
requires and embodies continuous diagnostics, in realtime; and
increased research and development, among other things.
So, as we kind of lay out the topics involved under the
umbrella of cybersecurity, information sharing is very, very
important. Realtime information sharing is critical, but it is
not the only concern we have in this arena.
Chairman Rockefeller. Thank you.
Secretary Gallagher.
Dr. Gallagher. So, I think--it's hard to add to that
answer, but I think cybersecurity doesn't lend itself to simple
solutions. And I think, in the particular example you gave,
even with information sharing, where you're going to provide
threat information to the private sector, they have to have the
capacity to act on that information. And, to do that, it
involves some of the standards and technology issues that we're
talking about in the framework.
So, I think these things tend to be interdependent and go
hand-in-hand.
Chairman Rockefeller. Senator Carper.
Chairman Carper. Thanks, Mr. Chairman.
I'd like to go back a bit in time with each of you, and go
back to when the Senate--particularly Senators Lieberman,
Collins, Rockefeller, myself, Feinstein--offered the earlier
version of our legislation, our comprehensive legislation. And,
in it, critics said, ``Well, you've got the standards--with
respect to standards,'' that's best practices, if you will, for
critical infrastructure--``basically, you've got it mandated,
and somebody telling us what to do. That somebody might be
DHS.'' They didn't appreciate that very much. And the idea was
rejected. So, we changed it.
As you know, we changed it so that--we came back and said,
``Well, why don't we say that, for critical infrastructure, the
best practices would be, not mandated, but we'd ask the
industries--the owners, the operators of the critical
infrastructure--to tell us what--or to tell the Department of
Homeland Security what the standards ought to be. There would
be a dialogue between--that includes DHS, NSA, FBI, others--and
they would somehow--in this discussion, this roundtable, they'd
figure out what the best practices should be.'' Again, there
was a push-back from the--part of the business community said,
``No, no, that's going to end up with--we'll end up with
mandated best practices, mandated standards in that.''
And so, we come up with this Executive order. And the
Executive order says, as I understand it, ``Your dance partner,
owners of critical infrastructure, is not going to be FBI, it's
not going to be Homeland Security, it's going to be Assistant
Secretary Gallagher and our friends at NIST. And they work with
industry all the time on stuff that's related to this, like''--
that's one of the things that you talked about.
It's--what you've laid out, here, this framework, suggests
to me that each time--it's the third major proposal, here--each
time, it's been changed; and each time, it's been changed to
reflect, maybe the legitimate concerns, or maybe not so
legitimate concerns, that were raised within parts of the
business community.
But, I think we've moved a long ways, y'all have moved a
long ways, and, I think, in smart ways.
As my wingman here, Dr. Coburn, has suggested, there are
still some concerns about liability protection. My
understanding is, on the information-sharing sides, there's not
so much--it's not so much an issue anymore. I think there may
be bipartisan agreement with respect to punitive damages, and
maybe general damages. I think there are some questions about
liability protection on the critical infrastructure side.
Should it be punitive? Should it be more than punitive?
But, there has been a whole lot of movement, as I see it,
from the administration and, I think, from a bipartisan group
of us in the Senate, to meet the legitimate concerns that have
been raised.
Here's my question. Two-part. One, as you've gone out and
done good work in seeking input, Dr. Gallagher, from the
business community, what are you hearing? Is there any
acknowledgment that changes have been made? In a sense, the
administration is kind of negotiating against itself, but I
think we're negotiating after hearing what's being offered by
those who have been critical of our earlier approaches.
Number one, what are you hearing in response to the
changes, this latest iteration? Positive, or not?
And, second--this is, maybe, more for our Secretary--on the
liability side--general and punitive on the information
sharing. That's pretty--most people say that's pretty good, in
terms of give to the business community. And the question is,
what do we have to do in liability, on the critical
infrastructure side, to get their buy-in.
Two questions.
Chairman Rockefeller. And before those are answered, the
vote is premature, but it has started--the cloture motion on
John Brennan--so, we're going to work a tag-team thing here.
Whether we're Republicans or Democrats, it makes no difference.
I'm going to go over. John, you can run faster than I can.
Chairman Carper. Mr. Chairman?
Chairman Rockefeller. Yes.
Chairman Carper. Someone just handed me a note. It says
it's going to be--the first vote is on the Brennan nomination,
the 3:15. If it's agreed to--and I'm encouraged that it's going
to be agreed to----
Chairman Rockefeller. Well, we're 10 minutes into it. It's
already started.
Chairman Carper. Oh, OK. OK. Fair enough.
Chairman Rockefeller. Because we're going to have two
votes.
Chairman Carper. Good. We're going to have two votes. Fair
enough.
Chairman Rockefeller. OK.
Chairman Carper. All right.
Chairman Rockefeller. Go ahead and answer.
Chairman Carper [presiding]. Yes. Two questions, please.
Thank you.
Dr. Gallagher. So, very quickly, let me give you the
reaction that I've been hearing from business. I think,
generally, it's been very positive. And I think the origin of
that reaction has to do with the tension that you've observed
as these negotiations on how standards and requirements play
off each other.
I think one of the reasons the reaction is positive is that
I--and Senator Rockefeller mentioned this in his opening
remark--the tricky issue here is that there is a public
accountability for performance in the forum of critical
infrastructure. If it fails, it causes impact to the nation.
But, these type of standards and requirements also have
business impact; they touch how businesses perform, they touch
their business practices, and they affect the markets. And I
think, generally, there's a reticence to having the government
somehow have an undue impact on their business condition.
So, this arrangement allows, really, kind of the ideal
choreography, because the Department of Homeland Security lays
out the performance expectation--what do we have to achieve,
from a cybersecurity-performance view?--and then charges
industry with coming up with the business and cybersecurity
practices that meet that goal. And then we try to align our
practices.
So, in this complicated mix, where you want this to take
place, I think this is the best of all possible worlds.
NIST is kind of an ideal convener, because we're technical
and we're not in charge of anything. So, we can be sort of
neutral and be a partner with industry as they develop that.
Chairman Carper. Good.
Secretary Napolitano, the second half of the question,
please.
Secretary Napolitano. With respect to liability protection,
I think the administration is already on record as having
supported the targeted liability protections that were in the
bill last year, the bipartisan bill last year. But, the EO also
requires us to look at other ways to incentivize businesses to
raise their practice to meet the standards that are ultimately
seen as optimal. And so, for example, a--exploring, as we are,
whether there could be a procurement preference, for example,
given; whether there could be some kind of a seal of approval
that is given. Now, those are just two ideas that can also
provide incentives, because--recognize that the market, in and
of itself, has not provided sufficient incentive, yet, for all
business to voluntarily raise their standards.
Chairman Carper. All right. This vote's started--thank you
for--both of you--for those responses--the vote started about 8
minutes--9 minutes ago, and----
Thuney, you want to take a shot?
Senator Thune. All right, thank you, Mr. Chairman, I will,
and we'll race over there together.
Let me just, if I might, Secretary Napolitano, direct this
question to you. The Executive order directs the Secretary of
Homeland Security--you--to provide performance goals for the
cybersecurity framework. We've been told the performance goals
are intended to establish the level of security that the
framework should meet. Doesn't the ability to set the
performance goals put DHS in the driver's seat for this
process, no matter how collaborative the initial NIST process
may be?
Secretary Napolitano. Well, we already do this, in the
physical security side, with critical infrastructure. We work
with critical infrastructure in 18 separate sectors to work on
commonly understood performance goals and standards. So, in a
way, Senator, this is simply extending that into the cyber
realm.
But, we intend, and are pursuing, a realm that is very
collaborative in nature. Our goal is to set performance goals.
And NIST, then, establishes the framework and the standards of
how those goals are reached.
So, by way of example, a goal might be for a major--let's
say, a utility--if its major server, or servers, is attacked
and is nonfunctional--to have the capability to restore service
within a certain period of time. What the definition of that
certain period of time is, is something that we would be
working with, with industry, what makes sense, how would they
do it, what are their options, and so forth. But, that would
then feed into the framework that NIST will be establishing.
Senator Thune. And just to elaborate on that a little bit,
how do you intend to ensure that the performance goals are
reasonably attainable by your private sector partners?
Secretary Napolitano. Well, again, the EO requires us to
engage in a collaborative process, and to make sure that all
voices are listened to. And we do this in other areas already.
So, I would say, again, we will simply take some of the lessons
learned from some other things that we have done in the
physical infrastructure realm, and continue them into
cybersecurity.
Senator Thune. All right.
Dr. Gallagher, how will NIST ensure that the framework that
you're directed to develop with industry and other agencies
does not undermine, conflict with, or duplicate existing
mandatory--or voluntary, for that matter--government- or
industry-led standards for each infrastructure sector?
Dr. Gallagher. So, the way we'd like to approach that is by
having the industry and the critical infrastructure community
put the framework together themselves. I think we've--we've
done this approach in smart grid, where--and in cloud
computing--where those same stakeholders, who are operating
under either mandatory or industry-led standards, are quite
willing to put those on the table; and that's actually the
starting point for this framework process. This is not NIST
developing new or additional material; this is much closer--
much better thought of as a harmonization of what industry is
presently doing, itself. So, that's the way of taking care of
that conflict.
Senator Thune. You mention, in your testimony, that--and
I'm going to quote, here--``Many in the private sector are
already doing the right things to protect their systems, and
should not be diverted from those efforts through new
requirements.''
How are you going to work with DHS to ensure the Federal
Government is not diverting companies with new requirements?
Dr. Gallagher. So, I think the way that this works is--and,
in fact, the request for information we just put out asks
companies and stakeholders to share with us their current
practices and standards that they use. And I think the way this
framework is going to look, at the beginning, is, you're going
to see areas of overlap or where there's, you know, maybe,
existing and--from--existing practices from different sectors
that tackled the same problem in different ways. And there's
going to be areas where there are gaps.
And so, the roadmap is going to have a very interesting
sort of--the framework is going to have a roadmap character to
it, where, you know, we can use that to address those areas of
overlap and see whether that's a problem, or not. And I think
the way--industry needs to lead those discussions, not us. And,
conversely, when we see areas where there are gaps, then
there's going to be the ability to organize and set priorities
to address those gaps.
So, I think the process is specifically designed to make
sure we don't reinvent the wheel.
Senator Thune. And one quick question before we go vote--
what's the threshold for sufficient industry feedback and
participation in the framework development process? How are you
going to ensure that you receive enough industry input?
Dr. Gallagher. That's an interesting question. I don't--we
haven't had the problem of insufficient industry involvement in
the past, so we're anticipating the opposite problem, which is
an enormous insurge of participation. And I think what happens
at the working level, through most of these efforts, is, you
pick up on industry's own consensus-standards processes. And
so, the same sort of criteria for whether the right
stakeholders are involved and participating applies there.
And I think the final analysis is going to determine--is
going to look at the quality of their work product. If the
right folks were around the table, and the best ideas were
brought out, and then we're going to have the most viable
product, I guess the final test of all would be the market, you
know, pickup. I mean, the real test of the framework is whether
it's put into practice. And if insufficient involvement was
there, that's not that buy-in, then we're not going to see that
adoption.
Senator Thune. Mr. Chairman, I think we have to go vote.
Chairman Carper. Yes, we do.
Senator Thune. Recess?
Chairman Carper. We're going to do a short recess, probably
10 minutes. We'll be back in about 10 minutes. Thank you for
your patience and letting us go do our nation's work. Thanks so
much.
We're in recess for 10 minutes.
[Recess.]
STATEMENT OF HON. MARK WARNER,
U.S. SENATOR FROM VIRGINIA
Senator Warner [presiding]. Well, this may be the first and
only time I get to chair this combined hearing, for the next 20
or 30 years, so I rushed back. We do have a second vote, but it
appears that the first vote may take some extended time. There
are some folks at the White House. So, hopefully Senator Coburn
will be back shortly, as well, and we'll be able to continue to
move on.
I wanted to look--and I know one of the biggest challenges
we've got on this whole question is, you know, how we set
appropriate standards, how those standards are nimble enough as
a--in a field that is constantly evolving. As somebody who made
a living in the technology field, I'm somewhat familiar with
that. And I think Senator Coburn raised, appropriately, the
right question, how we can then use the information sharing so
that firms are able to share in a way that has both--
appropriate protections in place.
And one thing that I would just add--since I may have a
little bit more time, as folks come back--is that I sense that
there is a changing feeling in the business community, because,
one, the increased amount of cyber activities, cyber attacks;
two, the publicly released Mandiant report, which cited and
specified the activities, particularly coming from China, and
how pervasive they are, and how much intellectual property is
stolen. So, while I, clearly, want to make sure that businesses
get the appropriate protections, I think there's an evolving
feeling, in the business community, that standards that had
some enforcement behind them, other than voluntary, are
important.
And what I wanted to have, perhaps--Mr. Gallagher, start
first--and then Secretary Napolitano address, is this--the
free-rider issue. When you have a voluntary set of standards,
and you have those businesses, entities that meet these
standards, then those that don't, in effect, have that plain
economic free rider effect. And is it not the case that,
particularly within sectoral industries--take utilities, for a
moment--you may have--because the--all the utilities have an
enormous interconnection between them--those free riders who
don't have appropriate protections in place may end up being an
entry point, not only into their own operations, but then into
other firms, because the firewalls between common industry
partners are not as great.
So, if both of you would like a take a crack at this issue
of the free riders--whether you see it, whether you're seeing
an emerging feeling from the business community on this issue.
Dr. Gallagher. So, thank you, Senator Warner.
I think that, with regard to the accountability of the
standards framework, you know, voluntary sometimes feels soft,
as if it's optional. But, the term is used in business--in
fact, standards developed through a voluntary consensus process
by businesses can be, in fact, fairly muscular. They can
include schemes that are there to identify whether products and
services conform to those standards. And those conformity
assessment vehicles, like product marking or various other
things, can be used in their business-to-business
relationships; they can be part of contract requirements, they
can be part of their own procurement requirements, and so
forth. And that's why these standards have such a powerful
market effect, is that they start driving these interactions.
So, I don't think we should believe that, because business
is in charge of the standards environment, that it's going to
be weak. I think--as long as the accountability is there for
the underlying cybersecurity performance, I think they're going
to be inclined to look at making sure that there's a robustness
there and they can identify their supply chain as not
undermining their credibility.
That being said, there is going to be unevenness in
adoption, and I think that's going to be one of the things we
continue to monitor, both with the stakeholders who are helping
us develop the framework and with our Federal partners. In some
cases, it's going to be, maybe, willful; in other cases, it may
be just the size of the company. Small businesses sometimes
face different hurdles, in terms of compliance, than large
companies. And hopefully that's a part of the framework and the
partnership.
Senator Warner. Before Secretary Napolitano answers, I
guess the one thing I would just come back to you at little bit
is, you know, the analogy, a little bit, breaks down where
industry sets a standard, and there may be a marketing
advantage. If you get the Good Housekeeping seal of approval,
that helps you. A competitive product that doesn't have that
Good Housekeeping seal of approval doesn't cause you any risk;
whereas, within an industry--again, critical infrastructure, in
particular--the weakest link could not only provide a way into
your company, even though you've got the Good Housekeeping seal
of approval, and cause harm, or, in addition, you know, you may
have the weakest link, then cause such a problem that there
could be industrywide repercussions even if you got--because
you're not going to have any safe harbor provisions.
Secretary Napolitano, and then also you want to----
Secretary Napolitano. Well, Senator, I think there is a
risk, here. And the risk is the free rider risk, that all who
need to be involved won't invest in order to be involved. But,
I think it's a measured risk, compared to a process that is an
open process, that involves industry from the get-go, and that
really aligns well with what we've done on the physical
security side, and with what NIST has done, in terms of other
types of standard-setting.
One of the questions is, why wouldn't a company
participate? One reason is that they, themselves, do not have
the technical know-how. They don't have the IT personnel, and
the like, to really be able to participate.
One of the things we will be building and encouraging
through this is the exchange of best practices. That exchange,
among those actually in the market, actually can help smaller
entities or those who have not invested what they should have,
already.
And finally, as I mentioned in my opening, I think there's
not just a Good Housekeeping seal-of-approval sort of incentive
that we can build, but, again, looking at things like
procurement preferences, acquisitions, and the like, that
really, at least to the extent that government is a consumer of
these services, can be helpful.
But, there is--as you have identified, this is,
legitimately, a risk.
Senator Warner. Well, I just personally believe that--I
think this collaboration ought to be industry-led. I do believe
there needs to be an enforcement mechanism, and I do think
there needs to be, similar to some of the legislation that was
introduced last year, standards that had some teeth to it. And,
as Mr. Gallagher said, you can have standards with teeth that's
industry-driven, but you've got to have some kind of
enforcement tool.
I want to follow up, Secretary Napolitano, with your
question of ``those entities that might be in a particular
sector that don't have the capabilities.'' You know, how do you
make sure they are able to get the intellectual product that is
being created by, you know, the large utility versus the small
rural utility? If the large utility is spending lots of
resources getting the best and the most efficient cybersecurity
system in place, you know, they're going to be--they may be
reluctant to share that benefit with partners who are, again,
free riders. How do we get over that----
Secretary Napolitano. I think----
Senator Warner.--challenge?
Secretary Napolitano. I think the way to think about that
is their participation in the construct of the framework,
because NIST really sits as kind of a neutral in the creation
of the ultimate framework, but the framework itself provides a
way for all entities involved in a particular area to exchange
information. And I think we've seen that happen with some of
NIST's other activities. So, the process itself could help
solve that problem.
Senator Warner. I'm not--I want Mr. Gallagher to--I'm not
sure I fully got the answer, there, because I'm--you know, this
is a very competitive space right now, as people come out with
cybersecurity products and services. Some are better than
others. You know, you've got--this will constantly be evolving.
You know, one of the concerns, I know, is that we end up with a
stagnant standard that kind of gets industry-accepted,
technology moves ahead, and how do the new movers in that
cybersecurity industry break in if you've already got a
government-established standard? But, somehow or the other,
we've got to figure this out.
Do you have any thoughts on it, Mr. Gallagher?
Dr. Gallagher. Well, I think--you know, I--that's one of
the reason why we don't like to have government set standards
in the United States. I think, by law, we have a preference,
where Federal agencies look to the private sector standards
organizations for their needs as the first preference. And one
of the reasons for that is, they tend to be more dynamic,
because they're market-attuned, and they're going to keep
looking at that.
The tension you point out, where it's a very competitive
market--I mean, the standards process can be weaponized, as you
know. Large companies can come in and want to, you know, take
advantage of the--incorporating their technology in a standard
because of the--the market advantage that would accrue to them
if that was widely adopted. But, the standards processes have
learned how to adopt to those kinds of commercial tensions in
the process. That's really the kind of diplomatic negotiation
that's occurring in the voluntary consensus standards process.
And so, we will be, not replacing that function, we'll--the
framework process will be engaging existing standards
development organizations and leveraging their expertise, and
carrying that out.
Senator Warner. Well--I've run over my time; I'm still not
completely sure how we work that out on the free rider issue.
The last quick--very quick question, and I'll turn it back
to Senator Coburn--it just--when we think about cyber threats,
a lot of what's discussed in the press are those intellectual
property threats and those threats that could actually
interfere, turn on and off, operations. Do we--do you
prioritize nature of threat, those that are simply, in effect,
passive stealing versus those threats that are actually able to
shut down critical infrastructure, for example?
Chairman Carper [presiding]. I'm going to ask our witnesses
just to be very brief in your response, please.
Secretary Napolitano. In some senses, yes. I can explain
later, when there's more time.
Chairman Carper. That was good.
[Laughter.]
Chairman Carper. All right, thanks.
Have you made the second vote? Yes, there is a second vote.
Final passage. You know? OK.
Dr. Coburn.
Senator Coburn. Well, thank you.
Madam Secretary, I--one of the things--you have this great,
big agency--in there--like on FISMA--do you really feel like
you have the authorities you need, right now in your position,
to actually accomplish what we need to do, especially when it
comes to cybersecurity for the government?
Secretary Napolitano. I think we can accomplish much with
our existing authorities. As I've suggested, Senator, I think
some FISMA reform, which would move us out of the paperwork
generation into the Digital Age, very helpful, was considered
part of the original legislation.
The ability to do hiring equivalent, with equivalency to
the sorts of hiring that the NSA could do--because, realize, in
this realm, civilian capacity needs to be enhanced, because
we're going to manage most of this through civilian capacities,
with some utilization of the NSA. And we already have those
arrangements made. But, on that personnel side, we will need
legislative assistance.
Senator Coburn. OK. Do you feel comfortable--and I'm not
asking this question so you'll make a criticism of the
Executive order--do you think we have the proper balance, in
terms of intellectual property and protection of critical
infrastructure, within the Executive order? We're going to help
that, but what's your feeling about that?
Secretary Napolitano. I think, overall, yes. And I think
our key interests--and it's partially a response to Senator
Warner, earlier--is the protection of the country from a cyber
event that could cause undue economic loss or, in worst case
circumstances, even endanger life. So, we fundamentally need to
be concerned with that.
That kind of investment may not be as marketable or return-
on-investment-oriented as, say, protection against the theft of
your intellectual property. I mean, I think there's an easy
economic case, ``This is better for us, it's going to be better
for our bottom line, it's part of the R&D process and our
protection of our intellectual property.''
In the security context, there's a public element to this
that is not reflected immediately in the return on investment.
That's why, from a standpoint of where we focus most of our
efforts--we do the theft of intellectual property, the
counterfeiting, the--all of that, those kinds of cases--but,
where we are focused within the security of the United States
is really on that fundamental attack, that fundamental
interference that could shut us down.
Senator Coburn. Yes. You have all these areas of
responsibility, and a large agency, and we're coming up on a
tenth anniversary of your agency. And we had a great
conversation, when I came out to visit you. But, there are--you
have some real challenges. I mean, they're documented. GAO has
documented, your own IG, as well as our investigative
subcommittee. Do you--can you assure us you're seeing
improvements in all those areas, and you're making the
management adjustments those criticisms that have been rightly
leveled, in terms of difficulties within the agency? Because
your ability to respond to those has a lot to do with your
ability to carry out the function that we're going to be giving
you under the President's Executive order.
Secretary Napolitano. Right. And I think--in terms of
management of a Department that was brought together out of 22
agencies and is still relatively young, I think we have worked
very closely with the GAO and the IG to really tighten the
management and the accountability of the management,
departmentwide.
I can also share with you that there has been no part of
the Department that has expanded so rapidly, in terms of
capability and responsibility, than the part that deals with
cyber. And that's because of the continuing threat that we
face.
Now, with the EO, we will take on even more
responsibilities. Many of these are continuations of things
we've done. Some of them are actual expansions. But, we are
fully prepared to do that.
Senator Coburn. I have to tell you, I have been thoroughly
impressed with the employees and the people that have given us
the briefings that we've had. There's no doubt to their
competence, their dedication, and their service. And I would
just tell you, you should take that back.
Before my time's up, which it almost is, I would ask that
you leave some people here to hear the GAO testimony after you
leave, if you would. I think some of that some of this is spot
on; some of it may not be. But, I think having this--the GAO
outline where they see the problems, and you hearing--somebody
in your agency actually hearing that, and reporting to you what
that is--and the flavor, and the insight that they have, I
think will be beneficial as you work to implement what you're
charged to do.
Secretary Napolitano. Happy to do that, Senator.
Senator Coburn. Thank you.
Chairman Carper. And I second that request. If you could,
that would be great.
All right, I've been waiting to make this introduction for
a while, but--Senator from Massachusetts, Senator Mo Cowan.
Senator Cowan.
STATEMENT OF HON. WILLIAM COWAN,
U.S. SENATOR FROM MASSACHUSETTS
Senator Cowan. Thank you, Mr. Chairman. Madam Secretary,
Mr. Gallagher.
My first question, Madam Secretary, is to you.
First of all, before I offer it, I'd preface it by saying
thank you for your testimony today, and thank you for your
partnership with us up in the Commonwealth of Massachusetts.
You and your team have been very helpful to us, and through
some difficult times. We really do appreciate that.
But, to the issue at hand--and forgive me if I cover a
territory that may have been covered while I was away for the
vote--but, I want to talk a little bit about the concept about
cybersecurity as it relates to, sort of, the concept of the
weakest link in the chain. And we're going to hear testimony
today from a CIO from a major company about--and this is my
description, not his--the--sort of the platinum level of
security, or focus on cybersecurity that they employ. And
that's a very strong link in the chain.
But, while that may be true of Dow Chemical and other
companies, is it fair to say that the failure of any market
participant, particularly when it comes to critical
infrastructure, to improve their defenses, on the cybersecurity
side, to a minimum baseline standard leaves us all exposed,
notwithstanding those platinum structures in place, and leaves
us exposed, not only to some significant costs, but some
significant security concerns?
Secretary Napolitano. Senator, I think the--our efforts are
to have everyone raised to a certain baseline standard. There
may be entities that do more than that, but a certain baseline.
And that should be attached with greater real time information
sharing, because information sharing is a big part of this, and
exchange of best practices, new technologies, and the like.
But, there is no--there is no mandate, per se, in the Executive
order. So, we are getting at this through a cooperative,
voluntary regime.
Senator Cowan. And through that cooperative, voluntary
regime--I just want to be clear--you do believe that there is--
there is value in that minimum baseline standard across all
players in this critical sector. Fair to say?
Secretary Napolitano. Yes. I think it--there is value,
because what we are trying to do is, in a realm where there is
an increasing number and sophistication of cyber threats from a
variety of actors, making sure we are best prepared, as a
country, to prevent or, if necessary, respond, and to mitigate
any damage.
Senator Cowan. And perhaps--this question, to you, Dr.
Gallagher--I've talked to a number of folks with particular
knowledge and expertise in this field, including Cynthia
LaRose, of Mintz Levin, about privacy in cybersecurity issues,
and the point has been made to me that the market participants,
obviously, should play an important role with the government in
establishing baseline standards that are out there, and there
should be--the ability of the market player is to have a
significant influence over what those standards are. But, if
businesses may be left to their own devices, we may never get
to a point where we can ensure ourselves that we've properly,
across all critical infrastructure issues, sort of addressed
cybersecurity, because of the difference in scale of entities
and a difference in focus. Would you agree with that
assessment?
Dr. Gallagher. I think, if it's not done correctly, that
could happen. I think the challenge is--turning to private
sector-led standard-setting when the public sector needs those
standards means that there's an accountability of the private
sector to that performance. In other words, the--it's not the
same thing as saying there's an abrogation of responsibility by
the public sector by saying we want industry's help in doing
it.
So, I think the EO correctly lays this out. It starts with
a process where we try to articulate the cybersecurity standard
of performance that we'd like to engage on. And then we let
industry, who knows the market, who understands their
technology, who understands the dynamics, attempt to respond to
that.
In the final analysis, I guess the public sector will have
to evaluate whether that meets the public's needs to secure the
safety of the U.S. population, and respond accordingly. But, we
do this very often. I think, you know, it's not uncommon for
government agencies, in procurement and regulation and so
forth, to depend on the private sector. And, in fact, the
private sector wants to be responsive to that, generally,
because they want their efforts to be aligned with those needs.
Senator Cowan. Thank you.
Chairman Rockefeller [presiding]. Senator Johnson.
STATEMENT OF HON. RON JOHNSON,
U.S. SENATOR FROM WISCONSIN
Senator Johnson. Thank you, Mr. Chairman.
Madam Secretary, Mr. Gallagher, thanks for coming before
us.
Mr. Gallagher, I was actually pleased to see, in your
testimony, that you said the approach should not dictate
solutions, but, rather, facilitate it. I think that was one of
the things that kind of bogged us down last time, when we tried
to pass a cybersecurity bill.
And this is really a question for both of you. As you have
gone around and talked to industry--certainly my input was, I
think, last time around, there was an assumption, or a
presumption, that business had to be dictated to. You know, I
come from industry. I really think businesses want to protect
their cyber assets and realize that government really has a
real role to play here, and has a lot of valuable information.
So, can you just give me your evaluation, in terms of
that--I guess, that assessment? How willing is business? How
often do they really have to be nudged along a little bit more
forcefully?
Madam Secretary.
Secretary Napolitano. In general, the responsible business
players recognize the multiple interests involved, and our work
is furthered when there's truly a collaborative atmosphere. We
all want to solve problems. No one is benefited if there's a
major or successful cyber attack within the United States. So,
we're approaching it from that dimension.
To the extent this is a national security issue, which it
is, and we are leaving it to a collaborative process to help
resolve, that is a first. Normally, when security is concerned,
it is much more of a government, kind of, top-down, as it were,
philosophy. So, this is a grand and bold experiment, in that
regard. But, I proceed on the notion that we can make this
work, and that we will.
Senator Johnson. Thank you.
Mr. Gallagher.
Dr. Gallagher. I would confirm that. I don't want to talk
about the irresponsible players, but, I mean, my reaction, in
working with business leaders, particularly in critical
infrastructure, is, they acutely feel their obligation to
protect the public, and want to perform.
I think the underlying issue--and this touches on some
comments that Senator Warner raised, as well--is, this will
work best of all when good cybersecurity is also good business.
And when that alignment occurs, I think that's when the magic
happens and this really works very powerfully. And that's
related to this discussion on incentives. And I think one of
the things that can come out of this process, since this is an
industry-led standards development effort, is, we will be
monitoring those areas where the standard-setting and adoption
seem to be--where there seems to be a headwind that is related
to, maybe, disincentives or, you know--and those will be
important information for us to pay attention to. But, I think
that's where this wins most dramatically, is when good security
is also good business.
Senator Johnson. Now, last time around, the regulations
were stated to be voluntary, but I think businesses viewed that
as saying, ``Yes, it was voluntary, but pretty coercive,
particularly after 1 year.'' What has changed? Because it
sounds like the reaction from businesses has changed pretty
dramatically. I mean, what, specifically, did you change, in
terms of that voluntary nature of the EO, in your proposals?
Secretary Napolitano. I think one of the things that
happened is that there was a process, led by the White House,
to engage business in the construction of the EO, itself. So,
it didn't just kind of spring like, you know, Athena from the
head of Zeus, but it was really a collaborative process to
begin with.
So, it's, you know--and the second thing I would mention,
Senator, is, we have--we didn't stop work because the bill
failed. I mean, we were already, all summer, you know, working
on, How do we make sure that we are looking at adequate cyber
performance goals? And what could standard-setting look like in
this regime? So--and I think that gave, perhaps, assurance to
some in the business community that we truly are engaged in a
collaborative process.
Senator Johnson. OK. One of my assumptions is that just the
word ``comprehensive'' makes things more difficult around here.
There are certainly different components to cybersecurity that
could potentially--I'm just saying potentially--could be
enacted in a step-by-step basis.
First of all, do you agree with that? Does it have to be
comprehensive? And if it could be a step-by-step approach, do
you have a priority? I know, Mr. Gallagher, I think you've
listed the five pieces of legislative actions that are
required. But, is comprehensive required, or, if it's not
possible to get that, can we go step-by-step?
Dr. Gallagher. So, I think the problem with cybersecurity,
of course, is, you're talking about a system behavior. And so,
in the end, you have this problem, where it's a chain of
performance, and you're as strong as your weakest link. And
that's one of the reasons that you always have to think about
the whole.
