[Senate Hearing 113-295] [From the U.S. Government Publishing Office] S. Hrg. 113-295 THE CYBERSECURITY PARTNERSHIP BETWEEN THE PRIVATE SECTOR AND OUR GOVERNMENT: PROTECTING OUR NATIONAL AND ECONOMIC SECURITY ======================================================================= JOINT HEARING before the COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION and the COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS UNITED STATES SENATE ONE HUNDRED THIRTEENTH CONGRESS FIRST SESSION __________ MARCH 7, 2013 __________ Printed for the use of the Committee on Commerce, Science, and Transportation ---------- U.S. GOVERNMENT PRINTING OFFICE 88-180 PDF WASHINGTON : 2014 ----------------------------------------------------------------------- For sale by the Superintendent of Documents, U.S. Government Printing Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC 20402-0001 SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION ONE HUNDRED THIRTEENTH CONGRESS FIRST SESSION JOHN D. ROCKEFELLER IV, West Virginia, Chairman BARBARA BOXER, California JOHN THUNE, South Dakota, Ranking BILL NELSON, Florida ROGER F. WICKER, Mississippi MARIA CANTWELL, Washington ROY BLUNT, Missouri FRANK R. LAUTENBERG, New Jersey MARCO RUBIO, Florida MARK PRYOR, Arkansas KELLY AYOTTE, New Hampshire CLAIRE McCASKILL, Missouri DEAN HELLER, Nevada AMY KLOBUCHAR, Minnesota DAN COATS, Indiana MARK WARNER, Virginia TIM SCOTT, South Carolina MARK BEGICH, Alaska TED CRUZ, Texas RICHARD BLUMENTHAL, Connecticut DEB FISCHER, Nebraska BRIAN SCHATZ, Hawaii RON JOHNSON, Wisconsin WILLIAM COWAN, Massachusetts Ellen L. Doneski, Staff Director James Reid, Deputy Staff Director John Williams, General Counsel David Schwietert, Republican Staff Director Nick Rossi, Republican Deputy Staff Director Rebecca Seidel, Republican General Counsel and Chief Investigator SENATE COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS THOMAS R. CARPER, Delaware, Chairman CARL LEVIN, Michigan TOM COBURN, Oklahoma, Ranking MARK L. PRYOR, Arkansas JOHN McCAIN, Arizona MARY L. LANDRIEU, Louisiana RON JOHNSON, Wisconsin CLAIRE McCASKILL, Missouri ROB PORTMAN, Ohio JON TESTER, Montana RAND PAUL, Kentucky MARK BEGICH, Alaska MICHAEL B. ENZI, Wyoming TAMMY BALDWIN, Wisconsin KELLY AYOTTE, New Hampshire HEIDI HEITKAMP, North Dakota Richard J. Kessler, Staff Director John P. Kilvington, Deputy Staff Director Beth M. Grossman, Chief Counsel Keith B. Ashdown, Republican Staff Director Christopher J. Barkley, Republican Deputy Staff Director Andrew C. Dockham, Chief Counsel C O N T E N T S ---------- Page Hearing held on March 7, 2013.................................... 1 Statement of Senator Rockefeller................................. 1 Prepared statement........................................... 3 Statement of Senator Carper...................................... 4 Prepared statement........................................... 6 Statement of Senator Thune....................................... 8 Statement of Senator Coburn...................................... 9 Prepared statement........................................... 10 Statement of Senator Warner...................................... 30 Statement of Senator Cowan....................................... 35 Statement of Senator Johnson..................................... 36 Statement of Senator Baldwin..................................... 38 Statement of Senator Pryor....................................... 40 Statement of Senator Ayotte...................................... 76 Witnesses Hon. Janet Napolitano, Secretary, U.S. Department of Homeland Security....................................................... 11 Prepared statement........................................... 13 Hon. Patrick D. Gallagher, Ph.D., Under Secretary of Commerce for Standards and Technology, U.S. Department of Commerce.......... 19 Prepared statement........................................... 21 David E. Kepler, Chief Sustainability Officer, Chief Information Officer, Business Services and Executive Vice President, The Dow Chemical Company........................................... 42 Prepared statement........................................... 44 Gregory C. Wilshusen, Director, Information Security Issues, U.S. Government Accountability Office............................... 48 Prepared statement........................................... 50 Appendix American Gas Association, prepared statement..................... 83 Response to written questions submitted to Hon. Janet Napolitano by: Hon. Amy Klobuchar........................................... 88 Hon. Kelly Ayotte............................................ 89 Hon. Dan Coats............................................... 92 Hon. Ron Johnson............................................. 98 Response to written questions submitted to Hon. Patrick D. Gallagher by: Hon. Kelly Ayotte............................................ 101 Hon. Dan Coats............................................... 102 Hon. Ron Johnson............................................. 102 Response to written questions submitted to David E. Kepler by: Hon. Amy Klobuchar........................................... 103 Hon. Dan Coats............................................... 104 Hon. Marco Rubio............................................. 105 Hon. Ron Johnson............................................. 106 Response to written questions submitted by Hon. Ron Johnson to Gregory C. Wilshusen........................................... 106 THE CYBERSECURITY PARTNERSHIP BETWEEN THE PRIVATE SECTOR AND OUR GOVERNMENT: PROTECTING OUR NATIONAL AND ECONOMIC SECURITY ---------- THURSDAY, MARCH 7, 2013 U.S. Senate, Committee on Commerce, Science, and Transportation, Committee on Homeland Security and Governmental Affairs, Washington, DC. The Committees met, pursuant to notice, at 2:30 p.m., in room SD-G50, Dirksen Senate Office Building, Hon. John D. Rockefeller IV, Chairman of the Commerce Committee, presiding. OPENING STATEMENT OF HON. JOHN D. ROCKEFELLER IV, U.S. SENATOR FROM WEST VIRGINIA Chairman Rockefeller. Ladies and gentlemen, this hearing will come to order. I have one quick announcement to make--and that is, I was just told that we may have a vote on John Brennan, for the CIA, coming up within a relatively short period of time, so we need to be as efficient as possible. But, on the other hand, we can come back from that. So, let me make my opening statement. And I know that Tom is coming. Long ago, we made the decision in this country that private companies would build, and that they would own, our key transportation, communications, and energy networks. That was, and still is, a good decision. Given the opportunity to earn a reasonable profit on their investment, private companies build our railroads, our wireline telephone network, our aviation system, our pipelines, and so many other physical assets that we have. They were built by private corporations, private money, and are owned by them. But, this isn't just our past, it's our future, too. With the encouragement and support of Federal, State, and local governments, private companies are hard at work today building the broadband network that will be the key to our country's success in the 21st century. What we have always asked these companies for in return is that they serve, not just the interests of their shareholders, but also the broader general interests of the country, however one wants to define that. As those of us who serve on the Commerce Committee know well, getting big things done in this country, and in this body, is slow. It's very slow. And it always takes, on really big stuff, the private sector and the public sector, working together. It just has to be that way. That's the kind of partnership we will need to address the grave new threat that our country faces today, which are cyber attacks, which, 4 years ago, were treated lightly, and today are still treated too lightly, in my judgment, but is the number one national security threat that the country faces. Back in 2009, when I started working on this issue with Senator Olympia Snowe, cybersecurity was just an exotic idea. To some, it still is just that, or it's an idea to push aside and take up later. But, it is not. Almost every day, we read about another company, another Government agency that's been electronically attacked by adversaries trying to cause economic damage or searching for sensitive information, and getting it. It's not a threat that we can address through a traditional military response, of course, and it's not a threat that individual companies can handle through their normal risk mitigation practices. It's a threat that challenges our traditional notion of the public and private spheres. That's what makes it interesting. A cyber attack against a government agency or a defense contractor is an attack against our nation. An attack against a private company dealing with--say, a water company--is an attack against our nation. So is it with an attack on a private company that provides power or clean water to millions of Americans; an attack against any of these pieces, even though they might be privately operated, is an attack against our nation's critical infrastructure and, therefore, against us, as a nation. Since I've been working on this issue, I've had a lot of good and productive sessions with the private sector. But, you know what? We also have wasted an awful lot of time by turning an urgent national security issue into a partisan political fight. How one does that on the number one national security threat, I don't know, but somehow we've managed to do it. Back in 2010, we passed, in the Commerce Committee, a cyber bill. We did it unanimously. And we did that because we didn't have any vote, everybody just agreed, and it zipped right through. However, we couldn't get enough votes, in 2012, to start debate, even, on this issue on the Senate floor even though the whole military and intelligence establishment was going crazy at our lack of movement. The Obama administration got tired of waiting for us. I can't blame them. This is a problem that's growing worse every day. So, on February 12 of this year, the President released an Executive order that takes some very important steps--not enough, because he can't create the law that's necessary for some things, but they worked very hard to make this Executive order a welcoming invitation to the private sector to work together on this problem. It seeks to formalize and to strengthen the working relationships many companies already have with our cybersecurity experts in the Federal Government. The Executive order starts a process with NIST--can NIST be helpful? I think this can be helpful. Some others don't think so, because it's called a ``government agency.'' We're going to hear more about the Executive orders from our witnesses. The Senators sitting in this dais today understand what an urgent issue this is. We all want to do something. We want to come together. We want to be ruled by our common sense, not by other interests. So, we have our work cut out. [The prepared statement of Chairman Rockefeller follows:] Prepared Statement of Hon. John D. Rockefeller IV, U.S. Senator from West Virginia and Chairman, U.S. Senate Committee on Commerce, Science, and Transportation Long ago we made the decision that in this country, private companies would build and own our key transportation, communications, and energy networks. That was and still is a good decision. Given the opportunity to earn a reasonable profit on their investment, private companies built our railroads, our wireline telephone network, our aviation system, our pipelines, and many other physical assets that have fueled our country's phenomenal economic success. This isn't just our past. It's our future too. With the encouragement and support of federal, state, and local governments, private companies are hard at work today building the broadband network that will be key to our country's success in the 21st century. What we have always asked these companies for in return is that they serve not just the narrow interests of their shareholders, but also the broader, general interests of this country. As those of us who serve on the Commerce Committee know very well, getting big things done in this country always requires a partnership between the public and private sectors. That's the kind of partnership we will need to address the grave new threat our country faces today--the threat of cyber attacks. Back in 2009, when I started working on this issue with Senator Snowe, cybersecurity was an exotic idea. Today, four years later, it is a household word. Almost every day, we read about another company, or another government agency, that has been electronically attacked by adversaries trying to cause economic damage or searching for sensitive information. It's not a threat we can address through a traditional military response, and it's not a threat that individual companies can handle through their normal risk mitigation practices. It's a threat that challenges our traditional notion of the public and private spheres. A cyber attack against a government agency or a defense contractor is an attack against our nation. But so is an attack on a private company that provides power or clean water to millions of Americans. An attack against a privately owned and operated piece of our nation's critical infrastructure is an attack on all of us. Since I have been working on this issue, I've had a lot of good, productive discussions with leaders in our business community, our military, and in other government agencies who understand this threat and have good ideas about how we can tackle it. But we've also wasted a lot of time, by turning an urgent national security issue into a partisan political fight. Back in 2010, we passed a cyber bill out of the Commerce Committee unanimously, without a vote. By the fall of 2012, we couldn't even get enough votes to close debate on the Senate floor, even though our country's top national security leaders were urging us to act. The Obama Administration got tired of waiting for us. I can't blame them. This is a problem that is growing worse every day. On February 12, 2013, President Obama released an Executive order that takes some very important steps to start dealing with our cybersecurity problems. The order marshals the resources and the expertise we have in many different Federal agencies to start strengthening our country's ability to defend ourselves from cyber attacks. The Obama Administration worked very hard to make this Executive order a welcoming invitation to the private sector to work together on this problem. It seeks to formalize and strengthen the working relationships many companies already have with our cybersecurity experts in the Federal Government. One of the most important initiatives in the Executive order is to start a process at the National Institute of Standards and Technology (NIST) that will develop cybersecurity standards and best practices with U.S. companies. We are going to hear more about the Executive order from our witnesses today, and we are going hear a lot more about cybersecurity in the 113th Congress. The Senators sitting at this dais today--and many more who are not sitting up here--understand what an urgent issue this is. We understand that some of steps we need to take to defend our people and our critical infrastructure cannot be accomplished by a presidential order. We have to work with each other. We have to trust each other. We have to move forward. And I turn to my distinguished Chairman. And the only--I regret to say this, but this is--since it's not a public meeting, it doesn't hurt me anymore--the only West Virginian--no---- Senator Carper. One of two. Chairman Rockefeller.--one of two in the United States Senate. The one who isn't is the one who's just finished talking. STATEMENT OF HON. THOMAS R. CARPER, U.S. SENATOR FROM DELAWARE Chairman Carper. And the one who is wishes he had his money. [Laughter.] Chairman Carper. Nothing like being born in a log cabin, I'll tell you. I'm thrilled to be here with Senator Rockefeller, our Chair--co-Chair--and Senator Thune and my wingman, here, Tom Coburn, with whom I've worked on a lot of things. I'm delighted with our witnesses. And, Secretary, Pat, we're happy that you could join us today. I'm told that our committees have not held a joint hearing for over 35 years; I guess, since 1975, to be exact. We need to be able to work together; this is a shared responsibility, and not just between government and private sector; this is a shared responsibility here on Capitol Hill: executive branch, legislative branch, and different committees, and different parties. So, this is a great way to get started. I'm happy that we're doing this. But, we're having this hearing today because, as Chairman Rockefeller has said, America's economy and our national security are under attack. This is not the kind of war that some of us served in earlier in our lives or read about in the history books or have watched on television. The war that's occurring today is a war that's occurring in cyberspace, it's occurring in realtime, because, literally as I speak, sophisticated cyber thieves are stealing our ideas, our intellectual property, the very innovation, or the seed corn, if you will, that fuels our economy in years to come. Recent report by Mandiant, an American cybersecurity firm, points the finger for much--not all, but much of the cyber threat thievery that's going on, to a military unit in China. Even more alarming are the reports that hackers are constantly probing the companies that run our nation's critical infrastructure--our electric grid, our gas lines, our waterworks, the banking systems, among others. Since this past summer, for example, websites for a number of major U.S. banks have become the target of repeated cyber attacks that have caused a disruption and service delays. We read about that every week, almost every day. But, once inside a company network, these hackers can do a lot more than steal information or create a temporary nuisance. Among other things, they can shut down our electric grid or release dangerous chemicals into our water supply or into our air. We only have to think about the cyber attack that reportedly destroyed more than 30,000 computers at oil giant Saudi Aramco to know that the threat is real and it is serious. Several of our colleagues, including Senator Rockefeller, Senators Feinstein and Collins, and former Chair of the Committee that I'm now privileged to chair, Joe Lieberman, worked diligently with others to move cybersecurity legislation that Senator Rockefeller has mentioned. Unfortunately, we couldn't come together to pass this vital piece of bipartisan legislation. But, given the growing cyber threats that America faces, we're now more determined than ever to put in place a thoughtful, comprehensive cyber policy to protect our nation, its people, its critical infrastructures, and its economy. Because of Congress's failure to act last year, and the serious nature of the threat, the President has issued, as we know, an Executive order, last month, to better protect our nation's cyber networks. Instead of drafting the order behind closed doors, the White House was very open with the process, conducting numerous listening sessions with companies and trade groups so that the good ideas could be freely shared and adopted, and bad ideas could be rejected. Final product is an order that takes a number of critical steps to improve the security of our critical infrastructure. One of these steps enhances the way we share cyber threat information between the Federal Government and the private sector. For instance, in response to the concerns of many in industry, the order looks to increase the volume, the timeliness, and the quantity of cyber threat information shared with the private sector. The order also relies on public- private partnerships to strengthen the digital backbone of our most sensitive systems. In fact, the order calls on the private sector to lead the development of new security framework, in coordination with NIST, National Institution--National Institute of Standards and Technology. Companies may voluntarily adopt the new cybersecurity framework or work with their current regulations on their solutions. To encourage the adoption of any new framework, though, the order calls for using carrots instead of sticks. For example, the order requires the Department of Homeland Security and other Federal agencies to establish a set of incentives to promote participation in the program. It also requires Homeland Security to expedite the granting of security clearances to the people who run our critical infrastructure, so that industry can better understand the threats that they face. Privacy and civil liberties protections are also a key consideration throughout the order. In fact, agencies are required to incorporate privacy safeguards in all their activities under the order. And, while I commend the President for issuing this important order, there's only so much that he, or any President, could do, using the authorities granted to a President under existing law. Those authorities are simply not enough to get the job done. That's where we come in. Now is the time to begin the process of gathering input from the administration and the broad array of stakeholders in order to ascertain what Congress needs to do, what we need to do, to build on, or fill in the gaps, if you will, around this Executive order so that--that the President has promulgated. For example, we know that what--that more needs to be done on information sharing so that companies can more freely share their best practices and threat information with each other and with our government. We should also consider how we can further improve the protection of our nation's critical infrastructure, including offering incentives, such as liability protection, in certain instances. In addition, we need to be modernize the dated process we have in place to ensure that the security of our Federal network, something that we call FISMA, an area that Senator Coburn and I have worked on for quite some time, along with Senator Collins. It's also important for us to clarify the roles and responsibilities of Federal agencies involved in cybersecurity so that we know who should be held accountable for our successes or failures in tackling this growing threat. And finally, we must also continue to develop the next generation of cyber professionals, grow our own, and better coordinate our cyber research-and-development efforts. A lot of people in this country of ours question, today, whether we're still able to set aside partisan differences or other differences--the stakes are high--and summon the political will to do what's best for America. The stakes are high. And it's important--as the Chairman has said, here--important that we should set aside our difference, whether political or otherwise, and do what's right for our country. And I'm confident, I'm encouraged, that, with the cooperation of the folks that are on these committees and our colleagues with whom we serve, that we're up to the task, and we're going to seize this opportunity. Thank you, Mr. Chairman. [The prepared statement of Chairman Carper follows:] Prepared Statement of Hon. Thomas R. Carper, U.S. Senator from Delaware I am very pleased to be here today with our colleagues from the Senate Commerce Committee hosting a joint hearing on cybersecurity, an incredibly important topic for our country. I would like to thank Chairman Rockefeller, Ranking Member Thune, and my Ranking Member, Dr. Coburn--along with our staff members--for all their work on this hearing. I would also like to thank our witnesses for being here today and for their valuable service to our country. I am told that our Committees have not held a joint hearing for over 35 years--since 1975 to be exact. It is fitting that we have come together again to address this issue because we definitely need a true partnership to pass comprehensive cybersecurity legislation in this Congress--a partnership between Democrats and Republicans, the House and the Senate, Congress and the Administration; and, as the title of this hearing indicates, between government and industry. We are having this hearing today because America's economy and our national security are under attack. This is not the kind of war that some of us served in earlier in our lives, or read about in history books, or watched on TV. This war is occurring in cyberspace and in real time. Literally as I speak, sophisticated cyber thieves are stealing American ideas and intellectual property--the very innovation that fuels our economy. A recent report by Mandiant, an American cybersecurity firm, points the finger for much of this cyber theft to a military unit in China. Even more alarming are the reports that hackers are constantly probing the companies that run our Nation's critical infrastructure--our electrical power grid, gas lines, waterworks, and banking system, among others. Since this past summer, for example, websites for a number of major U.S. banks have become the target of repeated cyber attacks that have caused disruption and service delays. But once inside a company network, these hackers can do a lot more than steal information or create a temporary nuisance. Among other things, they can shut down our electric grid or release dangerous chemicals into our water supply. We only have to think about the cyber attack that reportedly destroyed more than 30,000 computers at oil giant Saudi Aramco to know this threat is real--and serious. Several of our colleagues, including Senators Rockefeller, Feinstein, and Collins, and the former Chairman of the Committee I now chair, Joe Lieberman, worked diligently to move cyber legislation last year. Unfortunately, the Senate could not come together to pass this vital piece of bipartisan legislation. But given the growing cyber threats that America faces, we are now more determined than ever to put in place a comprehensive cyber policy to protect our nation, its people, its critical infrastructure, and its economy. Because of Congress' failure to act last year and the serious nature of the threat, the President issued an Executive Order last month to better protect our Nation's cyber networks. Instead of drafting the Order behind closed doors, the White House was very open with the process, conducting numerous ``listening sessions,'' with companies and trade groups so that good ideas could be freely shared and adopted. The final product is an Order that takes a number of critical steps to improve the security of our critical infrastructure. One of these steps enhances the way we share cyber threat information between the Federal Government and the private sector. For instance, in response to the concerns of many in industry, the Order looks to increase the volume, timeliness, and quality of cyber threat information shared with the private sector. The Order also relies on a public-private partnership to strengthen the digital backbone of our most sensitive systems. In fact, the Order calls on the private sector to lead the development of new security frameworks in coordination with the National Institute of Standards and Technology. Companies may voluntarily adopt the new cybersecurity framework or work with their current regulators on other solutions. To encourage the adoption of any new framework, the Order calls for using carrots instead of sticks. For example, the Order requires the Department of Homeland Security and other Federal agencies to establish a set of incentives to promote participation in the program. It also requires Homeland Security to expedite the granting of security clearances to the people who run our critical infrastructure, so that industry can better understand the threats they face. Privacy and civil liberties protections are also a key consideration throughout the Order. In fact, agencies are required to incorporate privacy safeguards in all their activities under the Order. While I commend the President for issuing this very important Order, there was only so much he could do using the authorities granted to him under existing law. Those authorities are simply not enough to get the job done. Now is the time to begin the process of gathering input from the Administration and a broad array of stakeholders in order to ascertain what Congress needs to do to build on the Executive order that the President has promulgated. For example, we know that more needs to be done on information sharing so that companies can more freely share best practices and threat information with each other, and with the Federal Government. We should also consider how we can further improve the protection of our Nation's critical infrastructure, including offering incentives such as liability protection in certain instances. In addition, we need to modernize the dated process we have in place to ensure the security of our Federal networks. This is an area that I have worked on for years. It is also important for us to clarify the roles and responsibilities of Federal agencies involved in cybersecurity so that we know who should be held accountable for our success or failure in tackling this growing threat. Finally, we must also continue to develop the next generation of cyber professionals and better coordinate our cyber research and development efforts. A lot of people in this country of ours question today whether we're still able to set aside our partisan differences when the stakes are high and summon the political will to do what's best for America. I believe