But, you're right, in order to make progress, you can't
boil the whole ocean at once, and I think you have to set
priorities. I think the Executive order, and this process, will
allow that to happen. Clearly, part of this is dealing with
known threats and known vulnerabilities, just good cyber
hygiene and putting it into practice robustly. Some of this is
putting in the tools that allow us to do adaptive
cybersecurity. How do we react to the new information, the new
threat information, the type of cybersecurity automation tools?
And some of this is, how do sector-specific organizations
address, you know, their requirements in the--you know, in
their context, to protect the public, in the advent of a cyber.
So, it's a complicated challenge, in the sense that the
whole matters, but you have to work at it in pieces.
Senator Johnson. OK, thank you.
Chairman Rockefeller. Senator Baldwin.
STATEMENT OF HON. TAMMY BALDWIN,
U.S. SENATOR FROM WISCONSIN
Senator Baldwin. Thank you, Chairman Rockefeller and
Ranking Member Thune. Thank you, to my Chairman, Carper, and
Ranking Member Coburn.
I'm new to the Senate, new to the Homeland Security and
Governmental Affairs Committee, but, back in my House service,
I had the opportunity to serve on the House Energy and Commerce
Committee, where I started to become more aware, and sometimes
more alarmed, about our need to protect our critical
infrastructure and the threats faced by cyber penetrations, et
cetera. And I look forward to the opportunity to be involved in
this issue, moving forward, but looking at it more broadly than
just the jurisdiction of the Energy and Commerce Committee,
although it was pretty broad.
In that vein, I wanted to start, Madam Secretary--in your
testimony, you briefly referenced the National Cybersecurity
and Communications Integration Center, which is a 24/7 response
center for potential cyber threats. And I wonder if you could
describe for me in greater detail the sort of--the functions of
this center, what sort of business it's seeing, and if you
could highlight a few stories of success that have been
achieved through the creation of the center.
Secretary Napolitano. The NCCIC, as we refer to it, is a
24/7 watch center. It has a number of partners on the watch
center. Importantly, both the NSA and the FBI are partners
there, as we are partners with the FBI in the--their JTTF
center, as we partner with the NSA, as well. So, when you think
about roles and responsibilities, the DHS, the FBI, and the NSA
have really figured out for themselves the lanes in the road
and how a call to one is a call to all.
It is constantly getting information. It gets reports from
the private sector. It sends information out. It deals with
mitigation efforts. It deploys teams to help mitigate damage,
particularly in the area of industrial control systems. It's a
very important subset of this that we've seen a lot of activity
in. It really is our key information collection, sharing,
collating, analysis area in the cyber realm.
One recent area we've been heavily involved in is a whole
spate of DDOS attacks against the financial sector, and
assisting them in responding, and also helping them to work
around the DDOS attacks that they are experiencing.
I would invite you or any members of the Committees. We'd
be happy to host you at the NCCIC to see what really has been
built out there.
Senator Baldwin. Thank you. You mentioned, in your
response, working with industries that have industrial control
systems. And want to sort of ask a related question. I was
talking about my experience, in the House, on Energy and
Commerce, and the cybersecurity issues that are raised there. I
understand, from what I've been learning lately, that the
financial services industry has some of the best protections in
place against cyber threats, and certain, you know, other
sectors that are protecting essential infrastructure have more
lax protections in place, how we say.
I guess I'm wondering how the best practices from the
financial services industry can be applied to other sectors,
and to what extent the absence of industrial control systems in
that sector hinder the application of those best practices.
What's--what can go across sectors and be learned, and the fact
that they don't have SCADA systems, you know, that it's not
going to be that helpful in the other sectors?
Secretary Napolitano. One of the things about cyber is that
this is not--although we talk about sectors, they're not
stovepiped, they're all interconnected. We live in a
interconnected world, in every respect. There are some things
that are being done in the financial sector that will easily
migrate into performance goals, and, indeed, perhaps even into
a framework. There are other things that are not as----
Senator Baldwin. Can you----
Secretary Napolitano.--applicable.
Senator Baldwin.--can you outline--or can you mention some
of those, just so I get a clear sense of what can migrate
easily?
Secretary Napolitano. I'd rather not, in an open setting.
Senator Baldwin. Oh, OK.
Secretary Napolitano. But, we'd be happy to provide a
briefing for you.
Senator Baldwin. Great. And I cut you off. You were saying,
there are some things that migrate easily.
Secretary Napolitano. And some that don't. But, to the--you
know, one of the things that we will be working on with NIST
is, as we set performance goals, and as we engage in this
process, what does the framework absorb by way of things that
are interconnected and that apply across a broad spectrum.
Senator Baldwin. Thank you.
Chairman Rockefeller. All right.
We go now to Senator Pryor. And then, that'll be the end of
the first panel.
And I want to apologize to the first panel, because we've
kept you here a long time. Part of it was my fault, but I
apologize.
Senator Pryor.
STATEMENT OF HON. MARK PRYOR,
U.S. SENATOR FROM ARKANSAS
Senator Pryor. Thank you, Mr. Chairmen. And I use that word
in the plural. Thank you all for your leadership on this.
Secretary Napolitano, always good to see you. Thank you for
being here again today. You mentioned, just briefly, something
in your opening statement about the sequester and some of the
adjustments you're going to have to make this year. Could you
elaborate on that?
Secretary Napolitano. Well, as you know, the sequester
applies virtually account--it does apply account-by-account
across the government, and limits our flexibility, in terms of
where we put resources. The result is, for example, in our CERT
teams, we were looking at, I think, a 10 to 12 percent
reduction there, in terms of being able to fill vacancies. We
are, importantly, I think, probably going to have to delay the
deployment of the next generation of security for the civilian
aspect of the Federal Government, the so-called E3A program,
for a year, because we just are not going to be able to meet
the deadlines, given the lack of resources that had previously
been budgeted. So, those are two concrete things I can give
you.
Senator Pryor. Thank you.
Dr. Gallagher, do you have similar impacts from the
sequester?
Dr. Gallagher. Similar, but not nearly at that scale. So--
--
Senator Pryor. We understand, sure.
Dr. Gallagher.--yes, I think, for NIST, the reductions--so,
the main role of NIST in the Executive order is one of
convening and technical support. So, obviously, those are the
two areas. But, by intentionally pivoting this so that this is
an industry-driven process, I am hopeful that there is a very
minimal impact on our ability to deliver the framework with the
sequester. I think the real impact of the budget, in this
particular case, is going to be more a long-term one, as--
because I see the framework process as being a continuous one,
and I hope it doesn't impact our ability to provide technical
support to that ongoing process.
Senator Pryor. Yes, that actually was my next question for
you, because I assume that, if we do cybersecurity--and I hope
we do--that you will have an ongoing role, but, at some point,
obviously, resources have to be a consideration for you. So, in
a shrinking budget environment, have you thought through how
you're going to manage that, or do you have enough information
yet?
Dr. Gallagher. Well, the way you manage that is by setting
some priorities. And I--you know, our priorities, in supporting
standards coordination, are to support the highest priorities
of other agencies. So, the NIST role in supporting standards is
one of direct support to other agencies. So, it's hard to see
that cybersecurity's not going to be at the top of that list.
So, it may impact other priority areas.
Senator Pryor. Right. I understand. And that--I think
that's a concern of both committees, here.
Dr. Gallagher, next month you're having a--sort of a public
workshop in Gaithersburg, I believe. What are you hoping to
accomplish with that? And is that going to be the only one, or
will others follow?
Dr. Gallagher. It will be the one--one of several. We
anticipate at least four workshops, over the next 8 months, to
develop the framework. We learned, from both our cloud
computing efforts and from the smart grid standards efforts,
that these type of robust workshops were a very powerful way of
bringing together the stakeholders, because you've got to put a
mix of stakeholders in a room and hammer out some of these
issues. You can get pretty far with calls for information, and
people submitting things. But, in the end, there has to be
direct negotiation.
So, the first meeting is organizational. It's going to be,
How do we set up the framework process to be productive?
Hopefully, we'll be looking at what the performance objectives
from DHS start to look like and how do we organize the effort
so that we can produce the initial framework in 8 months.
Senator Pryor. And is this a workshop just for public
sector, or is it public and private?
Dr. Gallagher. We're going to invite everyone who can
contribute.
Senator Pryor. OK. So, how many people is that going to be,
or how many organizations----
Dr. Gallagher. I'm--well, in the case of smart grid, we
were up over 1600 people fairly quickly, and this is a broader
area, so it could be quite large.
Senator Pryor. Do you include--are you including State and
local governments----
Dr. Gallagher. Yes.
Senator Pryor.--in that? Good.
Mr. Chairman, thank you. That's all I have. Thank you.
Chairman Rockefeller. Thank you, Senator Pryor.
I think Chairman Carper wants to say something, as you go,
but stay, for the moment.
Chairman Carper. Real brief.
Thanks very much for coming. Thanks very much for your work
and the work of a lot of folks that you lead, for getting us
this far.
A reporter asked me, earlier today, if the Executive order
might be seen as an excuse for us not legislating; maybe we
don't need to do much heavy lifting on--in the--on the
legislative side. And I said, ``No, I think it's an incentive
for finishing the work that we began in earnest in the last
Congress.'' And I'm encouraged, today, that we've moved even
further, and that we're--I'm encouraged that we're going to get
this done.
So, Mr. Chairman, and to our panel, thank you so much.
Chairman Rockefeller. I share similar sentiments. I'm very
grateful to you both. Testifying probably is not the thing you
most enjoy in life, but you were very helpful. You're both very
smart, you both run very important organizations. Thanks a lot.
Our second panel will be--now, I pray I get this right;
Senator Thune has tried to help me--Mr. Greg Wilshusen--is that
a thumbs-up or a thumbs-down?
Mr. Wilshusen. Thumbs up.
Chairman Rockefeller. Thumbs up, okay--who's Director of
Information Security Issues for the U.S. Government
Accountability Office. He was invited by Senator Thune and all
of us. And also, Mr. David Kepler, who is Chief Sustainability
Officer and Chief Information Officer, Business Services and
Executive Vice President at a small company called Dow.
We welcome you.
And why don't you go--are you friends now?
[Laughter.]
Chairman Rockefeller. OK. Why don't you go first, Mr.
Wilshusen. Yes.
STATEMENT OF DAVID E. KEPLER, CHIEF SUSTAINABILITY
OFFICER, CHIEF INFORMATION OFFICER, BUSINESS
SERVICES AND EXECUTIVE VICE PRESIDENT, THE DOW CHEMICAL COMPANY
Mr. Kepler. Thank you, Chairman Rockefeller, and thank you,
Chairman Carper, as well, and Ranking Member Thune and Ranking
Member Coburn.
I'm the Chief Information Officer and Chief Sustainability
Officer for The Dow Chemical Company, and Dow appreciates the
opportunity to provide our view on the state of cybersecurity
in the U.S. today.
Today's companies regularly have to manage major
information security issues, including corporate espionage,
intellectual property theft, hactivists, attacks on our
systems, and cyber criminals. Companies also have to be
prepared to manage and mitigate risks, such as acts of
terrorisms or sabotage, that may have severe physical and/or
financial consequences.
As an example, Dow monitors and logs approximately 300
million generic network events a day. This gets distilled down
to about 300 investigations each day, and results in about 10
mitigations we have to address. We manage an incident a month.
This requires a major team effort, with a multi-day event--a
multi-day team response.
So, companies have a vested interest, along with a duty to
their stockholders, employees, and communities, to protect and
defend their facilities, processes, and intellectual property
against these cyber inclusions. However, industry must rely on
the Federal Government to approach cybersecurity to deploy an
offensive perspective by preempting attacks, when possible,
through the pursuit and prosecution of criminals behind these
events.
Since 9/11, The Dow Chemical Company, and many other
chemical companies, have made significant investments in the
areas to improve security. For example, the American Chemistry
Council, as part of its responsible care approach, devised the
security code which requires companies to adhere to the
chemical industry best practices for both cyber and physical
security.
Dow believes that the protection of the country's
infrastructure can be addressed most effectively by moving
forward with policy which strengthens the collaboration between
the Federal Government and the private sector. These key
principles of collaboration are, one, advancing more specific
and timely information sharing between government, industry,
and among industry peers; two, reasonable protection for
sharing threat or attack information between the government and
other companies; and, finally, it also has to lead to
aggressive pursuit and prosecution of criminal--cyber
criminals.
Dow does not support prescriptive regulation legislation or
specific technologies or methods. Legislations that set up a
system requiring significant resources to comply with this type
of regulatory framework and the resources from addressing the
threats and risks we need for mitigation. Issues around
cybersecurity are in constant flux, and proper management
requires a fluid and fast risk-based response. Complex
regulatory mandates will only slow the advancement of cyber
risk and management systems.
Effective two-way cybersecurity and physical information
sharing must be linked together, and it must be timely,
specific, and actionable, to help promote the flow of
information. Information provided by the private sector and
government should be adequately protected.
On liability, the protection afforded under the Support
Anti-
terrorism by Fostering Effective Technologies, or the SAFETY
Act of 2002, we think are appropriate for consideration for
cybersecurity.
I was asked to comment on the Executive order on improving
cybersecurity, and Dow supports the information-sharing
initiatives included in the order. I believe we need to do
more, in the long run. If there is anyplace for new
legislation, it is to provide reasonable protection for
information sharing to incur a broader-based sharing in the
industries with government.
Leveraging security standards into the government
procurement practice is a good idea.
Section 7, describing the cyber framework, I think this
reflects a good sentiment and an approach; however, we do need
to recognize that sector specific approaches and a clear
willingness to build on prior work that private sectors have
done is important. And this can't be a one-size-fits-all model,
based on the industries we're trying to manage in the critical
infrastructure.
Section 9, the declaration of risk and managing the
criteria for reasonable result in an incident, needs to be
better defined. The concern is, we'd create a large list of
risks that are not clearly prioritized within a sector, and
then push generic standards into that sector that's trying to
manage the systems that they have to deal with, both in
physical and cybersecurity.
Also, there needs to be more clarity on the position, in
Section 9, that the Secretary shall not indemnify any
commercial information technology products or consumer
information technology services under this section. I hope this
doesn't mean that the IT industry gets a free pass. We need
their help in making this a successful endeavor.
The concept of a partnership is to work together on a
common goal. The outcome of the effort, in cybersecurity,
should not be measured by how many regulations we create, but
how much progress we make against a real threat to our
country's security in progress. We are here to do our part.
Thank you.
[The prepared statement of Mr. Kepler follows:]
Prepared Statement of David E. Kepler, Chief Sustainability Officer,
Chief Information Officer, Business Services and Executive Vice
President, The Dow Chemical Company
The Dow Chemical Company appreciates the opportunity to submit
these written comments to the Senate Committee on Commerce, Science,
and Transportation and the Senate Committee on Homeland Security and
Government Affairs. We applaud the Committee for holding a hearing on
cyber security and the necessary collaboration between government and
the private sector.
About Dow
Dow was founded in Michigan in 1897 and is one of the world's
leading manufacturers of chemicals, plastics and advanced materials.
Dow combines the power of science and technology to passionately
innovate what is essential to human progress. Dow connects chemistry
and innovation with the principles of sustainability to help address
many of the world's most challenging problems such as the need for
clean water, renewable energy generation and conservation, and
increasing agricultural productivity. Dow's diversified industry-
leading portfolio of specialty chemical, advanced materials,
agrosciences and plastics businesses delivers a broad range of
technology-based products and solutions to customers in approximately
160 countries and in high growth sectors such as electronics, water,
energy, coatings and agriculture. More information about Dow can be
found at www.dow.com.
Cyber Security: A Manufacturing Company's Perspective
Cyber threat activity across the business community and the
government has continued to increase over the last decade. The main
driver of this change is in the profile of the threat itself which has
matured from random acts primarily by individuals to now include well
resourced organizations outside the United States. These new threats
are targeted in areas that range from commercial espionage to terrorism
to activism. Companies have a vested interest--along with a duty to
their stockholders, employees and communities--to protect and defend
their facilities, processes and intellectual property against these
cyber intrusions.
The Dow Chemical Company and many other chemical companies have
made significant investments in all of these areas to address cyber
threats. After 9/11 for example, the American Chemistry Council (ACC),
as part of its Responsible Care� approach, devised the Responsible Care
Security Code which requires companies to adhere to the chemical
industry best practices for security, both physical and cyber. Dow has
invested heavily in, and is constantly upgrading, the physical and
information defensive protection systems guarding our Company. However,
industry must rely on the Federal Government to approach cyber
security, working in partnership with other countries, to deploy an
offensive perspective by preempting attacks when possible and through
the pursuit and prosecution of the criminals behind these threats.
The management systems rely on information and knowledge, and there
is a need for identifying better approaches to work with government in
improving information sharing. Increased focus on real time and
efficient information sharing programs should be improved to foster,
incentivize and increase the sharing of threat activity.
Dow believes that protection of the country's critical
infrastructure can be addressed most effectively by moving forward with
legislation which strengthens the collaboration between the Federal
Government and the private sector. The key principles of this
collaboration are:
Timely information sharing between government and industry
and among industry peers.
Reasonable protection for companies sharing threat or attack
information with the government and their industry peers.
Aggressive pursuit and prosecution of cyber criminals.
IT and telecommunication suppliers must continue to improve the
security of their products and services and be unified in providing
services that their customers can rely on for threat response.
Dow does not support prescriptive regulatory legislation on
specific technologies or methods. Legislation that sets up a system
requiring significant resources to simply comply with a regulatory
scheme diverts resources from addressing the threats and risks in need
of mitigation. Issues surrounding cyber security are in constant flux
and proper management requires a fluid and fast response. Complex
regulatory schemes will only slow the advancement of cyber risk
management systems.
Background
The Internet has become critical to the operations of business,
government and global commerce. It is an open and dynamic venue for the
exchange and collection of ideas and information. For the United States
it has been a key enabler for maintaining the country's
competitiveness. Some elements inside and outside the country, however,
have seized on this open framework and have found innovative ways to
use it for illegal financial gains, victimization of the innocent and
to advance ambitions that are not in the interest of the United States.
Today, companies regularly have to manage major information security
issues, including: corporate espionage, intellectual property theft and
malicious activism. Companies also must be prepared to manage and
mitigate risks such as acts of terrorism or sabotage that could have
severe physical and/or financial consequences. The Dow Chemical
Company, like many large corporations, is regularly attack from sources
that are advanced, persistent and targeting our intellectual property.
In many cases, the highly sophisticated attackers are based in foreign
countries.
Efforts to develop a public-private partnership to protect against
cyber attacks has a long history. In 2003, one of the key objectives of
the National Strategy to Secure Cyberspace was to provide a framework
for public and private partnership including the sharing of
information. Much progress has been made, but today's cyber attacks are
much more advanced and it is clear that more ongoing progress is needed
to ensure the continued prevention of a severe systemic failure of
public or private critical infrastructure. It will require a more
responsive, integrated, and resilient national system to prepare for
and respond to these threats.
Chemical Industry Cyber Security Leadership
Large companies such as Dow are seeing an increase in the risks we
face. The internet, including the growth of social media, has elevated
our exposure to threat actors such as hacktivists (hackers with a
targeted malicious intent to vandalize or stop business as their
protest method) and nation states sponsoring industrial espionage or
cyber criminals. As society and industry move toward increased mobility
and pervasiveness of information technology, the frequency and cost of
cyber-incidents will continue to increase. These risks require a joint
public and private effort to be managed effectively.
In 2001, Dow and other American Chemistry Council (ACC) members
voluntarily adopted the Responsible Care� Security Code (RCSC). The
RCSC is a comprehensive security management program that addresses both
physical and cyber security. It requires a comprehensive assessment of
security vulnerabilities and risks to implement protective measures
across a company's value chain. Since RCSC's inception, ACC members
have invested more than $11 billion in security enhancements including
both physical and cyber security protections. Security, in all its
dimensions, continues to be a top priority for Dow and the chemical
industry. Our record of accomplishment and cooperation with Congress,
DHS and others is undisputed.
Dow has led in several business and public forums which focus on
advancing cyber security within the chemical sector. Dow regularly
provides leadership or participates with the following organizations:
ChemITC
Chemical Information Technology Center (ChemITC�) of
the American Chemistry Council (ACC) is a forum for
companies in and associated with the ACC to address common
IT issues. Through strategic programs and networking groups
dedicated to addressing specific technology issues,
ChemITC� is committed to advancing the cyber security of
its member organizations.
Chemical Sector Coordinating Council (CSCC)
Pursuant to the Homeland Security Act of 2002, the
purpose of the CSCC is to facilitate effective coordination
between Federal infrastructure protection programs, the
infrastructure protection activities of the private sector
and those of state, local, territorial and tribal
governments.
National Infrastructure Advisory Council (NIAC)
The NIAC provides the President, through the Secretary
of Homeland Security, with advice on the security of
critical infrastructures, both physical and cyber,
supporting sectors of the economy.
International Society for Automation (ISA)
ISA has primary responsibility for the development of
the ISA-62443 series of standards addressing cyber security
for industrial automation and control systems (IACS). As
each standard is developed it is submitted simultaneously
to ANSI and IEC as a U.S national and international
standard, respectively.
Cyber Security Management at the Dow Chemical Company
Dow has a comprehensive set of policies, standards and procedures
based on guidance from organizations such as the National Institute of
Standards and Technology (NIST) and established industry standards such
as ISO 27001 and the ISA/IEC 62443 series for industrial automation.
Due to the very fluid nature of cyber threats, Dow is continuously
refreshing its practices and technology based on its experience as well
as the best available information from the government, industry and
other public sources. We frequently benchmark with peer Chemical Sector
and broader Manufacturing Sector companies as well as other industries
to manage the risk of a cyber attack. We also enlist external private
entities to evaluate our security posture.
Dow's information security is based on a multi-layer defense
strategy. This includes continuing to enhance our IT infrastructure to
meet the standards of other companies with high-value security profiles
as well as elevating the protection for the Company's most sensitive
intellectual and physical assets. Dow uses a risk-based approach for
the implementation of these controls. Developing strong partnerships
between Dow's Information Security group and all Dow business units is
vital to managing the flow of sensitive information and protecting
critical infrastructure.
Strong collaboration with security vendors and partnerships with
government agencies have been essential in preventing, detecting and
responding to threats. We work closely with the chemical sector
liaisons from the Department of Homeland Security and in forums such as
the Industrial Control Systems Joint Working Group (ICSJWG). Working
with government agencies has been valuable due to their collaborative
nature. Dow believes that a public-private sector collaborative
approach to cyber security is the best way to achieve common security
goals for individual companies as well as the country. Using a risk-
based approach that leverages the existing work of the international
cyber security community will facilitate implementation of practices
that are both effective and flexible.
Dow's multi-layer defense strategy begins with employees. Our
ongoing security awareness programs help employees understand the ever-
changing threats in the cyber landscape. People are the new perimeter--
our greatest defense, and if not informed and educated, could be our
weakest link. We have an ongoing global awareness campaign to:
(1) Educate users on policies and the risks we face;
(2) Drive commitment to the security program by making security
initiatives a personal responsibility;
We continue to evaluate and improve the technical and non-technical
response capabilities related to cyber threat incidents and we have
made significant investments in state-of-the-art technologies to detect
anomalous cyber activity which is the predecessor to most cyber
attacks. Dow has defined threat response processes to handle these
issues when detected and has established a core team of highly skilled
employees to coordinate response and proactively mitigate risk to the
Company's systems. In order to maintain a highly secure environment,
Dow has a team of security professionals who regularly leverage and
collaborate with security vendors and government resources to implement
and improve security controls.
Private Sector Needs from Congress and the Administration
Dow believes that protection of the country's critical
infrastructure can be addressed most effectively by moving forward with
legislation which strengthens the collaboration between the public and
the private sectors. This collaboration must recognize the benefits of
a risk based and performance based approach, its relationship to
physical security, two-way information sharing, prosecution of cyber
criminals and protection from liability. This should be done in a way
that does not impact the relationships developed over the last decade.
Effective two-way cyber security information sharing between the
public and private sectors must be timely, specific and actionable, and
protected from public disclosure. A public/private partnership will
vastly improve the flow of information and ideas to quickly identify
threats and vulnerabilities. To help promote the flow of information,
information voluntarily provided by the private sector should be
adequately protected from public disclosure. The unintended
consequences of Freedom of Information Act requests must be addressed.
Liability protection for the private sector as a result of a cyber
attack must also be provided as long as appropriate management systems
have been applied to address potential threats. This will help promote
participation amid the more rapid penetration of emerging technologies.
The liability protections afforded under the Support Anti-terrorism by
Fostering Effective Technologies (SAFETY) Act of 2002 are appropriate
to consider.
Companies such as Dow are in a defensive mode when it comes to
cybercrime. There must be better enforcement of U.S. laws against
cybercrime with more aggressive prosecution of cyber criminals in an
attempt to deter the act. U.S. laws should be updated and strengthened
to protect critical infrastructure from cyber attacks and hold those
accountable for perpetrating intentional acts designed to cause harm to
critical infrastructure operating systems or for stealing intellectual
property and personal information for financial gain. Additionally, the
U.S. Federal Government should develop strong international
partnerships that work together to identify international threats.
Without a focused strategy to address the borderless nature of
cybercrime, the private sector will continue to fight an uphill battle.
Dow believes the Federal Government has a role in setting an
example, by ensuring higher quality security-embedded solutions and
services by technology suppliers are built into their systems.
Suppliers of IT products and services are best positioned to address
issues within the solutions they create and have a responsibility to
test and enhance product security, to understand their vulnerability
before releasing items into the marketplace. Information technology
suppliers and software developers must design for critical
infrastructure high-availability and long-lived assets in accordance
with rigorous compliance standards. The IT industry is in the best
position to enhance security controls. If they do not, it passes an
additional burden downstream, and duplicates effort and costs onto the
customers in regulated industries. Just as the chemical sector adopted
the Responsible Care model, the IT and telecommunication industries
must be encouraged by their customer based to create self-regulated
security practices and services.
Legislation
Dow advocates for legislation that codifies the principles outlined
above. In summary, legislation that facilitates information sharing
between industry and government and among industry peers is needed.
Ideal information sharing legislation offers liability protections for
early sharing threat or attack information with the government and
provides antitrust relief to share with industry peers. Information
should include strategic assessments, best practices, and lessons
learned from events and incidents. Cyber criminals and nation state
actors must not be allowed to continue to operate with relative
impunity. They must believe that there are consequences for their
actions. Finally, the IT and Telecommunications industries must create
products which are inherently more secure.
Dow does not support prescriptive regulatory legislation on
specific technologies or methods. Legislation that sets up a system
requiring significant resources to simply comply with a regulatory
scheme diverts resources from addressing the threats and risks in need
of mitigation. Cyber security is a constantly changing portfolio and
proper management requires a fluid and fast response. Complex
regulatory schemes will only slow cyber risk management systems.
Executive Order on Improving Critical Infrastructure Cyber Security
Dow supports the information sharing initiatives included in the
recent Executive order. However, Dow is concerned with the proposed
approach of a voluntary program for critical infrastructure industries
to adopt cybersecurity standards. Voluntary programs, normally, allow
industry to develop their own standards that are risk and performance
based that consider the specific sector environment, and are followed
by a certification system to ensure compliance. Responsible Care
Security code, for one, is a successful example for the Chemical
sector.
Government defined or selected standards can miss the specific
challenges that are required to be addressed by each industry sector.
It is initiated as a voluntary program, but it could develop in such a
way that companies will be forced to adopt prescriptive standards due
to the fact that information on program adoption for ``high risk''
industries may be made public. More concerning this could be done
without a review process and could be used to leverage in ways that may
not be beneficial to lowering overall risk. The president or Congress
should not allow pseudo-regulations without legislation to occur.
Dow will actively participate in industry forums like ACC, Chamber
of Commerce, the Business Roundtable and all government initiatives to
fully support successful implementation of any cyber security efforts
which better protect our communities and industries.
Chairman Rockefeller. Thank you, sir, very much.
Now we go to Greg Wilshusen.
STATEMENT OF GREGORY C. WILSHUSEN, DIRECTOR,
INFORMATION SECURITY ISSUES, U.S. GOVERNMENT ACCOUNTABILITY
OFFICE
Mr. Wilshusen. Chairman Rockefeller, Chairman Carper,
Ranking Member Coburn, Ranking Member Thune, and other members
of the Committees, thank you very much for the opportunity to
testify today at today's hearing on cybersecurity.
As you know, Federal agencies and our nation's critical
infrastructures have become increasingly dependent on
interconnected systems and networks that carry out essential
operations. While creating significant benefits, this
dependency also introduces vulnerabilities in cyber-based
threats. These threats could have a potentially serious impact
on Federal operations and essential services provided by the
private sector.
Underscoring the importance of this issue, we have once
again designated Federal information security and cyber-
critical infrastructure protection as a governmentwide high-
risk area. Today, I'll discuss the cyber threats confronting
the private sector and Federal Government, several challenges
to securing systems, and our assessment of the national
cybersecurity strategy.
But, before I do, if I may, I'd like to recognize several
of my colleagues who were instrumental in developing the body
of work upon which my statement is based. Attending with me is
Lee McCracken and Jeff Woodward, in the back, in the second
row; in addition, Naba Barkakati, John de Ferrari, Rich Hung,
Nicole Jarvis, and David Plocher made significant
contributions.
Cyber-based threats to systems supporting critical
infrastructure in Federal operations are evolving and growing.
These threats come from a variety of sources, giving--including
employees and other insiders, criminal groups, hackers, and
foreign nations. These sources vary, in terms of their
capabilities, willingness to act, and motives. The unique
nature of cyber-based attacks can vastly enhance their reach
and their impact. They can originate from around the globe and
adversely affect economic and national security, and public
health and safety.
Over the past 6 years, the number of cyber incidents
reported by Federal agencies to US-CERT has increased from
about 5500 in Fiscal Year 2006 to 48,562 in Fiscal Year 2012,
an increase of 782 percent. These incidents, and the recently
reported cyber-based attacks against businesses, further
underscore the need to manage and bolster the security of
Federal systems and our nation's critical cyber assets.
However, the Federal Government continues to face
challenges in effectively securing its systems and those
supporting critical infrastructure. While actions have been
taken to address aspects of these challenges, issues remain. A
longstanding challenge has been designing and implementing
risk-based information security programs at Federal agencies.
Another challenge has been establishing and identifying
standards for critical infrastructures; and other challenges
include detecting, responding to, and mitigating cyber
incidents; securing the use of new technologies; and managing
risk to the global IT supply chain.
Over the past 12 years, the Federal Government has
identified a variety of documents that were intended to
articulate a national cybersecurity strategy; however, it has
not developed an overarching strategy that synthesizes the
relevant portions of these documents or provides a
comprehensive description of the current strategy. In addition,
the strategy documents sometimes did not incorporate desirable
characteristics that enhanced their usefulness. While the
documents have generally included elements such as problem
definition, goals, and subordinate objectives, they have not
always fully addressed milestones and performance measures,
cost and resource information, clearly defined roles and
responsibilities, and linkage with other key strategy
documents.
In our February 2013 report, we recommended that the White
House cybersecurity coordinator develop an overarching
cybersecurity strategy that addresses all key desirable
characteristics and addresses cyber challenge areas.