this joint hearing is a good step in showing the American people we can. I look forward to working with our colleagues, as well as with the Administration, industry, and other stakeholders, to pass critically needed cyber legislation. Chairman Rockefeller. The distinguished Ranking Member of the Commerce Committee, Senator Thune. STATEMENT OF HON. JOHN THUNE, U.S. SENATOR FROM SOUTH DAKOTA Senator Thune. Thank you, Mr. Chairman and Chairman Carper. I look forward, along with you and with Senator Coburn and members of both of our committees, to examining the need for a greater cybersecurity partnership between the private sector and the Federal Government. No one can deny the serious threat that we're confronting in cyberspace. Almost daily, we learn of new cyber threats and attacks targeting our government agencies and companies that drive our economy. In these perilous economic times, it's especially troubling that the intellectual capital that fuels our prosperity is being siphoned off by cyber criminals and even nation--states. The National Counterintelligence Executive, the country's chief counterintelligence official, summed it up this way in 2011, and I quote, ``Trade secrets developed over thousands of working hours by our brightest minds are stolen in a split second and transferred to our competitors.'' This large-scale theft cannot be allowed to continue unchecked. We must find solutions that leverage the innovation and know-how of the private sector, as well as the expertise and information held by the Federal Government. And, given the escalating nature of the threat, we should look for solutions that will have an immediate impact. As today's hearing title suggests, one thing we must do is strengthen the partnership between the government and the private sector. As one of our witnesses, David Kepler, of The Dow Chemical Company, observed in his testimony, timely information sharing between government and industry, and among industry peers, is key to this collaboration. The Chair of the House Intelligence Committee has said that, according to intelligence officials, allowing the government to share classified information with private companies could stop up to 90 percent of cyber attacks on U.S. networks. Even if the figure was only 60 to 70 percent, the return would be well worth the effort. Improving research and development is another area where our focus could yield new tools to secure the cyber domain. We should not underestimate the value of R&D. I'm proud to know that South Dakota's own Dakota State University is one of only four schools in the nation designated by the National Security Agency as a National Center of Academic Excellence in Cyber Operations. It's no secret that, during the last Congress, the Senate reached an impasse on cybersecurity legislation. It is my hope--and I suspect that it's our shared hope--that we can avoid another stalemate in this Congress. Today's hearing represents a good start. As we all recognize, this issue crosses the jurisdictional boundaries of many committees, so it is appropriate, if somewhat challenging, that we've joined with our colleagues on the Homeland Security and Governmental Affairs Committee today. Of course, given the importance of this topic and the value of hearing from multiple stakeholders, I look forward to additional sessions in the Commerce Committee as we seek consensus on this vital matter. Our hearing today takes place against the backdrop of the President's recently released Executive order on cybersecurity and related Presidential policy directive. Even though I, like many of my colleagues, was skeptical about executive action, the order's release may provide an opportunity for Congress to find common ground on other steps that will improve our cybersecurity. Of course, we must also conduct meaningful oversight of the Executive order's implementation. I look forward to hearing from Secretary Napolitano and Under Secretary Gallagher today regarding the steps the Department of Homeland Security and the National Institute of Standards and Technology are taking to ensure that the Executive order's promise of improved partnership and collaboration with the private sector is realized in practice. I'm particularly interested in hearing about how the Executive order builds upon or enhances existing mechanism for public- private collaboration. And I'll be interested in the views of our GAO witness, Greg Wilshusen, as to whether the Federal Government is up to the task envisioned by the Executive order, given persistent shortcomings in its own cybersecurity efforts identified by the watchdog agency. Again, Mr. Chairman, I thank you, and I thank all of the witnesses for being here today, and I look forward to hearing their testimony. Chairman Rockefeller. Distinguished Senator from Oklahoma, Tom Coburn. STATEMENT OF HON. TOM COBURN, U.S. SENATOR FROM OKLAHOMA Senator Coburn. Thank you, Mr. Chairman. Welcome, to all the witnesses. I appreciate you being here. Senator Carper and I had a little demonstration or presentation on the Executive order yesterday, and I have to say I was impressed with the thoroughness and the presentation of it. I'm highly disappointed that OMB didn't release the FISMA report. And there's no reason for it, other than it's--shows significant criticism of our ability to manage critical information within the Federal Government. And I will apologize to them vociferously if, in fact--my assessment of that report. But, to not put it out before this hearing is absolutely ridiculous, because we all know--and the GAO's going to testify today what we all know--is the status within our own government on how well we're doing. And so, it's unfortunate that we've chosen not to have a critical piece of information that analyzes a report card on us for this hearing. The--I am appreciative of the leadership of the President and his staff in doing this Executive order. I think it was timely and it was appropriate. And I'll speak to the issue that nobody wants to directly speak to, is--the reason the bill didn't go through the Senate is because there's a--there is a disagreement on the liability protections for business and industry, when they share their information, to protect them against frivolous lawsuits. And in the hearings that Senator Carper and I have had that have been classified thus far, there hasn't been one person who's testified--all administrative witnesses, all administration--who don't agree that those protections are going to have to be there for us to accomplish what we need to do for our country. And so, what we have to do is, we have to get past that one issue, and we have to address the real issues in front of us. The other thing that I would like to emphasize is the fact--and Senator Thune spoke about it, and I know Senator Rockefeller and Senator Carper care immensely about it--and that's the intellectual property loss that this country loses every year. And General Alexander, head of the NSA, has said it's around $400 billion a year. And if we do not create a workable situation, what we're doing is taking the investment that we spend every year, that we want to spend, in terms of RD in this country, and giving it away. So, we have to find a way to solve this problem, in the Senate, and we have to work across the aisle and across the special interest groups that don't want certain things because it might create a lack of a supreme benefit for their cause. What we have to do is what's in the best interests of the nation. And I think the President has shown real leadership with this Executive order, and now we need to come behind it and firm it up. And I appreciate, also, Senator Rockefeller, his cooperation on the witnesses for this. I want to thank you publicly for that. Having a hearing on cybersecurity and not listening to the expert at GAO would be inappropriate. And Mr. Wilshusen is here, and he's knowledgeable, and I look forward to his testimony, on the second panel. Thank you. [The prepared statement of Ranking Member Coburn follows:] Prepared Statement of Hon. Tom Coburn, U.S. Senator from Oklahoma, Ranking Member, U.S. Senate Committee on Homeland Security and Governmental Affairs Thank you, Mr. Chairman. Welcome to all the witnesses. I appreciate you being here. Senator Carper and I had a little demonstration or presentation on the executive order yesterday. And I have to say I was impressed with the thoroughness and the presentation of it. I am highly disappointed that OMB didn't release the FISMA report. There is no reason for it other than it shows significant criticism of our ability to manage critical information within the Federal Government. I will apologize to them vociferously if, in fact, my assessment of that report--but to not put it out before this hearing is absolutely ridiculous, because we all know, and the GAO's going to testify today what we all know, is the status within our own government on how well we're doing, and so it's unfortunate that we have chosen not to have a critical piece of information that analyzes a report card on us for this hearing. I am appreciative of the leadership of the President and his staff in doing this Executive order. I think it was timely and appropriate. I'll speak to the issue that nobody wants directly to speak to, is the reason the bill didn't go through the Senate is because there is a disagreement on the liability protections for business and industry when they share their information to protect them against frivolous lawsuits. In the hearings that Senator Carper and I have had, that have been classified thus far, there hadn't been one person who has testified, all the administrative witnesses--all of administration--who do not agree that those protections are going to have to be there for us to accomplish what we need to do for our country. We have to get past that one issue, and we have to address the issues in front of us. The other thing that I would like to emphasize is the intellectual property loss that this country loses every year. General Alexander, head of the NSA, has said it's around $400 billion a year, and if we do not create a workable situation, what we are doing is taking the investment that we spend every year that we want to spend in terms of R&D in this country, and giving it away. We have to find a way to solve this problem in the Senate, and we have to work across the aisle and across the special interest groups that don't want certain things, because it might create a lack of a supreme benefit for their cause. What we have to do is what's in the best interest of the nation, and I think the President has shown real leadership with this Executive order, and now we need to come behind and firm it up. I appreciate--also, Senator Rockefeller, his cooperation on the witnesses for this. I want to thank you publicly for that. Having a hearing on cybersecurity and not listening to the expert at GAO would be inappropriate, and Mr. Wilshusen is here, and he's knowledgeable, and I look forward to his testimony in the second panel. Thank you. Chairman Rockefeller. Thank you, Senator Coburn. And we now go to our first two witnesses. We're glad they're here. The Honorable Janet Napolitano, who's Secretary, U.S. Department of Homeland Security. I see you at more hearings, on more television, than anybody else within a 10-mile radius of Washington, D.C. But, fortunately, you're here today for us. Please proceed. STATEMENT OF HON. JANET NAPOLITANO, SECRETARY, U.S. DEPARTMENT OF HOMELAND SECURITY Secretary Napolitano. Well, thank you. Thank you, Chairman Rockefeller and Ranking Member Thune and Chairman Carper, Ranking Member Coburn, members of the Committee. I appreciate the opportunity to testify regarding our cybersecurity efforts at the Department of Homeland Security. And I also want to thank Under Secretary Gallagher for our partnership with NIST with the Department of Commerce. This is, as you all have acknowledged, an urgent and important topic. As you know, DHS is responsible for securing unclassified Federal civilian government networks and working with owners and operators of critical infrastructure to help them secure their own networks. We also coordinate the national response to significant cyber incidents, and create and maintain a common operational picture for cyberspace across the government. This is critical, time-sensitive work, because we confront a dangerous combination of known and unknown cyber vulnerabilities and adversaries with strong and rapidly expanding capabilities. Threats range from denial-of-service attacks to theft of valuable intellectual property to intrusions against government networks and systems that control our nation's critical infrastructure. These attacks come from every part of the globe. They come every minute of every day. They are continually increasing in seriousness and sophistication. To protect Federal networks, DHS is deploying technology to detect and to block cyber intrusions, and we are developing continuous diagnostic capabilities while providing guidance on what agencies need to do to protect themselves. We also work closely and regularly with owners and operators of critical infrastructure to strengthen their facilities through onsite risk assessment, mitigation, and incident response, and by sharing risk and threat information. For example, we provided classified cyber threat briefings and technical assistance to help banks improve their defensive capabilities following the recent spate of DDOS attacks. DHS is home to the National Cybersecurity and Communications Integration Center, the NCCIC. The NCCIC is an around-the-clock cyber situational awareness and incident- response center, which, over the past 4 years--and that's as old as it is--has responded to nearly a half a million incident reports and released more than 26,000 actionable cybersecurity alerts to public-and private-sector partners. Last year, the Computer Emergency Readiness Team, US-CERT, resolved approximately 190,000 cyber incidents and issued more than 7,450 alerts--in and of itself, a 68 percent increase from the year before--and our Industrial Control System Cyber Emergency Response Team responded to 177 incidents while completing 89 site visits, deploying 15 teams to respond to significant private-sector cyber incidents involving control systems. Since 2009, DHS components have prevented $10 billion in potential losses through cyber crime investigations. We have arrested more than 5,000 individuals in connection with cyber crime. And we partner closely with the Departments of Justice and Defense to ensure that a call to one is a call to all. So, while each agency operates within the parameters of its authorities, our overall Federal response to cyber incidents of consequence is coordinated among the three agencies. Where agency authorities overlap, as in law enforcement protection and response, we also directly coordinate with and support each other. This synchronization--a call to one is a call to all-- ensures that all of our capabilities are brought to bear against cyber threats, enhances our ability to share timely and actionable information with a variety of partners. But, while our accomplishments are significant and cybersecurity remains a priority for the administration, in order to be able to best meet this growing threat, we need Congress to enact a suite of comprehensive cybersecurity legislation. I appreciate the efforts made in the last Congress to pass bipartisan legislation, but the inability to get this done has, indeed, required the President to take executive action. The EO [Executive order] on Improving Critical Infrastructure Cybersecurity supports more efficient sharing of realtime cyber threat information with the private sector. It directs DHS to develop a voluntary program to promote the adoption of a new cybersecurity framework, and assists the private sector in its implementation. The accompanying Presidential Policy Directive on Critical Infrastructure, Security, and Resilience also directs the executive branch to strengthen our capability to understand and share information about how well critical infrastructure systems are functioning, and the consequence of potential failure. And it calls for a comprehensive research-and-development plan to guide the government's effort to enhance market-based innovation. These two documents, the EO and the PPD, reflect input from stakeholders of all viewpoints across government, industry, and the advocacy community. Their ideas and lessons were incorporated, as were rigorous protections for individual privacy and civil liberties. Importantly, the EO calls us to work within current authorities and increase voluntary cooperation with the private sector. It does not grant any new regulatory authority or establish additional incentives for participation in a voluntary program. Nonetheless, we continue to believe that a comprehensive suite of legislation is necessary to build stronger, more effective public/private partnerships in the realm of cyber. Specifically, Congress should enact legislation to incorporate privacy and civil liberty safeguards into all aspects of cybersecurity, further increase information sharing, and establish and promote the adoption of standards for critical infrastructure, give law enforcement additional tools to fight crime in the Digital Age, create a national data-breach reporting requirement; and, finally, give DHS hiring authority equivalent to that of the NSA. We also know that threats to cyberspace, and the need to address them, do not diminish because of budget cuts. Even in the current fiscal climate, we do not have the luxury of making significant reductions to our capabilities without having significant impacts. Sequester reductions will require us to scale back the development of critical capabilities for the defense of Federal cyber networks. It will disrupt long-term efforts to grow our cybersecurity workforce, and delay the implementation of E3A by approximately 1 year. In addition, sequester has resulted in canceling major cybersecurity exercises by which, involving international, Federal, State, local, private-sector partners, we actually work through the various problem sets and scenarios we confront. The American people expect us to secure the country from a growing cyber threat and to ensure that critical infrastructure is protected. Further action is needed by Congress, including immediate action to address the sequester, if we are to meet our responsibilities. We must act now, not years from now. So, I look forward to working with both committees to make sure we continue to do everything possible to keep the nation safe. I thank you for your continued guidance and support, and for the opportunity to be with you this afternoon. [The prepared statement of Secretary Napolitano follows:] Prepared Statement of Hon. Janet Napolitano, Secretary, U.S. Department of Homeland Security Chairmen Rockefeller and Carper, Ranking Members Thune and Coburn, and Members of the Committees: I am pleased to join you today, and I thank the Committee for your strong support for the Department of Homeland Security (DHS) over the past four years and, indeed, since the Department's founding ten years ago. I can think of no more urgent and important topic in today's interconnected world than cybersecurity, and I appreciate the opportunity to explain the Department's mission in this space and how we continue to improve cybersecurity for the American people as well as work to safeguard the nation's critical infrastructure and protect the Federal Government's networks. Current Threat Landscape Cyberspace is woven into the fabric of our daily lives. According to recent estimates, this global network of networks encompasses more than two billion people with at least 12 billion computers and devices, including global positioning systems, mobile phones, satellites, data routers, ordinary desktop computers, and industrial control computers that run power plants, water systems, and more. While this increased connectivity has led to significant transformations and advances across our country--and around the world-- it also has increased the importance and complexity of our shared risk. Our daily life, economic vitality, and national security depend on cyberspace. A vast array of interdependent IT networks, systems, services, and resources are critical to communication, travel, powering our homes, running our economy, and obtaining government services. No country, industry, community or individual is immune to cyber risks. The word ``cybersecurity'' itself encompasses protection against a broad range of malicious activity, from denial of service attacks, to theft of valuable trade secrets, to intrusions against government networks and systems that control our critical infrastructure. The United States confronts a dangerous combination of known and unknown vulnerabilities in cyberspace and strong and rapidly expanding adversary capabilities. Cyber crime has also increased significantly over the last decade. Sensitive information is routinely stolen from both government and private sector networks, undermining the integrity of the data contained within these systems. We currently see malicious cyber activity from foreign nations engaged in espionage and information warfare, terrorists, organized crime, and insiders. Their methods range from distributed denial of service (DDoS) attacks and social engineering to viruses and other malware introduced through thumb drives, supply chain exploitation, and leveraging trusted insiders' access. We have seen motivations for attacks vary from espionage by foreign intelligence services to criminals seeking financial gain and hackers who may seek bragging rights in the hacker community. Industrial control systems are also targeted by a variety of malicious actors who are usually intent on damaging equipment and facilities or stealing data. Foreign actors are also targeting intellectual property with the goal of stealing trade secrets or other sensitive corporate data from U.S. companies in order to gain an unfair competitive advantage in the global market. Cyber attacks and intrusions can have very real consequences in the physical world. Last year, DHS identified a campaign of cyber intrusions targeting natural gas and pipeline companies that was highly targeted, tightly focused and well crafted. Stolen information could provide an attacker with sensitive knowledge about industrial control systems, including information that could allow for unauthorized operation of the systems. As the President has said, we know that our adversaries are seeking to sabotage our power grid, our financial institutions, and our air traffic control systems. These intrusions and attacks are coming all the time and they are coming from different sources and take different forms, all the while increasing in seriousness and sophistication. The U.S. Government has worked closely with the private sector during the recent series of denial-of-service incidents. We have provided classified cyber threat briefings and technical assistance to help banks improve their defensive capabilities and we have increased sharing and coordination among the various government elements in this area. These developments reinforce the need for government, industry, and individuals to reduce the ability for malicious actors to establish and maintain capabilities to carry out such efforts. In addition to these sophisticated attacks and intrusions, we also face a range of traditional crimes that are now perpetrated through cyber networks. These include child pornography and exploitation, as well as banking and financial fraud, all of which pose severe economic and human consequences. For example, in March 2012, the U.S. Secret Service (USSS) worked with U.S. Immigration and Customs Enforcement (ICE) to arrest nearly 20 individuals in its ``Operation Open Market,'' which seeks to combat transnational organized crime, including the buying and selling of stolen personal and financial information through online forums. As Americans become more reliant on modern technology, we also become more vulnerable to cyber exploits such as corporate security breaches, social media fraud, and spear phishing, which targets employees through e-mails that appear to be from colleagues within their own organizations, allowing cyber criminals to steal information. Cybersecurity is a shared responsibility, and each of us has a role to play. Emerging cyber threats require the engagement of our entire society--from government and law enforcement to the private sector and, most importantly, members of the public. The key question, then, is how do we address this problem? This is not an easy question because cybersecurity requires a layered approach. The success of our efforts to reduce cybersecurity risks depends on effective identification of cyber threats and vulnerabilities, analysis, and enhanced information sharing between departments and agencies from all levels of government, the private sector, international entities, and the American public. Roles, Responsibilities, Activities DHS is committed to ensuring cyberspace is supported by a secure and resilient infrastructure that enables open communication, innovation, and prosperity while protecting privacy, confidentiality, and civil rights and civil liberties by design. Securing Federal Civilian Government Networks DHS has operational responsibilities for securing unclassified Federal civilian government networks and working with owners and operators of critical infrastructure to secure their networks through cyber threat analysis, risk assessment, mitigation, and incident response capabilities. We also are responsible for coordinating the national response to significant cyber incidents and for creating and maintaining a common operational picture for cyberspace across the government. DHS directly supports Federal civilian departments and agencies in developing capabilities that will improve their cybersecurity posture in accordance with the Federal Information Security Management Act (FISMA). To protect Federal civilian agency networks, our National Protection and Programs Directorate (NPPD) is deploying technology to detect and block intrusions through the National Cybersecurity Protection System and its EINSTEIN protective capabilities, while providing guidance on what agencies need to do to protect themselves and measuring implementation of those efforts. NPPD is also developing a Continuous Monitoring as a Service capability, which will result in an array of sensors that feed data about an agency's cybersecurity risk and present those risks in an automated and continuously-updated dashboard visible to technical workers and managers to enhance agencies' ability to see and counteract day-to-day cyber threats. This capability will support compliance with Administration policy, be consistent with guidelines set forth by the National Institute of Standards and Technology (NIST), and enable Federal agencies to move from compliance-driven risk management to data-driven risk management. These activities will provide organizations with information necessary to support risk response decisions, security status information, and ongoing insight into effectiveness of security controls. Protecting Critical Infrastructure Critical infrastructure is the backbone of our country's national and economic security. It includes power plants, chemical facilities, communications networks, bridges, highways, and stadiums, as well as the Federal buildings where millions of Americans work and visit each day. DHS coordinates the national protection, prevention, mitigation, and recovery from cyber incidents and works regularly with business owners and operators to take steps to strengthen their facilities and communities. The Department also conducts onsite risk assessments of critical infrastructure and shares risk and threat information with state, local and private sector partners. Protecting critical infrastructure against growing and evolving cyber threats requires a layered approach. DHS actively collaborates with public and private sector partners every day to improve the security and resilience of critical infrastructure while responding to and mitigating the impacts of attempted disruptions to the Nation's critical cyber and communications networks and to reduce adverse impacts on critical network systems. DHS enhances situational awareness among stakeholders, including those at the state and local level, as well as industrial control system owners and operators, by providing critical cyber threat, vulnerability, and mitigation data, including through Information Sharing and Analysis Centers, which are cybersecurity resources for critical infrastructure sectors. DHS is also home to the National Cybersecurity & Communications Integration Center (NCCIC), a 24x7 cyber situational awareness, incident response, and management center that is a national nexus of cyber and communications integration for the Federal Government, intelligence community, and law enforcement. Responding to Cyber Threats DHS is responsible for coordinating the Federal Government response to significant cyber or physical incidents affecting critical infrastructure. Since 2009, the NCCIC has responded to nearly half a million incident reports and released more than 26,000 actionable cybersecurity alerts to our public and private sector partners. The DHS Office of Intelligence and Analysis is a key partner in NCCIC activities, providing tailored all-source cyber threat intelligence and warning to NCCIC components and public and private critical infrastructure stakeholders to prioritize risk analysis and mitigation. An integral player within the NCCIC, the U.S. Computer Emergency Readiness Team (US-CERT) also provides response support and defense against cyber attacks for Federal civilian agency networks as well as private sector partners upon request. US-CERT collaborates and shares information with state and local government, industry, and international partners, consistent with rigorous privacy, confidentiality, and civil liberties guidelines, to address cyber threats and develop effective security responses. In 2012, US-CERT processed approximately 190,000 cyber incidents involving Federal agencies, critical infrastructure, and our industry partners. This represents a 68 percent increase from 2011. In addition, US-CERT issued over 7,455 actionable cyber-alerts in 2012 that were used by private sector and government agencies to protect their systems, and had over 6,400 partners subscribe to the US-CERT portal to engage in information sharing and receive cyber threat warning information. The Department's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) also responded to 177 incidents last year while completing 89 site assistance visits and deploying 15 teams with US-CERT to respond to significant private sector cyber incidents. DHS also empowers owners and operators through a cyber self-evaluation tool, which was used by over 1,000 companies last year, as well as in- person and on-line training sessions. Successful response to dynamic cyber threats requires leveraging homeland security, law enforcement, and military authorities and capabilities, which respectively promote domestic preparedness, criminal deterrence and investigation, and national defense. DHS, the Department of Justice (DOJ), and the Department of Defense (DOD) each play a key role in responding to cybersecurity incidents that pose a risk to the United States. In addition to the aforementioned responsibilities of our Department, DOJ is the lead Federal department responsible for the investigation, attribution, disruption, and prosecution of domestic cybersecurity incidents while DOD is responsible for securing national security and military systems as well as gathering foreign cyber threat information and defending the Nation from attacks in cyberspace. DHS supports our partners in many ways. For example, the United States Coast Guard as an Armed Force has partnered with U.S. Cyber Command and U.S. Strategic Command to conduct military cyberspace operations. While each agency operates within the parameters of its authorities, the U.S. Government's response to cyber incidents of consequence is coordinated among these three agencies such that ``a call to one is a call to all.'' Synchronization among DHS, DOJ, and DOD not only ensures that whole of government capabilities are brought to bear against cyber threats, but also improves government's ability to share timely and actionable cybersecurity information among a variety of partners, including the private sector. Combating Cybercrime DHS employs more law enforcement agents than any other Department in the Federal Government and has personnel stationed in every state and in more than 75 countries around the world. To combat cyber crime, DHS relies upon the skills and resources of the USSS and ICE and works in cooperation with partner organizations to investigate cyber criminals. Since 2009, DHS has prevented $10 billion in potential losses through cyber crime investigations and arrested more than 5,000 individuals for their participation in cyber crime activities. The Department leverages the 31 USSS Electronic Crimes Task Forces (ECTF), which combine the resources of academia, the private sector, and local, state and Federal law enforcement agencies to combat computer-based threats to our financial payment systems and critical infrastructure. A recently executed partnership between ICE Homeland Security Investigations and USSS demonstrates the Department's commitment to leveraging capability and finding efficiencies. Both organizations will expand participation in the existing ECTFs. In addition to strengthening each agency's cyber investigative capabilities, this partnership will produce benefits with respect to the procurement of computer forensic hardware, software licensing, and training that each agency requires. The Department is also a partner in the National Cyber Investigative Joint Task Force, which serves as a collaborative entity that fosters information sharing across the interagency. We work with a variety of international partners to combat cybercrime. For example, through the U.S.-EU Working Group on Cybersecurity and Cybercrime, which was established in 2010, we develop collaborative approaches to a wide range of cybersecurity and cybercrime issues. In 2011, DHS participated in the Cyber Atlantic tabletop exercise, a U.S.-EU effort to enhance international collaboration of incident management and response, and in 2012, DHS and the EU signed a joint statement that advances transatlantic efforts to enhance online safety for children. ICE also works with international partners to seize and destroy counterfeit goods and disrupt websites that sell these goods. Since 2010, ICE and its partners have seized over 2,000 domain names associated with businesses selling counterfeit goods over the Internet. To further these efforts, the Administration issued its Strategy on Mitigating the Theft of U.S. Trade Secrets last month. DHS will act vigorously to support the Strategy's efforts to combat the theft of U.S. trade secrets--especially in cases where trade secrets are targeted through illicit cyber activity by criminal hackers. In addition, the National Computer Forensic Institute has trained more than 1,000 state and local law enforcement officers since 2009 to conduct network intrusion and electronic crimes investigations and forensic functions. Several hundred prosecutors and judges as well as representatives from the private sector have also received training on the impact of network intrusion incident response, electronic crimes investigations, and computer forensics examinations. Building Partnerships DHS serves as the focal point for the Government's cybersecurity outreach and awareness efforts. Raising the cyber education and awareness of the general public creates a more secure environment in which the private or financial information of individuals is better protected. For example, the Multi-State Information Sharing and Analysis Center (MS-ISAC) opened its Cyber Security Operations Center in November 2010, which has enhanced NCCIC situational awareness at the state and local government level and allows the Federal Government to quickly and efficiently provide critical cyber threat, risk, vulnerability, and mitigation data to state and local governments. MS- ISAC has since grown to include all 50 states, three U.S. territories, the District of Columbia, and more than 200 local governments. The Department also has established close working relationships with industry through partnerships like the Protected Critical Infrastructure Information (PCII) Program, which enhances voluntary information sharing between infrastructure owners and operators and the government. The Cyber Information Sharing and Collaboration Program established a systematic approach to cyber threat information sharing and collaboration between critical infrastructure owners and operators across the various sectors. And, in 2010, we launched a national campaign called Stop.Think.Connect to spread public awareness about how to keep our cyber networks safe. In addition, DHS works closely with international partners to enhance information sharing, increase situational awareness, improve incident response capabilities, and coordinate strategic policy issues in support of the Administration's International Strategy for Cyberspace. For example, the Department has fostered international partnerships in support of capacity building for cybersecurity through agreements with Computer Emergency Response and Readiness Teams as well as the DHS Science & Technology Directorate (S&T). Since 2009, DHS has established partnerships with Australia, Canada, Egypt, India, Israel, the Netherlands, and Sweden. Fostering Innovation The Federal Government relies on a variety of stakeholders to pursue effective research and development projects that address increasingly sophisticated cyber threats. This includes research and development activities by the academic and scientific communities to develop capabilities that protect citizens by enhancing the resilience, security, integrity, and accessibility of information systems used by the private sector and other critical infrastructure. DHS supports Centers of Academic Excellence around the country to cultivate a growing number of professionals with expertise in various disciplines, including cybersecurity. DHS S&T is leading efforts to develop and deploy more secure Internet protocols that protect consumers and industry Internet users. We continue to support leap-ahead research and development, targeting revolutionary techniques and capabilities that can be deployed over the next decade with the potential to redefine the state of cybersecurity in response to the Comprehensive National Cybersecurity Initiative. For example, DHS was a leader in the development of protocols at the Internet Engineering Task Force called Domain Name System Security (DNS SEC) Extensions. DNS SEC is necessary to protect Internet users from being covertly redirected to malicious websites and helps prevent theft, fraud, and abuse online by blocking bogus page elements and flagging pages whose Domain Name System (DNS) identity has been hijacked. S&T is also driving improvements through a Transition to Practice Program as well as liability and risk management protections provided by the Support Anti-terrorism by Fostering Effective Technology (SAFETY) Act that promote cyber security technologies and encourage their transition into successful use. Growing and Strengthening our Cyber Workforce We know it only takes a single infected computer to potentially infect thousands and perhaps millions of others. But at the end of the day, cybersecurity is ultimately about people. The most impressive and sophisticated technology is worthless if it's not operated and maintained by informed and conscientious users. To help us achieve our mission, we have created a number of competitive scholarship, fellowship, and internship programs to attract top talent. We are growing our world-class cybersecurity workforce by creating and implementing standards of performance, building and leveraging a cybersecurity talent pipeline with secondary and post- secondary institutions nationwide, and institutionalizing an effective, ongoing capability for strategic management of the Department's cybersecurity workforce. Congress can support this effort by pursuing legislation that provides DHS with the hiring and pay flexibilities we need to secure Federal civilian networks, protect critical infrastructure, respond to cyber threats, and combat cybercrime. Recent Executive Actions As discussed above, America's national security and economic prosperity are increasingly dependent upon the cybersecurity of critical infrastructure. With today's physical and cyber infrastructure growing more inextricably linked, critical infrastructure and emergency response functions are inseparable from the information technology systems that support them. The government's role in this effort is to share information and encourage enhanced security and resilience, while identifying and addressing gaps not filled by the marketplace. Last month, President Obama issued Executive Order 13636 on Improving Critical Infrastructure Cybersecurity as well as Presidential Policy Directive 21 on Critical Infrastructure Security and Resilience, which will strengthen the security and resilience of critical infrastructure through an updated and overarching national framework that acknowledges the increased role of cybersecurity in securing physical assets. DHS Responsibilities The President's actions mark an important milestone in the Department's ongoing efforts to coordinate the national response to significant cyber incidents while enhancing the efficiency and effectiveness of our work to strengthen the security and resilience of critical infrastructure. The Executive order supports more efficient sharing of cyber threat information with the private sector and directs NIST to develop a Cybersecurity Framework to identify and implement better security practices among critical infrastructure sectors. The Executive order directs DHS to establish a voluntary program to promote the adoption of the Cybersecurity Framework in conjunction with Sector- Specific Agencies and to work with industry to assist companies in implementing the framework. The Executive order also expands the voluntary DHS Enhanced Cybersecurity Service program, which promotes cyber threat information sharing between government and the private sector. This engagement helps critical infrastructure entities protect themselves against cyber threats to the systems upon which so many Americans rely. This program is a good example of information sharing with confidentiality, privacy and civil liberties protections built into its structure. DHS will share with appropriately cleared private sector cybersecurity providers the same threat indicators that we rely on to protect the .gov domain. Those providers will then be free to contract with critical infrastructure entities and provide cybersecurity services comparable to those provided to the U.S. Government. Through the Executive order, the President also directed agencies to incorporate privacy, confidentiality, and civil liberties protections. It specifically instructs DHS to issue a public report on activities related to implementation, which would therefore enhance the existing privacy policy, compliance, and oversight programs of DHS and the other agencies. In addition, the Presidential Policy Directive directs the Executive Branch to strengthen our capability to understand and efficiently share information about how well critical infrastructure systems are functioning and the consequences of potential failures. It also calls for a comprehensive research and development plan for critical infrastructure to guide the government's effort to enhance market-based innovation. Because the vast majority of U.S. critical infrastructure is owned and operated by private companies, reducing the risk to these vital systems requires a strong partnership between government and industry. There is also a role for state, local, tribal and territorial governments who own a significant portion of the Nation's critical infrastructure. In developing these documents, the Administration sought input from stakeholders of all viewpoints in industry, government, and the advocacy community. Their input has been vital in crafting an order that incorporates the best ideas and lessons learned from public and private sector efforts while ensuring that our information sharing incorporates rigorous protections for individual privacy, confidentiality, and civil liberties. Indeed, as we perform all of our cyber-related work, we are mindful of the need to protect privacy, confidentiality, and civil liberties. The Department has implemented strong privacy and civil rights and civil liberties standards into all its cybersecurity programs and initiatives from the outset. To accomplish the integrated implementation of these two directives, DHS has established an Interagency Task Force made up of representatives from across all levels of government. Continuing Need for Legislation It is important to note that the Executive order directs Federal agencies to work within current authorities and increase voluntary cooperation with the private sector to provide better protection for computer systems critical to our national and economic security. It does not grant new regulatory authority or establish additional incentives for participation in a voluntary program. We continue to believe that a suite of legislation is necessary to implement the full range of steps needed to build a strong public-private partnership, and we will continue to work with Congress to achieve this. The Administration's legislative priorities for the 113th Congress build upon the President's 2011 Cybersecurity Legislative Proposal and take into account two years of public and congressional discourse about how best to improve the Nation's cybersecurity. Congress should enact legislation to incorporate privacy, confidentiality, and civil liberties safeguards into all aspects of cybersecurity; strengthen our critical infrastructure's cybersecurity by further increasing information sharing and promoting the establishment and adoption of standards for critical infrastructure; give law enforcement additional tools to fight crime in the digital age; and create a National Data Breach Reporting requirement. Conclusion The American people expect us to secure the country from the growing danger of cyber threats and ensure the Nation's critical infrastructure is protected. The threats to our cybersecurity are real, they are serious, and they are urgent. I look forward to working with this Committee and the Congress to ensure we continue to take every step necessary to protect cyberspace, in partnership with government at all levels, the private sector, and the American people, and continue to build greater resiliency into critical cyber networks and systems. I appreciate this Committee's guidance and support as together we work to keep our Nation safe. Thank you, again, for the attention you are giving to this urgent matter. Chairman Rockefeller. Thank you, Secretary. Now The Honorable Patrick Gallagher, who's Under Secretary of Commerce for Standards and Technology, and Director of the National Institute of Standards and Technology, which is in the U.S. Department of Commerce, and which is just chock full of Nobel laureates. It's one of the ultimate gems in Washington, D.C., and is not used as it should be. Please proceed, sir. STATEMENT OF HON. PATRICK D. GALLAGHER, Ph.D., UNDER SECRETARY OF COMMERCE FOR STANDARDS AND TECHNOLOGY, U.S. DEPARTMENT OF COMMERCE Dr. Gallagher. Thank you very much. And it's a real pleasure to be here. Let me begin by thanking both Chairmen Rockefeller and Carper, and both Ranking Members Thune and Coburn, and members of both committees, for the opportunity to testify today. It's a particular pleasure to be joining one of my critical partners in this effort, Secretary Napolitano. Let me very briefly summarize NIST's role in our responsibilities to develop a framework for reducing cyber risk and critical infrastructure under the Executive order. It may be a surprise to some that an agency of the U.S. Department of Commerce has been given this key role in cybersecurity but, in fact, NIST has a long history in this area. We have provided technical support to cybersecurity for over 50 years, working closely with our Federal partners. And also because NIST is a technical, but nonregulatory agency, we provide a unique interface with industry to support their efforts in technical and standards development. Today, NIST has programs in a wide variety of cybersecurity areas, including cryptography, network security, security automation, hardware roots of trust, and identity management. As directed in the Executive order, NIST will work with industry to develop a cybersecurity framework that supports performance goals established by the Department of Homeland Security. DHS, then, in coordination with sector specific agencies, will support the adoption of the cybersecurity framework by owners and operators of critical infrastructure and other interested entities through a voluntary program. To be successful, two major elements have to be part of this approach: First, it will require an effective partnership with DHS. Last month, I signed a Memorandum of Agreement with DHS Under Secretary Rand Beers to ensure that our work was fully coordinated with DHS. Second, the cybersecurity framework must be developed through a process that is industry-led and open and transparent to all stakeholders. By having industry develop their own practices that are responsive to the performance goals, the process will ensure that it is both robust, technically, but also aligned with their business needs. This approach has many advantages. It does not dictate specific solutions to industry, but promotes industry offering their own solutions. It allows solutions to be developed that are compatible with business and market conditions. And, by leveraging industry's own considerable capacity, it brings more talent and expertise to the table to tackle this topic. This is not a new or novel approach for NIST. We have utilized very similar approaches in the recent past to address other pressing national priorities, notable examples being smart grid and cloud computing. We know how to do this. Since this is industry's framework, the NIST role is to act as a convener and technical contributor. By working closely with our Federal partners, we also ensure that industry's work is relevant to their missions to protect the public. So, what is in this framework? The short answer is, whatever is needed to achieve the needed cybersecurity performance, but, in practice, we expect the framework will include standards, methodologies, procedures, and processes that align the business, policy, and technological approaches to address the cyber risk for critical infrastructure. Let me touch, briefly, on the topic of standards and their importance to success in this effort. First, by ``standards,'' I'm using the term as industry does. These are agreed-upon specifications, or norms, that allow compatibility of efforts to achieve a goal. These are not the same thing as regulation. Industry standards are developed through a multi-stakeholder voluntary consensus process, and it is this process that gives these standards their power and their broad acceptance around the world. These standards are not static. They can be changed to meet technological advances and meet new performance requirements. And, in fact, performance-based standards promote innovation specifically because they allow new products--services to be developed in a way that's not a tradeoff. Mr. Chairman, I appreciate the challenge before us. This EO requires the framework to be developed within a year. A preliminary framework, in fact, is due within 8 months. We have already issued a request for information to gather relevant input from industry and other stakeholders. We are actively inviting those stakeholders to participate in the framework process. The early response has been very positive. Over the next few months, we will convene a series of workshops, where we will develop the framework, because this forum allows the necessary collaboration and engagement with industry. Our first organizational workshop will be held on April 3. In May, we will release our initial findings from the request for information, and our analysis of this response. And, by the 8-month point, we will have an initial draft framework, including an initial list of standards, guidance, and practices. The President's Executive order lays out an urgent and ambitious agenda, but it is designed around an active collaboration between the public and private sectors. And I believe that this partnership provides the needed capacity to meet this agenda and it will effectively give us the tools to manage the cybersecurity risk we face. And I appreciate the Committees holding this joint hearing. It's reflective of the partnership we'll need to be successful in this effort. And I look forward to answering any questions you may have. [The prepared statement of Dr. Gallagher follows:] Prepared Statement of Hon. Patrick D. Gallagher, Ph.D., Under Secretary of Commerce for Standards and Technology, U.S. Department of Commerce Introduction Chairmen Rockefeller and Carper, Ranking Members Thune and Coburn, members of the Committees, I am Patrick Gallagher, Under Secretary of Commerce for Standards and Technology and Director of the National Institute of Standards and Technology (NIST), a non-regulatory bureau within the U.S. Department of Commerce. Thank you for this opportunity to testify today on NIST's role under Executive Order 13636, ``Improving Critical Infrastructure Cybersecurity'' and our responsibility to develop a framework for reducing cyber risks to critical infrastructure. The Role of NIST in Cybersecurity Let me begin with a few words on NIST itself: NIST's mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life. Our work in addressing technical challenges related to national priorities has ranged from projects related to the Smart Grid and electronic health records to atomic clocks, advanced nanomaterials, and computer chips. In the area of cybersecurity, we have worked with Federal agencies, industry, and academia since 1972 on the development of the Data Encryption Standard. Our role to research, develop and deploy information security standards and technology to protect information systems against threats to the confidentiality, integrity and availability of information and services, was strengthened through the Computer Security Act of 1987 and reaffirmed through the Federal Information Security Management Act of 2002. Consistent with this mission, NIST is actively engaged with industry, academia, and other parts of the Federal Government including the intelligence community, and elements of the law enforcement and national security communities, coordinating and prioritizing cybersecurity research, standards development, standards conformance demonstration and cybersecurity education and outreach. Our broader work in the areas of information security, trusted networks, and software quality is applicable to a wide variety of users, from small and medium enterprises to large private and public organizations including agencies of the Federal Government and companies involved with critical infrastructure. Executive Order 13636, ``Improving Critical Infrastructure Cybersecurity'' On February 13, 2013, the President signed Executive Order 13636, ``Improving Critical Infrastructure Cybersecurity,'' which gave NIST the responsibility to develop a framework to reduce cyber risks to critical infrastructure (the Cybersecurity Framework). As directed in the Executive order, NIST, working with industry, will develop the Cybersecurity Framework and the Department of Homeland Security (DHS) will establish performance goals. DHS, in coordination with sector- specific agencies, will then support the adoption of the Cybersecurity Framework by owners and operators of critical infrastructure and other interested entities, through a voluntary program. Our partnership with DHS will drive much of our effort. Last month I signed a Memorandum of Agreement with DHS Under Secretary Rand Beers to ensure that our work with industry for the Cybersecurity Framework, and also with cybersecurity standards, best practices, and metrics, is fully integrated with the information sharing, threat analysis, response, and operational work of DHS. This will enable a more holistic approach to addressing the complex nature of the challenge at hand. A Cybersecurity Framework is an important element in addressing the challenges of improving the cybersecurity of our critical infrastructure. A NIST-coordinated and industry-led Framework will draw on standards and best practices that industry is already involved in developing and adopting. NIST coordination will ensure that the process is open and transparent to all stakeholders, and will ensure a robust technical underpinning to the framework. This approach will significantly bolster the relevance of the resulting Framework to industry, making it more appealing for industry to adopt. Why This Approach? This multi-stakeholder approach leverages the respective strengths of the public and private sectors, and helps develop solutions in which both sides will be invested. The approach does not dictate solutions to industry, but rather facilitates industry coming together to offer and develop solutions that the private sector is best positioned to embrace. I would also like to note that this is not a new or novel approach for NIST. We have utilized very similar approaches in the recent past to address other pressing national priorities. The lessons learned from those experiences are informing how we are planning for and structuring our current effort. In 2009, the Energy Independence and Security Act (EISA) mandated NIST to develop a standards framework to help with the deployment of a nationwide, end-to-end interoperable Smart Grid. Following a similar approach to the one envisioned for the Cybersecurity Framework, NIST coordinated a forward leaning approach involving more than 1500 representatives from approximately 21 distinct domains that now constitute the Smart Grid. This effort led to the development of a framework called the Smart Grid Roadmap that defined the domains of the Smart Grid and the interfaces for those domains, identified existing standards for these domains, prioritized standards needs and identified standards gaps. Many of these standards gaps are currently being addressed in various standards development organizations around the world. We are seeing the results of this effort pay off in many ways. Cybersecurity standards are being developed and adopted to secure different elements of the electrical grid. Standards based deployments of secure Smart Meters are enabling consumers safe and secure access to