Also last month, the President issued an Executive order on
improving critical infrastructure cybersecurity. The Executive
order includes actions aimed at addressing challenges in
developing standards for critical infrastructure and sharing
information. Although it is too soon to comment on its
effectiveness, the order assigns specific responsibilities to
specific individuals with specific deadlines; thus, providing
clarity of responsibility and a means for establishing
accountability.
In summary, addressing the ongoing challenges and
implementing effective cybersecurity within the government, as
well in collaboration with the private sector and other
partners, requires the Federal Government to better define and
more effectively implement an integrated national strategy that
fully addresses key characteristics, provides a roadmap for
resolving identified challenges, articulates a clear process
for overseeing agency risk management, and assures
accountability for results.
This concludes my statement. I'll be happy to answer any
questions you may have.
[The prepared statement of Mr. Wilshusen follows:]
Prepared Statement of Gregory C. Wilshusen, Director, Information
Security Issues, United States Government Accountability Office
``Cybersecurity: A Better Defined and Implemented National Strategy is
Needed to Address Persistent Challenges''
Chairmen Rockefeller and Carper, Ranking Members Thune and Coburn,
and Members of the Committees:
Thank you for the opportunity to testify at today's hearing on the
cybersecurity partnership between the private sector and our
government.
As you know, with the advance of computer technology, Federal
agencies and our nation's critical infrastructures--such as the
electricity grid, water supply, telecommunications, and emergency
services--have become increasingly dependent on computerized
information systems and electronic data to carry out operations and
process, maintain, and report essential information. While bringing
significant benefits, this dependency can also create vulnerabilities
to cyber-based threats. Pervasive and sustained cyber attacks against
the United States could have a potentially serious impact on Federal
and nonfederal systems and operations. Underscoring the importance of
this issue, we have designated Federal information security as a high-
risk area since 1997 and in 2003 expanded this area to include
protecting computerized systems supporting our nation's critical
infrastructure.\1\
---------------------------------------------------------------------------
\1\ See most recently, GAO, High-Risk Series: An Update, GAO-13-283
(Washington, D.C.: Feb. 14, 2013).
---------------------------------------------------------------------------
Federal law and policy call for a risk-based approach to managing
cybersecurity within the government and also specify activities to
enhance the cybersecurity of public and private infrastructures that
are essential to national security, economic security, and public
health and safety. Over the last 12 years, the Federal Government has
developed a number of strategies and plans for addressing cybersecurity
based on this legal framework, including the National Strategy to
Secure Cyberspace, issued in February 2003, and subsequent plans and
strategies that address specific sectors, issues, and revised
priorities.
In my testimony today, I will summarize (1) several challenges
faced by the Federal Government in effectively implementing
cybersecurity, including complying with the Federal Information
Security Management Act, and (2) the extent to which the national
cybersecurity strategy includes key desirable characteristics of
effective strategies. My statement is based on our recently released
report examining the Federal Government's cybersecurity strategies and
the status of Federal efforts to address challenges in implementing
cybersecurity,\2\ as well as other previous work in this area. (Please
see app. I for a list of related GAO products.)
---------------------------------------------------------------------------
\2\ GAO, Cybersecurity: National Strategy, Roles, and
Responsibilities Need to Be Better Defined and More Effectively
Implemented, GAO-13-187 (Feb. 14, 2003).
---------------------------------------------------------------------------
The work on which this statement is based was conducted in
accordance with generally accepted government auditing standards. Those
standards require that we plan and perform audits to obtain sufficient,
appropriate evidence to provide a reasonable basis for our findings and
conclusions based on our audit objectives. We believe that the evidence
obtained provided a reasonable basis for our findings and conclusions
based on our audit objectives.
Background
Threats to systems supporting critical infrastructure and Federal
information systems are evolving and growing. Advanced persistent
threats--where adversaries possess sophisticated levels of expertise
and significant resources to pursue their objectives repeatedly over an
extended period of time--pose increasing risks. In 2009, the President
declared the cyber threat to be ``[o]ne of the most serious economic
and national security challenges we face as a nation'' and stated that
``America's economic prosperity in the 21st century will depend on
cybersecurity.'' \3\ The Director of National Intelligence has also
warned of the increasing globalization of cyber attacks, including
those carried out by foreign militaries or organized international
crime. In January 2012, he testified that such threats pose a critical
national and economic security concern.\4\ To further highlight the
importance of the threat, on October 11, 2012, the Secretary of Defense
stated that the collective result of attacks on our nation's critical
infrastructure could be ``a cyber Pearl Harbor; an attack that would
cause physical destruction and the loss of life.'' \5\
---------------------------------------------------------------------------
\3\ President Barack Obama, ``Remarks by the President on Securing
Our Nation's Cyber Infrastructure'' (Washington, D.C.: May 29, 2009).
\4\ James R. Clapper, Director of National Intelligence,
``Unclassified Statement for the Record on the Worldwide Threat
Assessment of the U.S. Intelligence Community for the Senate Select
Committee on Intelligence'' (January 31, 2012).
\5\ Secretary of Defense Leon E. Panetta, ``Remarks by Secretary
Panetta on Cybersecurity to the Business Executives for National
Security, New York City'' (New York, NY: Oct. 11, 2012).
---------------------------------------------------------------------------
The evolving array of cyber-based threats facing the nation pose
threats to national security, commerce and intellectual property, and
individuals. These threats can be unintentional or intentional.
Unintentional threats can be caused by software upgrades or defective
equipment that inadvertently disrupt systems. Intentional threats
include both targeted and untargeted attacks from a variety of sources.
These sources include business competitors, corrupt employees, criminal
groups, hackers, and foreign nations engaged in espionage and
information warfare. Such threat sources vary in terms of the types and
capabilities of the actors, their willingness to act, and their
motives. Table 1 shows common sources of adversarial cybersecurity
threats.
------------------------------------------------------------------------
Table 1.--Sources of Adversarial Threats to Cybersecurity
------------------------------------------------------------------------
Threat source Description
------------------------------------------------------------------------
Bot-network operators Bot-network operators use a network, or bot-net,
of compromised, remotely controlled systems to
coordinate attacks and to distribute phishing
schemes, spam, and malware attacks. The services
of these networks are sometimes made available
on underground markets (e.g., purchasing a
denial-of-service attack or services to relay
spam or phishing attacks).
------------------------------------------------------------------------
Business competitors Companies that compete against or do business
with a target company may seek to obtain
sensitive information to improve their
competitive advantage in various areas, such as
pricing, manufacturing, product development, and
contracting.
------------------------------------------------------------------------
Criminal groups Criminal groups seek to attack systems for
monetary gain. Specifically, organized criminal
groups use spam, phishing, and spyware/malware
to commit identity theft, online fraud, and
computer extortion.
------------------------------------------------------------------------
Hackers Hackers break into networks for the thrill of the
challenge, bragging rights in the hacker
community, revenge, stalking, monetary gain, and
political activism, among other reasons. While
gaining unauthorized access once required a fair
amount of skill or computer knowledge, hackers
can now download attack scripts and protocols
from the Internet and launch them against victim
sites. Thus, while attack tools have become more
sophisticated, they have also become easier to
use. According to the Central Intelligence
Agency, the large majority of hackers do not
have the requisite expertise to threaten
difficult targets such as critical U.S.
networks. Nevertheless, the worldwide population
of hackers poses a relatively high threat of an
isolated or brief disruption causing serious
damage.
------------------------------------------------------------------------
Insiders The disgruntled organization insider is a
principal source of computer crime. Insiders may
not need a great deal of knowledge about
computer intrusions because their knowledge of a
target system often allows them to gain
unrestricted access to cause damage to the
system or to steal system data. The insider
threat includes contractors hired by the
organization, as well as careless or poorly
trained employees who may inadvertently
introduce malware into systems.
------------------------------------------------------------------------
International International corporate spies pose a threat to
corporate spies the United States through their ability to
conduct economic and industrial espionage a and
large-scale monetary theft and to hire or
develop hacker talent.
------------------------------------------------------------------------
Nations Nations use cyber tools as part of their
information-gathering and espionage activities.
In addition, several nations are aggressively
working to develop information warfare doctrine,
programs, and capabilities. Such capabilities
enable a single entity to have a significant and
serious impact by disrupting the supply,
communications, and economic infrastructures
that support military power--impacts that could
affect the daily lives of citizens across the
country. In his January 2012 testimony, the
Director of National Intelligence stated that,
among state actors, China and Russia are of
particular concern.
------------------------------------------------------------------------
Phishers Individuals or small groups execute phishing
schemes in an attempt to steal identities or
information for monetary gain. Phishers may also
use spam and spyware or malware to accomplish
their objectives.
------------------------------------------------------------------------
Spammers Individuals or organizations distribute
unsolicited e-mail with hidden or false
information in order to sell products, conduct
phishing schemes, distribute spyware or malware,
or attack organizations (e.g., a denial of
service).
------------------------------------------------------------------------
Spyware or malware Individuals or organizations with malicious
authors intent carry out attacks against users by
producing and distributing spyware and malware.
Several destructive viruses and worms have
harmed files and hard drives, and reportedly
have even caused physical damage to critical
infrastructure, including the Melissa Macro
Virus, the Explore.Zip worm, the CIH (Chernobyl)
Virus, Nimda, and Code Red.
------------------------------------------------------------------------
Terrorists Terrorists seek to destroy, incapacitate, or
exploit critical infrastructures in order to
threaten national security, cause mass
casualties, weaken the economy, and damage
public morale and confidence. Terrorists may use
phishing schemes or spyware/malware in order to
generate funds or gather sensitive information.
------------------------------------------------------------------------
Source: GAO analysis based on data from the Director of National
Intelligence, Department of Justice, Central Intelligence Agency, and
the Software Engineering Institute's CERT� Coordination Center.
a According to the Office of the National Counterintelligence Executive,
industrial espionage, or theft of trade secrets, occurs when an actor,
intending or knowing that his or her offense will injure the owner of
a trade secret of a product produced for or placed in interstate or
foreign commerce, acts with the intent to convert that trade secret to
the economic benefit of anyone other than the owner. See Foreign Spies
Stealing U.S. Economic Secrets in Cyberspace.
These sources of cybersecurity threats make use of various
techniques to compromise information or adversely affect computers,
software, a network, an organization's operation, an industry, or the
Internet itself. Table 2 provides descriptions of common types of cyber
attacks.
------------------------------------------------------------------------
Table 2.--Common Types of Cyber Attacks
------------------------------------------------------------------------
Types of attack Description
------------------------------------------------------------------------
Cross-site scripting An attack that uses third-party web resources to
run a script within the victim's web browser or
scriptable application. This occurs when a
browser visits a malicious website or clicks a
malicious link. The most dangerous consequences
occur when this method is used to exploit
additional vulnerabilities that may permit an
attacker to steal cookies (data exchanged
between a web server and a browser), log key
strokes, capture screen shots, discover and
collect network information, and remotely access
and control the victim's machine.
------------------------------------------------------------------------
Denial-of-service An attack that prevents or impairs the authorized
use of networks, systems, or applications by
exhausting resources.
------------------------------------------------------------------------
Distributed denial-of- A variant of the denial-of-service attack that
service uses numerous hosts to perform the attack.
------------------------------------------------------------------------
Logic bombs A piece of programming code intentionally
inserted into a software system that will cause
a malicious function to occur when one or more
specified conditions are met.
------------------------------------------------------------------------
Phishing A digital form of social engineering that uses
authentic-looking, but fake, e-mails to request
information from users or direct them to a fake
website that requests information.
------------------------------------------------------------------------
Passive wiretapping The monitoring or recording of data, such as
passwords transmitted in clear text, while they
are being transmitted over a communications
link. This is done without altering or affecting
the data.
------------------------------------------------------------------------
Structured Query An attack that involves the alteration of a
Language injection database search in a web-based application,
which can be used to obtain unauthorized access
to sensitive information in a database.
------------------------------------------------------------------------
Trojan horse A computer program that appears to have a useful
function, but also has a hidden and potentially
malicious function that evades security
mechanisms by, for example, masquerading as a
useful program that a user would likely execute.
------------------------------------------------------------------------
Virus A computer program that can copy itself and
infect a computer without the permission or
knowledge of the user. A virus might corrupt or
delete data on a computer, use e-mail programs
to spread itself to other computers, or even
erase everything on a hard disk. Unlike a worm,
a virus requires human involvement (usually
unwitting) to propagate.
------------------------------------------------------------------------
War driving The method of driving through cities and
neighborhoods with a wireless-equipped computer-
sometimes with a powerful antenna-searching for
unsecured wireless networks.
------------------------------------------------------------------------
Worm A self-replicating, self-propagating, self-
contained program that uses network mechanisms
to spread itself. Unlike viruses, worms do not
require human involvement to propagate.
------------------------------------------------------------------------
Source: GAO analysis of data from the National Institute of Standards
and Technology, United States Computer Emergency Readiness Team, and
industry reports.
The unique nature of cyber-based attacks can vastly enhance their
reach and impact, resulting in the loss of sensitive information and
damage to economic and national security, the loss of privacy, identity
theft, and the compromise of proprietary information or intellectual
property. The increasing number of incidents reported by Federal
agencies, and the recently reported cyber-based attacks against
individuals, businesses, critical infrastructures, and government
organizations have further underscored the need to manage and bolster
the cybersecurity of our government's information systems and our
Nation's critical infrastructures.
Number of Cyber Incidents Reported by Federal Agencies Continues to
Rise
The number of cyber incidents affecting computer systems and
networks continues to rise. Over the past 6 years, the number of cyber
incidents reported by Federal agencies to the U.S. Computer Emergency
Readiness Team (US-CERT) has increased from 5,503 in Fiscal Year 2006
to 48,562 in Fiscal Year 2012, an increase of 782 percent (see fig. 1).
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Source: GAO analysis of US-CERT data for fiscal years 2006-2012
Of the incidents occurring in 2012 (not including those that were
reported as under investigation), improper usage,\6\ malicious code,
and unauthorized access were the most widely reported types across the
Federal Government. As indicated in figure 2, which includes a breakout
of incidents reported to US-CERT by agencies in Fiscal Year 2012,
improper usage, malicious code, and unauthorized access accounted for
55 percent of total incidents reported by agencies.
---------------------------------------------------------------------------
\6\ An incident is categorized as ``improper usage'' if a person
violates acceptable computing use policies.
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
---------------------------------------------------------------------------
Source: GAO analysis of US-CERT data for fiscal year 2012.
In addition, reports of cyber incidents affecting national
security, intellectual property, and individuals have been widespread,
with reported incidents involving data loss or theft, economic loss,
computer intrusions, and privacy breaches. Such incidents illustrate
the serious impact that cyber attacks can have on Federal and military
operations; critical infrastructure; and the confidentiality,
integrity, and availability of sensitive government, private sector,
and personal information. For example, according to US-CERT, the number
of agency-reported incidents involving personally identifiable
information increased 111 percent from Fiscal Year 2009 to Fiscal Year
2012--from 10,481 to 22,156.
Federal Law and Policy Establish Information Security Responsibilities
for Agencies
The Federal Government's information security responsibilities are
established in law and policy. The Federal Information Security
Management Act of 2002 (FISMA) \7\ sets forth a comprehensive risk-
based framework for ensuring the effectiveness of information security
controls over information resources that support Federal operations and
assets. In order to ensure the implementation of this framework, FISMA
assigns specific responsibilities to agencies, the Office of Management
and Budget (OMB), the National Institute of Standards and Technology
(NIST), and inspectors general:
---------------------------------------------------------------------------
\7\ Title III of the E-Government Act of 2002, Pub. L. No. 107-347,
Dec. 17, 2002; 44 U.S.C 3541, et seq.
Each agency is required to develop, document, and implement
an agency-wide information security program and to report
annually to OMB, selected congressional committees, and the
U.S. Comptroller General on the adequacy of its information
security policies, procedures, practices, and compliance with
---------------------------------------------------------------------------
requirements.
OMB's responsibilities include developing and overseeing the
implementation of policies, principles, standards, and
guidelines on information security in Federal agencies (except
with regard to national security systems \8\). It is also
responsible for reviewing, at least annually, and approving or
disapproving agency information security programs.
---------------------------------------------------------------------------
\8\ As defined in FISMA, the term ``national security system''
means any information system used by or on behalf of a Federal agency
that (1) involves intelligence activities, national security-related
cryptologic activities, command and control of military forces, or
equipment that is an integral part of a weapon or weapons system, or is
critical to the direct fulfillment of military or intelligence missions
(excluding systems used for routine administrative and business
applications); or (2) is protected at all times by procedures
established for handling classified national security information. See
44 U.S.C. Sec. 3542(b)(2).
NIST's responsibilities under FISMA include the development
of security standards and guidelines for agencies that include
standards for categorizing information and information systems
according to ranges of risk levels, minimum security
requirements for information and information systems in risk
categories, guidelines for detection and handling of
information security incidents, and guidelines for identifying
an information system as a national security system.\9\
---------------------------------------------------------------------------
\9\ FISMA limits NIST to developing, in conjunction with the
Department of Defense and the National Security Agency, guidelines for
agencies on identifying an information system as a national security
system, and for ensuring that NIST standards and guidelines are
complementary with standards and guidelines developed for national
security systems.
Agency inspectors general are required to annually evaluate
the information security program and practices of their agency.
The results of these evaluations are to be submitted to OMB,
and OMB is to summarize the results in its reporting to
---------------------------------------------------------------------------
Congress.
In the 10 years since FISMA was enacted into law, Executive Branch
oversight of agency information security has changed. As part of its
FISMA oversight responsibilities, OMB has issued annual guidance to
agencies on implementing FISMA requirements, including instructions for
agency and inspector general reporting. However, in July 2010, the
Director of OMB and the White House Cybersecurity Coordinator \10\
issued a joint memorandum \11\ stating that the Department of Homeland
Security (DHS) was to exercise primary responsibility within the
Executive Branch for the operational aspects of cybersecurity for
Federal information systems that fall within the scope of FISMA.
---------------------------------------------------------------------------
\10\ In December 2009, a Special Assistant to the President was
appointed as Cybersecurity Coordinator to address the recommendations
made in the Obama administration's 2009 Cyberspace Policy Review.
\11\ OMB, Memorandum M-10-28, Clarifying Cybersecurity
Responsibilities and Activities of the Executive Office of the
President and the Department of Homeland Security (Washington, D.C.:
July 6, 2010).
---------------------------------------------------------------------------
The OMB memo also stated that in carrying out these
responsibilities, DHS is to be subject to general OMB oversight in
accordance with the provisions of FISMA. In addition, the memo stated
that the Cybersecurity Coordinator would lead the interagency process
for cybersecurity strategy and policy development. Subsequent to the
issuance of M-10-28, DHS began issuing annual reporting instructions to
agencies in addition to OMB's annual guidance.
Regarding Federal agencies operating national security systems,
National Security Directive 42 \12\ established the Committee on
National Security Systems, an organization chaired by the Department of
Defense (DOD), to, among other things, issue policy directives and
instructions that provide mandatory information security requirements
for national security systems. In addition, the defense and
intelligence communities develop implementing instructions and may add
additional requirements where needed. An effort is underway to
harmonize policies and guidance for national security and non-national
security systems. Representatives from civilian, defense, and
intelligence agencies established a joint task force in 2009, led by
NIST and including senior leadership and subject matter experts from
participating agencies, to publish common guidance for information
systems security for national security and non-national security
systems.\13\
---------------------------------------------------------------------------
\12\ National Security Directive 42, National Policy for the
Security of National Security Telecommunications and Information
Systems (July 5, 1990).
\13\ See GAO, Information Security: Progress Made in Harmonizing
Policies and Guidance for National Security and Non-National Security
Systems, GAO 10 916 (Washington, D.C.: Sept. 15, 2010).
---------------------------------------------------------------------------
Various laws and directives have also given Federal agencies
responsibilities relating to the protection of critical
infrastructures, which are largely owned by private sector
organizations. The Homeland Security Act of 2002 created the Department
of Homeland Security. Among other things, DHS was assigned with the
following critical infrastructure protection responsibilities: (1)
developing a comprehensive national plan for securing the critical
infrastructures of the United States, (2) recommending measures to
protect those critical infrastructures in coordination with other
groups, and (3) disseminating, as appropriate, information to assist in
the deterrence, prevention, and preemption of, or response to,
terrorist attacks.
Homeland Security Presidential Directive 7 (HSPD-7) was issued in
December 2003 and defined additional responsibilities for DHS, sector-
specific agencies, and other departments and agencies. The directive
instructed sector-specific agencies to collaborate with the private
sector to identify, prioritize, and coordinate the protection of
critical infrastructures to prevent, deter, and mitigate the effects of
attacks. It also made DHS responsible for, among other things,
coordinating national critical infrastructure protection efforts and
establishing uniform policies, approaches, guidelines, and
methodologies for integrating Federal infrastructure protection and
risk management activities within and across sectors.
On February 12, 2013, the President issued an executive order on
improving the cybersecurity of critical infrastructure.\14\ Among other
things, it stated that the policy of the U.S. government is to increase
the volume, timeliness, and quality of cyber threat information shared
with U.S. private sector entities and ordered the following actions to
be taken:
---------------------------------------------------------------------------
\14\ Exec. Order No. 13636, 78 Fed. Reg. 11737 (Feb. 19, 2013). The
order is also available at http://www.whitehouse.gov/the-press-office/
2013/02/12/executive-order-improving-critical-infra
structure-cybersecurity.
The Attorney General, the Secretary of Homeland Security,
and the Director of National Intelligence are, within 120 days
of the date of the order, to issue instructions for producing
unclassified reports of cyber threats and establish a process
---------------------------------------------------------------------------
for disseminating these reports to targeted entities.
Agencies are to coordinate their activities under the order
with their senior agency officials for privacy and civil
liberties and ensure that privacy and civil liberties
protections are incorporated into such activities. In addition,
DHS's Chief Privacy Officer and Officer for Civil Rights and
Civil Liberties are to assess the privacy and civil liberties
risks and recommend ways to minimize or mitigate such risks in
a publicly available report to be released with 1 year of the
date of the order.
The Secretary of Homeland Security is to establish a
consultative process to coordinate improvements to the
cybersecurity of critical infrastructure.
The Secretary of Commerce is to direct the Director of NIST
to lead the development of a framework to reduce cyber risks to
critical infrastructure. The framework is to include a set of
standards, methodologies, procedures, and processes that align
policy, business, and technological approaches to address cyber
risks and incorporate voluntary consensus standards and
industry best practices to the fullest extent possible. The
Director is to publish a preliminary version of the framework
within 240 days of the date of the order, and a final version
within 1 year.
The Secretary of Homeland Security, in coordination with
sector-specific agencies, is to establish a voluntary program
to support the adoption of the Cybersecurity Framework by
owners and operators of critical infrastructure and any other
interested entities. Further, the Secretary is to coordinate
the establishment of a set of incentives designed to promote
participation in the program and, along with the Secretaries of
the Treasury and Commerce, make recommendations to the
President that include analysis of the benefits and relative
effectiveness of such incentives, and whether the incentives
would require legislation or can be provided under existing law
and authorities.
The Secretary of Homeland Security, within 150 days of the
date of the order, is to use a risk-based approach to identify
critical infrastructure where a cybersecurity incident could
reasonably result in catastrophic regional or national effects
on public health or safety, economic security, or national
security.
Agencies with responsibilities for regulating the security
of critical infrastructure are to consult with DHS, OMB, and
the National Security Staff to review the preliminary
cybersecurity framework and determine if current cybersecurity
regulatory requirements are sufficient given current and
projected risks. If current regulatory requirements are deemed
to be insufficient, agencies are to propose actions to mitigate
cyber risk, as appropriate, within 90 days of publication of
the final Cybersecurity Framework. In addition, within 2 years
after publication of the final framework, these agencies, in
consultation with owners and operators of critical
infrastructure, are to report to OMB on any critical
infrastructure subject to ineffective, conflicting, or
excessively burdensome cybersecurity requirements.
Also on February 12, 2013, the White House released Presidential
Policy Directive (PPD) 21, on critical infrastructure security and
resilience.\15\ This directive revokes HSPD-7, although it states that
plans developed pursuant to HSPD-7 shall remain in effect until
specifically revoked or superseded. PPD-21 sets forth roles and
responsibilities for DHS, sector-specific agencies, and other Federal
entities with regard to the protection of critical infrastructure from
physical and cyber threats. It also identifies three strategic
imperatives to refine and clarify functional relationships across the
Federal Government (which includes two national critical
infrastructures centers for physical and cyber infrastructure), enable
efficient information exchange by identifying baseline data and systems
requirements, and implement an integration and analysis function to
inform planning and operational decisions.
---------------------------------------------------------------------------
\15\ The White House, Presidential Policy Directive/PPD-21,
Critical Infrastructure Security and Resilience (Feb. 12, 2013), http:/
/www.whitehouse.gov/the-press-office/2013/02/12/presiden
tial-policy-directive-critical-infrastructure-security-and-resil.
---------------------------------------------------------------------------
The directive calls for a number of specific implementation
actions, along with associated time frames, which include developing a
description of the functional relationships within DHS and across the
Federal Government related to critical infrastructure security and
resilience; conducting an analysis of the existing public-private
partnership model; identifying baseline data and system requirements
for the efficient exchange of information and intelligence;
demonstrating a near real-time situational awareness capability for
critical infrastructure; updating the National Infrastructure
Protection Plan; and developing a national critical infrastructure
security and resilience research and development plan. Finally, the
directive identifies 16 critical infrastructure sectors and their
designated Federal sector-specific agencies.
The Federal Government Continues to Face Challenges in Effectively
Implementing Cybersecurity
We and Federal agency inspector general reports have identified
challenges in a number of key areas of the Federal Government's
approach to cybersecurity, including those related to protecting the
Nation's critical infrastructure. While actions have been taken to
address aspects of these challenges, issues remain in each of the
following areas.
Designing and implementing risk-based cybersecurity programs at
Federal agencies. Shortcomings persist in assessing risks, developing
and implementing security controls, and monitoring results at Federal
agencies. Specifically, for Fiscal Year 2012, 19 of 24 major Federal
agencies reported that information security control deficiencies were
either a material weakness or significant deficiency in internal
controls over financial reporting. Further, inspectors general at 22 of
24 agencies cited information security as a major management challenge
for their agency. Most of the 24 major agencies had information
security weaknesses in most of five key control categories:
implementing agency-wide information security management programs that
are critical to identifying control deficiencies, resolving problems,
and managing risks on an ongoing basis; limiting, preventing, and
detecting inappropriate access to computer resources; managing the
configuration of software and hardware; segregating duties to ensure
that a single individual does not control all key aspects of a
computer-related operation; and planning for continuity of operations
in the event of a disaster or disruption (see fig. 3).
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Source: GAO analysis of agency, inspectors general, and GAO reports
as of December 13, 2012.
As we noted in our October 2011 report on agencies' implementation
of FISMA requirements, an underlying reason for these weaknesses is
that agencies have not fully implemented their information security
programs.\16\ As a result, they have limited assurance that controls
are in place and operating as intended to protect their information
resources, thereby leaving them vulnerable to attack or compromise.
Accordingly, we have continued to make numerous recommendations to
address specific weaknesses in risk management processes at individual
Federal agencies. Recently, some agencies have demonstrated improvement
in this area. For example, we reported in November 2012 that during
Fiscal Year 2012, the Internal Revenue Service (IRS) continued to make
important progress in addressing numerous deficiencies in its
information security controls over its financial reporting systems.\17\
Nonetheless, applying effective controls over agency information and
information systems remains an area of significant concern.
---------------------------------------------------------------------------
\16\ GAO, Information Security: Weaknesses Continue Amid New
Federal Efforts to Implement Requirements, GAO-12-137 (Washington,
D.C.: Oct. 3, 2011).
\17\ GAO, Financial Audit: IRS's Fiscal Years 2012 and 2011
Financial Statements, GAO-13-120 (Washington, D.C.: Nov. 9, 2012).
---------------------------------------------------------------------------
Establishing and identifying standards for critical
infrastructures. As we reported in December 2011, DHS and other
agencies with responsibilities for specific critical infrastructure
sectors have not yet identified cybersecurity guidance applicable to or
widely used in each of the sectors.\18\ Moreover, sectors vary in the
extent to which they are required by law or regulation to comply with
specific cybersecurity requirements. Within the energy sector, for
example, experts have identified a lack of clarity in the division of
responsibility between Federal and state regulators as a challenge in
securing the U.S. electricity grid. We have made recommendations aimed
at furthering efforts by sector-specific agencies to enhance critical
infrastructure protection. The recently issued executive order is also
intended to bolster efforts in this challenge area.
---------------------------------------------------------------------------
\18\ GAO, Critical Infrastructure Protection: Cybersecurity
Guidance Is Available, but More Can Be Done to Promote Its Use, GAO-12-
92 (Washington, D.C.: Dec. 9, 2011).
---------------------------------------------------------------------------
Detecting, responding to, and mitigating cyber incidents. DHS has
made progress in coordinating the Federal response to cyber incidents,
but challenges remain in sharing information among Federal agencies and
key private-sector entities, including critical infrastructure owners.
Difficulties in sharing information and the lack of a centralized
information-sharing system continue to hinder progress. The February
executive order contains provisions aimed at addressing these
difficulties by, for example, establishing a process for disseminating
unclassified reports of threat information. Challenges also persist in
developing a timely cyber analysis and warning capability. While DHS
has taken steps to establish a timely analysis and warning capability,
we have reported that it had yet to establish a predictive analysis
capability and recommended that the department establish such
capabilities.\19\ According to DHS, tools for predictive analysis are
to be tested in Fiscal Year 2013.
---------------------------------------------------------------------------
\19\ GAO, Cyber Analysis and Warning: DHS Faces Challenges in
Establishing a Comprehensive National Capability, GAO-08-588
(Washington, D.C.: July 31, 2008).
---------------------------------------------------------------------------
Promoting education, awareness, and workforce planning. In November
2011, we reported that Federal agencies leading strategic planning
efforts for cybersecurity education and awareness had not identified
details for achieving planned outcomes and that specific tasks and
responsibilities were unclear.\20\ We recommended, among other things,
that these agencies collaborate to clarify responsibilities and
processes for planning and monitoring their activities. We also
reported that only two of eight agencies in our review had developed
cyber workforce plans, and only three of the eight agencies had a
department-wide training program for their cybersecurity workforce. We
recommended that these agencies take steps to improve agency and
government-wide cybersecurity workforce efforts. Agencies concurred
with the majority of our recommendations and outlined steps to address
them.
---------------------------------------------------------------------------
\20\ GAO, Cybersecurity Human Capital: Initiatives Need Better
Planning and Coordination, GAO-12-8 (Washington, D.C.: Nov. 29, 2011).
---------------------------------------------------------------------------
Supporting cyber research and development. The support of targeted
cyber research and development (R&D) has been impeded by implementation
challenges among Federal agencies. In June 2010, we reported that R&D
initiatives were hindered by limited sharing of detailed information
about ongoing research, including the lack of a process for sharing
results of completed projects or a repository to track R&D projects
funded by the Federal Government.\21\ To help facilitate information
sharing about planned and ongoing R&D projects, we recommended
establishing a mechanism for tracking ongoing and completed Federal
cybersecurity R&D projects and their funding, and that this mechanism
be used to develop an ongoing process to share R&D information among
Federal agencies and the private sector. As of September 2012, this
mechanism had not been fully developed.