data about electricity usage. The U.S. Smart Grid Roadmap is being used as a template for frameworks in many countries around the world. Automakers are reaching agreement regarding chargers for electric vehicles. All these developments have helped address important policy objectives while also positioning the U.S. as a leader in Smart Grid development and deployment. Another example of how NIST has brought together the public and private sector to address technical challenges is NIST's work in the area of Cloud Computing technologies. The unique partnership formed by NIST has enabled us to develop important definitions and architectures, and is now enabling broad Federal Government deployment of secure Cloud Computing technologies. What is the Cybersecurity Framework? The Cybersecurity Framework will consist of standards, methodologies, procedures and processes that align policy, business, and technological approaches to address cyber risks for critical infrastructure. Once the Framework is established, the Department of Homeland Security (DHS), in coordination with sector-specific agencies, will then support the adoption of the Cybersecurity Framework by owners and operators of critical infrastructure and other interested entities through a voluntary program. Regulatory agencies will also review the Cybersecurity Framework to determine if current cybersecurity requirements are sufficient, and propose new actions if it is determined they are insufficient. This approach reflects both the need for enhancing the security of our critical infrastructure and the reality that the bulk of critical infrastructure is owned and operated by the private sector. Any efforts to better protect critical infrastructure need to be supported and implemented by the owners and operators of this infrastructure. It also reflects the reality that many in the private sector are already doing the right things to protect their systems and should not be diverted from those efforts through new requirements. The Important Role of Standards in the Cybersecurity Framework I'd like to explain why this approach relies on standards, methodologies, procedures and processes, and why we believe it to be a critical part of our work under the Executive order. First of all, by standards, I am referring to agreed-upon best practices against which we can benchmark performance. Thus, these are NOT regulations. Typically these standards are the result of industry coming together to develop solutions for market needs and are developed in open discussions and agreed upon by consensus of the participants. This process also gives standards the power of broad acceptance around the world. Standards have a unique and key attribute of scalability. By this I mean, that when we can use solutions that are already adopted by industry, or can readily be adopted and used by industry, then those same solutions reduce transactions costs for our businesses and provide economies of scale when deployed in other markets, which makes our industries more competitive. A partnership with industry to develop, maintain, and implement voluntary consensus standards related to cybersecurity best ensures the interoperability, security and resiliency of this global infrastructure and makes us all more secure. It also allows this infrastructure to evolve in a way that embraces both security and innovation--allowing a market to flourish to create new types of secure products for the benefit of all Americans. Developing the Cybersecurity Framework NIST's initial steps towards implementing the Executive order include issuing a Request for Information (RFI) to gather relevant input from industry and other stakeholders, and asking stakeholders to participate in the Cybersecurity Framework process. This RFI was published last week and we are already getting informal feedback from industry and other stakeholders on the RFI. Given the diversity of sectors in critical infrastructure, these initial efforts will help identify existing cross-sector security standards and guidelines that are immediately applicable or likely to be applicable to critical infrastructure. Industry has begun responding to the RFI and is coming to the table to work with us on this analysis. Underlying all of this work, NIST sees its role in developing the Cybersecurity Framework as partnering with industry and other stakeholders to help them develop the Framework. In addition to this critical convening role, our work will be to compile and provide guidance on principles that are applicable across the sectors for the full-range of quickly evolving threats, based on inputs from DHS and other agencies. NIST's unique technical expertise in various aspects of cybersecurity related research, technology development and an established track record of working with a broad cross-section of industry and government agencies in the development of standards and best practices positions us very well to address this significant national challenge in a timely and effective manner. The approach of the Executive order will allow industry to protect our Nation from the growing cybersecurity threat while enhancing America's ability to innovate and compete in a global market. It also helps grow the market for secure, interoperable, innovative products to be used by consumers anywhere. Next Steps The Executive order requirement for the Framework to be developed within one year, and a preliminary framework due within eight months gives this task a sense of urgency. We have already initiated an aggressive outreach program to raise awareness of this issue and begin engaging industry and stakeholders. Over the next few months, NIST will bring many diverse stakeholders to the table through a series of ``deep-dive'' engagements. Throughout the year, you can expect NIST to use its capabilities to gather the input needed to develop the Framework. In addition to the Request for Information (RFI), we are planning a series of workshops and events to ensure that we can cover the breadth of considerations that will be needed to make this national priority a success. Our first workshop will be held in early April to initiate the process of identifying existing resources and gaps, and to prioritize the issues to be addressed as part of the framework. In May, we are planning to release initial findings from early analyses of the responses to the RFI. This will mark a transition into the dialogue regarding the foundations of the framework. In June, the Departments of Commerce, Homeland Security, and Treasury will submit reports regarding incentives designed to increase participation with the voluntary program. NIST will be supporting the report drafted by the Department of Commerce, which will analyze the benefits and relative effectiveness of such incentives. Around the five-month mark, in July, NIST will host a workshop to present initial considerations for the Framework, based on the analysis conducted with the responses to the RFI. This workshop will be the most in-depth of the three, with an emphasis on particular issues that have been identified from the initial work--including the specific needs of different sectors. At eight months, we will have an initial draft Framework that clearly outlines areas of focus and initial lists of standards, guidelines and best practices that fall into those areas In a year's time, once we have developed an initial Framework, there will still be much to do. For example, our partners at the Department of Homeland Security will be working with specific sectors to build strong voluntary programs for specific critical infrastructure areas. Their work will then inform the needs of critical infrastructure and the next versions of the Framework. The goal at the end of this process will be for industry to take and update the Cybersecurity Framework themselves--allowing it to evolve when needed. Conclusion The cybersecurity challenge facing critical infrastructure is greater than it ever has been. The President's Executive order reflects this reality, and lays out an ambitious agenda founded on active collaboration between the public and private sectors. NIST is mindful of the weighty responsibilities with which we have been charged by President Obama, and we are committed to listening to, and working actively with, critical infrastructure owners and operators to develop a Cybersecurity Framework. Thank you, for the opportunity to present NIST's views regarding critical infrastructure cybersecurity security challenges. I appreciate the Committees holding this joint hearing- it is reflective of the working partnership we have with Department of Homeland Security and other agencies to tackle cybersecurity issues. We have a lot of work ahead of us--and I look forward to working with both Committees to help us address these pressing challenges. I will be pleased to answer any questions you may have. Patrick D. Gallagher Dr. Patrick Gallagher was confirmed as the 14th Director of the U.S. Department of Commerce's National Institute of Standards and Technology (NIST) on Nov. 5, 2009. He also serves as Under Secretary of Commerce for Standards and Technology, a new position created in the America COMPETES Reauthorization Act of 2010, signed by President Obama on Jan. 4, 2011. Gallagher provides high-level oversight and direction for NIST. The agency promotes U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology. NIST's FY 2012 resources total $750.8 million from the Consolidated and Further Continuing Appropriations Act of 2012 (P.L. 112-55), with an estimated additional annual income of $62.7 million in service fees, and $128.9 million from other agencies. The agency employs about 2,900 scientists, engineers, technicians, support staff, and administrative personnel at two main locations in Gaithersburg, Md., and Boulder, Colo. Gallagher had served as Deputy Director since 2008. Prior to that, he served for four years as Director of the NIST Center for Neutron Research (NCNR), a national user facility for neutron scattering on the NIST Gaithersburg campus. The NCNR provides a broad range of neutron diffraction and spectroscopy capability with thermal and cold neutron beams and is presently the Nation's most used facility of this type. Gallagher received his Ph.D. in Physics at the University of Pittsburgh in 1991. His research interests include neutron and X-ray instrumentation and studies of soft condensed matter systems such as liquids, polymers, and gels. In 2000, Gallagher was a NIST agency representative at the National Science and Technology Council (NSTC). He has been active in the area of U.S. policy for scientific user facilities and was chair of the Interagency Working Group on neutron and light source facilities under the Office of Science and Technology Policy. Currently, he serves as co-Chair of the Standards Subcommittee under the White House National Science and Technology Council. Chairman Rockefeller. Thank you, sir. I'm going to ask a question, and the four who spoke will too, but we'll be very brief, because there are a lot of people here. We're going to go according to the early bird rule. To start, I'm just going to ask one quick question to both of you. There are some people who say, ``Look, the House basically has information sharing in its bill.'' It doesn't have much about workforce, it doesn't have much about standards, it doesn't have much about a lot of things, which I think are critical to a good bill, but it's in their bill, so, in theory, in that most people would agree with that, if you wanted to get a piece of legislation, you could just hold yourself back to information sharing. I think that's wholly insufficient. I don't think that's a wise, useful, constructive approach to the kind of bill that we can't really come back to each and every year. We've got to do our full work this year. So, I'm asking, starting with you, Secretary Napolitano, do you think that information sharing alone is sufficient? Secretary Napolitano. No. I think you've got it right, Mr. Chairman. In terms of the House bill, even in the information-sharing area, I think there were some deficiencies in it. It had no privacy protections built around it, which is very important in the--particularly in the civilian realm. And it resided almost all of the cybersecurity information monitoring responsibilities within the NSA, which, of course, is part of the military. We're talking about a totally different environment here, the domestic environment, the partnership with core critical infrastructure. But, beyond that, what we are looking for is legislation that can, if necessary, put in statute the clarity of the roles and responsibilities now contained in the EO, so that that is preserved, moving forward; a bill that looks at the basic standard-setting that we need for core critical infrastructure of the country; a bill that addresses FISMA as we move, and try to move, from a paperwork-dominated statute to one that requires and embodies continuous diagnostics, in realtime; and increased research and development, among other things. So, as we kind of lay out the topics involved under the umbrella of cybersecurity, information sharing is very, very important. Realtime information sharing is critical, but it is not the only concern we have in this arena. Chairman Rockefeller. Thank you. Secretary Gallagher. Dr. Gallagher. So, I think--it's hard to add to that answer, but I think cybersecurity doesn't lend itself to simple solutions. And I think, in the particular example you gave, even with information sharing, where you're going to provide threat information to the private sector, they have to have the capacity to act on that information. And, to do that, it involves some of the standards and technology issues that we're talking about in the framework. So, I think these things tend to be interdependent and go hand-in-hand. Chairman Rockefeller. Senator Carper. Chairman Carper. Thanks, Mr. Chairman. I'd like to go back a bit in time with each of you, and go back to when the Senate--particularly Senators Lieberman, Collins, Rockefeller, myself, Feinstein--offered the earlier version of our legislation, our comprehensive legislation. And, in it, critics said, ``Well, you've got the standards--with respect to standards,'' that's best practices, if you will, for critical infrastructure--``basically, you've got it mandated, and somebody telling us what to do. That somebody might be DHS.'' They didn't appreciate that very much. And the idea was rejected. So, we changed it. As you know, we changed it so that--we came back and said, ``Well, why don't we say that, for critical infrastructure, the best practices would be, not mandated, but we'd ask the industries--the owners, the operators of the critical infrastructure--to tell us what--or to tell the Department of Homeland Security what the standards ought to be. There would be a dialogue between--that includes DHS, NSA, FBI, others--and they would somehow--in this discussion, this roundtable, they'd figure out what the best practices should be.'' Again, there was a push-back from the--part of the business community said, ``No, no, that's going to end up with--we'll end up with mandated best practices, mandated standards in that.'' And so, we come up with this Executive order. And the Executive order says, as I understand it, ``Your dance partner, owners of critical infrastructure, is not going to be FBI, it's not going to be Homeland Security, it's going to be Assistant Secretary Gallagher and our friends at NIST. And they work with industry all the time on stuff that's related to this, like''-- that's one of the things that you talked about. It's--what you've laid out, here, this framework, suggests to me that each time--it's the third major proposal, here--each time, it's been changed; and each time, it's been changed to reflect, maybe the legitimate concerns, or maybe not so legitimate concerns, that were raised within parts of the business community. But, I think we've moved a long ways, y'all have moved a long ways, and, I think, in smart ways. As my wingman here, Dr. Coburn, has suggested, there are still some concerns about liability protection. My understanding is, on the information-sharing sides, there's not so much--it's not so much an issue anymore. I think there may be bipartisan agreement with respect to punitive damages, and maybe general damages. I think there are some questions about liability protection on the critical infrastructure side. Should it be punitive? Should it be more than punitive? But, there has been a whole lot of movement, as I see it, from the administration and, I think, from a bipartisan group of us in the Senate, to meet the legitimate concerns that have been raised. Here's my question. Two-part. One, as you've gone out and done good work in seeking input, Dr. Gallagher, from the business community, what are you hearing? Is there any acknowledgment that changes have been made? In a sense, the administration is kind of negotiating against itself, but I think we're negotiating after hearing what's being offered by those who have been critical of our earlier approaches. Number one, what are you hearing in response to the changes, this latest iteration? Positive, or not? And, second--this is, maybe, more for our Secretary--on the liability side--general and punitive on the information sharing. That's pretty--most people say that's pretty good, in terms of give to the business community. And the question is, what do we have to do in liability, on the critical infrastructure side, to get their buy-in. Two questions. Chairman Rockefeller. And before those are answered, the vote is premature, but it has started--the cloture motion on John Brennan--so, we're going to work a tag-team thing here. Whether we're Republicans or Democrats, it makes no difference. I'm going to go over. John, you can run faster than I can. Chairman Carper. Mr. Chairman? Chairman Rockefeller. Yes. Chairman Carper. Someone just handed me a note. It says it's going to be--the first vote is on the Brennan nomination, the 3:15. If it's agreed to--and I'm encouraged that it's going to be agreed to---- Chairman Rockefeller. Well, we're 10 minutes into it. It's already started. Chairman Carper. Oh, OK. OK. Fair enough. Chairman Rockefeller. Because we're going to have two votes. Chairman Carper. Good. We're going to have two votes. Fair enough. Chairman Rockefeller. OK. Chairman Carper. All right. Chairman Rockefeller. Go ahead and answer. Chairman Carper [presiding]. Yes. Two questions, please. Thank you. Dr. Gallagher. So, very quickly, let me give you the reaction that I've been hearing from business. I think, generally, it's been very positive. And I think the origin of that reaction has to do with the tension that you've observed as these negotiations on how standards and requirements play off each other. I think one of the reasons the reaction is positive is that I--and Senator Rockefeller mentioned this in his opening remark--the tricky issue here is that there is a public accountability for performance in the forum of critical infrastructure. If it fails, it causes impact to the nation. But, these type of standards and requirements also have business impact; they touch how businesses perform, they touch their business practices, and they affect the markets. And I think, generally, there's a reticence to having the government somehow have an undue impact on their business condition. So, this arrangement allows, really, kind of the ideal choreography, because the Department of Homeland Security lays out the performance expectation--what do we have to achieve, from a cybersecurity-performance view?--and then charges industry with coming up with the business and cybersecurity practices that meet that goal. And then we try to align our practices. So, in this complicated mix, where you want this to take place, I think this is the best of all possible worlds. NIST is kind of an ideal convener, because we're technical and we're not in charge of anything. So, we can be sort of neutral and be a partner with industry as they develop that. Chairman Carper. Good. Secretary Napolitano, the second half of the question, please. Secretary Napolitano. With respect to liability protection, I think the administration is already on record as having supported the targeted liability protections that were in the bill last year, the bipartisan bill last year. But, the EO also requires us to look at other ways to incentivize businesses to raise their practice to meet the standards that are ultimately seen as optimal. And so, for example, a--exploring, as we are, whether there could be a procurement preference, for example, given; whether there could be some kind of a seal of approval that is given. Now, those are just two ideas that can also provide incentives, because--recognize that the market, in and of itself, has not provided sufficient incentive, yet, for all business to voluntarily raise their standards. Chairman Carper. All right. This vote's started--thank you for--both of you--for those responses--the vote started about 8 minutes--9 minutes ago, and---- Thuney, you want to take a shot? Senator Thune. All right, thank you, Mr. Chairman, I will, and we'll race over there together. Let me just, if I might, Secretary Napolitano, direct this question to you. The Executive order directs the Secretary of Homeland Security--you--to provide performance goals for the cybersecurity framework. We've been told the performance goals are intended to establish the level of security that the framework should meet. Doesn't the ability to set the performance goals put DHS in the driver's seat for this process, no matter how collaborative the initial NIST process may be? Secretary Napolitano. Well, we already do this, in the physical security side, with critical infrastructure. We work with critical infrastructure in 18 separate sectors to work on commonly understood performance goals and standards. So, in a way, Senator, this is simply extending that into the cyber realm. But, we intend, and are pursuing, a realm that is very collaborative in nature. Our goal is to set performance goals. And NIST, then, establishes the framework and the standards of how those goals are reached. So, by way of example, a goal might be for a major--let's say, a utility--if its major server, or servers, is attacked and is nonfunctional--to have the capability to restore service within a certain period of time. What the definition of that certain period of time is, is something that we would be working with, with industry, what makes sense, how would they do it, what are their options, and so forth. But, that would then feed into the framework that NIST will be establishing. Senator Thune. And just to elaborate on that a little bit, how do you intend to ensure that the performance goals are reasonably attainable by your private sector partners? Secretary Napolitano. Well, again, the EO requires us to engage in a collaborative process, and to make sure that all voices are listened to. And we do this in other areas already. So, I would say, again, we will simply take some of the lessons learned from some other things that we have done in the physical infrastructure realm, and continue them into cybersecurity. Senator Thune. All right. Dr. Gallagher, how will NIST ensure that the framework that you're directed to develop with industry and other agencies does not undermine, conflict with, or duplicate existing mandatory--or voluntary, for that matter--government- or industry-led standards for each infrastructure sector? Dr. Gallagher. So, the way we'd like to approach that is by having the industry and the critical infrastructure community put the framework together themselves. I think we've--we've done this approach in smart grid, where--and in cloud computing--where those same stakeholders, who are operating under either mandatory or industry-led standards, are quite willing to put those on the table; and that's actually the starting point for this framework process. This is not NIST developing new or additional material; this is much closer-- much better thought of as a harmonization of what industry is presently doing, itself. So, that's the way of taking care of that conflict. Senator Thune. You mention, in your testimony, that--and I'm going to quote, here--``Many in the private sector are already doing the right things to protect their systems, and should not be diverted from those efforts through new requirements.'' How are you going to work with DHS to ensure the Federal Government is not diverting companies with new requirements? Dr. Gallagher. So, I think the way that this works is--and, in fact, the request for information we just put out asks companies and stakeholders to share with us their current practices and standards that they use. And I think the way this framework is going to look, at the beginning, is, you're going to see areas of overlap or where there's, you know, maybe, existing and--from--existing practices from different sectors that tackled the same problem in different ways. And there's going to be areas where there are gaps. And so, the roadmap is going to have a very interesting sort of--the framework is going to have a roadmap character to it, where, you know, we can use that to address those areas of overlap and see whether that's a problem, or not. And I think the way--industry needs to lead those discussions, not us. And, conversely, when we see areas where there are gaps, then there's going to be the ability to organize and set priorities to address those gaps. So, I think the process is specifically designed to make sure we don't reinvent the wheel. Senator Thune. And one quick question before we go vote-- what's the threshold for sufficient industry feedback and participation in the framework development process? How are you going to ensure that you receive enough industry input? Dr. Gallagher. That's an interesting question. I don't--we haven't had the problem of insufficient industry involvement in the past, so we're anticipating the opposite problem, which is an enormous insurge of participation. And I think what happens at the working level, through most of these efforts, is, you pick up on industry's own consensus-standards processes. And so, the same sort of criteria for whether the right stakeholders are involved and participating applies there. And I think the final analysis is going to determine--is going to look at the quality of their work product. If the right folks were around the table, and the best ideas were brought out, and then we're going to have the most viable product, I guess the final test of all would be the market, you know, pickup. I mean, the real test of the framework is whether it's put into practice. And if insufficient involvement was there, that's not that buy-in, then we're not going to see that adoption. Senator Thune. Mr. Chairman, I think we have to go vote. Chairman Carper. Yes, we do. Senator Thune. Recess? Chairman Carper. We're going to do a short recess, probably 10 minutes. We'll be back in about 10 minutes. Thank you for your patience and letting us go do our nation's work. Thanks so much. We're in recess for 10 minutes. [Recess.] STATEMENT OF HON. MARK WARNER, U.S. SENATOR FROM VIRGINIA Senator Warner [presiding]. Well, this may be the first and only time I get to chair this combined hearing, for the next 20 or 30 years, so I rushed back. We do have a second vote, but it appears that the first vote may take some extended time. There are some folks at the White House. So, hopefully Senator Coburn will be back shortly, as well, and we'll be able to continue to move on. I wanted to look--and I know one of the biggest challenges we've got on this whole question is, you know, how we set appropriate standards, how those standards are nimble enough as a--in a field that is constantly evolving. As somebody who made a living in the technology field, I'm somewhat familiar with that. And I think Senator Coburn raised, appropriately, the right question, how we can then use the information sharing so that firms are able to share in a way that has both-- appropriate protections in place. And one thing that I would just add--since I may have a little bit more time, as folks come back--is that I sense that there is a changing feeling in the business community, because, one, the increased amount of cyber activities, cyber attacks; two, the publicly released Mandiant report, which cited and specified the activities, particularly coming from China, and how pervasive they are, and how much intellectual property is stolen. So, while I, clearly, want to make sure that businesses get the appropriate protections, I think there's an evolving feeling, in the business community, that standards that had some enforcement behind them, other than voluntary, are important. And what I wanted to have, perhaps--Mr. Gallagher, start first--and then Secretary Napolitano address, is this--the free-rider issue. When you have a voluntary set of standards, and you have those businesses, entities that meet these standards, then those that don't, in effect, have that plain economic free rider effect. And is it not the case that, particularly within sectoral industries--take utilities, for a moment--you may have--because the--all the utilities have an enormous interconnection between them--those free riders who don't have appropriate protections in place may end up being an entry point, not only into their own operations, but then into other firms, because the firewalls between common industry partners are not as great. So, if both of you would like a take a crack at this issue of the free riders--whether you see it, whether you're seeing an emerging feeling from the business community on this issue. Dr. Gallagher. So, thank you, Senator Warner. I think that, with regard to the accountability of the standards framework, you know, voluntary sometimes feels soft, as if it's optional. But, the term is used in business--in fact, standards developed through a voluntary consensus process by businesses can be, in fact, fairly muscular. They can include schemes that are there to identify whether products and services conform to those standards. And those conformity assessment vehicles, like product marking or various other things, can be used in their business-to-business relationships; they can be part of contract requirements, they can be part of their own procurement requirements, and so forth. And that's why these standards have such a powerful market effect, is that they start driving these interactions. So, I don't think we should believe that, because business is in charge of the standards environment, that it's going to be weak. I think--as long as the accountability is there for the underlying cybersecurity performance, I think they're going to be inclined to look at making sure that there's a robustness there and they can identify their supply chain as not undermining their credibility. That being said, there is going to be unevenness in adoption, and I think that's going to be one of the things we continue to monitor, both with the stakeholders who are helping us develop the framework and with our Federal partners. In some cases, it's going to be, maybe, willful; in other cases, it may be just the size of the company. Small businesses sometimes face different hurdles, in terms of compliance, than large companies. And hopefully that's a part of the framework and the partnership. Senator Warner. Before Secretary Napolitano answers, I guess the one thing I would just come back to you at little bit is, you know, the analogy, a little bit, breaks down where industry sets a standard, and there may be a marketing advantage. If you get the Good Housekeeping seal of approval, that helps you. A competitive product that doesn't have that Good Housekeeping seal of approval doesn't cause you any risk; whereas, within an industry--again, critical infrastructure, in particular--the weakest link could not only provide a way into your company, even though you've got the Good Housekeeping seal of approval, and cause harm, or, in addition, you know, you may have the weakest link, then cause such a problem that there could be industrywide repercussions even if you got--because you're not going to have any safe harbor provisions. Secretary Napolitano, and then also you want to---- Secretary Napolitano. Well, Senator, I think there is a risk, here. And the risk is the free rider risk, that all who need to be involved won't invest in order to be involved. But, I think it's a measured risk, compared to a process that is an open process, that involves industry from the get-go, and that really aligns well with what we've done on the physical security side, and with what NIST has done, in terms of other types of standard-setting. One of the questions is, why wouldn't a company participate? One reason is that they, themselves, do not have the technical know-how. They don't have the IT personnel, and the like, to really be able to participate. One of the things we will be building and encouraging through this is the exchange of best practices. That exchange, among those actually in the market, actually can help smaller entities or those who have not invested what they should have, already. And finally, as I mentioned in my opening, I think there's not just a Good Housekeeping seal-of-approval sort of incentive that we can build, but, again, looking at things like procurement preferences, acquisitions, and the like, that really, at least to the extent that government is a consumer of these services, can be helpful. But, there is--as you have identified, this is, legitimately, a risk. Senator Warner. Well, I just personally believe that--I think this collaboration ought to be industry-led. I do believe there needs to be an enforcement mechanism, and I do think there needs to be, similar to some of the legislation that was introduced last year, standards that had some teeth to it. And, as Mr. Gallagher said, you can have standards with teeth that's industry-driven, but you've got to have some kind of enforcement tool. I want to follow up, Secretary Napolitano, with your question of ``those entities that might be in a particular sector that don't have the capabilities.'' You know, how do you make sure they are able to get the intellectual product that is being created by, you know, the large utility versus the small rural utility? If the large utility is spending lots of resources getting the best and the most efficient cybersecurity system in place, you know, they're going to be--they may be reluctant to share that benefit with partners who are, again, free riders. How do we get over that---- Secretary Napolitano. I think---- Senator Warner.--challenge? Secretary Napolitano. I think the way to think about that is their participation in the construct of the framework, because NIST really sits as kind of a neutral in the creation of the ultimate framework, but the framework itself provides a way for all entities involved in a particular area to exchange information. And I think we've seen that happen with some of NIST's other activities. So, the process itself could help solve that problem. Senator Warner. I'm not--I want Mr. Gallagher to--I'm not sure I fully got the answer, there, because I'm--you know, this is a very competitive space right now, as people come out with cybersecurity products and services. Some are better than others. You know, you've got--this will constantly be evolving. You know, one of the concerns, I know, is that we end up with a stagnant standard that kind of gets industry-accepted, technology moves ahead, and how do the new movers in that cybersecurity industry break in if you've already got a government-established standard? But, somehow or the other, we've got to figure this out. Do you have any thoughts on it, Mr. Gallagher? Dr. Gallagher. Well, I think--you know, I--that's one of the reason why we don't like to have government set standards in the United States. I think, by law, we have a preference, where Federal agencies look to the private sector standards organizations for their needs as the first preference. And one of the reasons for that is, they tend to be more dynamic, because they're market-attuned, and they're going to keep looking at that. The tension you point out, where it's a very competitive market--I mean, the standards process can be weaponized, as you know. Large companies can come in and want to, you know, take advantage of the--incorporating their technology in a standard because of the--the market advantage that would accrue to them if that was widely adopted. But, the standards processes have learned how to adopt to those kinds of commercial tensions in the process. That's really the kind of diplomatic negotiation that's occurring in the voluntary consensus standards process. And so, we will be, not replacing that function, we'll--the framework process will be engaging existing standards development organizations and leveraging their expertise, and carrying that out. Senator Warner. Well--I've run over my time; I'm still not completely sure how we work that out on the free rider issue. The last quick--very quick question, and I'll turn it back to Senator Coburn--it just--when we think about cyber threats, a lot of what's discussed in the press are those intellectual property threats and those threats that could actually interfere, turn on and off, operations. Do we--do you prioritize nature of threat, those that are simply, in effect, passive stealing versus those threats that are actually able to shut down critical infrastructure, for example? Chairman Carper [presiding]. I'm going to ask our witnesses just to be very brief in your response, please. Secretary Napolitano. In some senses, yes. I can explain later, when there's more time. Chairman Carper. That was good. [Laughter.] Chairman Carper. All right, thanks. Have you made the second vote? Yes, there is a second vote. Final passage. You know? OK. Dr. Coburn. Senator Coburn. Well, thank you. Madam Secretary, I--one of the things--you have this great, big agency--in there--like on FISMA--do you really feel like you have the authorities you need, right now in your position, to actually accomplish what we need to do, especially when it comes to cybersecurity for the government? Secretary Napolitano. I think we can accomplish much with our existing authorities. As I've suggested, Senator, I think some FISMA reform, which would move us out of the paperwork generation into the Digital Age, very helpful, was considered part of the original legislation. The ability to do hiring equivalent, with equivalency to the sorts of hiring that the NSA could do--because, realize, in this realm, civilian capacity needs to be enhanced, because we're going to manage most of this through civilian capacities, with some utilization of the NSA. And we already have those arrangements made. But, on that personnel side, we will need legislative assistance. Senator Coburn. OK. Do you feel comfortable--and I'm not asking this question so you'll make a criticism of the Executive order--do you think we have the proper balance, in terms of intellectual property and protection of critical infrastructure, within the Executive order? We're going to help that, but what's your feeling about that? Secretary Napolitano. I think, overall, yes. And I think our key interests--and it's partially a response to Senator Warner, earlier--is the protection of the country from a cyber event that could cause undue economic loss or, in worst case circumstances, even endanger life. So, we fundamentally need to be concerned with that. That kind of investment may not be as marketable or return- on-investment-oriented as, say, protection against the theft of your intellectual property. I mean, I think there's an easy economic case, ``This is better for us, it's going to be better for our bottom line, it's part of the R&D process and our protection of our intellectual property.'' In the security context, there's a public element to this that is not reflected immediately in the return on investment. That's why, from a standpoint of where we focus most of our efforts--we do the theft of intellectual property, the counterfeiting, the--all of that, those kinds of cases--but, where we are focused within the security of the United States is really on that fundamental attack, that fundamental interference that could shut us down. Senator Coburn. Yes. You have all these areas of responsibility, and a large agency, and we're coming up on a tenth anniversary of your agency. And we had a great conversation, when I came out to visit you. But, there are--you have some real challenges. I mean, they're documented. GAO has documented, your own IG, as well as our investigative subcommittee. Do you--can you assure us you're seeing improvements in all those areas, and you're making the management adjustments those criticisms that have been rightly leveled, in terms of difficulties within the agency? Because your ability to respond to those has a lot to do with your ability to carry out the function that we're going to be giving you under the President's Executive order. Secretary Napolitano. Right. And I think--in terms of management of a Department that was brought together out of 22 agencies and is still relatively young, I think we have worked very closely with the GAO and the IG to really tighten the management and the accountability of the management, departmentwide. I can also share with you that there has been no part of the Department that has expanded so rapidly, in terms of capability and responsibility, than the part that deals with cyber. And that's because of the continuing threat that we face. Now, with the EO, we will take on even more responsibilities. Many of these are continuations of things we've done. Some of them are actual expansions. But, we are fully prepared to do that. Senator Coburn. I have to tell you, I have been thoroughly impressed with the employees and the people that have given us the briefings that we've had. There's no doubt to their competence, their dedication, and their service. And I would just tell you, you should take that back. Before my time's up, which it almost is, I would ask that you leave some people here to hear the GAO testimony after you leave, if you would. I think some of that some of this is spot on; some of it may not be. But, I think having this--the GAO outline where they see the problems, and you hearing--somebody in your agency actually hearing that, and reporting to you what that is--and the flavor, and the insight that they have, I think will be beneficial as you work to implement what you're charged to do. Secretary Napolitano. Happy to do that, Senator. Senator Coburn. Thank you. Chairman Carper. And I second that request. If you could, that would be great. All right, I've been waiting to make this introduction for a while, but--Senator from Massachusetts, Senator Mo Cowan. Senator Cowan. STATEMENT OF HON. WILLIAM COWAN, U.S. SENATOR FROM MASSACHUSETTS Senator Cowan. Thank you, Mr. Chairman. Madam Secretary, Mr. Gallagher. My first question, Madam Secretary, is to you. First of all, before I offer it, I'd preface it by saying thank you for your testimony today, and thank you for your partnership with us up in the Commonwealth of Massachusetts. You and your team have been very helpful to us, and through some difficult times. We really do appreciate that. But, to the issue at hand--and forgive me if I cover a territory that may have been covered while I was away for the vote--but, I want to talk a little bit about the concept about cybersecurity as it relates to, sort of, the concept of the weakest link in the chain. And we're going to hear testimony today from a CIO from a major company about--and this is my description, not his--the--sort of the platinum level of security, or focus on cybersecurity that they employ. And that's a very strong link in the chain. But, while that may be true of Dow Chemical and other companies, is it fair to say that the failure of any market participant, particularly when it comes to critical infrastructure, to improve their defenses, on the cybersecurity side, to a minimum baseline standard leaves us all exposed, notwithstanding those platinum structures in place, and leaves us exposed, not only to some significant costs, but some significant security concerns? Secretary Napolitano. Senator, I think the--our efforts are to have everyone raised to a certain baseline standard. There may be entities that do more than that, but a certain baseline. And that should be attached with greater real time information sharing, because information sharing is a big part of this, and exchange of best practices, new technologies, and the like. But, there is no--there is no mandate, per se, in the Executive order. So, we are getting at this through a cooperative, voluntary regime. Senator Cowan. And through that cooperative, voluntary regime--I just want to be clear--you do believe that there is-- there is value in that minimum baseline standard across all players in this critical sector. Fair to say? Secretary Napolitano. Yes. I think it--there is value, because what we are trying to do is, in a realm where there is an increasing number and sophistication of cyber threats from a variety of actors, making sure we are best prepared, as a country, to prevent or, if necessary, respond, and to mitigate any damage. Senator Cowan. And perhaps--this question, to you, Dr. Gallagher--I've talked to a number of folks with particular knowledge and expertise in this field, including Cynthia LaRose, of Mintz Levin, about privacy in cybersecurity issues, and the point has been made to me that the market participants, obviously, should play an important role with the government in establishing baseline standards that are out there, and there should be--the ability of the market player is to have a significant influence over what those standards are. But, if businesses may be left to their own devices, we may never get to a point where we can ensure ourselves that we've properly, across all critical infrastructure issues, sort of addressed cybersecurity, because of the difference in scale of entities and a difference in focus. Would you agree with that assessment? Dr. Gallagher. I think, if it's not done correctly, that could happen. I think the challenge is--turning to private sector-led standard-setting when the public sector needs those standards means that there's an accountability of the private sector to that performance. In other words, the--it's not the same thing as saying there's an abrogation of responsibility by the public sector by saying we want industry's help in doing it. So, I think the EO correctly lays this out. It starts with a process where we try to articulate the cybersecurity standard of performance that we'd like to engage on. And then we let industry, who knows the market, who understands their technology, who understands the dynamics, attempt to respond to that. In the final analysis, I guess the public sector will have to evaluate whether that meets the public's needs to secure the safety of the U.S. population, and respond accordingly. But, we do this very often. I think, you know, it's not uncommon for government agencies, in procurement and regulation and so forth, to depend on the private sector. And, in fact, the private sector wants to be responsive to that, generally, because they want their efforts to be aligned with those needs. Senator Cowan. Thank you. Chairman Rockefeller [presiding]. Senator Johnson. STATEMENT OF HON. RON JOHNSON, U.S. SENATOR FROM WISCONSIN Senator Johnson. Thank you, Mr. Chairman. Madam Secretary, Mr. Gallagher, thanks for coming before us. Mr. Gallagher, I was actually pleased to see, in your testimony, that you said the approach should not dictate solutions, but, rather, facilitate it. I think that was one of the things that kind of bogged us down last time, when we tried to pass a cybersecurity bill. And this is really a question for both of you. As you have gone around and talked to industry--certainly my input was, I think, last time around, there was an assumption, or a presumption, that business had to be dictated to. You know, I come from industry. I really think businesses want to protect their cyber assets and realize that government really has a real role to play here, and has a lot of valuable information. So, can you just give me your evaluation, in terms of that--I guess, that assessment? How willing is business? How often do they really have to be nudged along a little bit more forcefully? Madam Secretary. Secretary Napolitano. In general, the responsible business players recognize the multiple interests involved, and our work is furthered when there's truly a collaborative atmosphere. We all want to solve problems. No one is benefited if there's a major or successful cyber attack within the United States. So, we're approaching it from that dimension. To the extent this is a national security issue, which it is, and we are leaving it to a collaborative process to help resolve, that is a first. Normally, when security is concerned, it is much more of a government, kind of, top-down, as it were, philosophy. So, this is a grand and bold experiment, in that regard. But, I proceed on the notion that we can make this work, and that we will. Senator Johnson. Thank you. Mr. Gallagher. Dr. Gallagher. I would confirm that. I don't want to talk about the irresponsible players, but, I mean, my reaction, in working with business leaders, particularly in critical infrastructure, is, they acutely feel their obligation to protect the public, and want to perform. I think the underlying issue--and this touches on some comments that Senator Warner raised, as well--is, this will work best of all when good cybersecurity is also good business. And when that alignment occurs, I think that's when the magic happens and this really works very powerfully. And that's related to this discussion on incentives. And I think one of the things that can come out of this process, since this is an industry-led standards development effort, is, we will be monitoring those areas where the standard-setting and adoption seem to be--where there seems to be a headwind that is related to, maybe, disincentives or, you know--and those will be important information for us to pay attention to. But, I think that's where this wins most dramatically, is when good security is also good business. Senator Johnson. Now, last time around, the regulations were stated to be voluntary, but I think businesses viewed that as saying, ``Yes, it was voluntary, but pretty coercive, particularly after 1 year.'' What has changed? Because it sounds like the reaction from businesses has changed pretty dramatically. I mean, what, specifically, did you change, in terms of that voluntary nature of the EO, in your proposals? Secretary Napolitano. I think one of the things that happened is that there was a process, led by the White House, to engage business in the construction of the EO, itself. So, it didn't just kind of spring like, you know, Athena from the head of Zeus, but it was really a collaborative process to begin with. So, it's, you know--and the second thing I would mention, Senator, is, we have--we didn't stop work because the bill failed. I mean, we were already, all summer, you know, working on, How do we make sure that we are looking at adequate cyber performance goals? And what could standard-setting look like in this regime? So--and I think that gave, perhaps, assurance to some in the business community that we truly are engaged in a collaborative process. Senator Johnson. OK. One of my assumptions is that just the word ``comprehensive'' makes things more difficult around here. There are certainly different components to cybersecurity that could potentially--I'm just saying potentially--could be enacted in a step-by-step basis. First of all, do you agree with that? Does it have to be comprehensive? And if it could be a step-by-step approach, do you have a priority? I know, Mr. Gallagher, I think you've listed the five pieces of legislative actions that are required. But, is comprehensive required, or, if it's not possible to get that, can we go step-by-step? Dr. Gallagher. So, I think the problem with cybersecurity, of course, is, you're talking about a system behavior. And so, in the end, you have this problem, where it's a chain of performance, and you're as strong as your weakest link. And that's one of the reasons that you always have to think about the whole. But, you're right, in order to make progress, you can't boil the whole ocean at once, and I think you have to set priorities. I think the Executive order, and this process, will allow that to happen. Clearly, part of this is dealing with known threats and known vulnerabilities, just good cyber hygiene and putting it into practice robustly. Some of this is putting in the tools that allow us to do adaptive cybersecurity. How do we react to the new information, the new threat information, the type of cybersecurity automation tools? And some of this is, how do sector-specific organizations address, you know, their requirements in the--you know, in their context, to protect the public, in the advent of a cyber. So, it's a complicated challenge, in the sense that the whole matters, but you have to work at it in pieces. Senator Johnson. OK, thank you. Chairman Rockefeller. Senator Baldwin. STATEMENT OF HON. TAMMY BALDWIN, U.S. SENATOR FROM WISCONSIN Senator Baldwin. Thank you, Chairman Rockefeller and Ranking Member Thune. Thank you, to my Chairman, Carper, and Ranking Member Coburn. I'm new to the Senate, new to the Homeland Security and Governmental Affairs Committee, but, back in my House service, I had the opportunity to serve on the House Energy and Commerce Committee, where I started to become more aware, and sometimes more alarmed, about our need to protect our critical infrastructure and the threats faced by cyber penetrations, et cetera. And I look forward to the opportunity to be involved in this issue, moving forward, but looking at it more broadly than just the jurisdiction of the Energy and Commerce Committee, although it was pretty broad. In that vein, I wanted to start, Madam Secretary--in your testimony, you briefly referenced the National Cybersecurity and Communications Integration Center, which is a 24/7 response center for potential cyber threats. And I wonder if you could describe for me in greater detail the sort of--the functions of this center, what sort of business it's seeing, and if you could highlight a few stories of success that have been achieved through the creation of the center. Secretary Napolitano. The NCCIC, as we refer to it, is a 24/7 watch center. It has a number of partners on the watch center. Importantly, both the NSA and the FBI are partners there, as we are partners with the FBI in the--their JTTF center, as we partner with the NSA, as well. So, when you think about roles and responsibilities, the DHS, the FBI, and the NSA have really figured out for themselves the lanes in the road and how a call to one is a call to all. It is constantly getting information. It gets reports from the private sector. It sends information out. It deals with mitigation efforts. It deploys teams to help mitigate damage, particularly in the area of industrial control systems. It's a very important subset of this that we've seen a lot of activity in. It really is our key information collection, sharing, collating, analysis area in the cyber realm. One recent area we've been heavily involved in is a whole spate of DDOS attacks against the financial sector, and assisting them in responding, and also helping them to work around the DDOS attacks that they are experiencing. I would invite you or any members of the Committees. We'd be happy to host you at the NCCIC to see what really has been built out there. Senator Baldwin. Thank you. You mentioned, in your response, working with industries that have industrial control systems. And want to sort of ask a related question. I was talking about my experience, in the House, on Energy and Commerce, and the cybersecurity issues that are raised there. I understand, from what I've been learning lately, that the financial services industry has some of the best protections in place against cyber threats, and certain, you know, other sectors that are protecting essential infrastructure have more lax protections in place, how we say. I guess I'm wondering how the best practices from the financial services industry can be applied to other sectors, and to what extent the absence of industrial control systems in that sector hinder the application of those best practices. What's--what can go across sectors and be learned, and the fact that they don't have SCADA systems, you know, that it's not going to be that helpful in the other sectors? Secretary Napolitano. One of the things about cyber is that this is not--although we talk about sectors, they're not stovepiped, they're all interconnected. We live in a interconnected world, in every respect. There are some things that are being done in the financial sector that will easily migrate into performance goals, and, indeed, perhaps even into a framework. There are other things that are not as---- Senator Baldwin. Can you---- Secretary Napolitano.--applicable. Senator Baldwin.--can you outline--or can you mention some of those, just so I get a clear sense of what can migrate easily? Secretary Napolitano. I'd rather not, in an open setting. Senator Baldwin. Oh, OK. Secretary Napolitano. But, we'd be happy to provide a briefing for you. Senator Baldwin. Great. And I cut you off. You were saying, there are some things that migrate easily. Secretary Napolitano. And some that don't. But, to the--you know, one of the things that we will be working on with NIST is, as we set performance goals, and as we engage in this process, what does the framework absorb by way of things that are interconnected and that apply across a broad spectrum. Senator Baldwin. Thank you. Chairman Rockefeller. All right. We go now to Senator Pryor. And then, that'll be the end of the first panel. And I want to apologize to the first panel, because we've kept you here a long time. Part of it was my fault, but I apologize. Senator Pryor. STATEMENT OF HON. MARK PRYOR, U.S. SENATOR FROM ARKANSAS Senator Pryor. Thank you, Mr. Chairmen. And I use that word in the plural. Thank you all for your leadership on this. Secretary Napolitano, always good to see you. Thank you for being here again today. You mentioned, just briefly, something in your opening statement about the sequester and some of the adjustments you're going to have to make this year. Could you elaborate on that? Secretary Napolitano. Well, as you know, the sequester applies virtually account--it does apply account-by-account across the government, and limits our flexibility, in terms of where we put resources. The result is, for example, in our CERT teams, we were looking at, I think, a 10 to 12 percent reduction there, in terms of being able to fill vacancies. We are, importantly, I think, probably going to have to delay the deployment of the next generation of security for the civilian aspect of the Federal Government, the so-called E3A program, for a year, because we just are not going to be able to meet the deadlines, given the lack of resources that had previously been budgeted. So, those are two concrete things I can give you. Senator Pryor. Thank you. Dr. Gallagher, do you have similar impacts from the sequester? Dr. Gallagher. Similar, but not nearly at that scale. So-- -- Senator Pryor. We understand, sure. Dr. Gallagher.