---------------------------------------------------------------------------
\21\ GAO, Cybersecurity: Key Challenges Need to Be Addressed to
Improve Research and Development, GAO-10-466 (June 3, 2010).
---------------------------------------------------------------------------
Securing the use of new technologies. Addressing security concerns
related to the use of emerging technologies such as cloud computing,
social media, and mobile devices is a continuing challenge. In May
2010, we reported that Federal agencies had not taken adequate steps to
ensure that security concerns were addressed in their use of cloud-
based services, and made several recommendations to address cloud
computing security, which agencies have begun to implement.\22\
Further, we reported in June 2011 that Federal agencies did not always
have adequate policies in place for managing and protecting information
they access and disseminate through social media platforms such as
Facebook and Twitter and recommended that agencies develop such
policies.\23\ Most of the agencies agreed with our recommendations. In
September 2012, we reported that the U.S. Federal Communications
Commission could do more to encourage mobile device manufacturers and
wireless carriers to implement a more complete industry baseline of
mobile security safeguards.\24\ The commission generally concurred with
our recommendations.
---------------------------------------------------------------------------
\22\ GAO, Information Security: Federal Guidance Needed to Address
Control Issues with Implementing Cloud Computing, GAO-10-513
(Washington, D.C.: May 27, 2010).
\23\ GAO, Social Media: Federal Agencies Need Policies and
Procedures for Managing and Protecting Information They Access and
Disseminate, GAO-11-605 (Washington, D.C.: June 28, 2011).
\24\ GAO, Information Security: Better Implementation of Controls
for Mobile Devices Should Be Encouraged, GAO-12-757 (Washington, D.C.:
Sept. 18, 2012).
---------------------------------------------------------------------------
Managing risks to the global information technology supply chain.
Reliance on a global supply chain for information technology products
and services introduces risks to systems, and Federal agencies have not
always addressed these risks. Specifically, in March 2012, we reported
that four national security-related agencies varied in the extent to
which they had defined supply chain protection measures for their
information systems and were not in a position to develop implementing
procedures and monitoring capabilities for such measures.\25\ We
recommended that the agencies take steps as needed to address supply
chain risks, and the departments generally concurred.
---------------------------------------------------------------------------
\25\ GAO, IT Supply Chain: National Security-Related Agencies Need
to Better Address Risks, GAO-12-361 (Washington, D.C.: Mar. 23, 2012).
---------------------------------------------------------------------------
Addressing international cybersecurity challenges. While the
Federal Government has identified the importance of international
cooperation for cybersecurity and has assigned related roles and
responsibilities to Federal agencies, its approach to addressing
international aspects of cybersecurity has not been fully defined or
implemented. We reported in July 2010 that the government faced a
number of challenges in this area, relating to providing top-level
leadership to coordinate actions among agencies, developing a national
strategy, coordinating policy among key Federal entities, ensuring that
international technical standards and policies do not impose
unnecessary trade barriers, participating in international cyber-
incident response efforts, investigating and prosecuting international
cybercrime, and developing international models and norms for
behavior.\26\ We recommended that the government develop a global
cyberspace strategy to help address these challenges. While such a
strategy has been developed and includes goals such as the development
of international cyberspace norms, it does not fully specify outcome-
oriented performance metrics or timeframes for completing activities.
---------------------------------------------------------------------------
\26\ GAO, Cyberspace: United States Faces Challenges in Addressing
Global Cybersecurity and Governance, GAO-10-606 (Washington, D.C.: July
2, 2010).
---------------------------------------------------------------------------
The U.S. National Cybersecurity Strategy Has Evolved over Time but Is
Not Well Defined
The Federal Government has issued a variety of documents over the
last decade that were intended to articulate a national cybersecurity
strategy. The evolution of the Nation's cybersecurity strategy is
summarized in figure 4.
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Source: GAO analysis of federal strategy documents.
These strategy documents address aspects of the above-mentioned
challenge areas. For example, they address priorities for enhancing
cybersecurity within the Federal Government as well as for encouraging
improvements in the cybersecurity of critical infrastructures within
the private sector.
However, as we noted in our February 2013 report, the government
has not developed an overarching national cybersecurity strategy that
synthesizes the relevant portions of these documents or provides a
comprehensive description of the current strategy.\27\ The Obama
administration's 2009 Cyberspace Policy Review recommended a number of
actions, including updating the 2003 National Cybersecurity Strategy.
However, no updated strategy document has been issued. In May 2011, the
White House announced that it had completed all the near-term actions
outlined in the 2009 policy review, including the update to the 2003
national strategy. According to the administration's fact sheet on
cybersecurity accomplishments,\28\ the 2009 policy review itself serves
as the updated strategy. The fact sheet stated that the direction and
needs highlighted in the Cyberspace Policy Review and the previous
national cybersecurity strategy were still relevant, and it noted that
the administration had updated its strategy on two subordinate cyber
issues, identity management and international engagement. Nonetheless,
these actions do not fulfill the recommendation that an updated
strategy be prepared for the President's approval. As a result, no
overarching strategy exists to show how the various goals and
activities articulated in current documents form an integrated
strategic approach.
---------------------------------------------------------------------------
\27\ GAO-13-187.
\28\ The White House, ``Fact Sheet: The Administration's
Cybersecurity Accomplishments'' (May 12, 2011), accessed on July 26,
2012, http://www.whitehouse.gov/the-press-office/2011/05/12/fact-sheet-
administrations-cybersecurity-accomplishments.
---------------------------------------------------------------------------
In addition to lacking an integrated strategy, the government's
current approach to cybersecurity lacks key desirable characteristics
of a national strategy. In 2004, we developed a set of desirable
characteristics that can enhance the usefulness of national strategies
in allocating resources, defining policies, and helping to ensure
accountability.\29\ Table 3 summarizes these key desirable
characteristics.
---------------------------------------------------------------------------
\29\ See GAO, Combating Terrorism: Evaluation of Selected
Characteristics in National Strategies Related to Terrorism, GAO-04-
408T (Washington, D.C.: Feb. 3, 2004).
--------------------------------------------------------------------------
Table 3.--Desirable Characteristics for a National Strategy
------------------------------------------------------------------------
Desirable
characteristic Description
------------------------------------------------------------------------
Purpose, scope, and Addresses why the strategy was produced, the
methodology scope of its coverage, and the process by which
it was developed.
------------------------------------------------------------------------
Problem definition and Addresses the particular national problems and
risk assessment threats the strategy is directed toward.
------------------------------------------------------------------------
Goals, subordinate Addresses what the strategy is trying to achieve
objectives, and steps to achieve those results, as well as
activities, and the priorities, milestones, and performance
performance measures measures to gauge results.
------------------------------------------------------------------------
Resources, Addresses what implementation of the strategy
investments, and risk will cost, the sources and types of resources
management and investments needed, and where resources and
investments should be targeted based on
balancing risk reductions with costs.
------------------------------------------------------------------------
Organizational roles, Addresses who will be implementing the strategy,
responsibilities, and what their roles will be compared to others,
coordination and mechanisms for them to coordinate their
efforts.
------------------------------------------------------------------------
Linkage to other Addresses how a national strategy relates to
strategies and other strategies' goals, objectives, and
implementation activities, and to subordinate levels of
government and their plans to implement the
strategy.
------------------------------------------------------------------------
Source: GAO.
Existing cybersecurity strategy documents have included selected
elements of these desirable characteristics, such as setting goals and
subordinate objectives, but have generally lacked other key elements.
The missing elements include the following:
Milestones and performance measures. The government's strategy
documents include few milestones or performance measures,
making it difficult to track progress in accomplishing stated
goals and objectives. This lack of milestones and performance
measures at the strategic level is mirrored in similar
shortcomings within key programs that are part of the
government-wide strategy. For example, in 2011 the DHS
inspector general recommended that the department develop and
implement performance measures to track and evaluate the
effectiveness of actions defined in its strategic plan,\30\
which the department had yet to do as of January 2012.
---------------------------------------------------------------------------
\30\ DHS, Office of Inspector General, Planning, Management, and
Systems Issues Hinder DHS' Efforts to Protect Cyberspace and the
Nation's Cyber Infrastructure, OIG-11-89 (Washington, D.C.: June 2011).
Cost and resources. While past strategy documents linked
certain activities to Federal agency budget requests, none have
fully addressed cost and resources, including justifying the
required investment, which is critical to gaining support for
implementation. Specifically, none of the strategy documents
provided full assessments of anticipated costs and how
---------------------------------------------------------------------------
resources might be allocated to meet them.
Roles and responsibilities. Cybersecurity strategy documents
have assigned high-level roles and responsibilities but have
left important details unclear. Several GAO reports have
likewise demonstrated that the roles and responsibilities of
key agencies charged with protecting the cyber assets of the
United States are inadequately defined. For example, the
chartering directives for several offices within the Department
of Defense assign overlapping roles and responsibilities for
preparing for and responding to domestic cyber incidents. In an
October 2012 report, we recommended that the department update
its guidance on preparing for and responding to domestic cyber
incidents to include a description of roles and
responsibilities.\31\ Further, in March 2010, we reported that
agencies had overlapping and uncoordinated responsibilities
within the Comprehensive National Cybersecurity Initiative and
recommended that OMB better define roles and responsibilities
for all key participants.\32\
---------------------------------------------------------------------------
\31\ GAO, Homeland Defense: DOD Needs to Address Gaps in Homeland
Defense and Civil Support Guidance, GAO-13-128 (Washington, D.C.: Oct.
24, 2012).
\32\ GAO, Cybersecurity: Progress Made but Challenges Remain in
Defining and Coordinating the Comprehensive National Initiative, GAO-
10-338 (Washington, D.C.: Mar. 5, 2010).
In addition, while the law gives OMB responsibility for
oversight of Federal information security, OMB transferred
several of its oversight responsibilities to DHS. OMB officials
stated that enlisting DHS to perform these responsibilities has
allowed OMB to have more visibility into agencies'
cybersecurity activities because of the additional resources
and expertise provided by DHS. While OMB's decision to transfer
these responsibilities is not consistent with FISMA, it may
have had beneficial practical results, such as leveraging
resources from DHS. Nonetheless, with these responsibilities
now divided between the two organizations, it is remains
unclear how they are to share oversight of individual
departments and agencies. Additional legislation could clarify
---------------------------------------------------------------------------
these responsibilities.
Linkage with other key strategy documents. Existing
cybersecurity strategy documents vary in terms of priorities
and structure, and do not specify how they link to or supersede
other documents. Nor do they describe how they fit into an
overarching national cybersecurity strategy. For example, in
2012, the Obama administration identified three cross-agency
cybersecurity priorities, but no explanation was given as to
how these priorities related to those established in other
strategy documents.
Actions Needed to Ensure More Effective Implementation of Cybersecurity
Given the range and sophistication of the threats and potential
exploits that confront government agencies and the Nation's cyber
critical infrastructure, it is critical that the government adopt a
comprehensive strategic approach to mitigating the risks of successful
cybersecurity attacks. In our February report, we recommended that the
White House Cybersecurity Coordinator develop an overarching Federal
cybersecurity strategy that includes all key elements of the desirable
characteristics of a national strategy.\33\ Such a strategy, we
believe, will provide a more effective framework for implementing
cybersecurity activities and better ensure that such activities will
lead to progress in securing systems and information. This strategy
should also better ensure that Federal Government departments and
agencies are held accountable for making significant improvements in
cybersecurity challenge areas by, among other things, clarifying how
oversight will be carried out by OMB and other Federal entities. In the
absence of such an integrated strategy, the documents that comprise the
government's current strategic approach are of limited value as a tool
for mobilizing actions to mitigate the most serious threats facing the
Nation.
---------------------------------------------------------------------------
\33\ GAO-13-187.
---------------------------------------------------------------------------
In addition, many of the recommendations previously made by us and
agency inspectors general have not yet been fully addressed, leaving
much room for more progress in addressing cybersecurity challenges. In
many cases, the causes of these challenges are closely related to the
key elements that are missing from the government's cybersecurity
strategy. For example, the persistence of shortcomings in agency
cybersecurity risk management processes indicates that agencies have
not been held accountable for effectively implementing such processes
and that oversight mechanisms have not been clear. It is just such
oversight and accountability that is poorly defined in cybersecurity
strategy documents.
In light of this limited oversight and accountability, we also
stated in our report that Congress should consider legislation to
better define roles and responsibilities for implementing and
overseeing Federal information security programs and protecting the
Nation's critical cyber assets. Such legislation could clarify the
respective responsibilities of OMB and DHS, as well as those of other
key Federal departments and agencies.
In commenting on a draft of the report, the Executive Office of the
President agreed that more needs to be done to develop a coherent and
comprehensive strategy on cybersecurity but did not believe producing
another strategy document would be beneficial. Specifically, the office
stated that remaining flexible and focusing on achieving measurable
improvements in cybersecurity would be more beneficial than developing
``yet another strategy on top of existing strategies.'' We agree that
flexibility and a focus on achieving measurable improvements in
cybersecurity is critically important and that simply preparing another
document, if not integrated with previous documents, would not be
helpful. The focus of our recommendation is to develop an overarching
strategy that integrates the numerous strategy documents, establishes
milestones and performance measures, and better ensures that Federal
departments and agencies are held accountable for making significant
improvements in cybersecurity challenge areas. The Executive Office of
the President also agreed that Congress should consider enhanced
cybersecurity legislation that addresses information sharing and
baseline standards for critical infrastructure, among other things.
In summary, addressing the ongoing challenges in implementing
effective cybersecurity within the government, as well as in
collaboration with the private sector and other partners, requires the
Federal Government to define and implement a coherent and comprehensive
national strategy that includes key desirable elements and provides
accountability for results. Recent efforts, such as the 2012 cross-
agency priorities and the executive order on improving cybersecurity
for critical infrastructure, could provide parts of a strategic
approach. For example, the executive order includes actions aimed at
addressing challenges in developing standards for critical
infrastructure and sharing information, in addition to assigning
specific responsibilities to specific individuals that are to be
completed within specific timeframes, thus providing clarity of
responsibility and a means for establishing accountability. However,
these efforts need to be integrated into an overarching strategy that
includes a clearer process for oversight of agency risk management and
a roadmap for improving the cybersecurity challenge areas in order for
the government to make significant progress in furthering its strategic
goals and lessening persistent weaknesses.
Chairmen Rockefeller and Carper, Ranking Members Thune and Coburn,
and Members of the Committees, this concludes my statement. I would be
happy to answer any questions you may have.
GAO Contacts and Acknowledgments
If you have any questions regarding this statement, please contact
Gregory C. Wilshusen ([email protected]) or Dr. Nabajyoti Barkakati
([email protected]). Other key contributors to this statement include
John de Ferrari (Assistant Director), Richard B. Hung (Assistant
Director), Nicole Jarvis, Lee McCracken, David F. Plocher, and Jeffrey
Woodward.
Appendix I: Related GAO Products
Cybersecurity: National Strategy, Roles, and Responsibilities Need
to Be Better Defined and More Effectively Implemented. GAO-13-187.
Washington, D.C.: February 14, 2013.
High-Risk Series: An Update. GAO-13-283. Washington, D.C.: February
14, 2013.
Information Security: Federal Communications Commission Needs to
Strengthen Controls over Enhanced Secured Network Project. GAO-13-155.
Washington, D.C.: January 25, 2013.
Information Security: Actions Needed by Census Bureau to Address
Weaknesses. GAO-13-63. Washington, D.C.: January 22, 2013.
Information Security: Better Implementation of Controls for Mobile
Devices Should Be Encouraged. GAO-12-757. Washington, D.C.: September
18, 2012.
Mobile Device Location Data: Additional Federal Actions Could Help
Protect Consumer Privacy. GAO-12-903. Washington, D.C.: September 11,
2012.
Medical Devices: FDA Should Expand Its Consideration of Information
Security for Certain Types of Devices. GAO-12-816. August 31, 2012.
Cybersecurity: Challenges in Securing the Electricity Grid. GAO-12-
926T. Washington, D.C.: July 17, 2012.
Electronic Warfare: DOD Actions Needed to Strengthen Management and
Oversight. GAO-12-479. Washington, D.C.: July 9, 2012.
Information Security: Cyber Threats Facilitate Ability to Commit
Economic Espionage. GAO-12-876T. Washington, D.C.: June 28, 2012.
Cybersecurity: Threats Impacting the Nation. GAO-12-666T.
Washington, D.C.: April 24, 2012.
IT Supply Chain: National Security-Related Agencies Need to Better
Address Risks. GAO-12-361. Washington, D.C.: March 23, 2012.
Information Security: IRS Needs to Further Enhance Internal Control
over Financial Reporting and Taxpayer Data. GAO-12-393. Washington,
D.C.: March 16, 2012.
Cybersecurity: Challenges in Securing the Modernized Electricity
Grid. GAO-12-507T. Washington, D.C.: February 28, 2012.
Critical Infrastructure Protection: Cybersecurity Guidance Is
Available, but More Can Be Done to Promote Its Use. GAO-12-92.
Washington, D.C.: December 9, 2011.
Cybersecurity Human Capital: Initiatives Need Better Planning and
Coordination. GAO-12-8. Washington, D.C.: November 29, 2011.
Information Security: Additional Guidance Needed to Address Cloud
Computing Concerns. GAO-12-130T. Washington, D.C.: October 6, 2011.
Information Security: Weaknesses Continue Amid New Federal Efforts
to Implement Requirements. GAO-12-137. Washington, D.C.: October 3,
2011.
Personal ID Verification: Agencies Should Set a Higher Priority on
Using the Capabilities of Standardized Identification Cards. GAO-11-
751. Washington, D.C.: September 20, 2011.
Information Security: FDIC Has Made Progress, but Further Actions
Are Needed to Protect Financial Data. GAO-11-708. Washington, D.C.:
August 12, 2011.
Cybersecurity: Continued Attention Needed to Protect Our Nation's
Critical Infrastructure. GAO-11-865T. Washington, D.C.: July 26, 2011.
Defense Department Cyber Efforts: DOD Faces Challenges in Its Cyber
Activities. GAO-11-75. Washington, D.C.: July 25, 2011.
Information Security: State Has Taken Steps to Implement a
Continuous Monitoring Application, but Key Challenges Remain. GAO-11-
149. Washington, D.C.: July 8, 2011.
Social Media: Federal Agencies Need Policies and Procedures for
Managing and Protecting Information They Access and Disseminate. GAO-
11-605. Washington, D.C.: June 28, 2011.
Cybersecurity: Continued Attention Needed to Protect Our Nation's
Critical Infrastructure and Federal Information Systems. GAO-11-463T.
Washington, D.C.: March 16, 2011.
Information Security: IRS Needs to Enhance Internal Control Over
Financial Reporting and Taxpayer Data. GAO-11-308. Washington, D.C.:
March 15, 2011.
Electricity Grid Modernization: Progress Being Made on
Cybersecurity Guidelines, but Key Challenges Remain to Be Addressed.
GAO-11-117. Washington, D.C.: January 12, 2011.
Information Security: National Nuclear Security Administration
Needs to Improve Contingency Planning for Its Classified Supercomputing
Operations. GAO-11-67. Washington, D.C.: December 9, 2010.
Information Security: Federal Agencies Have Taken Steps to Secure
Wireless Networks, but Further Actions Can Mitigate Risk. GAO-11-43.
Washington, D.C.: November 30, 2010.
Information Security: Federal Deposit Insurance Corporation Needs
to Mitigate Control Weaknesses. GAO-11-29. Washington, D.C.: November
30, 2010.
Information Security: National Archives and Records Administration
Needs to Implement Key Program Elements and Controls. GAO-11-20.
Washington, D.C.: October 21, 2010.
Cyberspace Policy: Executive Branch Is Making Progress Implementing
2009 Policy Review Recommendations, but Sustained Leadership Is Needed.
GAO-11-24. Washington, D.C.: October 6, 2010.
Information Security: Progress Made on Harmonizing Policies and
Guidance for National Security and Non-National Security Systems. GAO-
10-916. Washington, D.C.: September 15, 2010.
Information Management: Challenges in Federal Agencies' Use of Web
2.0 Technologies. GAO-10-872T. Washington, D.C.: July 22, 2010.
Critical Infrastructure Protection: Key Private and Public Cyber
Expectations Need to Be Consistently Addressed. GAO-10-628. Washington,
D.C.: July 15, 2010.
Cyberspace: United States Faces Challenges in Addressing Global
Cybersecurity and Governance. GAO-10-606. Washington, D.C.: July 2,
2010.
Information Security: Governmentwide Guidance Needed to Assist
Agencies in Implementing Cloud Computing. GAO-10-855T. Washington,
D.C.: July 1, 2010.
Cybersecurity: Continued Attention Is Needed to Protect Federal
Information Systems from Evolving Threats. GAO-10-834T. Washington,
D.C.: June 16, 2010.
Cybersecurity: Key Challenges Need to Be Addressed to Improve
Research and Development. GAO-10-466. Washington, D.C.: June 3, 2010.
Information Security: Federal Guidance Needed to Address Control
Issues with Implementing Cloud Computing. GAO-10-513. Washington, D.C.:
May 27, 2010.
Information Security: Opportunities Exist for the Federal Housing
Finance Agency to Improve Control. GAO-10-528. Washington, D.C.: April
30, 2010.
Information Security: Concerted Response Needed to Resolve
Persistent Weaknesses. GAO-10-536T.Washington, D.C.: March 24, 2010.
Information Security: IRS Needs to Continue to Address Significant
Weaknesses. GAO-10-355. Washington, D.C.: March 19, 2010.
Information Security: Concerted Effort Needed to Consolidate and
Secure Internet Connections at Federal Agencies. GAO-10-237.
Washington, D.C.: March 12, 2010.
Information Security: Agencies Need to Implement Federal Desktop
Core Configuration Requirements. GAO-10-202. Washington, D.C.: March
12, 2010.
Cybersecurity: Progress Made but Challenges Remain in Defining and
Coordinating the Comprehensive National Initiative. GAO-10-338.
Washington, D.C.: March 5, 2010.
Critical Infrastructure Protection: Update to National
Infrastructure Protection Plan Includes Increased Emphasis on Risk
Management and Resilience. GAO-10-296. Washington, D.C.: March 5, 2010.
Department of Veterans Affairs' Implementation of Information
Security Education Assistance Program. GAO-10-170R. Washington, D.C.:
December 18, 2009.
Cybersecurity: Continued Efforts Are Needed to Protect Information
Systems from Evolving Threats. GAO-10-230T. Washington, D.C.: November
17, 2009.
Information Security: Concerted Effort Needed to Improve Federal
Performance Measures. GAO-10-159T. Washington, D.C.: October 29, 2009.
Critical Infrastructure Protection: OMB Leadership Needed to
Strengthen Agency Planning Efforts to Protect Federal Cyber Assets.
GAO-10-148. Washington, D.C.: October 15, 2009.
Information Security: NASA Needs to Remedy Vulnerabilities in Key
Networks. GAO-10-4. Washington, D.C.: October 15, 2009.
Information Security: Actions Needed to Better Manage, Protect, and
Sustain Improvements to Los Alamos National Laboratory's Classified
Computer Network. GAO-10-28. Washington, D.C.: October 14, 2009.
Critical Infrastructure Protection: Current Cyber Sector-Specific
Planning Approach Needs Reassessment. GAO-09-969. Washington, D.C.:
September 24, 2009.
Information Security: Federal Information Security Issues. GAO-09-
817R. Washington, D.C.: June 30, 2009.
Information Security: Concerted Effort Needed to Improve Federal
Performance Measures. GAO-09-617. Washington, D.C.: September 14, 2009.
Information Security: Agencies Continue to Report Progress, but
Need to Mitigate Persistent Weaknesses. GAO-09-546. Washington, D.C.:
July 17, 2009.
National Cybersecurity Strategy: Key Improvements Are Needed to
Strengthen the Nation's Posture. GAO-09-432T. Washington, D.C.: March
10, 2009.
Information Technology: Federal Laws, Regulations, and Mandatory
Standards to Securing Private Sector Information Technology Systems and
Data in Critical Infrastructure Sectors. GAO-08-1075R. Washington,
D.C.: September 16, 2008.
Cyber Analysis and Warning: DHS Faces Challenges in Establishing a
Comprehensive National Capability. GAO-08-588. Washington, D.C.: July
31, 2008.
Information Security: Federal Agency Efforts to Encrypt Sensitive
Information Are Under Way, but Work Remains. GAO-08-525. Washington,
D.C.: June 27, 2008.
Privacy: Lessons Learned about Data Breach Notification. GAO-07-
657. Washington, D.C.: April 30, 2007.
Chairman Rockefeller. Thank you very much.
This could be to either of you, or both of you. And this is
on the question of what I consider a desperately bad situation,
in terms of trained work force, for cybersecurity across the
nation.
I was with a business executive, who's a very good friend
of mine, whose company I know very well, and he came in to see
me, not about this subject, but about what his company had a
concern about. And I asked him, ``So, how are you fixed to take
care of yourself on cybersecurity?'' And he's, ``We're fine.''
He said, ``We're fine.''
I don't want to be a psychiatrist, but I know him well
enough--you can read body language, you can read voice
inflection--and I really didn't believe that he meant to say
that. I think he meant to say it, but I didn't believe it.
There wasn't any demonstrated interest in it. His was one of
the most vulnerable of all industries that could be affected
by, you know, attacks--cyber attacks. And so, I didn't say
anything about it, but I just--I noted, in my mind, that there
was a lack of self-confidence, the lack of interest, and it
wasn't believable. And, of course, I might have been absolutely
wrong.
But, that just leads me to this question. There are so many
huge things that we have to do in cybersecurity, but none of
them come to anything unless there is a workforce out there
which is trained, and trained to the specificity of everything
from, you know, standards to what do you do about intellectual
property--I mean, just the whole range. And, you know, sort of
like when we were starting with the E-Rate or the Internet. I
mean, people didn't know anything about it. They knew it was
important, but they didn't know anything about it. Then,
gradually, that took hold.
What, in your mind, should be done to get our country up to
speed on training cybersecurity workforce?
Mr. Wilshusen. Well, I guess I'll take first stab at it. I
think you're absolutely correct, this is an issue for the
nation and certainly for the Federal workforce. We did a review
and issued a report, last year, on human-capital workforce
issues as it relates to cybersecurity. We did work at several
agencies. One of the key themes that we identified is that,
while agencies were generally able to fill many of their
information security positions, they had the most challenge in
identifying those individuals that had the technical skills in
order to effectively implement security at a technical level.
There are a couple of initiatives underway that are
intended to help improve the cyber workforce, to ensure better
training of individuals, as well as to improve societal
knowledge of cybersecurity, beginning early on, through K-12
and onward. One of them is the National Initiative for
Cybersecurity Education that's run by DHS and NIST, who are key
partners in that particular effort.
Chairman Rockefeller. So, they put it into early
curriculum.
Mr. Wilshusen. Yes. And that's one of the areas where the
younger generation's probably more technically literate than I
was at that time, and include it in curriculum early on, and
carry throughout their education.
And then, within the Federal workforce, make sure we have
the appropriate technical training and expertise that we can
develop and grow our own workforce to address the cybersecurity
challenges of today.
Chairman Rockefeller. OK. Well, the Feds are part of it,
private sector is another part of it.
Mr. Kepler. Yes. What I would say is, when you look at the
force we've had to put in our company, it's very technically-
oriented, in terms of engineers, computer scientists. And I
think the key thing the country needs to do, in general, is
still foster the development of that kind of capability. And
we're short of that, not only cybersecurity, but in a lot of
the aspects of the science and technology that we need, to
compete globally.
I think some of the early challenges has been that people
have addressed this as purely an enforcement issue, and so the
basis has been more security oriented than the technology
underlying in content. And so, it's a mix of people who have
thought about this from an enforcement point of view.
But, I think the general view of--the skills are going to
change over time; they change, year over year, what we have to
address. So, having grounded background in computer technology,
in science and math, these are the things that you need to get
people to work on to solve these problems. But, I think the
company--or, country can do well, invested in that in a lot of
different aspects of our prosperity.
Chairman Rockefeller. So, if you do everything you want to
do, how many years will it take for Dow, which is, obviously,
one of the most sophisticated companies in the country, to get
to where you want to be on work force security?
Mr. Kepler. With work--I think we can hire the--you know,
with paying a premium for that. We have almost 150 people, now,
between direct people and contractors, that work in this space.
It's getting the workforce for, actually, the next generation
and the next decade to compete and work in our plants and our
laboratories. And I think that's a critical issue for the
government that's going to take a decade to address, Senator.
Chairman Rockefeller. Which is where we've got to educate--
--
Mr. Kepler. Yes.
Chairman Rockefeller.--how dangerous this is.
Thank you.
Mr. Chairman.
Chairman Carper. Thanks. Thanks, Senator Rockefeller.
Mr. Wilshusen, Senator Coburn suggested you'd be a good
witness, and, boy, he was right.
And, Mr. Kepler, I think you may have been invited by
Senator Thune, as I understand it, and we thank him for
inviting you, and you for coming. We're honored, in Delaware,
that Dow has a significant presence in our state, and think of
you as a--we're fortunate to have you as one of our corporate
citizens.
I think the first question I'm going to ask would be for
either of them, but maybe we start with Mr. Wilshusen, if I
could.
You have a disadvantage, you and the colleagues that you
recognize. Not necessarily--not everybody recognizes the team
that helped put together an effort, and I know a lot of people
were involved in this; we've got great people at GAO, and we
thank you for all that you all do to help us do our jobs--but,
had the disadvantage of preparing your report, which you
released recently, before the administration, sort of, showed
their hand on the Executive order. And just--if you had known
what the Executive order was going to look like, and maybe had
the benefit of this kind of testimony from the Secretary and
from Mr. Gallagher, what would you have--how would your report
have changed, if at all? I think it might have changed some,
but your--in your testimony today, how might it have changed a
bit?
Mr. Wilshusen. Well, actually I don't know if our report
would change much, other than to identify the Executive order
as another strategy-related document that has been developed by
the administration. The Executive order certainly addresses one
of the key challenge areas that we have identified in the past,
in terms of identifying and establishing standards for
cybersecurity in the critical infrastructures. And it also will
help, in terms of another challenge, as it relates to providing
and sharing information to, particularly, those in the private
sector.
But, it's part of an overall strategy, though. It's still,
like other strategy documents, focused on just one component of
an overall national strategy. We still believe that the White
House cybersecurity coordinator should develop an overarching
strategy that integrates this Executive order with the other
strategies.
One of the positive things that we noted with the Executive
order is that it does assign specific responsibilities to
individuals. And that's a plus. It also gives them specific
deadlines in order to perform those activities. That's another
plus. But, it still remains to be seen, in terms of the extent
to which there's follow through to make sure that those
activities are implemented, and implemented effectively.
Chairman Carper. OK. Well, my hope is, before we're done,
and we have done our job on the legislative side, that--or, you
put the two together, what the administration has laid out and
suggested and what we have done, hopefully, in response, to
kind of fill out the package--that you'll say, ``Yes, that's a
pretty good strategy, and now the key is to implement it
well.''
If I could, Mr. Kepler, the--I think you mentioned the word
``protection,'' the kind of--you or maybe one of our earlier
witnesses talked about the kind of protections that--whether
it's the chemical industry, whether it's other segments of our
business industry, that they're looking for needing--I asked
Secretary Napolitano about liability--punitive, general, other
kinds of liability protection. She mentioned that there's more
than just liability that can be afforded as an incentive or a
protection for the--for industry. She mentioned--oh, gosh, I
think she might have mentioned security--you know, expedited
security clearances, so more information would be available to
our key stakeholders.
Talk about what--the kind of protection that Dow or others
in the chemical industry are looking for, and that they need in
order to feel more comfortable with what you're being invited
to participate in.
Mr. Kepler. Yes. And I would make the point that I think
the information protection goes both ways. I think one of the
things that we would look at over the years is, we'd build up a
technology base and, I think, a reasonable operating system
base, but the key thing to make this all work is, you need
competitive intelligence. And we get very little of that, and
we don't have the resources or structure to make that happen.
And so, the ability to get government to feel comfortable to
share, with industry, specific areas that we can address, so we
can get focused, is a critical issue.
So, I think if you contemplate legislation, it should think
about it in both ways.
I think there are issues, when we go across on--not only on
liability, but the concerns, sometimes, of sharing information
on antitrust, and that the--when companies get to start to
share information when there's an incident or an issue, and it
gets into shipments or it gets into some other areas, how to
make sure that we can manage those type of issues in that, as
well.
So, I think the view of liability, you know, in our view,
is that there--early on, within physical, but it actually can
apply to cyber--there's the SAFETY Act that allowed--if you had
a good management system in place, that was reviewed, you could
actually get liability coverage on that. And we've submitted
that, and actually are--fall under that Act, for us.
Chairman Carper. Good. Thank you.
My thanks to you both.
Senator Thune.
Senator Thune. Thank you, Mr. Chairman.
The GAO's recent report--of course, already talked about--
highlighted some of the persistent shortcomings of the Federal
Government's management of its own cybersecurity, which, I
think, begs the question about them directing what the private
sector should do.
And I want to go back, actually, to a 2010 report in which
GAO reported that private-sector expectations are not being met
for receiving usable cyber threat and cyber alert information
from the government. For example, GAO reported that only 27
percent of private sector survey respondents were receiving
actionable cyber threat information and alerts that met their
expectations to a great or moderate extent. Of those receiving
information, there were concerns that the information received
is not tailored to each sector's needs, or the information does
not have enough information to be useful.
So, my question--I would direct this, at least first, to
you, Mr. Wilshusen--and that is, in what areas has the
government made progress in sharing relevant information with
the private sector? And do you have further recommendations?
Mr. Wilshusen. Yes, that's a good question. We have
followed up on our recommendations made in that report, and we
have found that DHS has started to implement a couple of them.
But, it remains a challenge area. DHS has taken a number of
steps. I know the Secretary, earlier, mentioned about the
NCCIC, and that's one area in which it has started to improve
the sharing of information through that mechanism.
I had also heard where the DHS has issued a relatively
large number of security clearances, which can help facilitate
the sharing of information.
But challenges still remain. We still find that, for
example, it has not yet developed a predictive analysis
capability, which would help lead to providing timely threat
information, alert information, to private industry. And, as
Mr. Kepler indicated in his prior remarks, it seems like that
is still an area of improvement that can be made on the part of
DHS and other Federal partners.
Senator Thune. Mr. Kepler, do you feel you're receiving
timely and usable cyber threat and cyber alert information from
the government?
Mr. Kepler. We don't receive content. I think we cooperate
together, but there's a--we do not get specific information.
And when we get attacked or get to a point that we can mitigate
something, to try to go back and understand who it was and
where it was and how we go address it in the future, that is
rarely, if ever, given, and--or known, I don't know.
So, I'd say, you know, we talked about industrial
espionage; there's clearly, from the government's viewpoint, I
think, nation-sponsored espionage going on. I can't--I need the
help of the government to address that. And so, that type of
information, and how to deal with that collaboratively, we do
not get.
Senator Thune. Do you have any----
Mr. Wilshusen. And if I may----
Senator Thune. Yes, go ahead.
Mr. Wilshusen. Excuse me. If I may just add one comment,
too.
Senator Thune. Yes.
Mr. Wilshusen. One of the elements that is probably missing
is making sure that DHS or the Federal partners have a feedback
mechanism, or a loop, where they can solicit and receive
feedback from the private sector partners on how well they're
doing in providing this type of information. It might be
illuminating.
Senator Thune. Yes.
If I might, too, Mr. Kepler, how important is information
sharing peer-to-peer among others in the industry? And how's
that working today? What's needed to improve it? Liability,
antitrust protections, that sort of thing.
Mr. Kepler. Yes, I would say that most of the industries
that got stood up under its critical infrastructure have
learned how to work together within their industries. The
challenge is to start to work across industries. You know,
obviously, if you look at cascading issues with power or with
IT, it's to be able to share information. And I think the
ability to bridge those stovepipes is the area that needs to be
improved.
Senator Thune. What's your biggest concern about the
Executive order implementation process?
Mr. Kepler. Well, I think there are two areas, as I pointed
out. One concern is, to my--just a point, a minute ago--this is
cascading. So, when you think about a significant failure,
which is part of the risk that the Executive order is supposed
to be--address, the--to me, the thing that we have to rely on
is the IT suppliers and the government to have--to make sure
that the communications networks work. And that seems to be--
we're focusing more downstream than upstream on what the
fundamental issue is.
So, I hope, when we look at this, that most of the area
needs to be around cyber in the infrastructure that we're
building around the Internet and how that's being managed,
because we all rely on that, including the government, to work
on.
And the second thing I think--the standards has been talked
a lot, but I think the viewpoint and transparency of how we're
going to do risk assessment--because there's the gross risk of
what could happen, but there's also understanding what's
already been mitigated. So, I get concerned about how you
develop the list of high-priority risks, to identify, to start
to apply the resources you're going to apply. So, you can
create an environment where you create a list of, kind of,
generic issues and risk things, that we don't know how to get
off that risk list. You know, we've been under CFATS and the
physical side, and we've yet to get, you know, sites completely
authorized, in terms of getting assessment against their
authority. And so, you add cyber into that--I just think, in
the next, you know, half a year to a year, to try to get all
that risk assessment done, I think that's the area that we can
have some unintended consequences in, Senator, unless we think
through that clearly.
Senator Thune. Thank you, Mr. Chairman.
Thank you very much.
Chairman Carper. Dr. Coburn?
Senator Coburn. Well, let me follow up on that. You know,
CFATS, as far as I'm concerned, so far, has been a failure. I
don't know if that's your assessment to it, but we've spent
billions of dollars, and we have very limited accomplishments
there. It's not because we don't intend to. It's not. And
cyber's five to six times more complex than that.
And one of the questions is, If DHS can't implement CFATS,
and there hasn't been the same type of cooperative work upward,
in terms of standards--in other words, one of the things--one
of the great things about the Executive order is, the President
did have his staff say, ``Bring industry in, tell us what we
need to do.'' In other words, there was upward communication
from the people who actually know it. And that was somewhat
lacking, in terms of the CFATS, and is still lacking, in my
opinion.
So, do--given your experience on CFATS, what's your
confidence level on DHS on cyber?
Mr. Kepler. I guess that's my point.
Senator Coburn. Yes.
Mr. Kepler. I think you look at CFATS as--the way it's laid
out and put together, I think, is a sound thought process of
how to work. So, we support the concept of CFATS. Do you have
the right mindset to go--actually set standards and evaluate?
Do you have the personnel to work on that?
So, I think the industry, as it relates to standards, the
reality is, they're out there on cyber. We've worked a lot on
process control systems, on management systems, on technology
and networks. The previous panel described that.
The issue is, Are--Do we have a confident structure to
evaluate those risks? And then do the assessment in government
to collaborate with it. And I think that's where you need to
improve.
So, my view has been, it's more an oversight issue than it
is a legislation issue.
Senator Coburn. All right, thank you.
Mr. Wilshusen, I made, in my opening statement, a comment
that we've not seen the report on FISMA. But, you all found
that only 8 of 22 agencies are in compliance with that. And
that's a decline from 13 agencies in 2010. What's the problem?
Mr. Wilshusen. We also are looking forward to receiving
OMB's FISMA report. It usually provides a lot of useful
information, particularly the portion where the IGs conduct
their evaluations of their agency's information security
programs. One of the issues that we have found over the years
and why we have been designating Federal information security
as a high-risk area since 1987 is because of agencies'--I won't
say ``inability,'' but their lack of meaningful success in
securing their systems and meeting many of the requirements for
securing their systems.
Senator Coburn. Let me explain----
Mr. Wilshusen. In your particular----
Senator Coburn. Let me explain what that means----
Mr. Wilshusen. Sure.
Senator Coburn.--so everybody understands. Only eight
Federal agencies, at this time, out of 22, meet the guidelines
for securing their network.
Mr. Wilshusen. And that's actually one of the statistics
for assessing the risk----
Senator Coburn. Right.
Mr. Wilshusen.--which kind of gets to Mr. Kepler's point,
in that it's one of the challenge areas for agencies. It's not
an easy job, in terms of implementing effective security over
time, because the environment is constantly changing, new
technologies are being implemented into the computing
environment, the threats are becoming more sophisticated, and
business practices are changing.
But, at the same time, it's important that agencies
implement the appropriate processes to assess their risk, and
then, based on that risk, select the appropriate controls to
cost-effectively reduce those risks to an acceptable level, and
then assure that those controls are effectively implemented,
tested, and remain appropriate over time.
If agencies don't assess their cyber risks appropriately at
the very beginning and regularly thereafter, it has a cascading
effect, in terms of the effectiveness of other controls.
Senator Coburn. Plus, it wastes a ton of money. You know,
in the Federal Government, we spend $64 billion a year on IT,
and, essentially, 50 percent of it is wasted, because we don't
assess risks, and we don't contract appropriately.
Let me--in 2003, President Bush issued HSPD-7, which
assigned several tasks to DHS pertaining to critical
infrastructure and cybersecurity, including information sharing
with the private sector--this was 2003; that's 10 years ago--
and compiling a list of critical infrastructure.
The Executive order and the Presidential directive issued
by the White House assigns DHS several tasks similar to those
the agency was given in 2003. What's different?
Mr. Wilshusen. I think there are a couple of differences
between the Executive order and HSPD-7. One is that HSPD-7
primarily focused on terrorist activities and counterterrorism;
whereas, this particular Executive order is looking at a more
broadbased threat factor, if you will, and to include
resiliency and the like.
The other big difference here is that NIST is responsible--
or has responsibility for creating the cybersecurity framework.
Senator Coburn. Yes. Actually, they're responsible for
creating the standards, correct?
Mr. Wilshusen. Right. And----
Senator Coburn. The voluntary standards that are going to
be maybe not so voluntary after they're created.
Mr. Wilshusen. Well, their label is a voluntary
cybersecurity framework.
Senator Coburn. Yes.
Mr. Wilshusen. And I believe it's up to DHS and the sector-
specific agencies to develop a program to help encourage
adoption of that framework.
Senator Coburn. I'm over my time, Mr. Chairman, but I
just----
I would like for you to make recommendations to Senator
Carper and I, if you would, on what you would see as the best
oversight function that we could have in looking how the
Presidential directive and the Executive order is carried out.
You know, this is a complex area. None of us are computer
engineers or electrical engineers. And having that guidance
from you would be very helpful to this committee.
Mr. Wilshusen. I'd be happy to talk to your staff to do
that, Dr. Coburn.
Senator Coburn. All right. Thank you.
Chairman Carper. And I'd amend that request to ask that we
share that information, as well, with our two compadres on my
left, Senator Rockefeller and Senator Thune.
All right, next in order--I think Senator Cowan is next in
order, followed by the Senator from New Hampshire, Senator
Ayotte.
Senator Cowan. Thank you, Mr. Chairman.
Gentlemen, thank you for your appearance and testimony
today.
My first question--actually, my first couple of questions
are to you, Mr. Kepler. First, we thank you for coming, and
hope you didn't mind me referring to your--you having a
platinum system in place.
Just a couple of things, and I wonder if you'd tell me if
you agree. It's been said that 85 percent of our nation's
critical infrastructure is owned by the private sector. You--
and, if that is the case, would you agree that, if the owners
of that critical infrastructure fail to harden their systems
and we are subject to a cyber attack, that disruption or
destruction of those systems could carry catastrophic
consequences, not just to the private industry, but to the
government sectors that rely upon it? Do you agree with that?
Mr. Kepler. Yes.
Senator Cowan. And there has been a lot of talk and, I
think, a lot of agreement, frankly, that there's a need for
more and better information sharing, and the issues that are,
necessarily, surrounding that. Do you think--are you satisfied,
from your perspective--and you're someone who looks at these
issues, not just for Dow, but I imagine you think about them
for your industry, as a whole, or private industry--do you
think, if we just have better information sharing and some of
those protections, alone, we will have done enough to sort of
ensure that, at least at a minimum level, we're doing enough,
both in the government and private sector, to thwart cyber
threats?
Mr. Kepler. I think the information sharing is one that
lags the most, so the reality is, I think, though--if you think
about how you mitigate issue--a risk, in general, it's around
applying technology, putting operating disciplines, which you
could call ``standards,'' and management systems in place, and
then having information sharing about what's going on
externally, or competitive intelligence.
I think, over the last 10 years, we've built up a fair
amount of capability, and, really, the standards have evolved a
lot, and the understanding of how to be responsive around those
standards. And the industries that have developed operating
discipline around this, I think, is pretty healthy.
I think the key thing that's missing right now is the
ability to share tactical information. We're getting attacked,
and don't know who from, and we don't have the resources to
work on that. I think the threat has changed in the last 5
years, and--to come from outsources with well-resourced
resources that need to be addressed.
So, I think the information sharing is a key area. I think
the management system around this--because we've got a lot of
rules--I think the management system--I think government has to
help step up and address.
Senator Cowan. When you talk about the rules--actually, in
your testimony, you talked about your concern about overly
prescriptive legislation. In my prior job in State government,
one of the things I had to do was to sort of oversee the
regulatory process. I used to tell the team that the agency
heads, before you regulate, hesitate, to think about the cost
and the impact on businesses and others.
As you think about the--when you say ``overly
prescriptive,'' what, in particular, concerns you that you
don't want to see in legislation, or you're concerned that
legislation might do?
Mr. Kepler. Well, I think, when you start looking at
these--when you talk to companies like ours, and big companies
in structure, you know, you go to some of these sectors, and
there are 40,000 or 50,000 companies that you have to deal
with, or community structures, if you're in water. And one size
does not fit all in that. And you have to be able to assess the
risk. So, while you have all the infrastructure, it's not all
linked. And so, you have to prioritize this. And, to me, that's
the key area that you have to work with the sectors on. If
there's any area we need more area is--what enemy are we trying
to fight, what problem are we trying to solve, and where are
the highest risks in this activity to work on? That's a key
area that I--needs to be addressed, or we'll be applying
standards and structure to areas that probably have a low
priority of risk in that approach.
Senator Cowan. Do you have any viewpoint whether, if we
just had a floor, a baseline that everyone--that everyone could
look to or try to adhere to, that might better aid us to do--
or, to address the concerns?
Mr. Kepler. Yes. And that's my point on--therefore, you
have to have some commitment on--some base floor on the
products that you provide people, and how they get configured,
and then the responsibility and operating base of how you work
on it. So, Dow can bring these resources in, and technologies
in, and set them, but a small business that may be linked into
this thing, or linked into a supply chain of a critical
infrastructure, can't do that. And I think that's where some of
this--the industries that supply those products do have to be
involved, because the--on the smaller businesses, the same
technologies that the consumers use.
Senator Cowan. A question to you, in the first instance,
Mr. Kepler, and then, Mr. Wilshusen--and maybe you can answer
it, as well. And this--sort of picking up off of the Executive
order that the President issued last month--and Mr. Gallagher
spoke about, sort of, the collaborative effort between industry
and government to come together and work together on some
issues--I'm--I wonder if either of you have an opinion about
how useful it might be to create a task force composed of
government cybersecurity experts, security researchers, and
tech vendors to contribute to a database of cyber threats that
could be accessed by critical infrastructure industries, in
realtime, or issue alerts. When you talk about information
sharing, is that something you're thinking of, conceptually?
Mr. Kepler. Well, conceptually, we have US-CERT, that tries
to drive that, for private/public partnership. We have NIAC to
look at the policy structures. We have the standard committees
to work through.
I think there's a cultural issue on information sharing, is
that government does--and I--you know, government doesn't want
to share it, and business is reluctant to share it. So, I think
the legislation has to go at that cultural aspect and deal with
the issues that become the excuses in their liability, on our
side, that is important, right?--and their--you know, the IP
protection, and those things.
On government, there's a--from an enforcement point of
view, you're really nervous about giving up your pursuit of the
criminal. And government, by definition, is nervous about
trying to manage secrets. So, we have to create an environment
where we can share key information on the specific threats.
That's, to me, the critical issue here, not the new
organization structures. We have a lot of those.
Mr. Wilshusen. And I would just add that there is
precedence, to some extent, in that there is a database that's
maintained by NIST. It's called the ``National Vulnerability
Database.'' It's not a database of threats, but it is a
database of vulnerabilities that include, for example, software
defects, or defective software, and misconfigurations. That
database is available to the public to review. And, indeed,
many of the tools that are used to scan network devices may
draw from that database to look for particular vulnerabilities
and misconfigurations in systems.
Senator Cowan. Thank you.
And please forgive my indulgence, Mr. Chairman, for going
over my time. Thank you.
Chairman Carper. No, no, that's fine. Thank you for coming
early and staying late----
Senator Cowan. Thank you.
Chairman Carper.--Senator Cowan.
Senator Ayotte.
STATEMENT OF HON. KELLY AYOTTE,
U.S. SENATOR FROM NEW HAMPSHIRE
Senator Ayotte. Thank you, Mr. Chairman. I appreciate it.
And I want to thank the witnesses for being here today on
such an important issue.
I serve on the Armed Services Committee, as well, and I was
inquiring about our top manufacturer in New Hampshire, BAE
Systems, just to get a sense of what they've invested in. Just
as one company in our state, they've invested over $100 million
in their cyber defenses, which, compared to Dow, is probably
small, but, I think one thing that they brought to my attention
is that they believed, through the interaction they have with
the Pentagon, that they have a world class ability to share
information. Now, they're a defense contractor, so you can
understand why that would be a natural partnership there and
that there was a very good collaborative model. While I'm new
to this committee, and certainly want to understand the work
done by others, one of the worries, I've had, in thinking about
this, as I look at the GAO report that was issued, Mr.
Wilshusen, and I appreciate the work that you did on this, is
the information-sharing difficulties in DHS. And so, we've been
talking about some of the concerns we have about DHS's
capabilities. Are we trying to use any of the models or
patterns from the Pentagon?
And also, it worries me that we're going to have to
replicate something that apparently, in the Pentagon, we're
doing fairly effectively. And so, how do we take those lessons?
And can DHS really get to a point where it is, frankly, as
effective as some of the work being done at the Pentagon?
Mr. Wilshusen. That's an excellent question. And, indeed,
the pilot programs that you're referring to are called the DIB
cyber pilot programs. I think they may have another name as
well. And DIB being the Defense Industrial Base. Last year, GAO
issued a report over those programs and made several
recommendations to enhance them. And, as it so happens, we also
plan to issue another report that will be coming out soon. The
recently issued Executive order has a line in it under--I think
it's under the information-sharing section--that asks DHS to
look at those programs involving the DIB--the Defense cyber
pilot programs--and expand them to the other critical
infrastructure sectors. And so, that is one of the activities
that is planned.
Senator Ayotte. Do you think DHS will have the capability
to do that? The Pentagon is obviously in a situation where
they're dealing with the national security threats, but
industries like Dow are dealing with this, a national security
threat. So, what's your assessment on DHS's ability? I
understand that there's a sort of command to do that in the
Executive order, but how can we help them do that? What's your
opinion on what the difficulties will be with that? I don't
think any of us want to invest in replicating things that
already exist in the government, particularly in the fiscal
constraints we find ourselves in.
Mr. Wilshusen. No, it's usually a good practice to learn
from the efforts of others, to learn both the mistakes, what
did not work, as well as what did work, and then apply those
lessons as you perform your own. And so, certainly there is a
lot of benefit for DHS to do this, and learn from that
particular pilot program by DOD.
In terms of DHS's capability to do that, well, I guess
we'll actually find out, because I must say that I can't really
give you a clear answer on that, because we haven't examined
that particular issue. But its success in other programs,
previously has been mixed. The department has made some
progress in several areas, but, as GAO often reports, more
needs to be done.
Senator Ayotte. So, that worries me, and I hope----
Mr. Wilshusen. Yes.
Senator Ayotte.--that's something we talk about more in
this committee, because this is such an important threat to our
country that it can't be, ``We're just not sure,'' and, ``We
don't know how this is going to work out,'' because, obviously,
we need to all work together to make sure we can prevent the
threats that are facing the country as well as those facing our
businesses and our economic growth.
And I would say, Mr. Kepler, I certainly am reviewing the
Executive order, and want to understand it, but, in my prior
life, I was an attorney general and thinking about liability
protection for the private sector. How does any Executive order
really fully get at the type of liability protection that the
private sector needs, in light of the fact that, presumably,
it's not just liability protection between the government and
the industry that's being regulated, but it's also the
liability protection to third parties.
Mr. Kepler. Well, I think that's the challenge. And I think
that's one--in my comments, I said that that's one area where I
think legislation may be needed to address that.
If you think about major things, like terrorism or
whatever, I think there are some vehicles that you can use,
with the SAFETY Act, but, if you're trying to look at--you
know, I think there are a lot of issues also around
intellectual property and legal things that are already
defined. When you start looking at issues around espionage and
nation state-sponsored commercial espionage, I don't know how--
you know, I think that is something you have to think through
from a legislative point of view, not an Executive order point
of view.
Senator Ayotte. Well, the prior legislation failed in the
Senate so I think all of us want to come to a resolution to
find a bipartisan way forward to address these issues, but
there certainly seemed to be some areas of difficulty. I know
that the liability protection issue is one that Dr. Coburn has
already talked about, and of the difficulties there. But, I'm
of the view that, since we do a lot of comprehensive work
around here, if there are certain areas that we can come to
agreement on, then we should move those immediately, and then
come back to the other areas that we have to address. So, I'm
hoping that this committee, as we work together, will do that,
and continue, as soon as we can get a piece that's important to
industry and important to us, moving forward, to having that
cooperation, that we will move it.
So, that's my commentary on it. And I'm sure that my time
is expired, but I appreciate that both of you are here today,
and I look forward to following up with you and learning more
about how we can effectively accomplish that.
Chairman Carper. I thought those were good questions.
Senator Ayotte. Thank you.
Chairman Carper. I--we're going to have another round, if
it's OK with you, maybe--I'd like to, maybe, do another round.
It's not going to take but maybe 15 minutes. Does that work OK
with your schedule?
Mr. Kepler. Sure.
Chairman Carper. We want to be mindful of your schedules.
Mr. Kepler. No problem, Senator.
Chairman Carper. Good. How about another two rounds?
Mr. Kepler. Whatever you need.
Chairman Carper. We'll start with one.
One of the things I like to do at the end of the hearing is
sometimes to ask witnesses what you've learned--what you've
learned by listening to one another, from our questions and
some of our statements, what maybe you've learned from the
earlier panel. So, just be thinking about what--I mean, what
are your take aways from this?
The other thing I would ask you to share with us is what
should be our take aways. And when I speak to a group,
sometimes I like to tell them what I'm going to tell them, then
I tell them, and then I tell them what I've told them. And so,
you've had a chance to do at least part of that, and I'm going
to ask you, before you leave, to just kind of give that little
sum-up at the end, what should be some our key take aways.
For me, one of the key takeaways has been--and I think it
was our friend from NIST, Pat--I think he said something like,
``When cybersecurity strategy is good business strategy, then
we'll know that we've really gotten somewhere.'' And the--there
has been a lot of back-and-forth on information sharing. And
Senator Ayotte said she, in her previous life, was attorney
general for her state. And I asked some of our staff, ``Why
don't we do a better job at information sharing from the
government side to the private sector?'' And someone used this
as an example, said, ``If you're the FBI, and you're trying to
bust a drug ring, and you know--you may let a deal go down, let
it happen, just in an effort to move up the food chain and then
go after the bigger catches.'' And I don't know if that's
what's going on here, or not, but the--I--one of the messages--
for me, one of the take aways is, information flow has to be a
two-way street. And so, I take that away.
And on--in terms of the capability of DHS--Dr. Coburn's
gone now, but he's--you know, I've been hosting a series of
classified briefings, where we have DHS coming in, we have the
FBI, we have the National Security Agency coming in. And both
he and I have been impressed by the improved capabilities at
DHS. This is not your grandfather's Oldsmobile, this is not
where they were 10 years ago, 5 years ago. They're--they've
gotten some good people, and they've enhanced their
capabilities.
I always like to say that the road to improvement is always
under construction, so obviously they have more to do.
Everything I do, I know I can do better. And certainly that's
true for them.
All right. With that having been said, what did you all
learn? And, second, what are some good take aways that you
would have us to be--just be reinforced with?
Mr. Kepler. Well, I'd follow up your--just your first point
to--or, last point--to comment that I do--when I look at the
scope of DHS, and the challenge they have, it's daunting, and I
appreciate the work they're doing. And I do agree that the
competency of the organization has improved over the years and
stuff.
One of the challenges I would say is, we do keep changing
the rules a little bit on the number of commissions and
structures and groups and things. And so, we're--I'm pleading a
little bit for, maybe, stabilization of that and really doing a
little bit more oversight on the process, and learning from it.
I think the things I learned--I think we came in feeling
that the Executive order had--was in the right spirit of what
we were trying to do. We certainly like the concepts of the
information sharing. We were very big on standards, to begin
with, and we've been that. And I'm very good to see how the
Senate, here, is looking at embracing that, and the Executive
order has embraced that, and I think they really listened well
to the organization. So, I think the spirit of how we want to
get there is there.
If you ask me what the two take aways I'd you to leave
with, I think is--this risk management, to me, and how we
define that, is more important than the standards. I think the
standards momentum is there, so we can, you know, put a stamp
on it. But, I believe it's used effectively in government and
in industry. So, the real issue is, are we really targeting
what problem we want to solve? And I think that's really
putting definition around ``risk management,'' if you will. So,
how do we solve the problems? Who's our real threat? And really
make sure form policy around that.
Chairman Carper. Thanks, Mr. Kepler.
Mr. Wilshusen.
Mr. Wilshusen. Yes, I would say one of the take aways would
be just to continue providing the oversight and emphasizing
followthrough. One of the challenges in the past with the
cybersecurity strategies and the different aspects of them has
been seeing them all the way through and making sure that
there's follow-up, that there are feedback loops. In terms of
the agencies, making sure that what they're doing is the right
thing to do. The keys for this particular committee is to
provide the oversight that it has in the past, and I imagine
will continue to do. And certainly, in our role as GAO, it's to
continue to help agencies evaluate their progress, and make
recommendations, where appropriate.
Chairman Carper. Senator Thune?
Senator Thune. Yes, just one last question, if I might, Mr.
Chairman, for Mr. Kepler.
And I'm interested in knowing what's the most common cyber
attack that your company faces, and how that threat could best
be alleviated.
Mr. Kepler. Yes. If you look at the higher risk ones to--I
mean, so you--these numbers sound bizarre, but when you look at
the things that used to be a big deal, like viruses--there are
still hundreds of thousands of those, and we can protect those
pretty well. I think if you tell--you know, what we're
challenged with the most is the threats from highly resourced
organizations today that are--targeted us and persistent with
us. And the concern is, because those are developed, that they
end up going down and get learned, and they can migrate down
into less sophisticated hands and stuff to work through.
So, I think the fact that we have large organizations--and
by--not by my--by my reading, those are some countries and
organized criminal organizations--that's a big problem, and
it's something that I think government needs to, you know, kind
of step in and help business, and actually the country, work
on.
Senator Thune. IP theft?
Mr. Kepler. You know, I think IP, in general, company to
company, it's--the framework of government today manages that.
It's this issue now of international and, I think, country-
supported IP theft, in doing that, as well as, you know,
basically, just general intelligence gathering into companies
that had never really happened to the extent we're seeing it
now.
Senator Thune. Thank you all very much. Appreciate it.
Thank you, Mr. Chairman.
Chairman Carper. You bet.
One last question, if I could, for Mr. Kepler. What is your
CEO's name? Andrew----
Mr. Kepler. Liveris--Andrew Liveris.
Chairman Carper. Liveris? Well, he came and spoke to a
group of us, not long ago. Very impressive. I think he's--may
hold a leadership position in the Business Roundtable. Is that
true?
Mr. Kepler. Yes, he does.
Chairman Carper. And do you know what that is, by chance?
Mr. Kepler. What his position is? I think he's chairing it,
right now, sir.
Chairman Carper. I think he is, as well. The--we appreciate
very much, and need, the continued input from the Business
Roundtable. We welcome the input from the Chamber of Commerce--
U.S. Chamber of Commerce, and other business groups, as well.
But, we're very mindful of the contribution that Business
Roundtable can make, and would ask that you pass along our
thanks to your CEO and say we'd like to hear more of that,
going forward.
Well, it's been a good hearing. And, Senator Thune, whom I
affectionately call ``Thuney,'' we are here to the bitter end,
but it has not been bitter at all. Not even bittersweet. It has
been good. And I--these are--this is a hard issue. Senator
Thune and my staff have heard me say this before. This is not
an easy issue for me to get my head around. And I--a couple of
months ago, I felt like I almost reached the point where I knew
enough to be dangerous. And after this hearing today, I know
enough to be really dangerous, so--hopefully, really helpful.
And we--it's a shared responsibility, here. It can't be the
legislative side to--just on our own. It can't be just the
executive branch. It just can't be the key stakeholders,
including the business community. So, it's all of us, together,
and--because we have a shared responsibility--and if we do this
right, we're going to help our country a whole lot.
And we--Senator Thune and I, our colleagues, Senator
Rockefeller and Thune, others who serve on our committees, we
want to do this right, and your help--testimony today has
certainly helped in that regard.
So, many thanks to you.
And I understand that the hearing record is going to be
open for another 14 years.
[Laughter.]
Chairman Carper. No, not really. Another 14 days, because
we're on a short--we're on a short time frame here. Fourteen
days for any additional questions or statements from our
colleagues. If you get anything, then respond promptly; we'd be
most grateful.
Anything else for the record, Senator Thune?
Senator Thune. No, sir.
Chairman Carper. With that having been said, it's a wrap.
This hearing is adjourned.
Thank you.
[Whereupon, at 5:05 p.m., the hearing was adjourned.]
A P P E N D I X
Prepared Statement of the American Gas Association
The American Gas Association (AGA) is pleased to submit this
statement for the record for the U.S Senate Committee on Commerce,
Science, and Transportation and Committee on Homeland Security and
Governmental Affairs joint hearing on The Cybersecurity Partnership
Between the Private Sector and Our Government: Protecting our National
and Economic Security (March 7, 2013). In AGA's view, natural gas is
the foundation fuel for a clean and secure energy future providing
benefits for the economy, our environment, and our energy security.