--yes, I think, for NIST, the reductions--so, the main role of NIST in the Executive order is one of convening and technical support. So, obviously, those are the two areas. But, by intentionally pivoting this so that this is an industry-driven process, I am hopeful that there is a very minimal impact on our ability to deliver the framework with the sequester. I think the real impact of the budget, in this particular case, is going to be more a long-term one, as-- because I see the framework process as being a continuous one, and I hope it doesn't impact our ability to provide technical support to that ongoing process. Senator Pryor. Yes, that actually was my next question for you, because I assume that, if we do cybersecurity--and I hope we do--that you will have an ongoing role, but, at some point, obviously, resources have to be a consideration for you. So, in a shrinking budget environment, have you thought through how you're going to manage that, or do you have enough information yet? Dr. Gallagher. Well, the way you manage that is by setting some priorities. And I--you know, our priorities, in supporting standards coordination, are to support the highest priorities of other agencies. So, the NIST role in supporting standards is one of direct support to other agencies. So, it's hard to see that cybersecurity's not going to be at the top of that list. So, it may impact other priority areas. Senator Pryor. Right. I understand. And that--I think that's a concern of both committees, here. Dr. Gallagher, next month you're having a--sort of a public workshop in Gaithersburg, I believe. What are you hoping to accomplish with that? And is that going to be the only one, or will others follow? Dr. Gallagher. It will be the one--one of several. We anticipate at least four workshops, over the next 8 months, to develop the framework. We learned, from both our cloud computing efforts and from the smart grid standards efforts, that these type of robust workshops were a very powerful way of bringing together the stakeholders, because you've got to put a mix of stakeholders in a room and hammer out some of these issues. You can get pretty far with calls for information, and people submitting things. But, in the end, there has to be direct negotiation. So, the first meeting is organizational. It's going to be, How do we set up the framework process to be productive? Hopefully, we'll be looking at what the performance objectives from DHS start to look like and how do we organize the effort so that we can produce the initial framework in 8 months. Senator Pryor. And is this a workshop just for public sector, or is it public and private? Dr. Gallagher. We're going to invite everyone who can contribute. Senator Pryor. OK. So, how many people is that going to be, or how many organizations---- Dr. Gallagher. I'm--well, in the case of smart grid, we were up over 1600 people fairly quickly, and this is a broader area, so it could be quite large. Senator Pryor. Do you include--are you including State and local governments---- Dr. Gallagher. Yes. Senator Pryor.--in that? Good. Mr. Chairman, thank you. That's all I have. Thank you. Chairman Rockefeller. Thank you, Senator Pryor. I think Chairman Carper wants to say something, as you go, but stay, for the moment. Chairman Carper. Real brief. Thanks very much for coming. Thanks very much for your work and the work of a lot of folks that you lead, for getting us this far. A reporter asked me, earlier today, if the Executive order might be seen as an excuse for us not legislating; maybe we don't need to do much heavy lifting on--in the--on the legislative side. And I said, ``No, I think it's an incentive for finishing the work that we began in earnest in the last Congress.'' And I'm encouraged, today, that we've moved even further, and that we're--I'm encouraged that we're going to get this done. So, Mr. Chairman, and to our panel, thank you so much. Chairman Rockefeller. I share similar sentiments. I'm very grateful to you both. Testifying probably is not the thing you most enjoy in life, but you were very helpful. You're both very smart, you both run very important organizations. Thanks a lot. Our second panel will be--now, I pray I get this right; Senator Thune has tried to help me--Mr. Greg Wilshusen--is that a thumbs-up or a thumbs-down? Mr. Wilshusen. Thumbs up. Chairman Rockefeller. Thumbs up, okay--who's Director of Information Security Issues for the U.S. Government Accountability Office. He was invited by Senator Thune and all of us. And also, Mr. David Kepler, who is Chief Sustainability Officer and Chief Information Officer, Business Services and Executive Vice President at a small company called Dow. We welcome you. And why don't you go--are you friends now? [Laughter.] Chairman Rockefeller. OK. Why don't you go first, Mr. Wilshusen. Yes. STATEMENT OF DAVID E. KEPLER, CHIEF SUSTAINABILITY OFFICER, CHIEF INFORMATION OFFICER, BUSINESS SERVICES AND EXECUTIVE VICE PRESIDENT, THE DOW CHEMICAL COMPANY Mr. Kepler. Thank you, Chairman Rockefeller, and thank you, Chairman Carper, as well, and Ranking Member Thune and Ranking Member Coburn. I'm the Chief Information Officer and Chief Sustainability Officer for The Dow Chemical Company, and Dow appreciates the opportunity to provide our view on the state of cybersecurity in the U.S. today. Today's companies regularly have to manage major information security issues, including corporate espionage, intellectual property theft, hactivists, attacks on our systems, and cyber criminals. Companies also have to be prepared to manage and mitigate risks, such as acts of terrorisms or sabotage, that may have severe physical and/or financial consequences. As an example, Dow monitors and logs approximately 300 million generic network events a day. This gets distilled down to about 300 investigations each day, and results in about 10 mitigations we have to address. We manage an incident a month. This requires a major team effort, with a multi-day event--a multi-day team response. So, companies have a vested interest, along with a duty to their stockholders, employees, and communities, to protect and defend their facilities, processes, and intellectual property against these cyber inclusions. However, industry must rely on the Federal Government to approach cybersecurity to deploy an offensive perspective by preempting attacks, when possible, through the pursuit and prosecution of criminals behind these events. Since 9/11, The Dow Chemical Company, and many other chemical companies, have made significant investments in the areas to improve security. For example, the American Chemistry Council, as part of its responsible care approach, devised the security code which requires companies to adhere to the chemical industry best practices for both cyber and physical security. Dow believes that the protection of the country's infrastructure can be addressed most effectively by moving forward with policy which strengthens the collaboration between the Federal Government and the private sector. These key principles of collaboration are, one, advancing more specific and timely information sharing between government, industry, and among industry peers; two, reasonable protection for sharing threat or attack information between the government and other companies; and, finally, it also has to lead to aggressive pursuit and prosecution of criminal--cyber criminals. Dow does not support prescriptive regulation legislation or specific technologies or methods. Legislations that set up a system requiring significant resources to comply with this type of regulatory framework and the resources from addressing the threats and risks we need for mitigation. Issues around cybersecurity are in constant flux, and proper management requires a fluid and fast risk-based response. Complex regulatory mandates will only slow the advancement of cyber risk and management systems. Effective two-way cybersecurity and physical information sharing must be linked together, and it must be timely, specific, and actionable, to help promote the flow of information. Information provided by the private sector and government should be adequately protected. On liability, the protection afforded under the Support Anti- terrorism by Fostering Effective Technologies, or the SAFETY Act of 2002, we think are appropriate for consideration for cybersecurity. I was asked to comment on the Executive order on improving cybersecurity, and Dow supports the information-sharing initiatives included in the order. I believe we need to do more, in the long run. If there is anyplace for new legislation, it is to provide reasonable protection for information sharing to incur a broader-based sharing in the industries with government. Leveraging security standards into the government procurement practice is a good idea. Section 7, describing the cyber framework, I think this reflects a good sentiment and an approach; however, we do need to recognize that sector specific approaches and a clear willingness to build on prior work that private sectors have done is important. And this can't be a one-size-fits-all model, based on the industries we're trying to manage in the critical infrastructure. Section 9, the declaration of risk and managing the criteria for reasonable result in an incident, needs to be better defined. The concern is, we'd create a large list of risks that are not clearly prioritized within a sector, and then push generic standards into that sector that's trying to manage the systems that they have to deal with, both in physical and cybersecurity. Also, there needs to be more clarity on the position, in Section 9, that the Secretary shall not indemnify any commercial information technology products or consumer information technology services under this section. I hope this doesn't mean that the IT industry gets a free pass. We need their help in making this a successful endeavor. The concept of a partnership is to work together on a common goal. The outcome of the effort, in cybersecurity, should not be measured by how many regulations we create, but how much progress we make against a real threat to our country's security in progress. We are here to do our part. Thank you. [The prepared statement of Mr. Kepler follows:] Prepared Statement of David E. Kepler, Chief Sustainability Officer, Chief Information Officer, Business Services and Executive Vice President, The Dow Chemical Company The Dow Chemical Company appreciates the opportunity to submit these written comments to the Senate Committee on Commerce, Science, and Transportation and the Senate Committee on Homeland Security and Government Affairs. We applaud the Committee for holding a hearing on cyber security and the necessary collaboration between government and the private sector. About Dow Dow was founded in Michigan in 1897 and is one of the world's leading manufacturers of chemicals, plastics and advanced materials. Dow combines the power of science and technology to passionately innovate what is essential to human progress. Dow connects chemistry and innovation with the principles of sustainability to help address many of the world's most challenging problems such as the need for clean water, renewable energy generation and conservation, and increasing agricultural productivity. Dow's diversified industry- leading portfolio of specialty chemical, advanced materials, agrosciences and plastics businesses delivers a broad range of technology-based products and solutions to customers in approximately 160 countries and in high growth sectors such as electronics, water, energy, coatings and agriculture. More information about Dow can be found at www.dow.com. Cyber Security: A Manufacturing Company's Perspective Cyber threat activity across the business community and the government has continued to increase over the last decade. The main driver of this change is in the profile of the threat itself which has matured from random acts primarily by individuals to now include well resourced organizations outside the United States. These new threats are targeted in areas that range from commercial espionage to terrorism to activism. Companies have a vested interest--along with a duty to their stockholders, employees and communities--to protect and defend their facilities, processes and intellectual property against these cyber intrusions. The Dow Chemical Company and many other chemical companies have made significant investments in all of these areas to address cyber threats. After 9/11 for example, the American Chemistry Council (ACC), as part of its Responsible Care approach, devised the Responsible Care Security Code which requires companies to adhere to the chemical industry best practices for security, both physical and cyber. Dow has invested heavily in, and is constantly upgrading, the physical and information defensive protection systems guarding our Company. However, industry must rely on the Federal Government to approach cyber security, working in partnership with other countries, to deploy an offensive perspective by preempting attacks when possible and through the pursuit and prosecution of the criminals behind these threats. The management systems rely on information and knowledge, and there is a need for identifying better approaches to work with government in improving information sharing. Increased focus on real time and efficient information sharing programs should be improved to foster, incentivize and increase the sharing of threat activity. Dow believes that protection of the country's critical infrastructure can be addressed most effectively by moving forward with legislation which strengthens the collaboration between the Federal Government and the private sector. The key principles of this collaboration are:Timely information sharing between government and industry and among industry peers. Reasonable protection for companies sharing threat or attack information with the government and their industry peers. Aggressive pursuit and prosecution of cyber criminals. IT and telecommunication suppliers must continue to improve the security of their products and services and be unified in providing services that their customers can rely on for threat response. Dow does not support prescriptive regulatory legislation on specific technologies or methods. Legislation that sets up a system requiring significant resources to simply comply with a regulatory scheme diverts resources from addressing the threats and risks in need of mitigation. Issues surrounding cyber security are in constant flux and proper management requires a fluid and fast response. Complex regulatory schemes will only slow the advancement of cyber risk management systems. Background The Internet has become critical to the operations of business, government and global commerce. It is an open and dynamic venue for the exchange and collection of ideas and information. For the United States it has been a key enabler for maintaining the country's competitiveness. Some elements inside and outside the country, however, have seized on this open framework and have found innovative ways to use it for illegal financial gains, victimization of the innocent and to advance ambitions that are not in the interest of the United States. Today, companies regularly have to manage major information security issues, including: corporate espionage, intellectual property theft and malicious activism. Companies also must be prepared to manage and mitigate risks such as acts of terrorism or sabotage that could have severe physical and/or financial consequences. The Dow Chemical Company, like many large corporations, is regularly attack from sources that are advanced, persistent and targeting our intellectual property. In many cases, the highly sophisticated attackers are based in foreign countries. Efforts to develop a public-private partnership to protect against cyber attacks has a long history. In 2003, one of the key objectives of the National Strategy to Secure Cyberspace was to provide a framework for public and private partnership including the sharing of information. Much progress has been made, but today's cyber attacks are much more advanced and it is clear that more ongoing progress is needed to ensure the continued prevention of a severe systemic failure of public or private critical infrastructure. It will require a more responsive, integrated, and resilient national system to prepare for and respond to these threats. Chemical Industry Cyber Security Leadership Large companies such as Dow are seeing an increase in the risks we face. The internet, including the growth of social media, has elevated our exposure to threat actors such as hacktivists (hackers with a targeted malicious intent to vandalize or stop business as their protest method) and nation states sponsoring industrial espionage or cyber criminals. As society and industry move toward increased mobility and pervasiveness of information technology, the frequency and cost of cyber-incidents will continue to increase. These risks require a joint public and private effort to be managed effectively. In 2001, Dow and other American Chemistry Council (ACC) members voluntarily adopted the Responsible Care Security Code (RCSC). The RCSC is a comprehensive security management program that addresses both physical and cyber security. It requires a comprehensive assessment of security vulnerabilities and risks to implement protective measures across a company's value chain. Since RCSC's inception, ACC members have invested more than $11 billion in security enhancements including both physical and cyber security protections. Security, in all its dimensions, continues to be a top priority for Dow and the chemical industry. Our record of accomplishment and cooperation with Congress, DHS and others is undisputed. Dow has led in several business and public forums which focus on advancing cyber security within the chemical sector. Dow regularly provides leadership or participates with the following organizations: ChemITC Chemical Information Technology Center (ChemITC) of the American Chemistry Council (ACC) is a forum for companies in and associated with the ACC to address common IT issues. Through strategic programs and networking groups dedicated to addressing specific technology issues, ChemITC is committed to advancing the cyber security of its member organizations. Chemical Sector Coordinating Council (CSCC) Pursuant to the Homeland Security Act of 2002, the purpose of the CSCC is to facilitate effective coordination between Federal infrastructure protection programs, the infrastructure protection activities of the private sector and those of state, local, territorial and tribal governments. National Infrastructure Advisory Council (NIAC) The NIAC provides the President, through the Secretary of Homeland Security, with advice on the security of critical infrastructures, both physical and cyber, supporting sectors of the economy. International Society for Automation (ISA) ISA has primary responsibility for the development of the ISA-62443 series of standards addressing cyber security for industrial automation and control systems (IACS). As each standard is developed it is submitted simultaneously to ANSI and IEC as a U.S national and international standard, respectively. Cyber Security Management at the Dow Chemical Company Dow has a comprehensive set of policies, standards and procedures based on guidance from organizations such as the National Institute of Standards and Technology (NIST) and established industry standards such as ISO 27001 and the ISA/IEC 62443 series for industrial automation. Due to the very fluid nature of cyber threats, Dow is continuously refreshing its practices and technology based on its experience as well as the best available information from the government, industry and other public sources. We frequently benchmark with peer Chemical Sector and broader Manufacturing Sector companies as well as other industries to manage the risk of a cyber attack. We also enlist external private entities to evaluate our security posture. Dow's information security is based on a multi-layer defense strategy. This includes continuing to enhance our IT infrastructure to meet the standards of other companies with high-value security profiles as well as elevating the protection for the Company's most sensitive intellectual and physical assets. Dow uses a risk-based approach for the implementation of these controls. Developing strong partnerships between Dow's Information Security group and all Dow business units is vital to managing the flow of sensitive information and protecting critical infrastructure. Strong collaboration with security vendors and partnerships with government agencies have been essential in preventing, detecting and responding to threats. We work closely with the chemical sector liaisons from the Department of Homeland Security and in forums such as the Industrial Control Systems Joint Working Group (ICSJWG). Working with government agencies has been valuable due to their collaborative nature. Dow believes that a public-private sector collaborative approach to cyber security is the best way to achieve common security goals for individual companies as well as the country. Using a risk- based approach that leverages the existing work of the international cyber security community will facilitate implementation of practices that are both effective and flexible. Dow's multi-layer defense strategy begins with employees. Our ongoing security awareness programs help employees understand the ever- changing threats in the cyber landscape. People are the new perimeter-- our greatest defense, and if not informed and educated, could be our weakest link. We have an ongoing global awareness campaign to: (1) Educate users on policies and the risks we face; (2) Drive commitment to the security program by making security initiatives a personal responsibility; We continue to evaluate and improve the technical and non-technical response capabilities related to cyber threat incidents and we have made significant investments in state-of-the-art technologies to detect anomalous cyber activity which is the predecessor to most cyber attacks. Dow has defined threat response processes to handle these issues when detected and has established a core team of highly skilled employees to coordinate response and proactively mitigate risk to the Company's systems. In order to maintain a highly secure environment, Dow has a team of security professionals who regularly leverage and collaborate with security vendors and government resources to implement and improve security controls. Private Sector Needs from Congress and the Administration Dow believes that protection of the country's critical infrastructure can be addressed most effectively by moving forward with legislation which strengthens the collaboration between the public and the private sectors. This collaboration must recognize the benefits of a risk based and performance based approach, its relationship to physical security, two-way information sharing, prosecution of cyber criminals and protection from liability. This should be done in a way that does not impact the relationships developed over the last decade. Effective two-way cyber security information sharing between the public and private sectors must be timely, specific and actionable, and protected from public disclosure. A public/private partnership will vastly improve the flow of information and ideas to quickly identify threats and vulnerabilities. To help promote the flow of information, information voluntarily provided by the private sector should be adequately protected from public disclosure. The unintended consequences of Freedom of Information Act requests must be addressed. Liability protection for the private sector as a result of a cyber attack must also be provided as long as appropriate management systems have been applied to address potential threats. This will help promote participation amid the more rapid penetration of emerging technologies. The liability protections afforded under the Support Anti-terrorism by Fostering Effective Technologies (SAFETY) Act of 2002 are appropriate to consider. Companies such as Dow are in a defensive mode when it comes to cybercrime. There must be better enforcement of U.S. laws against cybercrime with more aggressive prosecution of cyber criminals in an attempt to deter the act. U.S. laws should be updated and strengthened to protect critical infrastructure from cyber attacks and hold those accountable for perpetrating intentional acts designed to cause harm to critical infrastructure operating systems or for stealing intellectual property and personal information for financial gain. Additionally, the U.S. Federal Government should develop strong international partnerships that work together to identify international threats. Without a focused strategy to address the borderless nature of cybercrime, the private sector will continue to fight an uphill battle. Dow believes the Federal Government has a role in setting an example, by ensuring higher quality security-embedded solutions and services by technology suppliers are built into their systems. Suppliers of IT products and services are best positioned to address issues within the solutions they create and have a responsibility to test and enhance product security, to understand their vulnerability before releasing items into the marketplace. Information technology suppliers and software developers must design for critical infrastructure high-availability and long-lived assets in accordance with rigorous compliance standards. The IT industry is in the best position to enhance security controls. If they do not, it passes an additional burden downstream, and duplicates effort and costs onto the customers in regulated industries. Just as the chemical sector adopted the Responsible Care model, the IT and telecommunication industries must be encouraged by their customer based to create self-regulated security practices and services. Legislation Dow advocates for legislation that codifies the principles outlined above. In summary, legislation that facilitates information sharing between industry and government and among industry peers is needed. Ideal information sharing legislation offers liability protections for early sharing threat or attack information with the government and provides antitrust relief to share with industry peers. Information should include strategic assessments, best practices, and lessons learned from events and incidents. Cyber criminals and nation state actors must not be allowed to continue to operate with relative impunity. They must believe that there are consequences for their actions. Finally, the IT and Telecommunications industries must create products which are inherently more secure. Dow does not support prescriptive regulatory legislation on specific technologies or methods. Legislation that sets up a system requiring significant resources to simply comply with a regulatory scheme diverts resources from addressing the threats and risks in need of mitigation. Cyber security is a constantly changing portfolio and proper management requires a fluid and fast response. Complex regulatory schemes will only slow cyber risk management systems. Executive Order on Improving Critical Infrastructure Cyber Security Dow supports the information sharing initiatives included in the recent Executive order. However, Dow is concerned with the proposed approach of a voluntary program for critical infrastructure industries to adopt cybersecurity standards. Voluntary programs, normally, allow industry to develop their own standards that are risk and performance based that consider the specific sector environment, and are followed by a certification system to ensure compliance. Responsible Care Security code, for one, is a successful example for the Chemical sector. Government defined or selected standards can miss the specific challenges that are required to be addressed by each industry sector. It is initiated as a voluntary program, but it could develop in such a way that companies will be forced to adopt prescriptive standards due to the fact that information on program adoption for ``high risk'' industries may be made public. More concerning this could be done without a review process and could be used to leverage in ways that may not be beneficial to lowering overall risk. The president or Congress should not allow pseudo-regulations without legislation to occur. Dow will actively participate in industry forums like ACC, Chamber of Commerce, the Business Roundtable and all government initiatives to fully support successful implementation of any cyber security efforts which better protect our communities and industries. Chairman Rockefeller. Thank you, sir, very much. Now we go to Greg Wilshusen. STATEMENT OF GREGORY C. WILSHUSEN, DIRECTOR, INFORMATION SECURITY ISSUES, U.S. GOVERNMENT ACCOUNTABILITY OFFICE Mr. Wilshusen. Chairman Rockefeller, Chairman Carper, Ranking Member Coburn, Ranking Member Thune, and other members of the Committees, thank you very much for the opportunity to testify today at today's hearing on cybersecurity. As you know, Federal agencies and our nation's critical infrastructures have become increasingly dependent on interconnected systems and networks that