Alongside the economic and environmental opportunity natural gas offers
our country comes great responsibility to protect its distribution
pipeline systems from cyber attacks.
Technological advances over the last decade have made natural gas
utilities more cost-effective, safer, and better able to serve our
customers via web-based programs and tools. Unfortunately, the
opportunity cost of a more connected, more efficient industry is that
we have become an attractive target for increasingly sophisticated
cyber terrorists and cyber thieves. This said, America's investor-owned
natural gas utilities are meeting the threat daily via skilled
personnel, robust cybersecurity system protections, an industry
commitment to security, and a successful ongoing cybersecurity
partnership with the Federal Government.
AGA, founded in 1918, represents more than 200 local energy
companies that deliver clean natural gas throughout the United States.
There are more than 71 million residential, commercial and industrial
natural gas customers in the U.S., of which 92 percent--more than 65
million customers--receive their gas from AGA members. AGA is an
advocate for local natural gas utility companies and provides a broad
range of programs and services for member natural gas pipelines,
marketers, gatherers, international gas companies and industry
associates. Today, natural gas meets almost one-fourth of the United
States' energy needs.
Government-Private Partnerships and Cybersecurity Management: A
Process that Works for Natural Gas Utilities
America's natural gas delivery system is the safest, most reliable
energy delivery system in the nation. This said, industry operators
recognize there are inherent vulnerabilities with employing web-based
software and hardware applications for both industrial control systems
and business operating systems. Because of this, gas utilities apply
myriad cyber standards, guidelines, and related regulations in their
cybersecurity portfolios and participate in an array of government-
sponsored and industry-sponsored cybersecurity initiatives. However,
the most important overall cybersecurity mechanism is the existing
cybersecurity partnership between the government intelligence community
and industry operators. This two-way information sharing provides for
an exchange of vital cybersecurity information within a flexible
framework which allows all stakeholders to be proactive and adapt
quickly to dynamic cybersecurity risks.
Background: The Homeland Security Act of 2002 provides the basis
for Department of Homeland Security (DHS) responsibilities in
protecting the Nation's critical infrastructure and key resources
(CIKR). The Act assigns DHS the responsibility for developing a
comprehensive national plan for securing CIKR. This plan, known as the
National Infrastructure Protection Plan (NIPP), identifies 18 critical
infrastructure sectors within which natural gas transportation is a
subsector of the Energy and Transportation Sectors. The NIPP states
that more than 80 percent of the country's energy infrastructure is
owned by the private sector, and the Federal Government has a statutory
responsibility to safeguard critical infrastructure. For this reason,
information-sharing amongst industry operators and the government
intelligence community is critical to cyber infrastructure protection.
Process: Natural gas utilities are working with government at every
level to detect and mitigate cyber attacks. In particular, the natural
gas transportation subsector works specifically with the DHS Industrial
Control Systems Cyber Emergency Response Team (ICS-CERT) to reinforce
two-way sharing of cybersecurity awareness, detection, and mitigation
programs. This process calls on operators to submit suspicious cyber
activity reports to ICS-CERT, while ICS-CERT, in turn, advises
operators of noted cyber vulnerabilities, mitigation strategies, and
forensic analyses. This open communication has proven over the years to
be an effective, uncomplicated mechanism that bolsters the industry's
overall cybersecurity posture, while advancing the mission of ICS-CERT.
In simple terms, the government intelligence community understands
cyber vulnerabilities; natural gas utilities understand their
operations; and the two come together in a constructive partnership to
protect targeted critical infrastructure.
AGA-Government Cybersecurity Partnerships: AGA works closely with
the DHS Transportation Security Administration (TSA), Pipeline Security
Division within a government-private industry partnership framework for
cybersecurity information sharing. The Aviation and Transportation
Security Act of 2001 gives the TSA Pipeline Security Division
regulatory authority over pipeline security for both physical security
and cybersecurity. The TSA Pipeline Security Division has over the past
decade chosen to partner with pipeline operators in an environment of
guidance rather than regulation/compliance. Partnering has benefitted
all stakeholders because it allows government and pipeline owner/
operators to exchange valuable cybersecurity information typically not
shared in a compliance-driven environment.
AGA also strongly encourages industry participation in DHS-led
training programs, workshops, and system evaluation programs, available
via our partnership with the ICS-CERT and TSA Pipeline Security
Division, as well as relevant cybersecurity programs operated by other
agencies. Moreover, DHS officials regularly meet with industry groups,
such as the AGA board of directors, as well as individual member
companies specifically to review and assess ongoing cyberthreats.
Bottom line, as cybersecurity threats evolve and related risks to gas
industry operations change, our long-standing public-private
partnership with DHS allows natural gas utilities to successfully
collaborate with the government on overall cybersecurity in a fashion
that benefits both parties. The following is a sample list of
government-natural gas industry cybersecurity partnerships:
DHS Classified and Unclassified Cyber Security Briefings.
Industry operators participate in DHS-sponsored classified and
unclassified briefings to receive threat and risk information
and analytics. These briefings are in the form of monthly
teleconferences and semi-annual face-to-face meetings between
the private sector and government intelligence community
analysts. The briefings provide information on the state of the
subsector in reference to emerging threats, security
incidences, and trends. Additionally, AGA is leading the
collaborative effort between the government intelligence
community and private industry to improve on timely, credible,
and actionable information sharing.
DHS Control Systems Security Program. DHS offers various
opportunities to enhance industry operator knowledge on control
system cybersecurity. Industry operators participate in DHS
ICS-CERT training, online forums, recommended practices,
advisories, and interactive live assistance focused
specifically on control system cybersecurity. Industry
operators also receive DHS United States Computer Emergency
Readiness Team (US-CERT) monthly activity summaries and secured
portal advisory communications, submit incident reports for
analysis, and engage in the Industrial Control Systems Joint
Working Group for information exchange.
Oil & Natural Gas Sector Coordinating Council (ONG SCC)
Cyber Security Working Group. Industry operators participate in
this DHS-sponsored forum for effective coordination of oil and
natural gas cybersecurity strategies and activities, policy,
and communication across the sector to support the Nation's
homeland security mission. The ONG SCC provides a venue for
operators to mutually plan, implement, and execute sufficient
and necessary sector-wide security programs, procedures and
processes; exchange information; and assess accomplishments and
progress toward protecting the sector's critical
infrastructure.
TSA Cyber Security CARMA Program. Sponsored by TSA, this
program is intended to develop a nationally-scoped cyber risk
management framework to help industry operators identify where
internal risk management activities align with industry-wide
risk management activities. AGA co-chairs this collaborative
effort and facilitates operator participation and contribution.
Coordination of Federal Government Risk Assessment Programs.
AGA is proactively coordinating meetings of the Department of
Energy, Federal Regulatory Energy Commission, TSA, and ICS-CERT
in an effort to encourage all government entities to align
their various cybersecurity risk assessment programs. The
objective is to compare/contrast the programs and identify
where synergies may be made.
AGA-Industry-Government Cybersecurity Guidelines: Partnership
between the private sector and the government is critical to address
cybersecurity threats to our Nation's critical infrastructure. As such,
AGA and industry operators also collaborate with government partners to
produce effective cybersecurity practices and guidelines. Below are a
few examples:
DHS Transportation Security Administration (TSA), Pipeline
Security Guidelines. Guidelines developed through the
collaborative effort of government and pipeline asset owners to
be used by natural gas and hazardous liquid transmission
pipeline companies, natural gas distribution companies, and
liquefied natural gas facility operators as a framework for the
protection of critical and non-critical pipeline
infrastructure. AGA contributed as subject matter experts, in
particular to the cybersecurity chapter.
DHS Control Systems Security Program, Cyber Security
Evaluation Tool (CSET). A desktop software tool that guides
users through a step-by-step process for assessing the
cybersecurity posture of their industrial control system and
enterprise information technology networks. AGA participated in
the development, testing, and distribution of this material and
contributes to continual improvements to this resource.
Department of Energy (DOE), Roadmap to Achieve Energy
Delivery Systems Cybersecurity. A strategic framework to
improve cybersecurity within the energy sector through a
collaborative vision of industry, vendors, academia, and
government stakeholders. This vision is supported by goals and
time-based milestones for achievement over the next decade. AGA
has been a contributor to this resource since its inception in
2006 with its preliminary release as DOE, Roadmap to Secure
Control Systems in the Energy Sector.
Interstate Natural Gas Association of America (INGAA),
Control System Cyber Security Guidelines for the Natural Gas
Pipeline Industry. A set of guidelines designed to assist
operators of natural gas pipelines in managing control systems
cybersecurity requirements. Aligns with TSA Pipeline Security
Guidelines and other guidelines/standards commonly used across
the oil and natural gas industries. AGA contributed to the
review and comment phase and promotes its availability as a
valuable resource to operators and government.
AGA and INGAA, Security Practices Guidelines, Natural Gas
Industry Transmission and Distribution. Guidelines that provide
an overview of the recommended physical security and
cybersecurity practices and procedures for the transmission and
distribution segments of the natural gas industry. AGA and the
Interstate Natural Gas Association of America lead the
initiative to develop this guidance for natural gas pipeline
and utility operators.
Non-Standardization of Cybersecurity Practices is Paramount
In the recent past, concerns over increasing cyber attacks--
successful or not--on critical infrastructure have led to legislative
efforts to create a set of top-down cybersecurity regulations. AGA
remains concerned that prescriptive cybersecurity regulations, while
well-intentioned, will have little practical impact on cybersecurity
and, in fact, will hinder implementation of robust cybersecurity
programs. First and foremost, prescriptive cybersecurity regulations
would fundamentally transform the productive cybersecurity relationship
natural gas utilities have with the TSA Pipeline Security Division from
a successful partnership to a more standard regulator-regulated mode,
forcing companies to focus more resources on compliance activities than
on cybersecurity itself. Also, from a practical perspective, it is
unlikely that any set of cybersecurity regulations will be dynamic
enough to help companies fight constantly changing and increasingly
sophisticated threats.
Across the natural gas industry, cybersecurity effectiveness is
maximized through the diversity of individual company cybersecurity
approaches, e.g., Defense in Depth strategies and customized detection
and mitigation systems appropriate for individual company networks.
Furthermore, because gas utility control system operations vary amongst
operators, companies adhere to cyber standards, guidelines and related
regulations most relevant to their specific network functions and
vulnerabilities. Companies also turn lessons learned from government-
private industry cybersecurity information sharing partnerships into
actions designed to protect their specific systems. In sum, as
cybersecurity risks and threats change, so do vulnerabilities. Ongoing
implementation of new and diverse cybersecurity tools and procedures,
based on unique individual company requirements, helps companies adapt
to a dynamic cyberthreat environment and bolsters the overall gas
utility industry cybersecurity posture.
The Cybersecurity Executive Order Considered
The Administration's Executive Order (EO), Improving Critical
Infrastructure Cybersecurity, is a data collection exercise, standards
setting program, and outline for future legislative and regulatory
action. In sum, the EO directs the government to: (1) identify all
critical infrastructure entities, (2) prepare ``voluntary''
cybersecurity standards for identified critical infrastructure, (3)
develop incentives designed to entice entities to adopt the
cybersecurity standards, and (4) tasks agencies with existing
cybersecurity authorities to determine whether their current
regulations are sufficient or if new, more prescriptive, cybersecurity
regulation is necessary.
Clearly, Congress will be a not-so-silent partner in implementing
this EO, particularly if agencies with cybersecurity responsibilities,
having found current programs inadequate, lack the authority necessary
to further regulate cybersecurity requirements in their sector. In
addition, while the EO does seek to strengthen the public-private
cybersecurity information sharing partnership, liability and
information security protections necessary for critical infrastructure
owners and operators to fully participate will require new statutory
authority.
Overall, the EO is simply the beginning of a long march to improve
national cybersecurity. AGA is hopeful, and will work to ensure, that
throughout this policy process gas utility industry cybersecurity
concerns will be addressed. To that end, below are a few of our
specific concerns with the EO.
Identifying Critical Infrastructure. The executive order confines
itself largely to ``critical infrastructure'', a categorization that
undoubtedly will include natural gas utilities. Critical infrastructure
is defined in Section 2 of the EO as ``systems and assets, whether
physical or virtual, so vital to the United States that the incapacity
or destruction of such systems and assets would have a debilitating
impact on security, national economic security, national public health
and safety, or any combination of those matters.'' Note that the EO
does not define many terms included in the definition (``debilitating
impact'', ``economic uncertainty'', etc.), potentially opening an
ongoing debate over what systems may be considered critical or not
critical. In addition, AGA strongly suggests that the identification
process include the active and informed participation of critical
infrastructure owner/operators from the start rather than after the
assignment of ``critical'' has been determined by the government. By
doing this, the government avoids placing the owner/operator in a
defensive position with the burden to demonstrate non-criticality.
Further, any list must be secured with appropriate information
protection mechanisms.
Cybersecurity Information Sharing Program. Section 4 of the EO
creates a cybersecurity information sharing program, directing DHS, the
Department of Justice, and the Office of the Director of National
Intelligence to set up cyber threat information sharing processes with
targeted private sector entities. Without question, improved
information sharing can and will benefit critical infrastructure
cybersecurity. However, for industry to fully engage in an information
sharing program, information protection mechanisms (safe harbors) and
liability protections must be afforded to owners/operators who
participate in the program. Without such protections, companies may be
unwilling to participate because of the possibility of information
leaks as well as due to competitive concerns and legal liability
pressures.
NIST ``Cybersecurity Framework''. Section 7 of the EO directs the
National Institutes of Standards and Technology (NIST) to develop, via
an open review process, a ``Cybersecurity Framework'' designed to
improve critical infrastructure cybersecurity. The Framework will
utilize risk and performance based standards/best practices; technology
neutral applications; voluntary consensus standards and industry best
practices; and cross-sector security standards applicable to all
critical infrastructure. Ultimately, NIST's goal is to create a
framework that is ``prioritized, flexible, repeatable, performance-
based, and cost-effective'' to help critical infrastructure owner/
operators manage cyber risk. Good intentions notwithstanding, questions
remain, including:
Given the complexity of the subject, will NIST be able to
meet notice and comment timelines?
Will the final Framework be flexible enough to address every
critical infrastructure sector?
How much influence will critical infrastructure sectors have
in developing the Framework?
Will the Framework morph into mandatory standards?
Industry Adoption of Cybersecurity Framework. Section 8 of the EO
directs DHS to create a ``voluntary'' program to spur critical
infrastructure entities to adopt the NIST Framework. Specifically, DHS
will work with other agencies to review the Framework and develop
implementation guidance to address sector-specific operating
environments. More importantly, DHS will work with the Departments of
Commerce and Treasury to report on existing incentives that might spur
industry participation in the voluntary program as well as any
additional incentives (i.e., liability protections) that would require
new statutory authority. Sector agencies will also report annually on
which critical infrastructure owner/operators participate in the
program. Overall, just how ``voluntary'' this program ends up becoming
is an open question. As AGA and other critical infrastructure
industries have argued, voluntary government programs often morph into
de facto mandatory compliance programs because companies feel compelled
to participate rather than risk opening themselves up to litigation for
not engaging in a program that has the imprimatur of the Federal
Government.
Agency Adoption of NIST Cybersecurity Framework. Section 10 of the
EO notes that once the NIST Framework has been preliminarily drafted
agencies with cybersecurity regulatory responsibilities will review
their existing authorities to determine whether they are sufficient
given the cyberthreat landscape, and whether they can implement the
NIST Framework via regulation. If agencies determine that their current
cybersecurity regulatory requirements are insufficient then they shall
propose new ``actions'' to mitigate cyber risks. This section clearly
pushes sector agencies to create new cybersecurity regulations. These
new requirements would, at a minimum, be based upon the NIST
Cybersecurity Framework; however, there is plenty of suggestion in
Section 10 that agencies move beyond the framework, or seek the
authority to do so. We are hopeful this will not lead to regulation for
regulations sake. For example, despite having the statutory authority
necessary, TSA Pipeline Security Division has chosen not to issue
cybersecurity regulations for natural gas utilities in large part
because of the successful security partnership we have collectively
developed.
The Case for Cybersecurity Legislation
Despite our concerns about prescriptive cybersecurity standards,
AGA does believe that there is a role for cybersecurity legislation,
particularly as it relates to improving public-private cybersecurity
information sharing and related liability protections.
Information Sharing. To help counter cyber attacks and protect
networks against future incursions, critical infrastructure needs
government to help them identify, block and/or eliminate cyberthreats
as rapidly and reliably as possible. From a functional perspective,
this will require expediting security clearances for critical
infrastructure personnel as well as streamlining the process by which
actionable threat intelligence is shared with private industry.
Harnessing the cybersecurity capabilities of the government
intelligence community on behalf of private sector networks will go a
long way towards overall network security. The recently introduced H.R.
624, The Cyber Intelligence Sharing and Protection Act (CISPA) begins
to flesh out this process by establishing a cybersecurity partnership
between critical infrastructure and the intelligence community.
However, there is certainly a role the Department of Homeland Security
can play, as a sector specific agency, in distributing cyberthreat
information, interpreting potential threat impacts, and working with
critical infrastructure entities to keep their networks safe. This
would particularly be the case for those industries, like natural gas
utilities, that already have a cybersecurity partnership with TSA.
Liability Protection, SAFETY Act. Another avenue for legislation
surrounds offering liability protection for companies with robust
cybersecurity programs--standards, products, processes, etc. The
Administration's recent executive order (EO) on cybersecurity
underscores this need. The EO directs sector agencies, the intelligence
and law enforcement community to establish a cybersecurity information
sharing partnership; tasks the National Institute of Standards and
Technology with establishing a quasi-regulatory set of cybersecurity
standards (a ``cybersecurity framework''); and orders DHS to
incentivize critical infrastructure to adhere to the NIST standards.
What the EO cannot do is provide liability protections for critical
infrastructure entities that make the effort to participate in a
public-private cybersecurity program, regardless of whether it is
created via EO or some future law.
AGA supports employing the SAFETY Act as an appropriate avenue for
providing companies that participate in a government-private industry
cybersecurity partnership with liability coverage from the impacts of
cyberterrorism. SAFETY Act applicability in this area seems plain:
The SAFETY Act exists in current law, and a related office
at DHS has been reviewing and approving applications for
liability coverage in the event of an act of terrorism or cyber
attack for over a decade. This office utilizes an existing
review and approval process which would allow for immediate
granting of liability protections from cyber attacks.
Because the SAFETY Act can apply to a variety of areas
ranging from cybersecurity standards (cyber best practices,
etc.), to procurement practices and related equipment (SCADA,
software, firewalls, etc.) companies can layer their liability
protection.
We are aware of no other existing statute that offers
similar liability protections. Moreover, we do not see the need
to write new law to address liability protections from cyber
incidents when the SAFETY Act is already applicable.
This said, there are some areas where we believe the SAFETY Act
could be a little stronger as it applies to cyber matters. First, and
foremost, the statute could be expanded to make specific reference to
liability protections from ``cyber'' events (cyber attacks, cyber
terrorism, etc.) and more specific reference to coverage for
cybersecurity equipment, policies, information sharing programs, and
procedures. While there is coverage under the Act currently for cyber
attacks, specifically identifying ``cyber attacks'' as a trigger for
liability protections would strengthen the overall concept.
The Natural Gas Utility Cybersecurity Posture
AGA's policy priorities for cybersecurity include preserving our
current cybersecurity partnership with the Transportation Security
Administration, Pipeline Security Division, enhancing government-
private industry cybersecurity information sharing, opposing burdensome
or counterproductive cybersecurity regulation, and supporting robust
liability protections for entities that are serious about protecting
their networks. If ultimately achieved, these items will only bolster
an already solid industry cybersecurity commitment.
America's natural gas utilities are cognizant of enduring cyber
threats and the continued need for vigilance through cybersecurity
protection, detection, and mitigation mechanisms. Industry operators
apply numerous cyber standards, guidelines, and related regulations in
their cybersecurity portfolios and participate in a variety of
government-sponsored cybersecurity initiatives. There is no single
solution for absolute system protection. However, through a combination
of cybersecurity processes and timely and credible information-sharing
amongst the government intelligence community and industry operators,
America's natural gas delivery system remains protected, safe and
reliable, and will remain so well into the future.
______
Response to Written Question Submitted by Hon. Amy Klobuchar to
Hon. Janet Napolitano
Question. The Executive Order requires agencies to incorporate
privacy and civil liberties safeguards into their activities. Yet the
fact that a Federal Government-private sector cyber information-sharing
program must be streamlined and rapid in order to be effective poses
unique privacy challenges. Can you provide concrete examples of how DHS
and other agencies will implement these safeguards even as they
increase information sharing with the private sector? The Fair
Information Practice Principles of an individual's access to collected
data and the preservation of the integrity of that data would seem to
be particularly difficult to ensure in the pursuit of sophisticated
cyber threats. How will the need for a better flow of information,
sometimes including classified information, be balanced with these
principles? Do you believe that current law adequately protects privacy
rights in cyberspace, particularly if information-sharing between the
government and private sector is increased? Do you believe that cyber
legislation focusing solely on the issue of information sharing that
has been previously proposed in Congress, such as the Cyber Information
Sharing and Protection Act (CISPA), adequately address these privacy
and civil liberties concerns?
Answer. In recognition of the privacy and civil liberties concerns
associated with the efforts called for in Executive Order (EO) 13636,
the Administration directed Departments and Agencies to assess
activities required by EO 13636 for potential privacy and civil
liberties risks. In developing this and other documents, the
Administration sought input from stakeholders of all viewpoints in
industry, government, and the advocacy community. Their input has been
vital in crafting an order that incorporates the best ideas and lessons
learned from public and private sector efforts while ensuring that our
information sharing incorporates rigorous protections for individual
privacy, confidentiality, and civil liberties. Indeed, as we perform
all of our cyber-related work, we are mindful of the need to protect
privacy, and civil liberties. The Department has implemented strong
privacy and civil rights and civil liberties standards into all its
cybersecurity programs and initiatives from the outset.
Rather than simply attempting to balance information sharing with
privacy concerns, Departments and Agencies will use the Fair
Information Practice Principles (FIPPs) as an analytical framework to
assess privacy risks and integrate privacy protections into their
cybersecurity programs. The FIPPs help agencies recognize the
importance of data minimization, that is, that agencies should only
collect information that is relevant and necessary to accomplish agency
missions. Not only does this ensure privacy, but it also facilitates
more effective protection of critical cybersecurity infrastructure. A
concrete example of how DHS implements the FIPPs is by conducting
Privacy Impact Assessments (PIAs) on the Department's cyber systems and
programs. DHS published the Enhanced Cybersecurity Services (ECS) PIA
in January of this year and will continue to update or conduct PIAs on
cyber operations on an ongoing basis. The ECS PIA describes the
operational processes and privacy and security oversight required to
share unclassified and classified cyber threat indicators with
companies that provide internet, network and communications services to
enable those companies to enhance their service to protect U.S.
Critical Infrastructure entities.
In addition, the Federal Government will ensure that privacy and
civil liberties safeguards are incorporated into cyber activities
through the work of the recently formed Assessments Working Group (WG)
under the Integrated Task Force (ITF), which leads the Administration's
implementation efforts of the requirements laid out in the EO and
Presidential Policy Directive-21 (PPD-21). The WG is an interagency
body whose participants represent Senior Agency Officials for Privacy
and Civil Liberties. The WG is responsible for providing support to
Departments and Agencies as they conduct the privacy and civil
liberties assessments required by Section 5 of EO 13636. The WG will
serve as a forum for sharing approaches to conducting these
assessments. Separately, the DHS Privacy Office and Office for Civil
Rights and Civil Liberties (CRCL) will conduct assessments of DHS
activities undertaken pursuant to the EO, and will compile other
Departments' and Agencies' assessments for inclusion in an annual
report. In compiling the report, the Privacy Office and Office for
Civil Rights and Civil Liberties (CRCL) will consult with the Privacy
and Civil Liberties Oversight Board and coordinate with the Office of
Management and Budget, consistent with the requirements set forth in EO
13636.
In addition, the DHS Privacy Office and Office for Civil Rights and
Civil Liberties has hosted a series of five meetings for privacy and
civil liberties advocates that began in April 2013 to provide
additional transparency into the operation of the ITF Working Groups.
It is important to note that the Executive order does not grant new
regulatory or other authority to increase voluntary cooperation with
the private sector or to establish additional incentives for
participation in the Voluntary Critical Infrastructure Cybersecurity
Program established in the EO. New approaches to cybersecurity are
urgently needed, and we are committed to working with Congress for
passage of a comprehensive suite of legislation.
The Administration's legislative priorities for the 113th Congress
build upon the President's 2011 Cybersecurity Legislative Proposal and
take into account two years of public and congressional discourse about
how best to improve the Nation's cybersecurity. Congress should enact
legislation to incorporate privacy and civil liberties safeguards into
all aspects of cybersecurity; strengthen our critical infrastructure's
cybersecurity by further increasing responsible information sharing and
promoting the establishment and adoption of standards for critical
infrastructure; giving law enforcement additional tools to fight crime
in the digital age; and creating a National Data Breach Reporting
requirement.
______
Response to Written Questions Submitted by Hon. Kelly Ayotte to
Hon. Janet Napolitano
Question 1. The issue of cyber security is far too important not to
find common ground and move forward with legislation that would make us
safer today. Some like to blame different associations or trade groups
for the inability to get legislation through both bodies of Congress,
but I would argue that Republicans and Democrats agree on a vast
majority of the issues being debated. Why can't we pass what we all
agree on, such as information sharing and then roll up our sleeves and
see if we can find consensus on the issues where there may not be as
much common ground? Too much is at stake to have an all-or-nothing
mentality.
Answer. Both sides of the aisle are united in their recognition
that cybersecurity must be strengthened. While the Administration has
taken significant steps to protect against evolving cyber threats, we
must acknowledge that the current threat outpaces current authorities.
In the current landscape, DHS must execute its cybersecurity mission
under an amalgam of existing statutory and executive authorities that
have failed to keep up with the responsibilities. Cybersecurity
activities have made clear that certain laws that govern cybersecurity
activities must be updated.
In February 2013, President Obama issued Executive Order 13636 on
Improving Critical Infrastructure Cybersecurity as well as Presidential
Policy Directive 21 on Critical Infrastructure Security and Resilience,
which will strengthen the security and resilience of critical
infrastructure through an updated and overarching national framework
that acknowledges the increased role of cybersecurity in securing
physical assets. These directives create a foundation for legislative
action by implementing concepts set forth in the President's 2009
Cyberspace Policy Review, and policies drawn from the recommendations
of the House Republican Cybersecurity Task Force and the bipartisan
Commission on Cybersecurity for the 44th Presidency.
It is important to note that the Executive order directs Federal
agencies to work within current authorities and increase voluntary
cooperation with the private sector to provide better protection for
computer systems critical to our national and economic security. It
does not grant new regulatory authority or establish additional
incentives for participation in a voluntary program. New approaches to
cybersecurity are urgently needed, and we are committed to working with
Congress for passage of a comprehensive suite of legislation.
The Administration's legislative priorities for the 113th Congress
build upon the President's 2011 Cybersecurity Legislative Proposal and
take into account two years of public and congressional discourse about
how best to improve the Nation's cybersecurity. Congress should enact
legislation to incorporate privacy, confidentiality, and civil
liberties safeguards into all aspects of cybersecurity; strengthen our
critical infrastructure's cybersecurity by further increasing
information sharing and promoting the establishment and adoption of
standards for critical infrastructure; give law enforcement additional
tools to fight crime in the digital age; and create a National Data
Breach Reporting requirement.
Question 2. If the Federal Government deems a business as covered
critical infrastructure, but that business disputes whether or not it
should be covered, what is the appeal process? Do businesses have any
recourse or is DHS judge and jury in this instance?
Answer. Under Executive Order (EO) 13636, private sector
participation in cybersecurity matters with the Department of Homeland
Security (DHS) is carried out on a voluntary basis and supports more
efficient sharing of cyber threat information. The EO directs the
National Institute of Standards and Technology to develop a
Cybersecurity Framework to identify cybersecurity practices among
critical infrastructure sectors and directs DHS to develop a Voluntary
Program to encourage adoption of the Framework. While the intent of the
EO is to offer additional cybersecurity capabilities to assist owners
and operators of critical infrastructure, with the expectation that
accepting this assistance will be in the firms' best interest, EO 13636
creates no new legal obligation for businesses to adopt any
cybersecurity measures.
Because the vast majority of U.S. critical infrastructure is owned
and operated by private companies, reducing the risk to these vital
systems requires a strong partnership between government and industry.
To implement EO 13636, DHS engaged in a consultative process with
public and private sector partners to identify critical infrastructure
that if impacted by a cybersecurity incident could reasonably cause
catastrophic impacts to our national security, economic security,
public health and safety. Specifically, EO 13636 requires consultation
with the Critical Infrastructure Partnership Advisory Council; Sector
Coordinating Councils; critical infrastructure owners and operators;
Sector Specific Agencies; other relevant agencies; independent
regulatory agencies; state, local, territorial, and tribal governments;
universities; and outside experts.
DHS will confidentially notify owners and operators of critical
infrastructure identified under this process and ensure identified
owners and operators are provided the basis for the determination. The
Department is also required to establish an administrative appeals
process through which owners and operators of critical infrastructure
may submit relevant information and request reconsideration of their
identification as ``critical infrastructure of greatest risk.''
Question 3. Earlier this month in a Senate Armed Services hearing,
Gen. James Mattis, the Commander of U.S. Central Command testified that
with the increasing role of our adversaries in cyberspace, it only adds
more urgency to expand our presence, capabilities and authorities to
maintain an advantage in cyberspace. Threat networks, including those
posed by Iran and China, are adjusting opportunistically. What role do
you envision DHS playing to destabilize cyber activities that lead to,
among other things, transfer of illicit arms, espionage and aid
transferred to support malign actors seeking to undermine our security?
What forums exist and what forums are you considering using to put more
urgency and high level attention into the DHS-CYBERCOM cyber security
dialogue?
Answer. The United States confronts a dangerous combination of
known and unknown vulnerabilities in cyberspace and strong and rapidly
expanding adversary capabilities. Successful response to dynamic cyber
threats requires a whole of government approach leveraging homeland
security, law enforcement, and military authorities and capabilities,
which respectively promote domestic preparedness, criminal deterrence
and investigation, and national defense. While each agency operates
within the parameters of its authorities, the U.S. Government's
response to cyber incidents of consequence is coordinated among the
Department of Homeland Security (DHS), Department of Justice (DOJ), and
the Department of Defense (DOD) such that ``a call to one is a call to
all.''
DHS is responsible for coordinating the Federal Government response
to significant cyber or physical incidents affecting critical
infrastructure, consistent with statutory authorities. The Department
is the largest law enforcement agency in the Federal Government, with
personnel stationed in every state and in more than 75 countries around
the world. To combat cyber crime, DHS relies upon the skills and
resources of the United States Secret Service (USSS), U.S. Immigration
and Customs Enforcement (ICE), U.S. Coast Guard, and U.S. Customs and
Border Protection (CBP) and works in cooperation with partner
organizations, including international partners, to investigate and
prosecute cyber criminals and works in cooperation with partner
organizations, including international partners, to investigate and
prosecute cyber criminals. (Pursuant to section 1030 of the Title 18 of
the United States Code, the Federal Bureau of Investigation has primary
authority to investigate cyber crimes with a national security,
counterintelligence, or espionage nexus.)
Additionally, there are several key ways in which DHS leverages the
capabilities of the DOD. DHS is able to draw upon specific classified
cyber threat intelligence that can be utilized in enhancing the
protection of Federal networks and private critical infrastructure
networks under cooperative partnerships. The DHS-DOD relationship also
includes a Memorandum of Agreement for exchanges of personnel as well
as shared technical expertise. I meet regularly with Director Mueller
and General Alexander to coordinate and align operational strategies.
DHS has administrative security authorities that allow it to defend
government networks, to share and receive threat information with
private, State, local and tribal entities, and to coordinate with our
intelligence community and law enforcement agency partners and to
leverage government cybersecurity expertise and render technical
assistance when needed.
Synchronization among DHS, DOJ, and DOD ensures that all of
government's capabilities are brought to bear against cyber threats and
enhances government's ability to share timely and actionable
cybersecurity information with a variety of partners, especially the
private sector.
Question 4. A new report from the Pentagon's Defense Science Board
on cyber threats has raised some grave concerns. Among its findings,
our cyber capabilities at the Pentagon are ``fragmented'' and the
Defense Department is not prepared to defend against this threat.'' It
goes on to say that the Pentagon cannot be confident that its military
computer systems are not compromised because some use components made
in countries with high-end cyber-capabilities such as China and Russia.
Do you share the concerns of this Pentagon Report?
Answer. The Department of Homeland Security (DHS) has reviewed the
report and values this contribution provided by the Defense Science
Board. We agree that the cyber threat is serious, that public and
private networks in all countries are built on inherently insecure
architectures, and that the United States should lead the way by taking
positive action to increase the security and confidence in the
information technology systems we depend on. We have reviewed the
recommendations and findings of the report and are working to apply
lessons learned to our own mission to protect Federal Civilian
Executive branch networks. Additionally, DHS, along with interagency
partners, is aggressively implementing the National Strategy for Global
Supply Chain Security of January 2012, which seeks to protect the
welfare and interests of the American people and secure our Nation's
economic prosperity by promoting the secure movement of goods and
fostering a resilient supply chain.
Question 5. Do you feel countries like China and Russia are ahead
of the U.S. on the technology scale when it comes to cyber? How
confident are you that the computer systems used by your agency are not
vulnerable since so many are made overseas?
Answer. We would be happy to provide a threat briefing in a
classified setting.
Question 6. What is DHS's working relationship and division of
labor between Cyber Command and DHS?
Answer. Ensuring the Nation's cybersecurity is a shared
responsibility. Successful response to dynamic cyber threats requires a
whole of government approach leveraging homeland security, law
enforcement, and military authorities and capabilities, which
respectively promote domestic preparedness, criminal deterrence and
investigation, and national defense. While each agency operates within
the parameters of its authorities, the U.S. Government's response to
cyber incidents of consequence is coordinated among DHS, the Department
of Justice (DOJ), and Department of Defense (DOD) such that ``a call to
one is a call to all.''
As with all threats to the United States, our allies, and our
interests in other domains, the DOD has the mission to defend the
Nation against foreign attacks. Its national security mission demands
that it defend, deter, and take decisive action in cyberspace to defend
our national interests. DHS is responsible for securing unclassified
Federal civilian government networks and working with owners and
operators of critical infrastructure to secure their networks through
risk assessment, mitigation, and incident response capabilities.
While each department has its own separate role, there is a high
level of cooperation on cybersecurity activities including the U.S.
Cyber Command, DHS/NCCIC, and NSA's Threat Operations Center.
Collaboration between these designated `cyber centers' has been
maturing since the approval of HSPD-23/NSPD-54 in 2007. To further
cooperation between DOD and DHS, a memorandum of agreement was signed
in October 2010 that formalized coordination processes, embeds DOD
cybersecurity analysts within DHS and puts DHS leaders and analysts
inside the National Security Agency to foster operational coordination.
(This agreement was codified in the National Defense Authorization Act
for Fiscal Year 2012, P.L. 112-81, Sec. 1090.) Additionally, I meet
regularly with General Alexander to coordinate and align operational
strategies.
______
Response to Written Questions Submitted by Hon. Dan Coats to
Hon. Janet Napolitano
Question 1. The President's Executive Order focuses on threats to
the Nation's critical infrastructure, and yet numerous open source
reports indicate state sponsored industrial and economic espionage
against American businesses is an equal if not greater threat to
America's national and economic security. For example, last year
General Keith Alexander spoke at an AEI event and called industrial
cyberespionage and intellectual property theft ``the greatest transfer
of wealth in our Nation's history.'' He estimated the costs to the
American economy to be $388 billion, and a 2011 report from the Office
of National Counter-Intelligence Executive estimated the costs to the
American economy to be in the $400 billion range, with Chinese actors
as the world's most active perpetrators of industrial cyberespionage.
As you also know, the cybersecurity firm Mandiant released a report
this year documenting the problem of Chinese economic/industrial
espionage, specifically looking at the ``advanced persistent threat''
(APT) from one of the Chinese People's Liberation Army (PLA)
cyberattack units. How would you compare the threat to our economic
interests to the threat to critical infrastructure?
Answer. The Department of Homeland Security (DHS) continues to be
concerned about the effects of cyber-enabled theft of intellectual
property, trade secrets and commercial data, and works daily with
interagency partners and the private sector to address the threat.
Additionally, while the consequences of wide-scale intellectual
property theft may be different than those from a destructive or
disruptive cyber attack to critical infrastructure, techniques that
adversaries may use to steal sensitive business information also expose
vulnerabilities that could be used to destroy or disrupt critical
systems and services. Both are very real threats of potentially high
consequence, and we take them very seriously. In fact the things we
must do to address them both are quite similar.
To combat cyber crime, DHS relies upon the skills and resources of
the United States Secret Service (USSS), U.S. Immigration and Customs
Enforcement (ICE), U.S. Coast Guard (USCG), and U.S. Customs and Border
Protection (CBP) and works in cooperation with partner organizations to
investigate cyber criminals. Since 2009, DHS has prevented $10 billion
in potential losses through cyber crime investigations and arrested
more than 5,000 individuals for their participation in cyber crime
activities. The Department leverages the 31 USSS Electronic Crimes Task
Forces (ECTF), which combine the resources of academia, the private
sector, and local, state and Federal law enforcement agencies to combat
computer-based threats to our financial payment systems and critical
infrastructure. The Department is also a partner in the National Cyber
Investigative Joint Task Force, which serves as the national focal
point for U.S. Government coordination, integration, and sharing of
information relating to all domestic national security cyber
investigations sharing across the interagency. To further these
efforts, the Administration issued its Strategy on Mitigating the Theft
of U.S. Trade Secrets in February of this year. DHS will act vigorously
to support the Strategy's efforts to combat the theft of U.S. trade
secrets--especially in cases where trade secrets are targeted through
illicit cyber activity by criminal hackers.
In addition, DHS works with its interagency partners to distribute
relevant technical threat data to industry partners enabling them to
take action to prevent and mitigate potential network intrusions and
cyber-enabled theft. The DHS Enhanced Cybersecurity Services (ECS)
program is one of many efforts to increase this sharing of technical
threat data. Under ECS, DHS provides classified and sensitive threat
information to qualified cybersecurity providers, who then utilize this
information to offer enhanced cybersecurity services to many businesses
that qualify as critical infrastructure entities. However, just as with
addressing threats to physical critical infrastructure, we must have
two-way and real-time information exchange among government agencies,
network owners and operators, and others in order to more fully
understand what malicious cyber activity is occurring and how to best
address it. We look forward to working with Congress to find ways to
further increase this critical information sharing relationship and
incentivize the adoption of cybersecurity best practices by critical
infrastructure partners.
Question 2. A GAO report released last month found that
cybersecurity incidents at Federal agencies were on the rise. And while
there is an uptick in these incidents, challenges remain in how DHS is
carrying out responsibilities in sharing information among Federal
agencies and key private sector entities such as critical
infrastructure owners. The GAO report also found that DHS is not
``developing a timely analysis and warning capability,'' citing that
the Inspector General at DHS recommended that DHS establish a
``consolidated, multiple-classification-level portal to share incident
response related information'' which DHS says will not be ready until
2018. The report also found that Federal Information Security
Management Act compliance is inadequate, with only 8 of 22 agencies
being in compliance with FISMA standards in 2011 (down from 13 out of
24 agencies in 2010) and that 9 agencies ``had not fully developed
required policies for monitoring security on a continuous basis.''
Since, according to GAO and various agency Inspectors General, the
Federal Government has demonstrated it is unable to meet its
requirements under FISMA, what confidences should we have that it is
prepared to regulate and oversee private sector operations of critical
infrastructure?
Answer. Significant progress has been made in improving information
sharing among the Department of Homeland Security's (DHS) Office of
Cybersecurity and Communication, Federal agencies, and other partners
and constituents. DHS provided documentation of its improved public-
private cybersecurity information sharing activities to Government
Accountability Office (GAO) in August 2011, promptly answered
subsequent questions, and are awaiting GAO's closure of the associated
recommendations under GAO's report on Key Private and Public Cyber
Expectations Need to be Consistently Addressed. Additionally, GAO
closed all ten recommendations under the Cyber Analysis and Warning
report.
Protecting critical infrastructure against growing and evolving
cyber threats requires a layered approach. DHS is committed to ensuring
cyberspace is supported by a secure and resilient infrastructure that
enables open communication, innovation, and prosperity while protecting
privacy, confidentiality, and civil rights and civil liberties. The
Department has operational responsibilities for securing unclassified
Federal civilian government networks and working with owners and
operators of critical infrastructure to secure their networks through
cyber threat analysis, risk assessment, mitigation, and incident
response capabilities. DHS is also responsible for coordinating the
national response to significant cyber incidents and for creating and
maintaining a common operational picture for cyberspace across the
government.
In September 2012, DHS finalized the Strategic National Risk
Assessment (SNSRA) Report for Communications in coordination with
public and private sector partners and is currently working with
industry to develop plans for mitigating risks identified in the SNSRA,
which will determine the path forward in developing outcome-oriented
performance measures for cyber protection activities related to the
Nation's core and access communications networks. In addition, in
February 2013, the President issued Executive Order 13636 on Improving
Critical Infrastructure Cybersecurity as well as Presidential Policy
Directive 21 on Critical Infrastructure Security and Resilience, which
will strengthen the security and resilience of critical infrastructure
through an updated and overarching national framework that acknowledges
the increased role of cybersecurity in securing physical assets.
Executive Order 13636 expands the voluntary DHS Enhanced Cybersecurity
Service program, which promotes cyber threat information sharing
between government and the private sector. This engagement helps
critical infrastructure entities protect themselves against cyber
threats to the systems upon which so many Americans rely.
DHS actively collaborates with public and private sector partners
every day to improve the security and resilience of critical
infrastructure while responding to and mitigating the impacts of
attempted disruptions to the Nation's critical cyber and communications
networks and to reduce adverse impacts on critical network systems.
Such partnerships, combined with existing DHS critical infrastructure
cybersecurity programs, assure that DHS will have the relationships and
expertise to implement an oversight and compliance regime. Examples of
existing programs include the Cyber Information Sharing, and
Collaboration Program, which enables regular and trusted sharing of
actionable cybersecurity threat indicators that those owners and
operators can immediately use for computer network defense activities.
Additionally, DHS has long served as the Sector Specific Agency for
both the Information Technology and Communications sectors. This
trusted partnership has enabled further collaborative initiatives such
as the Information Technology Sector Risk Assessment, the Cybersecurity
Evaluation Program, which conducts voluntary cybersecurity assessments
across all critical infrastructure sectors, and the Critical
Infrastructure-Cyber Security program that leads efforts with public
and private sector partners to promote an assured and resilient U.S.
cyber infrastructure.
DHS also conducts daily operational, information sharing, incident
response, and technical assistance through the National Cybersecurity
and Communications Integration Center (NCCIC) and its components. Every
day, partners from private sector critical infrastructures, Information
Sharing and Analysis Centers, Federal cybersecurity centers, and
international governments collaborate on cybersecurity response and
information sharing through the NCCIC. DHS directly supports Federal
civilian departments and agencies in developing capabilities that will
improve their cybersecurity posture in accordance with the Federal
Information Security Management Act (FISMA). To protect Federal
civilian agency networks, our National Protection and Programs
Directorate (NPPD) is deploying technology to detect and block
intrusions through the National Cybersecurity Protection System and its
EINSTEIN protective capabilities, while providing guidance on what
agencies need to do to protect themselves and measuring implementation
of those efforts. Under current authorities though, DHS can only
monitor, recommend security posture improvements, and report on Federal
agencies' compliance with FISMA. As the GAO report notes, the current
law should be updated to give DHS the statutory authority it needs to
fulfill the responsibilities it has been given.
NPPD is also developing a Continuous Monitoring as a Service
(CMaaS) capability. Through an automated and continuously updated
analytical process, the deployed .gov agency sensors will provide data
to a centralized dashboard. Cyber risk related data will be updated and
displayed daily for management and technical staff review that will
provide insight into network vulnerabilities to more readily prioritize
for the purposes of ongoing mitigation. When combined, the overall
results from Departments and Agencies will contribute toward improving
the agency-specific, as well as the Federal Executive Branch overall
cyber risk posture. This capability will support compliance with
Administration policy, be consistent with guidelines set forth by the
National Institute of Standards and Technology (NIST), and enable
Federal agencies to move from compliance-driven risk management to
data-driven risk management. These activities will provide
organizations with information necessary to support risk response
decisions, security status information, and ongoing insight into
effectiveness of security controls.
DHS partnered with the General Services Administration (GSA) to
award a blanket purchase agreement (BPA) under which CDM tools and
services can be provided to government entities. The BPA, with an
anticipated $6-billion ceiling for the five years (one-year contract
with four one-year options), is open to all Federal civilian and
defense organizations, as well as state and local government entities.
The significant size of the CDM contract was designed to compatibly
support not only Federal civilian network protection assigned to DHS,
but the large body of cybersecurity requirements for any Federal custom
and cloud application over the life of the contract which are funded
separately by each department and agency.
Congress provided funding in the DHS Appropriations Act, 2013 (P.L.
113-6) to implement Continuous Diagnostics and Mitigation (CDM) across
civilian Executive Branch agencies in order increase our ability to
identify and track threats, find vulnerabilities, mitigate the worst
issues first and report on progress in doing so. CDM and FISMA
legislative reforms that provide clear statutory authorities for
carrying out the DHS mission would have the following benefits:
Improved security posture leading to improved regulatory
compliance
Standard security configurations across all Federal
Executive Branch civilian department and agency critical
network infrastructure
Improved communication and collaboration methods across
diverse stakeholder groups
Improved situational awareness creates synergy amongst the
Federal cybersecurity workforce and improves communication and
information sharing within the Federal enterprise
Increased efficiency and security posture through
collaboration and streamlining
In addition, DHS works with critical infrastructure stakeholders in
the private sector through the Industrial Control Systems Cyber
Emergency Response Team (ICS-CERT). These relationships are maintained
by ICS-CERT through cybersecurity incident analysis and onsite
assistance, training opportunities in control systems security
development, and the Industrial Control Systems Joint Working Group
(ICSJWG).
Question 3. The Executive Order focuses solely on government-to-
private-sector information sharing. Many believe, and I agree, that
better private-to-government and private-to-private information sharing
protocols need to be implemented, and I question how we can get there
without better liability protections. What is your plan to encourage
better private-to-government and private-to-private information
sharing? How will the Framework incentivize private sector partnership
without these carrots? Is it possible that private companies may
withhold participation in the Framework until such incentives are
provided through legislation?
Answer. While Executive Order (EO) 13636 on Critical Infrastructure
Cybersecurity works to increase information sharing from the government
to the private sector, the Department of Homeland Security (DHS) is
focused on expanding information sharing relationships both within the
government and among the private sector through adherence to three
goals:
Build trust and credibility among critical infrastructure
owners/operators;
Build sharing relationships where no sharing is currently
occurring; and
Incorporate individual owners/operators in the sharing
environment and align their cybersecurity and risk management
requirements with existing and emerging data flows being
developed or optimized.
For example, through the Cyber Information Sharing and
Collaboration Program (CISCP), DHS has entered into Cooperative
Research and Development Agreements with critical infrastructure owners
and operators that enable regular and trusted sharing of actionable
cybersecurity threat indicators that are immediately used for computer
network defense activities. Additionally, DHS has long served as the
Sector Specific Agency for both the Information Technology and
Communications sectors (as well as eight other sectors). This trusted
partnership with private sector and Federal partners has enabled
further collaborative initiatives such as the Information Technology
Sector Risk Assessment, the Cybersecurity Evaluation Program, which
conducts voluntary cybersecurity assessments across all critical
infrastructure sectors, and the Critical Infrastructure-Cyber Security
program that leads efforts with public and private sector partners to
promote an assured and resilient U.S. cyber infrastructure.
The Department also has established close working relationships
with industry through partnerships like the Protected Critical
Infrastructure Information (PCII) Program, which enhances voluntary
information sharing between infrastructure owners and operators and the
government. Furthermore, DHS conducts daily operational, information
sharing, incident response, and technical assistance through the
National Cybersecurity and Communications Integration Center (NCCIC)
and its components: the United States Computer Emergency Readiness
Team, the Industrial Control Systems Cyber Emergency Response Team, and
the National Coordinating Center for Communications. Presently, the DHS
Science and Technology Directorate (S&T) has ongoing or proposed
cooperative activities in the area of cyber security research and
development (R&D) to promote the benefits of networked technology
globally, and a secure, reliable, and interoperable cyberspace.
Information Sharing and Analysis Centers (ISACs) are key partners
in these efforts because they, along with similar not-for-profit and
commercial entities, are able to serve as trusted providers of data
from DHS to their members/customers and to other ISACs and like
organizations. In turn, they serve as aggregators as well as
anonymizers of their relevant member/customer cybersecurity threat data
and provide threat data back to one another without attribution to the
source of the data. DHS is supportive of and regularly coordinates with
these partners as one way to promote private to private information
sharing.
The key incentive for all participants in this type of data flow is
the potential for generating increased, actionable situational
awareness where the individual participants benefit from the
experiences of the whole. The ability to achieve visibility of threats
that are exploiting other sectors or organizations before that
particular threat or a variant of that threat manifests in your
networks or systems is a benefit available to all participants. We
currently have more than 35 companies, ISACs, and like organizations
who are participating in data sharing in this fashion, with more than
50 companies in negotiations to join that program effort, and we do not
feel we need to offer specific incentives to join in these types of
partnerships with the Government.
In response to the EO the DHS and the Departments of Commerce and
Treasury provided recommendations to the President, through the
Assistant to the President for Homeland Security and Counterterrorism
and the Assistant to the President for Economic Affairs, identifying
potential incentives that could be considered as we move forward in
this space. Since the agencies submitted their reports, the White House
has completed the interagency review process and determined a path
forward. Existing programs and authorities are currently under review
to determine how we and other Departments can enable more private-to-
private and private to government information sharing. As mentioned
previously, we have successful models with some ISACs and the CISCP and
are looking to expand on that basis and since Congress has previously
granted authorities that may be able to be utilized to provide
liability protection and address other legal concerns. We do know the
administration is looking at a package of incentives outside
information sharing for companies that adopt the framework; however,
private sector response to development efforts for the framework has
been largely positive, and we anticipate that many companies will adopt
it without an accompanying incentives package.
Question 4. As Secretary of Homeland Security, you were an advocate
for the administration's cybersecurity legislation. And last August,
when the U.S. Senate considered the Cybersecurity Act of 2012, you
urged its passage. I agree with statements you made last year on the
shared responsibility and urgency of improving cyber security. Do you
still agree that cyber security is a shared responsibility that
includes both the public and private sector? What is the role of the
Information Technology (IT) sector in this shared responsibility and
why did you support a carve-out for the IT sector?
Answer. Yes. Cybersecurity is a shared responsibility that includes
efforts from both the public and private sectors. Industry and the
government have a long history of working together to protect the
physical security of many critical assets that reside in private hands,
from airports and seaports to national broadcast systems and nuclear
power plants. There is no reason we cannot work together in the same
way through a shared responsibility to protect critical infrastructure
cyber systems upon which so much of our economic well-being, national
security, and daily lives depend.
The statement in EO 13636 regarding IT products and services
reflects our consistent philosophy that cybersecurity standards must be
technology neutral, and that the government should not dictate what IT
components critical infrastructure owners and operators use in their
systems. Furthermore, classifying any product or service as critical
infrastructure simply because it is used by critical infrastructure
would dilute our efforts to identify the entities whose incapacitation
by cyber incident could cause catastrophic economic or national
security consequences. We are closely engaged with the IT sector to
ensure that critical infrastructure owners and operators across all
sectors have the market choices to secure their systems.
Question 5. Without additional statutory authority and
congressional direction, the information sharing program is little more
than directing executive departments and agencies to expedite the
sharing of existing information. More importantly, the Executive order
focuses only on the sharing of information from the government to the
private sector. How do you intend to increase the sharing of
information from industry to the government, and within and among
industries?
Answer. Through the Critical Infrastructure Information Sharing,
Analysis, and Collaboration Program, DHS has entered into Cooperative
Research and Development Agreements with critical infrastructure owners
and operators that enable regular and trusted sharing of actionable
cybersecurity threat indicators that are immediately used for computer
network defense activities. Additionally, DHS has long served as the
Sector Specific Agency for both the Information Technology and
Communications sectors. This trusted partnership with private sector
and Federal partners has enabled further collaborative initiatives such
as the Information Technology Sector Risk Assessment, the Cybersecurity
Evaluation Program, which conducts voluntary cybersecurity assessments
across all critical infrastructure sectors, and the Critical
Infrastructure-Cyber Security program that leads efforts with public
and private sector partners to promote an assured and resilient U.S.
cyber infrastructure.
It is important to note that the Executive order directs Federal
agencies to work within current authorities and increase voluntary
cooperation with the private sector to provide better protection for
computer systems critical to our national and economic security. It
does not grant new regulatory authority or establish additional
incentives for participation in a voluntary program. We continue to
believe that a suite of legislation is necessary to implement the full
range of steps needed to build a strong public-private partnership, and
we will continue to work with Congress to achieve this.
The Department also has established close working relationships
with industry through partnerships like the Protected Critical
Infrastructure Information (PCII) Program, which enhances voluntary
information sharing between infrastructure owners and operators and the
government. Furthermore, DHS conducts daily operational, information
sharing, incident response, and technical assistance through the
National Cybersecurity and Communications Integration Center (NCCIC)
and its components: the United States Computer Emergency Readiness
Team, the Industrial Control Systems Cyber Emergency Response Team, and
the National Coordinating Center for Communications. Every day partners
from private sector critical infrastructures, Information Sharing and
Analysis Centers, Federal cybersecurity centers, and international
governments collaborate on cybersecurity response and information
sharing through the NCCIC. These activities take place voluntarily, and
in recognition of the fact that DHS' unique positioning as the hub for
cybersecurity and critical infrastructure security and resilience makes
it the most effective and trusted point of coordination and
collaboration for all of those stakeholders.
Additionally, the DHS Science and Technology Directorate (S&T) has
formalized 13 international bilateral agreements that allow for
cooperative activities in the area of cyber security research and
development (R&D) to promote the benefits of networked technology
globally, and a secure, reliable, and interoperable cyberspace.
Question 6. The definition of critical infrastructure in the
President's Executive Order (EO) is very broad: ``systems and assets,
whether physical or virtual, so vital to the U.S. that the incapacity
or destruction of such systems and assets would have a debilitating
impact on security, national economic security, national public health
or safety, or any combination of those matters.'' It is hard to imagine
any industrial sectors that would be excluded from such a definition.
How do you balance security with practicality in implementing this
definition?
Answer. The term ``critical infrastructure'' is statutorily defined
and this language has since been the basis for critical infrastructure
protection activities, including Executive Order (EO) 13636. The
Department of Homeland Security (DHS) has conducted broad engagement
with critical infrastructure owners and operators over the past ten
years that has enhanced the security and resilience of our Nation's
infrastructure.
Under Section 9 of EO 13636, the Department will identify a list of
critical infrastructure whose incapacitation from a cyber incident
would have catastrophic public health and safety, economic or national
security consequences. This is a higher threshold than debilitating
consequences and will focus on a small subset of U.S. infrastructure,
not entire sectors.
This is a criticality-based approach, and will result in limited
Federal resources being focused on critical infrastructure, the failure
of which would pose the greatest hazards.
Question 7. Section 10 of the Executive order directs all sector-
specific agencies to make the Framework mandatory for their respective
sectors of industry. Do you believe that the veiled threat of mandatory
standards with few, if any, strong incentives is the right formula for
a successful public-private partnership?
Answer. With today's physical and cyber infrastructure more
inextricably linked, critical infrastructure and emergency response
functions are inseparable from the information technology systems that
support them. The government's role in this effort is to share
information and encourage enhanced security and resilience, while
identifying and addressing gaps not filled by the market-place. While
some companies have strong cybersecurity policies in place, others
still need to implement improved cybersecurity practices. The framework
will be developed collaboratively with industry and will incorporate
existing international standards, practices, and procedures wherever
possible.
Section 10 of EO 13636 refers to ``Agencies with responsibility for
regulating the security of critical infrastructure,'' which in general
are not sector-specific agencies (SSAs). Not generally having
regulatory authority, the SSAs are better able than regulators to
engage in partnership with industrial sectors. Moreover, EO 13636 only
directs existing regulators under current authorities to examine ways
to increase their sector's cybersecurity; any mandatory participation
here would occur only where regulators already have the authority to
impose security requirements on their respected regulated entities. The
aim is not to compel across-the-board participation, even if such
authorities did exist. Even then, EO 13636 does not dictate a ``one-
size fits all'' approach, but rather promotes collaboration to
encourage innovation and recognize differing needs and challenges
within and among critical infrastructure sectors. Specifically, section
8(d) of the EO requires the Secretaries of Homeland Security, Treasury
and Commerce to each make recommendations on a set of incentives
designed to promote participation in the voluntary cybersecurity
framework. The Department of Homeland Security (DHS) is working
collaboratively with industry as well as staff from Treasury and
Commerce to further develop these recommendations, and the incentives
found in this report will also inform the larger nation-wide
conversation. While DHS can make recommendations, only Congress has the
authority to provide strong incentives and agree with or implement any
recommendations put forward from the three Incentives Reports.
______
Response to Written Questions Submitted by Hon. Ron Johnson to
Hon. Janet Napolitano
Question 1. The Government Accountability Office (GAO) issued a
report in February 2013 entitled, ``National Strategy, Roles, and
Responsibilities Need to be Better Defined and More Effectively
Implemented.'' In this report GAO found that only eight of 22 of
agencies were in compliance with risk management requirements under the
Federal Information Security Management (FISMA) standards in 2011, down
from 13 out of 24 in 2010. Yet the Federal Government reported 782
percent more cyber incidents to the U.S. Computer Emergency Readiness
Team in 2012 than it did in 2006. What is DHS doing to achieve greater
compliance with FISMA standards from Federal agencies? How does the
increase in cyber incidents against the Federal Government, combined
with the decrease in compliance of Federal agencies with FISMA, impact
the cybersecurity posture of the U.S. Government?
Answer. The Department of Homeland Security's (DHS) role in the
implementation of the Federal Information Security Management Act of
2002 (FISMA) is delineated by Office of Management and Budget (OMB)
guidance. Under current authorities, DHS can only monitor, recommend
security posture improvements, and report on Federal agencies'
compliance with FISMA. As the Government Accountability Office (GAO)
report notes, the current law should be updated to give DHS the
statutory authority it needs to fulfill the responsibilities it has
been given. The Administration's May 2011 legislative proposal to
Congress included provisions that would address this issue. The
Administration continues to support legislation that would update
Federal agency network security laws, and codify DHS's cybersecurity
responsibilities.
While FISMA did not envision the scope of today's emerging threats
and cybersecurity challenges, DHS is pursuing a number of initiatives
such as Continuous Diagnostics and Mitigation (CDM), Trusted Internet
Connections, and the Einstein programs to strengthen cyber security
defenses, visibility and situational awareness.
In collaboration with the National Security Staff (NSS) and OMB,
DHS uses its expanded CyberStat program to perform intense, focused
reviews with the 24 Chief Financial Officers Act agencies to identify
and mitigate challenges to agencies' FISMA implementation. This
includes a plan of action and milestones, submitted by the agencies and
accepted by NSS, OMB, and DHS, outlining the approach to correct
identified deficiencies.
Congress provided funding in the DHS Appropriations Act, 2013 (P.L.
113-6) to implement Continuous Diagnostics and Mitigation (CDM) across
civilian Executive Branch agencies in order to increase our ability to
identify and track threats, find vulnerabilities, mitigate issues and
report on progress. Earlier appropriations initiated other DHS security
programs.
DHS continues to encourage Congress to pursue legislation that
would result in:
Improved security posture leading to improved regulatory
compliance;
Standardized security configurations across critical
infrastructure;
Improved communication and collaboration methods across
diverse stakeholder groups;
Improved situational awareness, which creates synergy among
elements of the cybersecurity workforce; improves communication
and facilitates information sharing; and
Increased efficiency and security posture through
collaboration and streamlining.
Question 2. GAO found that DHS is not successfully detecting,
responding to, or mitigating cyber incidents. Specifically, GAO raised
concerns with how DHS shares information among Federal agencies and the
private sector. The DHS OIG recommended that DHS establish a
``consolidated, multiple-classification-level portal to share incident
response related information,'' but DHS will not have this portal ready
until 2018. How will not having this capability until 2018 impact DHS'
role in sharing cyber threat information, as directed in the Executive
order?
Answer. GAO-13-187 highlights important challenges facing Federal
agencies, including DHS, in executing the cyber mission. The report
also highlights the significant and important progress DHS and other
agencies have made in advancing this mission.
As a result of the progress DHS has made in information sharing and
analysis, GAO closed each of the 10 recommendations under its Cyber
Analysis and Warning report. Furthermore, DHS provided GAO with all
documentation requested to close the remaining recommendations under
GAO's report titled Key Private and Public Cyber Expectations Need to
be Consistently Addressed. The National Cybersecurity Protection
System's information-sharing and collaboration environment will address
the recommendation to establish a consolidated multi-classification
information-sharing capability. Funding for this activity is included
in the President's Fiscal Year 2013 budget request. While continuing
the development of a comprehensive information sharing capability is
important, DHS maintains existing capabilities that allow for
information exchange with private sector partners at the classified and
unclassified levels facilitating DHS' role in sharing cyber threat
information, as directed in the Executive order.
The delay in implementation may impact the frequency and timeliness
with which DHS is able to exchange classified cyber information with
partners. Processes leveraged as a workaround until the portal reaches
FOC may be cumbersome to analysts and reduce the amount of time
available to conduct strategic analysis across classified and
unclassified domains. As a result, partners may find other sources for
similar information, which could result in a decrease in their
willingness to engage in the Department's various information sharing
initiatives.