carry out essential operations. While creating significant benefits, this dependency also introduces vulnerabilities in cyber-based threats. These threats could have a potentially serious impact on Federal operations and essential services provided by the private sector. Underscoring the importance of this issue, we have once again designated Federal information security and cyber- critical infrastructure protection as a governmentwide high- risk area. Today, I'll discuss the cyber threats confronting the private sector and Federal Government, several challenges to securing systems, and our assessment of the national cybersecurity strategy. But, before I do, if I may, I'd like to recognize several of my colleagues who were instrumental in developing the body of work upon which my statement is based. Attending with me is Lee McCracken and Jeff Woodward, in the back, in the second row; in addition, Naba Barkakati, John de Ferrari, Rich Hung, Nicole Jarvis, and David Plocher made significant contributions. Cyber-based threats to systems supporting critical infrastructure in Federal operations are evolving and growing. These threats come from a variety of sources, giving--including employees and other insiders, criminal groups, hackers, and foreign nations. These sources vary, in terms of their capabilities, willingness to act, and motives. The unique nature of cyber-based attacks can vastly enhance their reach and their impact. They can originate from around the globe and adversely affect economic and national security, and public health and safety. Over the past 6 years, the number of cyber incidents reported by Federal agencies to US-CERT has increased from about 5500 in Fiscal Year 2006 to 48,562 in Fiscal Year 2012, an increase of 782 percent. These incidents, and the recently reported cyber-based attacks against businesses, further underscore the need to manage and bolster the security of Federal systems and our nation's critical cyber assets. However, the Federal Government continues to face challenges in effectively securing its systems and those supporting critical infrastructure. While actions have been taken to address aspects of these challenges, issues remain. A longstanding challenge has been designing and implementing risk-based information security programs at Federal agencies. Another challenge has been establishing and identifying standards for critical infrastructures; and other challenges include detecting, responding to, and mitigating cyber incidents; securing the use of new technologies; and managing risk to the global IT supply chain. Over the past 12 years, the Federal Government has identified a variety of documents that were intended to articulate a national cybersecurity strategy; however, it has not developed an overarching strategy that synthesizes the relevant portions of these documents or provides a comprehensive description of the current strategy. In addition, the strategy documents sometimes did not incorporate desirable characteristics that enhanced their usefulness. While the documents have generally included elements such as problem definition, goals, and subordinate objectives, they have not always fully addressed milestones and performance measures, cost and resource information, clearly defined roles and responsibilities, and linkage with other key strategy documents. In our February 2013 report, we recommended that the White House cybersecurity coordinator develop an overarching cybersecurity strategy that addresses all key desirable characteristics and addresses cyber challenge areas. Also last month, the President issued an Executive order on improving critical infrastructure cybersecurity. The Executive order includes actions aimed at addressing challenges in developing standards for critical infrastructure and sharing information. Although it is too soon to comment on its effectiveness, the order assigns specific responsibilities to specific individuals with specific deadlines; thus, providing clarity of responsibility and a means for establishing accountability. In summary, addressing the ongoing challenges and implementing effective cybersecurity within the government, as well in collaboration with the private sector and other partners, requires the Federal Government to better define and more effectively implement an integrated national strategy that fully addresses key characteristics, provides a roadmap for resolving identified challenges, articulates a clear process for overseeing agency risk management, and assures accountability for results. This concludes my statement. I'll be happy to answer any questions you may have. [The prepared statement of Mr. Wilshusen follows:] Prepared Statement of Gregory C. Wilshusen, Director, Information Security Issues, United States Government Accountability Office ``Cybersecurity: A Better Defined and Implemented National Strategy is Needed to Address Persistent Challenges'' Chairmen Rockefeller and Carper, Ranking Members Thune and Coburn, and Members of the Committees: Thank you for the opportunity to testify at today's hearing on the cybersecurity partnership between the private sector and our government. As you know, with the advance of computer technology, Federal agencies and our nation's critical infrastructures--such as the electricity grid, water supply, telecommunications, and emergency services--have become increasingly dependent on computerized information systems and electronic data to carry out operations and process, maintain, and report essential information. While bringing significant benefits, this dependency can also create vulnerabilities to cyber-based threats. Pervasive and sustained cyber attacks against the United States could have a potentially serious impact on Federal and nonfederal systems and operations. Underscoring the importance of this issue, we have designated Federal information security as a high- risk area since 1997 and in 2003 expanded this area to include protecting computerized systems supporting our nation's critical infrastructure.\1\ --------------------------------------------------------------------------- \1\ See most recently, GAO, High-Risk Series: An Update, GAO-13-283 (Washington, D.C.: Feb. 14, 2013). --------------------------------------------------------------------------- Federal law and policy call for a risk-based approach to managing cybersecurity within the government and also specify activities to enhance the cybersecurity of public and private infrastructures that are essential to national security, economic security, and public health and safety. Over the last 12 years, the Federal Government has developed a number of strategies and plans for addressing cybersecurity based on this legal framework, including the National Strategy to Secure Cyberspace, issued in February 2003, and subsequent plans and strategies that address specific sectors, issues, and revised priorities. In my testimony today, I will summarize (1) several challenges faced by the Federal Government in effectively implementing cybersecurity, including complying with the Federal Information Security Management Act, and (2) the extent to which the national cybersecurity strategy includes key desirable characteristics of effective strategies. My statement is based on our recently released report examining the Federal Government's cybersecurity strategies and the status of Federal efforts to address challenges in implementing cybersecurity,\2\ as well as other previous work in this area. (Please see app. I for a list of related GAO products.) --------------------------------------------------------------------------- \2\ GAO, Cybersecurity: National Strategy, Roles, and Responsibilities Need to Be Better Defined and More Effectively Implemented, GAO-13-187 (Feb. 14, 2003). --------------------------------------------------------------------------- The work on which this statement is based was conducted in accordance with generally accepted government auditing standards. Those standards require that we plan and perform audits to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provided a reasonable basis for our findings and conclusions based on our audit objectives. Background Threats to systems supporting critical infrastructure and Federal information systems are evolving and growing. Advanced persistent threats--where adversaries possess sophisticated levels of expertise and significant resources to pursue their objectives repeatedly over an extended period of time--pose increasing risks. In 2009, the President declared the cyber threat to be ``[o]ne of the most serious economic and national security challenges we face as a nation'' and stated that ``America's economic prosperity in the 21st century will depend on cybersecurity.'' \3\ The Director of National Intelligence has also warned of the increasing globalization of cyber attacks, including those carried out by foreign militaries or organized international crime. In January 2012, he testified that such threats pose a critical national and economic security concern.\4\ To further highlight the importance of the threat, on October 11, 2012, the Secretary of Defense stated that the collective result of attacks on our nation's critical infrastructure could be ``a cyber Pearl Harbor; an attack that would cause physical destruction and the loss of life.'' \5\ --------------------------------------------------------------------------- \3\ President Barack Obama, ``Remarks by the President on Securing Our Nation's Cyber Infrastructure'' (Washington, D.C.: May 29, 2009). \4\ James R. Clapper, Director of National Intelligence, ``Unclassified Statement for the Record on the Worldwide Threat Assessment of the U.S. Intelligence Community for the Senate Select Committee on Intelligence'' (January 31, 2012). \5\ Secretary of Defense Leon E. Panetta, ``Remarks by Secretary Panetta on Cybersecurity to the Business Executives for National Security, New York City'' (New York, NY: Oct. 11, 2012). --------------------------------------------------------------------------- The evolving array of cyber-based threats facing the nation pose threats to national security, commerce and intellectual property, and individuals. These threats can be unintentional or intentional. Unintentional threats can be caused by software upgrades or defective equipment that inadvertently disrupt systems. Intentional threats include both targeted and untargeted attacks from a variety of sources. These sources include business competitors, corrupt employees, criminal groups, hackers, and foreign nations engaged in espionage and information warfare. Such threat sources vary in terms of the types and capabilities of the actors, their willingness to act, and their motives. Table 1 shows common sources of adversarial cybersecurity threats. ------------------------------------------------------------------------ Table 1.--Sources of Adversarial Threats to Cybersecurity ------------------------------------------------------------------------ Threat source Description ------------------------------------------------------------------------ Bot-network operators Bot-network operators use a network, or bot-net, of compromised, remotely controlled systems to coordinate attacks and to distribute phishing schemes, spam, and malware attacks. The services of these networks are sometimes made available on underground markets (e.g., purchasing a denial-of-service attack or services to relay spam or phishing attacks). ------------------------------------------------------------------------ Business competitors Companies that compete against or do business with a target company may seek to obtain sensitive information to improve their competitive advantage in various areas, such as pricing, manufacturing, product development, and contracting. ------------------------------------------------------------------------ Criminal groups Criminal groups seek to attack systems for monetary gain. Specifically, organized criminal groups use spam, phishing, and spyware/malware to commit identity theft, online fraud, and computer extortion. ------------------------------------------------------------------------ Hackers Hackers break into networks for the thrill of the challenge, bragging rights in the hacker community, revenge, stalking, monetary gain, and political activism, among other reasons. While gaining unauthorized access once required a fair amount of skill or computer knowledge, hackers can now download attack scripts and protocols from the Internet and launch them against victim sites. Thus, while attack tools have become more sophisticated, they have also become easier to use. According to the Central Intelligence Agency, the large majority of hackers do not have the requisite expertise to threaten difficult targets such as critical U.S. networks. Nevertheless, the worldwide population of hackers poses a relatively high threat of an isolated or brief disruption causing serious damage. ------------------------------------------------------------------------ Insiders The disgruntled organization insider is a principal source of computer crime. Insiders may not need a great deal of knowledge about computer intrusions because their knowledge of a target system often allows them to gain unrestricted access to cause damage to the system or to steal system data. The insider threat includes contractors hired by the organization, as well as careless or poorly trained employees who may inadvertently introduce malware into systems. ------------------------------------------------------------------------ International International corporate spies pose a threat to corporate spies the United States through their ability to conduct economic and industrial espionage a and large-scale monetary theft and to hire or develop hacker talent. ------------------------------------------------------------------------ Nations Nations use cyber tools as part of their information-gathering and espionage activities. In addition, several nations are aggressively working to develop information warfare doctrine, programs, and capabilities. Such capabilities enable a single entity to have a significant and serious impact by disrupting the supply, communications, and economic infrastructures that support military power--impacts that could affect the daily lives of citizens across the country. In his January 2012 testimony, the Director of National Intelligence stated that, among state actors, China and Russia are of particular concern. ------------------------------------------------------------------------ Phishers Individuals or small groups execute phishing schemes in an attempt to steal identities or information for monetary gain. Phishers may also use spam and spyware or malware to accomplish their objectives. ------------------------------------------------------------------------ Spammers Individuals or organizations distribute unsolicited e-mail with hidden or false information in order to sell products, conduct phishing schemes, distribute spyware or malware, or attack organizations (e.g., a denial of service). ------------------------------------------------------------------------ Spyware or malware Individuals or organizations with malicious authors intent carry out attacks against users by producing and distributing spyware and malware. Several destructive viruses and worms have harmed files and hard drives, and reportedly have even caused physical damage to critical infrastructure, including the Melissa Macro Virus, the Explore.Zip worm, the CIH (Chernobyl) Virus, Nimda, and Code Red. ------------------------------------------------------------------------ Terrorists Terrorists seek to destroy, incapacitate, or exploit critical infrastructures in order to threaten national security, cause mass casualties, weaken the economy, and damage public morale and confidence. Terrorists may use phishing schemes or spyware/malware in order to generate funds or gather sensitive information. ------------------------------------------------------------------------ Source: GAO analysis based on data from the Director of National Intelligence, Department of Justice, Central Intelligence Agency, and the Software Engineering Institute's CERT Coordination Center. a According to the Office of the National Counterintelligence Executive, industrial espionage, or theft of trade secrets, occurs when an actor, intending or knowing that his or her offense will injure the owner of a trade secret of a product produced for or placed in interstate or foreign commerce, acts with the intent to convert that trade secret to the economic benefit of anyone other than the owner. See Foreign Spies Stealing U.S. Economic Secrets in Cyberspace. These sources of cybersecurity threats make use of various techniques to compromise information or adversely affect computers, software, a network, an organization's operation, an industry, or the Internet itself. Table 2 provides descriptions of common types of cyber attacks. ------------------------------------------------------------------------ Table 2.--Common Types of Cyber Attacks ------------------------------------------------------------------------ Types of attack Description ------------------------------------------------------------------------ Cross-site scripting An attack that uses third-party web resources to run a script within the victim's web browser or scriptable application. This occurs when a browser visits a malicious website or clicks a malicious link. The most dangerous consequences occur when this method is used to exploit additional vulnerabilities that may permit an attacker to steal cookies (data exchanged between a web server and a browser), log key strokes, capture screen shots, discover and collect network information, and remotely access and control the victim's machine. ------------------------------------------------------------------------ Denial-of-service An attack that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources. ------------------------------------------------------------------------ Distributed denial-of- A variant of the denial-of-service attack that service uses numerous hosts to perform the attack. ------------------------------------------------------------------------ Logic bombs A piece of programming code intentionally inserted into a software system that will cause a malicious function to occur when one or more specified conditions are met. ------------------------------------------------------------------------ Phishing A digital form of social engineering that uses authentic-looking, but fake, e-mails to request information from users or direct them to a fake website that requests information. ------------------------------------------------------------------------ Passive wiretapping The monitoring or recording of data, such as passwords transmitted in clear text, while they are being transmitted over a communications link. This is done without altering or affecting the data. ------------------------------------------------------------------------ Structured Query An attack that involves the alteration of a Language injection database search in a web-based application, which can be used to obtain unauthorized access to sensitive information in a database. ------------------------------------------------------------------------ Trojan horse A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms by, for example, masquerading as a useful program that a user would likely execute. ------------------------------------------------------------------------ Virus A computer program that can copy itself and infect a computer without the permission or knowledge of the user. A virus might corrupt or delete data on a computer, use e-mail programs to spread itself to other computers, or even erase everything on a hard disk. Unlike a worm, a virus requires human involvement (usually unwitting) to propagate. ------------------------------------------------------------------------ War driving The method of driving through cities and neighborhoods with a wireless-equipped computer- sometimes with a powerful antenna-searching for unsecured wireless networks. ------------------------------------------------------------------------ Worm A self-replicating, self-propagating, self- contained program that uses network mechanisms to spread itself. Unlike viruses, worms do not require human involvement to propagate. ------------------------------------------------------------------------ Source: GAO analysis of data from the National Institute of Standards and Technology, United States Computer Emergency Readiness Team, and industry reports. The unique nature of cyber-based attacks can vastly enhance their reach and impact, resulting in the loss of sensitive information and damage to economic and national security, the loss of privacy, identity theft, and the compromise of proprietary information or intellectual property. The increasing number of incidents reported by Federal agencies, and the recently reported cyber-based attacks against individuals, businesses, critical infrastructures, and government organizations have further underscored the need to manage and bolster the cybersecurity of our government's information systems and our Nation's critical infrastructures. Number of Cyber Incidents Reported by Federal Agencies Continues to Rise The number of cyber incidents affecting computer systems and networks continues to rise. Over the past 6 years, the number of cyber incidents reported by Federal agencies to the U.S. Computer Emergency Readiness Team (US-CERT) has increased from 5,503 in Fiscal Year 2006 to 48,562 in Fiscal Year 2012, an increase of 782 percent (see fig. 1). [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Source: GAO analysis of US-CERT data for fiscal years 2006-2012 Of the incidents occurring in 2012 (not including those that were reported as under investigation), improper usage,\6\ malicious code, and unauthorized access were the most widely reported types across the Federal Government. As indicated in figure 2, which includes a breakout of incidents reported to US-CERT by agencies in Fiscal Year 2012, improper usage, malicious code, and unauthorized access accounted for 55 percent of total incidents reported by agencies. --------------------------------------------------------------------------- \6\ An incident is categorized as ``improper usage'' if a person violates acceptable computing use policies. [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] --------------------------------------------------------------------------- Source: GAO analysis of US-CERT data for fiscal year 2012. In addition, reports of cyber incidents affecting national security, intellectual property, and individuals have been widespread, with reported incidents involving data loss or theft, economic loss, computer intrusions, and privacy breaches. Such incidents illustrate the serious impact that cyber attacks can have on Federal and military operations; critical infrastructure; and the confidentiality, integrity, and availability of sensitive government, private sector, and personal information. For example, according to US-CERT, the number of agency-reported incidents involving personally identifiable information increased 111 percent from Fiscal Year 2009 to Fiscal Year 2012--from 10,481 to 22,156. Federal Law and Policy Establish Information Security Responsibilities for Agencies The Federal Government's information security responsibilities are established in law and policy. The Federal Information Security Management Act of 2002 (FISMA) \7\ sets forth a comprehensive risk- based framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets. In order to ensure the implementation of this framework, FISMA assigns specific responsibilities to agencies, the Office of Management and Budget (OMB), the National Institute of Standards and Technology (NIST), and inspectors general: --------------------------------------------------------------------------- \7\ Title III of the E-Government Act of 2002, Pub. L. No. 107-347, Dec. 17, 2002; 44 U.S.C 3541, et seq. Each agency is required to develop, document, and implement an agency-wide information security program and to report annually to OMB, selected congressional committees, and the U.S. Comptroller General on the adequacy of its information security policies, procedures, practices, and compliance with --------------------------------------------------------------------------- requirements. OMB's responsibilities include developing and overseeing the implementation of policies, principles, standards, and guidelines on information security in Federal agencies (except with regard to national security systems \8\). It is also responsible for reviewing, at least annually, and approving or disapproving agency information security programs. --------------------------------------------------------------------------- \8\ As defined in FISMA, the term ``national security system'' means any information system used by or on behalf of a Federal agency that (1) involves intelligence activities, national security-related cryptologic activities, command and control of military forces, or equipment that is an integral part of a weapon or weapons system, or is critical to the direct fulfillment of military or intelligence missions (excluding systems used for routine administrative and business applications); or (2) is protected at all times by procedures established for handling classified national security information. See 44 U.S.C. Sec. 3542(b)(2). NIST's responsibilities under FISMA include the development of security standards and guidelines for agencies that include standards for categorizing information and information systems according to ranges of risk levels, minimum security requirements for information and information systems in risk categories, guidelines for detection and handling of information security incidents, and guidelines for identifying an information system as a national security system.\9\ --------------------------------------------------------------------------- \9\ FISMA limits NIST to developing, in conjunction with the Department of Defense and the National Security Agency, guidelines for agencies on identifying an information system as a national security system, and for ensuring that NIST standards and guidelines are complementary with standards and guidelines developed for national security systems. Agency inspectors general are required to annually evaluate the information security program and practices of their agency. The results of these evaluations are to be submitted to OMB, and OMB is to summarize the results in its reporting to --------------------------------------------------------------------------- Congress. In the 10 years since FISMA was enacted into law, Executive Branch oversight of agency information security has changed. As part of its FISMA oversight responsibilities, OMB has issued annual guidance to agencies on implementing FISMA requirements, including instructions for agency and inspector general reporting. However, in July 2010, the Director of OMB and the White House Cybersecurity Coordinator \10\ issued a joint memorandum \11\ stating that the Department of Homeland Security (DHS) was to exercise primary responsibility within the Executive Branch for the operational aspects of cybersecurity for Federal information systems that fall within the scope of FISMA. --------------------------------------------------------------------------- \10\ In December 2009, a Special Assistant to the President was appointed as Cybersecurity Coordinator to address the recommendations made in the Obama administration's 2009 Cyberspace Policy Review. \11\ OMB, Memorandum M-10-28, Clarifying Cybersecurity Responsibilities and Activities of the Executive Office of the President and the Department of Homeland Security (Washington, D.C.: July 6, 2010). --------------------------------------------------------------------------- The OMB memo also stated that in carrying out these responsibilities, DHS is to be subject to general OMB oversight in accordance with the provisions of FISMA. In addition, the memo stated that the Cybersecurity Coordinator would lead the interagency process for cybersecurity strategy and policy development. Subsequent to the issuance of M-10-28, DHS began issuing annual reporting instructions to agencies in addition to OMB's annual guidance. Regarding Federal agencies operating national security systems, National Security Directive 42 \12\ established the Committee on National Security Systems, an organization chaired by the Department of Defense (DOD), to, among other things, issue policy directives and instructions that provide mandatory information security requirements for national security systems. In addition, the defense and intelligence communities develop implementing instructions and may add additional requirements where needed. An effort is underway to harmonize policies and guidance for national security and non-national security systems. Representatives from civilian, defense, and intelligence agencies established a joint task force in 2009, led by NIST and including senior leadership and subject matter experts from participating agencies, to publish common guidance for information systems security for national security and non-national security systems.