Existing NCPS Information Sharing capabilities will be improved and
new capabilities will be brought online as the Information Sharing
environment matures. The NCPS Information Sharing CONOPs identifies
multiple information sharing capabilities. A capability roadmap has
been developed that identifies dependencies and specifies how these
capabilities will be acquired and implemented. Initial Operating
Capability for this set of capabilities is targeted for FY 2015. Full
Operating Capability, which includes integration of capabilities and
automation of processes across multiple security fabrics, will occur in
FY 2018.
Question 3. GAO found that the Federal Government's strategy for
addressing international cyber security challenges is not sufficient or
outcome oriented. GAO also recommended that the White House
Cybersecurity Coordinator develop an overarching Federal cybersecurity
strategy. GAO indicates that such a strategy would hold Federal
agencies accountable for making improvements in their own house, and
would address international cybersecurity challenges. Do you agree with
the White House that an overarching Federal cybersecurity strategy is
unnecessary? Why or why not?
Answer. The Department of Homeland Security (DHS) executes a whole-
of-government and whole-of-nation approach to cybersecurity. In support
of this, DHS has aligned its cybersecurity goals, initiatives, and
objectives to be consistent with the Administration's priorities for
protecting our Nation's critical information infrastructure and
building a safer and more secure cyber ecosystem. For instance, DHS
worked closely with Federal departments and agencies in developing the
Blueprint for a Secure Cyber Future: The Cybersecurity Strategy for the
Homeland Security Enterprise (Blueprint). The Blueprint leverages the
Comprehensive National Cybersecurity Initiative, the President's 2010
National Security Strategy, the Department of Defense's Strategy for
Operating in Cyberspace, and the President's International Strategy for
Cyberspace. Together, these documents take a whole-of-government
approach and reinforce the need for holistic thinking about the many
opportunities and challenges the Nation faces in cyberspace.
Question 4. In Mr. Gallagher's testimony he pointed out the
difference between ``standards'' and ``regulations.'' Do you agree with
Mr. Gallagher that there is a difference between standards and
regulations?
Answer. Yes, the Department of Homeland Security agrees that there
is a difference between standards and regulations. Regulations are
mandatory and binding on regulated parties as required by a particular
authority. Executive Order (EO) 13636 does not give any Federal entity
new authority to impose regulations or mandates on critical
infrastructure owners and operators. One of the many goals of this EO
and Presidential Policy Directive 21 (PPD 21) is to better streamline
the government's interactions with critical infrastructure owners and
operators and state, local, tribal, and territorial partners.
The EO directs the National Institute of Standards and Technology
(NIST) to work with stakeholders to develop a voluntary framework for
reducing cyber risks to critical infrastructure. The Framework will be
created using standards, guidelines, and best practices that promote
the protection of information and information systems supporting
critical infrastructure operations. Standards are voluntary
recommendations established by consensus and are recognized by a
standardization body. NIST will ask stakeholders to identify existing
cybersecurity standards, guidelines, frameworks, and best practices
that are applicable to increase the security of critical infrastructure
sectors and other interested entities. Regulators of critical
infrastructure operations are encouraged to share their insight and
help identify existing standards already developed by industry through
consensus. Those activities would support the development of the
framework and prove useful in identifying any gaps in current practices
given the current and projected cyber risks. Entities that are
unregulated--or where regulators determine that they do not have the
ability under existing law to regulate for cybersecurity--will be
encouraged to voluntarily adopt the framework.
Question 5. Mr. Gallagher stated in his that any approach to
cybersecurity should not ``dictate solutions to industry, but rather
facilitate(s) industry coming together to develop solutions.'' Do you
agree that any approach to a Cybersecurity Framework should not
``dictate'' solutions to industry but rather ``facilitate industry
coming together to develop solutions?'' What potential disadvantage
would there be to government dictating a solution to industry rather
than facilitating it?
Answer. Yes, the Department agrees that any approach to the
Cybersecurity Framework should ``facilitate industry coming together to
develop solutions.''
The Framework will not dictate ``one-size fits all'' technological
solutions. Instead, it will promote a collaborative approach to
encourage innovation and recognize differing needs and challenges
within and among critical infrastructure sectors. The Government
believes that companies driving cybersecurity innovations can help
shape best practices across critical infrastructure, in part because of
the changing nature and dynamic of risk across cyber and critical
infrastructure. Companies looking to strengthen their security would
have the flexibility to decide how best to do so using innovative
products and services available in the marketplace and choosing which
components of the Framework would apply to their business. Companies
that are cyber leaders will be looked to as models for implementing
best practices and driving the creation and implementation of a
Cybersecurity Framework itself.
Question 6. GAO found that Federal cyber strategies lack clear
goals, performance measures, defined costs and resources, established
roles and responsibilities, and do not coordinate with other national
strategies. Yet the EO directs DHS to use a ``risk-based'' approach to
identify ``critical infrastructure'' within 150 days. The EO also
directs DHS to develop performance measures associated with the
Cybersecurity Framework NIST is charged with developing. If Federal
cyber strategies lack goals and performance measures, what experience
does it have to draw on to develop performance measures for the private
sector, as directed in the EO?
Answer. The Department's Blueprint for a Secure Cyber Future has
specific goals and performance measures associated with it. That said,
Section 7(d) of Executive Order (EO) 13636 directs the Department of
Homeland Security (DHS) to provide ``performance goals''--not
performance measures--in connection with the Cybersecurity Framework
that is being prepared by the National Institute of Standards and
Technology (NIST). Critical infrastructure owners and operators that
adopt the goals would then develop their own measures and targets since
each sector and sub-sector has unique characteristics and each owner/
operator is in the best position to tailor the performance goals to its
business model. Separately, NIST's Cybersecurity Framework will include
guidance for measuring the performance of an entity as it implements
the framework. NIST has considerable experience developing similar
guidance through its special publications, and the draft Framework is
being developed through extensive consultation with industry. Further,
they are able to influence the effort through their direct engagement
and input.
Question 7. Why do you believe Federal cyber strategies have failed
to include clear goals, performance measures, defined costs and
resources, established roles and responsibilities, and to coordinate
with other national strategies?
Answer. Legacy Federal cyber strategies were developed by different
agencies at different points in time. However, beginning with the
Comprehensive National Cybersecurity Initiative in 2008, which was
followed by the Administration's Cyberspace Policy Review in 2009,
Federal cyber strategies have increasingly been developed through
interagency processes and with the attributes identified above. For
example, DHS helped lead development of ``Trustworthy Cyberspace:
Strategic Plan for the Federal Cybersecurity Research and Development
Program.'' In another example, DHS's Blueprint for a Secure Cyber
Future contains goals against which the Department's cybersecurity
programs align performance measures, milestones, resources, roles and
responsibilities. Future year budget requests and performance measures
for emerging programs are developed in alignment with the Blueprint. In
addition to the Blueprint, the Administration's international cyber
strategy, and the Department of Defense's cybersecurity strategy
provide the architecture of ongoing initiatives upon which EO 13636 and
Presidential Policy Directive (PPD) 21 are being implemented. With the
issuance of EO 13636 and PPD-21, the Administration is providing an
opportunity for the Department, other Federal, state and local
agencies, and the private sector to discuss and prioritize
cybersecurity measures to improve critical infrastructure cybersecurity
and ensure overall critical infrastructure security and resilience.
These actions direct the Department to create performance goals,
consider resourcing, and work with and update national strategies,
which will also outline roles and responsibilities for these efforts.
______
Response to Written Question Submitted by Hon. Kelly Ayotte to
Hon. Patrick D. Gallagher
Question. I've recently read that some CIOs would have higher
comfort levels managing cyber security with cloud computing because
vendors such as Google and salesforce.com have vastly more resources to
protect against cyber threats than smaller companies do. Do you believe
and Executive Order or a cyber bill would limit a company's ability to
farm out their cyber security needs? Can you address in more detail
your thoughts on cloud computing as it relates to cybersecurity?
Answer. Cloud computing is a powerful option that, when implemented
correctly, allows businesses to use information technology services to
meet their business needs while protecting their assets. Cloud
computing can provide cybersecurity capabilities that organizations
might find more cost-effective and often allow more resources to
provide cybersecurity than the organizations might be able to provide
themselves. This is generally a measurement of each side's
cybersecurity capability, the services offered by the Cloud provider,
the cost to provide those services, and the level of needed assurance
and visibility of those services by the customer.
The Executive Order requires that ``the Cybersecurity Framework
will provide guidance that is technology neutral''. As such, the
Framework will not limit or put constraints on a company's ability to
use a Cloud service provider to meet their needs. The Framework will
not require or limit a specific architecture or implementation model.
Under its responsibilities in the Federal Information Security
Management Act (FISMA), NIST has published several public cybersecurity
guides and recommendations on the cybersecurity capabilities of cloud
technologies, as well as guidance on cybersecurity considerations when
using cloud service providers. NIST also works jointly with other
agencies in the Federal Risk and Authorization Management Program
(FedRAMP), a government-wide program that provides a standardized
approach to security assessment, authorization, and continuous
monitoring for cloud products and services.
More detailed information on the NIST work in cloud computing and
cybersecurity can be found at the below links:
www.fedramp.gov
www.nist.gov/itl/cloud/
http://www.nist.gov/itl/cloud/publications.cfm
______
Response to Written Question Submitted by Hon. Dan Coats to
Hon. Patrick D. Gallagher
Question. NIST is tasked with developing the framework outlined in
the EO, which I think is appropriate given NIST's technical expertise.
Does NIST have the capacity to develop this framework utilizing its
existing resources?
Answer. Yes. Given that NIST's philosophy is that industry should
lead the development of the Framework, NIST's role with the Framework
will be primarily to convene and provide technical expertise, instead
of developing new standards and solutions. This ``bottom-up'' approach
allows NIST to leverage existing resources, and is similar to its work
with industry to address national priorities in a range of topics,
ranging from smart grid and electronic health records to atomic clocks,
advanced nanomaterials, and computer chips.
Going forward, our process will continue to be an open one--using
an approach to enhance cybersecurity across the sectors through
industry consensus. NIST's process will be focused on developing the
Framework in such a manner that the standards and practices can apply
to the range of sectors, with a full range of operational and business
needs. That will allow for increased engagement and flexibility, both
for the standards and practices that comprise the framework and for the
evolving nature of the threat.
In addition to existing resources, in the Administration's FY14
Budget request NIST has an increase of $2M for cybersecurity standards
that will support the framework being developed under the Executive
Order on Improving Critical Infrastructure Cybersecurity.
______
Response to Written Questions Submitted by Hon. Ron Johnson to
Hon. Patrick D. Gallagher
Question 1. I was pleased to read in your testimony that the
Cybersecurity Framework NIST is charged with developing will be ``NIST-
coordinated and industry-led.'' How can we ensure that the best
practices and standards industry already has and is developing are
utilized in this Framework?
Answer. Through a request for information (RFI), NIST asked
stakeholders a series of questions about existing standards, practices,
and frameworks. NIST received 244 responses to the RFI including
responses from individuals, industry groups and associations (to show
consensus) and organizations (to be able to provide additional detail
on particular responses). NIST will also be hosting a series of
workshops to gather more information and develop the Framework, to
ensure that those existing standards and best practices are
incorporated, and where potential gaps might exist. The first will be
held at Carnegie Mellon Campus in Pittsburgh on May 29-31, followed by
additional workshops around the country on the weeks of July 15 and
September 9. The draft Framework will also be posted for another round
of comment by October 10. In between each workshop NIST will publically
present findings to ensure additional collaboration.
Question 2. What can be done to ensure that the voluntary program
DHS is charged with developing for participation in this Framework does
not turn into a mandatory regulatory structure?
Answer. The Executive Order (E.O. 13636--Improving Critical
Infrastructure Cybersecurity) states that the program established by
the Department of Homeland Security in coordination with Sector-
Specific Agencies shall be voluntary. NIST plans on discussing issues
relating to long-term public-private governance to ensure that the
framework stays flexible and effective in the dynamic environment of
threats and new technologies. The EO encourages voluntary participation
and adoption and provides for harmonization among existing regulatory
requirements.
Question 3. Your testimony states that any approach to
cybersecurity should not ``dictate solutions to industry, but rather
facilitate(s) industry coming together to develop solutions.'' Do you
believe that mandatory regulations in a future Cybersecurity Framework
equate to the government dictating a solution to industry?
Answer. Some sectors--but not all--of our most critical
infrastructure already fall under cybersecurity regulation. The RFI
issued by NIST asked a variety of questions about those regulated
sectors, to ensure that the Framework would be applicable for parts of
industry. In addition, the executive order itself calls for a review of
existing cybersecurity regulation. For those sectors, regulatory
agencies will use the Cybersecurity Framework to assess whether
existing requirements are sufficient to protect against cyber attack.
If existing regulations are insufficient or ineffective, then agencies
must propose new, cost-effective actions based upon the Cybersecurity
Framework. Regulatory agencies will use their existing process to
consult with their regulated companies to develop and propose any new
regulations, allowing for a collaborative process.
Question 4. You state in your testimony that standards are
``agreed-upon best practices against which we can benchmark
performance. Thus, these are NOT regulations.'' Can you tell us more
about the difference between standards and regulations? Why do you make
such a point of clarifying that standards are NOT regulations?
Answer. Standards are developed in a consensus process with
stakeholders and are voluntary. Technical regulations are set by an
authority and are mandatory. My testimony makes that distinction in
order to specify that the process under the Executive order will build
on the existing solutions that are already used throughout industry,
instead of generating regulations. The Executive Order specifies that
the Framework must meet the requirements of the National Institute of
Standards and Technology Act, as amended (15 U.S.C. 271 et seq.), the
National Technology Transfer and Advancement Act of 1995 (Public Law
104-113), and OMB Circular A-119, as revised--all laws and policy that
dictate how the Federal Government uses standards and participates in
standards development.
Question 5. What downside is there to turning industry standards
into mandatory regulations in a Cybersecurity Framework?
Answer. Having industry standards as a part of the Cybersecurity
Framework would not turn them into mandatory regulations. The
development of the Framework will be done in such a way to encourage
adoption of existing standards--focusing on practices that will enhance
the security of organizations that easily fit in their current business
practices. We expect the Framework to have tools that will satisfy
different regulatory and legal requirements with an ``implement once,
comply many'' mentality. This would lower regulatory compliance costs
while allowing organization to focus on risk management.
Question 6. Given your experience, how can the International
Organization for Standardization be leveraged to develop voluntary
standards for what will be deemed cyber critical infrastructure?
Answer. The International Organization for Standardization is one
of many industry led, consensus based, transparent Standards
Development Organizations (SDOs) that operation in a multinational
environment. This type of SDO is essential for large scale, global
adoption where both our critical infrastructures and those that supply
them with critical IT and equipment operate in a global market.
NIST will work with the stakeholders in a public-private
partnership on the development of the framework and will identify both
when and where the framework or components of the framework are ready
for further development as international standards.
______
Response to Written Questions Submitted by Hon. Amy Klobuchar to
David E. Kepler
Question 1. I think it's important to recognize the proactive steps
industry has undertaken to invest in cyber security and independently
develop programs and best practices to protect their networks,
operations and customers. Do you believe privately-held critical
infrastructure companies have a responsibility to secure themselves and
their customers from cyber threats to the maximum extent possible?
Answer. Yes, cybersecurity risk is important and should be managed
by all companies. Companies are limited by the amount of cyber
intelligence that government shares, quality and security of IT
products, and services provided by the telecommunication sector. These
should be an area of emphasis for any new cyber security legislation.
Question 2. I appreciate the efforts Dow and the American Chemistry
Council have made. Are other major critical infrastructure sectors and
companies making similar investments in implementing cyber security
procedures and promoting best practices among their employees?
Answer. We do not have direct exposure to the initiatives of other
sectors.
Question 3. Dow Chemical is, of course, a major company with
substantial resources to devote to this problem. Do all critical
infrastructure sectors and companies have the same level of resources
to devote to cyber security?
Answer. We are unable to comment on this.
Question 4. Do all critical infrastructure sectors and companies
share the same deep knowledge and appreciation of the seriousness of
cyber security threats as you and your company?
Answer. We have participated in some industry forums where other
sectors have shared their approach to address cyber security. It seems
to be an important risk for American companies.
Question 5. If not all critical infrastructure sectors and
companies share the same will and capability to address this threat,
does the Federal Government have a responsibility to do something to
direct or assist measures to protect that critical infrastructure?
Answer. We do support legislation that promotes information sharing
and provides liability protection. In addition to that, legislation
should address the accountability of IT and telecommunication suppliers
to produce secure products and be unified in providing services that
companies can rely on for threat response. Government, IT industry and
telecommunications are the backbone of the internet.
Question 6. Are there inter-sector efforts among private critical
infrastructure providers to help one another develop cyber security
procedures and best practices? It would seem that all sectors and
companies ought to be able to agree on some investments in this area
that are necessary and wise.
Answer. ACC has been promoting information sharing among chemical
companies and has defined cyber security expectations for companies
that are part of ACC and the Responsible Care program. We do not
actively collaborate with other sectors.
______
Response to Written Questions Submitted by Hon. Dan Coats to
David E. Kepler
Question 1. The EO, as I read it, focuses solely on government-to-
private-sector information sharing. My sense is that better private-to-
government and private-to-private information sharing protocols need to
be implemented, and I question how we can get there without better
liability protections. What would you need for better private-to-
government and private-to-private information sharing?
Answer. Experience would indicate that most of the critical
infrastructure sectors have good private-to-private information sharing
protocols that have been developed in their industry groups. However,
cross industry, regional and national private-to-private information
sharing could be improved. The following capabilities would help
improve information sharing:
A well-established protocol on how information will be
recorded and stored.
Clarity on which individuals can receive information.
Relief from liability for information sharing, provided a
proper management system is in place, and liability protection
for the private sector as a result of a cyber-attack, as
afforded under the Support Anti-terrorism by Fostering
Effective Technologies (SAFETY) Act of 2002.
Protocol on managing anti-trust and FOIA requests.
Question 2. Expertise in cybersecurity is a formula (expertise =
technical capability + cyber threat information). Where do you turn for
expertise now and how might that change under the President's Executive
Order? Do you feel private sector cybersecurity is lacking technical
capability or cyber threat information?
Answer. There has been significant investment in technical skills,
expertise and technologies in the chemical industry and at Dow,
specifically. We find this to be true in most large companies and
critical infrastructure industries. There has also been strong
engagement in standard setting. We benchmark and share information with
our industry, across industries, with government agencies and with IT
and security suppliers. It is not clear to us that this is changing
with the Executive order.
The one area we think the Executive order falls short is how it
will address the information technology community. Effective cyber
information sharing policy should be comprehensive in its coverage of
all relevant industry parties including the IT sector.
______
Response to Written Questions Submitted by Hon. Marco Rubio to
David E. Kepler
Question 1. The National Infrastructure Advisory Council (NIAC)
provides the President and Secretary Napolitano with advice on the
security of the critical infrastructure sectors and their information
systems. Based on your experience at the council, are you aware of
current programs or efforts that could be leveraged to combat cyber
threats, rather than setting up a completely new framework and set of
standards?
Answer. Cybersecurity policies were set back in 2003 for the
nation, with the National Strategy to Secure Cyberspace, and many
programs such as NIPP and CFATS in the chemical sector to address
cybersecurity. In addition, there are standards already in place that
industry is engaged in and implementing, such as ISO 27002 and ISA/IEC
62443 for industrial automation. We would encourage the Administration
to engage with industry sectors to build on the systems in place rather
than starting from scratch.
Question 2. Dow is one of the largest manufacturers of chemicals in
the world and a multinational corporation that has its own
cybersecurity standards and protections in place. Dow has also invested
significantly in its own infrastructure to combat cyber threats. Now
the Federal Government is setting up a framework with standards and
best practices. This is after there was legislation in the last
Congress that would have taken the role of government a step further.
As a company with cybersecurity protections in place, with a vested
interest in protecting your networks and assets, what do you feel is
the proper role of government with regards to cybersecurity?
Answer. The role of government is to set effective national
security policy. The focus of an Executive Order or legislation should
be:
Manage government networks according to its own standards.
Ensure that the information technology suppliers are working
with the communication suppliers and government to harden basic
Internet security.
Create an environment to safely share information between
the government and private sector.
Aggressive pursuit and prosecution of cyber criminals
(including international crime).
Question 3. Your testimony states that Dow has concerns with the
Executive order's current approach of a voluntary program for critical
infrastructure industries to adopt cybersecurity standards. Is there a
concern that government defined standards or selected standards could
miss the specific challenges faced by the chemical industry? Dow
operates in a dynamic environment and cyber threats are always changing
and take on different forms. Why it is important for the voluntary
standards to be flexible? Could a static government requirement inhibit
your ability to respond to threats?
Answer. The industry already works under standards and protocols,
such as ISO 27002 and ISA/IEC 62443 for industrial automation, as well
as the Responsible Care Security Code, that are not only voluntary but
are required to maintain membership in the American Chemistry Council.
There is a concern that there will be documentation and publication
of any industry or company within critical infrastructure if they
choose not to volunteer to a standard. There will be legitimate debate
on specific risks and why a variance should be applied or how it should
be applied. For example, cyber standards without imbedding and
understanding the physical standards and other mitigations do not show
the complete mitigation effort.
Effectively, setting pseudo regulations may stifle superior
cybersecurity systems by impeding quick response or system specific
security.
Question 4. There has been criticism in Congress directed at the
private sector for not doing enough to combat cyber threats. Yet the
GAO just found a disturbing trend that Federal agencies are failing to
comply with Federal Information Security Management standards, and that
DHS has not adequately met its responsibilities. Is Dow alarmed that
some of the very agencies that may require more of the company with
respect to cybersecurity have been found to be lacking in their own
cyber standards and practices?
Answer. Yes, a key point is that government should play a more
constructive role in setting an example of securing their own networks,
sharing information, as well as setting standards for the IT suppliers
to help them rather than revisiting critical infrastructure compliance.
______
Response to Written Questions Submitted by Hon. Ron Johnson to
David E. Kepler
Question 1. How is Dow Chemical, and the chemical industry in
general, currently hampered from sharing information among peers and
with the government?
Answer. We need legislation that covers liability protection for
sharing threat or attack information with the government and antitrust
relief to share with industry peers.
Question 2. How important is it to your industry for Congress to
pass information sharing legislation?
Answer. It is very important for the industry that government
shares more information on cyber security threats and best practices.
We fully rely on the government's capabilities. The private sector does
not have the resources or expertise to support cyber intelligence
activities.
Question 3. Would you prefer for Congress to attempt to pass a
comprehensive piece of cybersecurity legislation or to attempt to
address the low-hanging fruit in a piecemeal fashion?
Answer. We do support a ``piecemeal, low-hang fruit approach'' like
addressing information sharing. In addition to that, legislation should
address the accountability of IT and telecommunication suppliers to
produce secure products and be unified in providing services that
companies can rely on for threat response. Government, IT industry and
telecommunications are the backbone of the internet.
Question 4. Mr. Gallagher's testimony stated that any approach to
cybersecurity should not ``dictate solutions to industry, but rather
facilitate(s) industry coming together to develop solutions.'' Do you
believe that mandatory regulations would equate to the government
dictating a solution to industry?
Answer. Yes, the industry sector does not need prescriptive
solutions. All solutions should be risk-based considering the
characteristics and the dynamics of different industries. We agree that
any approach to cyber security should create an environment where
government, IT industry, the telecommunications sector and other
industries can collaborate to elevate the overall security of the
country.
Question 5. You stated in your testimony that Dow adheres to a set
of policies and standards from organizations including NIST and
established industry standards set forth by the International
Organization for Standardization (ISO). Given your experience, how can
the ISO be leveraged to develop voluntary standards for what will be
deemed cyber critical infrastructure?
Answer. We believe that companies, especially critical
infrastructure companies, should implement cyber security programs that
comply with accepted industry practices like ISO 27001. Some of the
companies are multinational, and ISO 27001 standards allow global
implementations.
______
Response to Written Questions Submitted by Hon. Ron Johnson to
Gregory C. Wilshusen
Question 1. The Government Accountability Office (GAO) issued a
report in February 2013 entitled, ``National Strategy, Roles, and
Responsibilities Need to be Better Defined and More Effectively
Implemented.'' In this report GAO found that only eight of 22 of
agencies were in compliance with risk management requirements under the
Federal Information Security Management (FISMA) standards in 2011, down
from 13 out of 24 in 2010. Yet the Federal Government reported 782
percent more cyber incidents to the U.S. Computer Emergency Readiness
Team in 2012 than it did in 2006. How does the increase in cyber
incidents against the Federal Government, combined with the decrease in
compliance of Federal agencies with FISMA, impact the cybersecurity
posture of the U.S. Government?
Answer. Threats to systems supporting critical infrastructure and
Federal operations are evolving and growing, and the increasing risks
are demonstrated by the dramatic increase in reports of security
incidents. However, several factors make it difficult to directly
correlate the number of reported incidents with the overall
cybersecurity posture of the U.S. Government. For example, according to
the United States computer emergency readiness team (US-CERT), the
growth in the total number of reported incidents is attributable, at
least in part, to agencies improving their detection and reporting of
security incidents on their networks. Further, having better detected
incidents, it is possible that agencies are also better implementing
appropriate responsive and preventative countermeasures. We have
ongoing work to assess agencies' incident response and handling
procedures. As we reported, agencies are still challenged in
implementing several aspects of their information security programs,
including risk management. To help address shortcomings in risk
management, the administration has set a cross-agency priority goal to
improve continuous monitoring. Continuous monitoring is the process of
maintaining an ongoing awareness of information security,
vulnerabilities, and threats to support organizational risk management
decisions. Federal agencies are to achieve 95 percent implementation of
a continuous monitoring program by 2014. According to the Office of
Management and Budget (OMB), in Fiscal Year 2011, implementation of
automated continuous monitoring capabilities rose from 56 percent of
total assets in Fiscal Year 2010 to 78 percent of total assets in
Fiscal Year 2011, although, as we reported, agency inspectors general
cited weaknesses in continuous monitoring at a number of agencies.
While the mixed results of agency FISMA implementation statistics do
not clearly indicate whether the government's cybersecurity posture is
deteriorating as a result of an increase in reported incidents, the
overall need for agencies to improve their cybersecurity programs is
clear.
Question 2. On February 12, 2013, the White House issued an
Executive Order (EO) entitled ``Improving Critical Infrastructure
Cybersecurity.'' In this EO, the White House directs the National
Institute for Standards and Technology to develop a Framework to reduce
cyber risks to critical infrastructure. At the March 7 hearing, Mr.
Gallagher stated that any such framework will be NIST-coordinated but
industry-led in order to draw on standards and best practices from
industry. He went on to say that any approach should not dictate
solutions to industry but rather facilitate industry identifying
solutions. How important is it for the development of the Cybersecurity
Framework to be ``industry-led?'' Why?
Answer. The Executive Order states that the Director of the
National Institute of Standards and Technology (NIST) will lead the
development of the Cybersecurity Framework, and the NIST Director is
accountable for publishing a final version of the framework by February
12, 2014. However, Mr. Gallagher, as noted, interpreted NIST's role to
be one of coordinating an industry-led effort. This interpretation is
consistent with the executive order's direction that the cybersecurity
framework incorporate voluntary consensus standards and industry best
practices to the fullest extent possible and employ a consultative
process whereby the advice of critical infrastructure owners, among
others, is considered. We believe the extent to which industry
participates in developing the framework will likely influence the
extent to which the framework is adopted by infrastructure owners and
operators and has a positive effect in enhancing the security of the
Nation's critical infrastructure.
Question 3. What are potential downfalls of having a solution be
dictated from the government to industry?
Answer. Collaboration and the use of a consultative process are
critical to the success of the effort to develop and facilitate
adoption of the Cybersecurity Framework by critical infrastructure
owners and operators. A solution dictated from the government to
industry could pose risks that burdensome implementation costs could be
imposed on industry, the technical aspects of the solution might be
less practical or effective than other options, and industry would be
reluctant to implement the framework. For these reasons, the standards-
setting process in the United States, as elsewhere in the world, relies
on principles of consensus, transparency, balance, due process, and
openness to ensure that any framework of standards is as inclusive as
possible.
Question 4. What issues, both generally and specifically, in your
view should Congress perform oversight of over the next year as this
Framework is developed?
Answer. The executive order specifies several activities that can
provide a basis for overseeing the development and implementation of
the framework. Within the next year, the emphasis will be on developing
the framework. Congress can focus on overseeing NIST's implementation
of the consultative process to ensure that industry is heavily
involved. This oversight could include reviewing the preliminary
version of the framework, which is due 240 days after the order was
issued. In addition, recommendations regarding a set of incentives for
promoting participation in the program are to be made within 120 days
of the order's issuance. Further, within 150 days, the Secretary of
Homeland Security is to identify critical infrastructure at greatest
risk, using a consultative approach. Congressional oversight can
include reviewing these activities to ensure that the requirements
specified in the order are met.
Question 5. GAO found that Federal cyber strategies lack clear
goals, performance measures, defined costs and resources, established
roles and responsibilities, and do not coordinate with other national
strategies. This failure to coordinate strategies raises concerns over
how effective the Administration can be in implementing the new
responsibilities laid out in the Executive order. The EO directs DHS to
use a ``risk-based'' approach to identify ``critical infrastructure''
within 150 days. The EO also directs DHS to develop performance
measures associated with the Cybersecurity Framework NIST is charged
with developing. If the government is having a hard time developing
performance measures for itself, how will this impact the government's
ability to develop performance measures for the private security? How
involved should industry be in this process?
Answer. Without a proven track record for developing performance
measures, the Federal Government will need to engage the private sector
to help develop private sector performance measures. While the
government has generally not included performance metrics in its
national strategy documents, it has developed metrics for measuring the
implementation of security controls by Federal agencies. For example,
the Department of Homeland Security (DHS) has developed the metrics
used in the Cyberscope reporting tool, which captures data on security
control implementation at agencies, although it generally did not
include a metric that addresses performance targets which would allow
agencies to track progress over time. Our report on information
security performance measures demonstrated that leading organizations
used compliance, effectiveness of controls, and program impact
performance metrics for monitoring their information security
posture.\1\
---------------------------------------------------------------------------
\1\ GAO, Information Security: Concerted Effort Needed to Improve
Federal Performance Measures, GAO-09-617 (Washington, D.C.: Sept. 14,
2009).
---------------------------------------------------------------------------
Developing useful performance measures for the private sector's
implementation of the Cybersecurity Framework, like the development of
the framework itself, relies on collaboration with the private sector.
Federal policy, including Presidential Policy Directive 21, Executive
Order 13636, and the National Infrastructure Protection Plan (NIPP),
establishes a cyber protection approach for the Nation's critical
infrastructure sectors that focuses on the development of public-
private partnerships. The NIPP sets forth a risk management framework
and details the roles and responsibilities of DHS, sector-specific
agencies, and other federal, state, regional, local, tribal,
territorial, and private sector partners, including how they should use
risk management principles to prioritize protection activities within
and across sectors.\2\ Further, the NIPP recommends that outcome-
oriented metrics be established that are specific and clear as to what
they are measuring, practical or feasible in that needed data are
available, built on objectively measureable data, and aligned with
sector priorities. Direct input from the private sector will be
critically important in ensuring that these criteria are met.
---------------------------------------------------------------------------
\2\ Presidential Policy Directive 21 directed the Secretary of
Homeland Security to update the National Infrastructure Protection Plan
by October 2013.
---------------------------------------------------------------------------