\13\ --------------------------------------------------------------------------- \12\ National Security Directive 42, National Policy for the Security of National Security Telecommunications and Information Systems (July 5, 1990). \13\ See GAO, Information Security: Progress Made in Harmonizing Policies and Guidance for National Security and Non-National Security Systems, GAO 10 916 (Washington, D.C.: Sept. 15, 2010). --------------------------------------------------------------------------- Various laws and directives have also given Federal agencies responsibilities relating to the protection of critical infrastructures, which are largely owned by private sector organizations. The Homeland Security Act of 2002 created the Department of Homeland Security. Among other things, DHS was assigned with the following critical infrastructure protection responsibilities: (1) developing a comprehensive national plan for securing the critical infrastructures of the United States, (2) recommending measures to protect those critical infrastructures in coordination with other groups, and (3) disseminating, as appropriate, information to assist in the deterrence, prevention, and preemption of, or response to, terrorist attacks. Homeland Security Presidential Directive 7 (HSPD-7) was issued in December 2003 and defined additional responsibilities for DHS, sector- specific agencies, and other departments and agencies. The directive instructed sector-specific agencies to collaborate with the private sector to identify, prioritize, and coordinate the protection of critical infrastructures to prevent, deter, and mitigate the effects of attacks. It also made DHS responsible for, among other things, coordinating national critical infrastructure protection efforts and establishing uniform policies, approaches, guidelines, and methodologies for integrating Federal infrastructure protection and risk management activities within and across sectors. On February 12, 2013, the President issued an executive order on improving the cybersecurity of critical infrastructure.\14\ Among other things, it stated that the policy of the U.S. government is to increase the volume, timeliness, and quality of cyber threat information shared with U.S. private sector entities and ordered the following actions to be taken: --------------------------------------------------------------------------- \14\ Exec. Order No. 13636, 78 Fed. Reg. 11737 (Feb. 19, 2013). The order is also available at http://www.whitehouse.gov/the-press-office/ 2013/02/12/executive-order-improving-critical-infra structure-cybersecurity. The Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence are, within 120 days of the date of the order, to issue instructions for producing unclassified reports of cyber threats and establish a process --------------------------------------------------------------------------- for disseminating these reports to targeted entities. Agencies are to coordinate their activities under the order with their senior agency officials for privacy and civil liberties and ensure that privacy and civil liberties protections are incorporated into such activities. In addition, DHS's Chief Privacy Officer and Officer for Civil Rights and Civil Liberties are to assess the privacy and civil liberties risks and recommend ways to minimize or mitigate such risks in a publicly available report to be released with 1 year of the date of the order. The Secretary of Homeland Security is to establish a consultative process to coordinate improvements to the cybersecurity of critical infrastructure. The Secretary of Commerce is to direct the Director of NIST to lead the development of a framework to reduce cyber risks to critical infrastructure. The framework is to include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks and incorporate voluntary consensus standards and industry best practices to the fullest extent possible. The Director is to publish a preliminary version of the framework within 240 days of the date of the order, and a final version within 1 year. The Secretary of Homeland Security, in coordination with sector-specific agencies, is to establish a voluntary program to support the adoption of the Cybersecurity Framework by owners and operators of critical infrastructure and any other interested entities. Further, the Secretary is to coordinate the establishment of a set of incentives designed to promote participation in the program and, along with the Secretaries of the Treasury and Commerce, make recommendations to the President that include analysis of the benefits and relative effectiveness of such incentives, and whether the incentives would require legislation or can be provided under existing law and authorities. The Secretary of Homeland Security, within 150 days of the date of the order, is to use a risk-based approach to identify critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security. Agencies with responsibilities for regulating the security of critical infrastructure are to consult with DHS, OMB, and the National Security Staff to review the preliminary cybersecurity framework and determine if current cybersecurity regulatory requirements are sufficient given current and projected risks. If current regulatory requirements are deemed to be insufficient, agencies are to propose actions to mitigate cyber risk, as appropriate, within 90 days of publication of the final Cybersecurity Framework. In addition, within 2 years after publication of the final framework, these agencies, in consultation with owners and operators of critical infrastructure, are to report to OMB on any critical infrastructure subject to ineffective, conflicting, or excessively burdensome cybersecurity requirements. Also on February 12, 2013, the White House released Presidential Policy Directive (PPD) 21, on critical infrastructure security and resilience.\15\ This directive revokes HSPD-7, although it states that plans developed pursuant to HSPD-7 shall remain in effect until specifically revoked or superseded. PPD-21 sets forth roles and responsibilities for DHS, sector-specific agencies, and other Federal entities with regard to the protection of critical infrastructure from physical and cyber threats. It also identifies three strategic imperatives to refine and clarify functional relationships across the Federal Government (which includes two national critical infrastructures centers for physical and cyber infrastructure), enable efficient information exchange by identifying baseline data and systems requirements, and implement an integration and analysis function to inform planning and operational decisions. --------------------------------------------------------------------------- \15\ The White House, Presidential Policy Directive/PPD-21, Critical Infrastructure Security and Resilience (Feb. 12, 2013), http:/ /www.whitehouse.gov/the-press-office/2013/02/12/presiden tial-policy-directive-critical-infrastructure-security-and-resil. --------------------------------------------------------------------------- The directive calls for a number of specific implementation actions, along with associated time frames, which include developing a description of the functional relationships within DHS and across the Federal Government related to critical infrastructure security and resilience; conducting an analysis of the existing public-private partnership model; identifying baseline data and system requirements for the efficient exchange of information and intelligence; demonstrating a near real-time situational awareness capability for critical infrastructure; updating the National Infrastructure Protection Plan; and developing a national critical infrastructure security and resilience research and development plan. Finally, the directive identifies 16 critical infrastructure sectors and their designated Federal sector-specific agencies. The Federal Government Continues to Face Challenges in Effectively Implementing Cybersecurity We and Federal agency inspector general reports have identified challenges in a number of key areas of the Federal Government's approach to cybersecurity, including those related to protecting the Nation's critical infrastructure. While actions have been taken to address aspects of these challenges, issues remain in each of the following areas. Designing and implementing risk-based cybersecurity programs at Federal agencies. Shortcomings persist in assessing risks, developing and implementing security controls, and monitoring results at Federal agencies. Specifically, for Fiscal Year 2012, 19 of 24 major Federal agencies reported that information security control deficiencies were either a material weakness or significant deficiency in internal controls over financial reporting. Further, inspectors general at 22 of 24 agencies cited information security as a major management challenge for their agency. Most of the 24 major agencies had information security weaknesses in most of five key control categories: implementing agency-wide information security management programs that are critical to identifying control deficiencies, resolving problems, and managing risks on an ongoing basis; limiting, preventing, and detecting inappropriate access to computer resources; managing the configuration of software and hardware; segregating duties to ensure that a single individual does not control all key aspects of a computer-related operation; and planning for continuity of operations in the event of a disaster or disruption (see fig. 3). [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Source: GAO analysis of agency, inspectors general, and GAO reports as of December 13, 2012. As we noted in our October 2011 report on agencies' implementation of FISMA requirements, an underlying reason for these weaknesses is that agencies have not fully implemented their information security programs.\16\ As a result, they have limited assurance that controls are in place and operating as intended to protect their information resources, thereby leaving them vulnerable to attack or compromise. Accordingly, we have continued to make numerous recommendations to address specific weaknesses in risk management processes at individual Federal agencies. Recently, some agencies have demonstrated improvement in this area. For example, we reported in November 2012 that during Fiscal Year 2012, the Internal Revenue Service (IRS) continued to make important progress in addressing numerous deficiencies in its information security controls over its financial reporting systems.\17\ Nonetheless, applying effective controls over agency information and information systems remains an area of significant concern. --------------------------------------------------------------------------- \16\ GAO, Information Security: Weaknesses Continue Amid New Federal Efforts to Implement Requirements, GAO-12-137 (Washington, D.C.: Oct. 3, 2011). \17\ GAO, Financial Audit: IRS's Fiscal Years 2012 and 2011 Financial Statements, GAO-13-120 (Washington, D.C.: Nov. 9, 2012). --------------------------------------------------------------------------- Establishing and identifying standards for critical infrastructures. As we reported in December 2011, DHS and other agencies with responsibilities for specific critical infrastructure sectors have not yet identified cybersecurity guidance applicable to or widely used in each of the sectors.\18\ Moreover, sectors vary in the extent to which they are required by law or regulation to comply with specific cybersecurity requirements. Within the energy sector, for example, experts have identified a lack of clarity in the division of responsibility between Federal and state regulators as a challenge in securing the U.S. electricity grid. We have made recommendations aimed at furthering efforts by sector-specific agencies to enhance critical infrastructure protection. The recently issued executive order is also intended to bolster efforts in this challenge area. --------------------------------------------------------------------------- \18\ GAO, Critical Infrastructure Protection: Cybersecurity Guidance Is Available, but More Can Be Done to Promote Its Use, GAO-12- 92 (Washington, D.C.: Dec. 9, 2011). --------------------------------------------------------------------------- Detecting, responding to, and mitigating cyber incidents. DHS has made progress in coordinating the Federal response to cyber incidents, but challenges remain in sharing information among Federal agencies and key private-sector entities, including critical infrastructure owners. Difficulties in sharing information and the lack of a centralized information-sharing system continue to hinder progress. The February executive order contains provisions aimed at addressing these difficulties by, for example, establishing a process for disseminating unclassified reports of threat information. Challenges also persist in developing a timely cyber analysis and warning capability. While DHS has taken steps to establish a timely analysis and warning capability, we have reported that it had yet to establish a predictive analysis capability and recommended that the department establish such capabilities.\19\ According to DHS, tools for predictive analysis are to be tested in Fiscal Year 2013. --------------------------------------------------------------------------- \19\ GAO, Cyber Analysis and Warning: DHS Faces Challenges in Establishing a Comprehensive National Capability, GAO-08-588 (Washington, D.C.: July 31, 2008). --------------------------------------------------------------------------- Promoting education, awareness, and workforce planning. In November 2011, we reported that Federal agencies leading strategic planning efforts for cybersecurity education and awareness had not identified details for achieving planned outcomes and that specific tasks and responsibilities were unclear.\20\ We recommended, among other things, that these agencies collaborate to clarify responsibilities and processes for planning and monitoring their activities. We also reported that only two of eight agencies in our review had developed cyber workforce plans, and only three of the eight agencies had a department-wide training program for their cybersecurity workforce. We recommended that these agencies take steps to improve agency and government-wide cybersecurity workforce efforts. Agencies concurred with the majority of our recommendations and outlined steps to address them. --------------------------------------------------------------------------- \20\ GAO, Cybersecurity Human Capital: Initiatives Need Better Planning and Coordination, GAO-12-8 (Washington, D.C.: Nov. 29, 2011). --------------------------------------------------------------------------- Supporting cyber research and development. The support of targeted cyber research and development (R&D) has been impeded by implementation challenges among Federal agencies. In June 2010, we reported that R&D initiatives were hindered by limited sharing of detailed information about ongoing research, including the lack of a process for sharing results of completed projects or a repository to track R&D projects funded by the Federal Government.\21\ To help facilitate information sharing about planned and ongoing R&D projects, we recommended establishing a mechanism for tracking ongoing and completed Federal cybersecurity R&D projects and their funding, and that this mechanism be used to develop an ongoing process to share R&D information among Federal agencies and the private sector. As of September 2012, this mechanism had not been fully developed. --------------------------------------------------------------------------- \21\ GAO, Cybersecurity: Key Challenges Need to Be Addressed to Improve Research and Development, GAO-10-466 (June 3, 2010). --------------------------------------------------------------------------- Securing the use of new technologies. Addressing security concerns related to the use of emerging technologies such as cloud computing, social media, and mobile devices is a continuing challenge. In May 2010, we reported that Federal agencies had not taken adequate steps to ensure that security concerns were addressed in their use of cloud- based services, and made several recommendations to address cloud computing security, which agencies have begun to implement.\22\ Further, we reported in June 2011 that Federal agencies did not always have adequate policies in place for managing and protecting information they access and disseminate through social media platforms such as Facebook and Twitter and recommended that agencies develop such policies.\23\ Most of the agencies agreed with our recommendations. In September 2012, we reported that the U.S. Federal Communications Commission could do more to encourage mobile device manufacturers and wireless carriers to implement a more complete industry baseline of mobile security safeguards.\24\ The commission generally concurred with our recommendations. --------------------------------------------------------------------------- \22\ GAO, Information Security: Federal Guidance Needed to Address Control Issues with Implementing Cloud Computing, GAO-10-513 (Washington, D.C.: May 27, 2010). \23\ GAO, Social Media: Federal Agencies Need Policies and Procedures for Managing and Protecting Information They Access and Disseminate, GAO-11-605 (Washington, D.C.: June 28, 2011). \24\ GAO, Information Security: Better Implementation of Controls for Mobile Devices Should Be Encouraged, GAO-12-757 (Washington, D.C.: Sept. 18, 2012). --------------------------------------------------------------------------- Managing risks to the global information technology supply chain. Reliance on a global supply chain for information technology products and services introduces risks to systems, and Federal agencies have not always addressed these risks. Specifically, in March 2012, we reported that four national security-related agencies varied in the extent to which they had defined supply chain protection measures for their information systems and were not in a position to develop implementing procedures and monitoring capabilities for such measures.\25\ We recommended that the agencies take steps as needed to address supply chain risks, and the departments generally concurred. --------------------------------------------------------------------------- \25\ GAO, IT Supply Chain: National Security-Related Agencies Need to Better Address Risks, GAO-12-361 (Washington, D.C.: Mar. 23, 2012). --------------------------------------------------------------------------- Addressing international cybersecurity challenges. While the Federal Government has identified the importance of international cooperation for cybersecurity and has assigned related roles and responsibilities to Federal agencies, its approach to addressing international aspects of cybersecurity has not been fully defined or implemented. We reported in July 2010 that the government faced a number of challenges in this area, relating to providing top-level leadership to coordinate actions among agencies, developing a national strategy, coordinating policy among key Federal entities, ensuring that international technical standards and policies do not impose unnecessary trade barriers, participating in international cyber- incident response efforts, investigating and prosecuting international cybercrime, and developing international models and norms for behavior.\26\ We recommended that the government develop a global cyberspace strategy to help address these challenges. While such a strategy has been developed and includes goals such as the development of international cyberspace norms, it does not fully specify outcome- oriented performance metrics or timeframes for completing activities. --------------------------------------------------------------------------- \26\ GAO, Cyberspace: United States Faces Challenges in Addressing Global Cybersecurity and Governance, GAO-10-606 (Washington, D.C.: July 2, 2010). --------------------------------------------------------------------------- The U.S. National Cybersecurity Strategy Has Evolved over Time but Is Not Well Defined The Federal Government has issued a variety of documents over the last decade that were intended to articulate a national cybersecurity strategy. The evolution of the Nation's cybersecurity strategy is summarized in figure 4. [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Source: GAO analysis of federal strategy documents. These strategy documents address aspects of the above-mentioned challenge areas. For example, they address priorities for enhancing cybersecurity within the Federal Government as well as for encouraging improvements in the cybersecurity of critical infrastructures within the private sector. However, as we noted in our February 2013 report, the government has not developed an overarching national cybersecurity strategy that synthesizes the relevant portions of these documents or provides a comprehensive description of the current strategy.\27\ The Obama administration's 2009 Cyberspace Policy Review recommended a number of actions, including updating the 2003 National Cybersecurity Strategy. However, no updated strategy document has been issued. In May 2011, the White House announced that it had completed all the near-term actions outlined in the 2009 policy review, including the update to the 2003 national strategy. According to the administration's fact sheet on cybersecurity accomplishments,\28\ the 2009 policy review itself serves as the updated strategy. The fact sheet stated that the direction and needs highlighted in the Cyberspace Policy Review and the previous national cybersecurity strategy were still relevant, and it noted that the administration had updated its strategy on two subordinate cyber issues, identity management and international engagement. Nonetheless, these actions do not fulfill the recommendation that an updated strategy be prepared for the President's approval. As a result, no overarching strategy exists to show how the various goals and activities articulated in current documents form an integrated strategic approach. --------------------------------------------------------------------------- \27\ GAO-13-187. \28\ The White House, ``Fact Sheet: The Administration's Cybersecurity Accomplishments'' (May 12, 2011), accessed on July 26, 2012, http://www.whitehouse.gov/the-press-office/2011/05/12/fact-sheet- administrations-cybersecurity-accomplishments. --------------------------------------------------------------------------- In addition to lacking an integrated strategy, the government's current approach to cybersecurity lacks key desirable characteristics of a national strategy. In 2004, we developed a set of desirable characteristics that can enhance the usefulness of national strategies in allocating resources, defining policies, and helping to ensure accountability.\29\ Table 3 summarizes these key desirable characteristics. --------------------------------------------------------------------------- \29\ See GAO, Combating Terrorism: Evaluation of Selected Characteristics in National Strategies Related to Terrorism, GAO-04- 408T (Washington, D.C.: Feb. 3, 2004). -------------------------------------------------------------------------- Table 3.--Desirable Characteristics for a National Strategy ------------------------------------------------------------------------ Desirable characteristic Description ------------------------------------------------------------------------ Purpose, scope, and Addresses why the strategy was produced, the methodology scope of its coverage, and the process by which it was developed. ------------------------------------------------------------------------ Problem definition and Addresses the particular national problems and risk assessment threats the strategy is directed toward. ------------------------------------------------------------------------ Goals, subordinate Addresses what the strategy is trying to achieve objectives, and steps to achieve those results, as well as activities, and the priorities, milestones, and performance performance measures measures to gauge results. ------------------------------------------------------------------------ Resources, Addresses what implementation of the strategy investments, and risk will cost, the sources and types of resources management and investments needed, and where resources and investments should be targeted based on balancing risk reductions with costs. ------------------------------------------------------------------------ Organizational roles, Addresses who will be implementing the strategy, responsibilities, and what their roles will be compared to others, coordination and mechanisms for them to coordinate their efforts. ------------------------------------------------------------------------ Linkage to other Addresses how a national strategy relates to strategies and other strategies' goals, objectives, and implementation activities, and to subordinate levels of government and their plans to implement the strategy. ------------------------------------------------------------------------ Source: GAO. Existing cybersecurity strategy documents have included selected elements of these desirable characteristics, such as setting goals and subordinate objectives, but have generally lacked other key elements. The missing elements include the following: Milestones and performance measures. The government's strategy documents include few milestones or performance measures, making it difficult to track progress in accomplishing stated goals and objectives. This lack of milestones and performance measures at the strategic level is mirrored in similar shortcomings within key programs that are part of the government-wide strategy. For example, in 2011 the DHS inspector general recommended that the department develop and implement performance measures to track and evaluate the effectiveness of actions defined in its strategic plan,\30\ which the department had yet to do as of January 2012. --------------------------------------------------------------------------- \30\ DHS, Office of Inspector General, Planning, Management, and Systems Issues Hinder DHS' Efforts to Protect Cyberspace and the Nation's Cyber Infrastructure, OIG-11-89 (Washington, D.C.: June 2011). Cost and resources. While past strategy documents linked certain activities to Federal agency budget requests, none have fully addressed cost and resources, including justifying the required investment, which is critical to gaining support for implementation. Specifically, none of the strategy documents provided full assessments of anticipated costs and how --------------------------------------------------------------------------- resources might be allocated to meet them. Roles and responsibilities. Cybersecurity strategy documents have assigned high-level roles and responsibilities but have left important details unclear. Several GAO reports have likewise demonstrated that the roles and responsibilities of key agencies charged with protecting the cyber assets of the United States are inadequately defined. For example, the chartering directives for several offices within the Department of Defense assign overlapping roles and responsibilities for preparing for and responding to domestic cyber incidents. In an October 2012 report, we recommended that the department update its guidance on preparing for and responding to domestic cyber incidents to include a description of roles and responsibilities.\31\ Further, in March 2010, we reported that agencies had overlapping and uncoordinated responsibilities within the Comprehensive National Cybersecurity Initiative and recommended that OMB better define roles and responsibilities for all key participants.\32\ --------------------------------------------------------------------------- \31\ GAO, Homeland Defense: DOD Needs to Address Gaps in Homeland Defense and Civil Support Guidance, GAO-13-128 (Washington, D.C.: Oct. 24, 2012). \32\ GAO, Cybersecurity: Progress Made but Challenges Remain in Defining and Coordinating the Comprehensive National Initiative, GAO- 10-338 (Washington, D.C.: Mar. 5, 2010). In addition, while the law gives OMB responsibility for oversight of Federal information security, OMB transferred several of its oversight responsibilities to DHS. OMB officials stated that enlisting DHS to perform these responsibilities has allowed OMB to have more visibility into agencies' cybersecurity activities because of the additional resources and expertise provided by DHS. While OMB's decision to transfer these responsibilities is not consistent with FISMA, it may have had beneficial practical results, such as leveraging resources from DHS. Nonetheless, with these responsibilities now divided between the two organizations, it is remains unclear how they are to share oversight of individual departments and agencies. Additional legislation could clarify --------------------------------------------------------------------------- these responsibilities. Linkage with other key strategy documents. Existing cybersecurity strategy documents vary in terms of priorities and structure, and do not specify how they link to or supersede other documents. Nor do they describe how they fit into an overarching national cybersecurity strategy. For example, in 2012, the Obama administration identified three cross-agency cybersecurity priorities, but no explanation was given as to how these priorities related to those established in other strategy documents. Actions Needed to Ensure More Effective Implementation of Cybersecurity Given the range and sophistication of the threats and potential exploits that confront government agencies and the Nation's cyber critical infrastructure, it is critical that the government adopt a comprehensive strategic approach to mitigating the risks of successful cybersecurity attacks. In our February report, we recommended that the White House Cybersecurity Coordinator develop an overarching Federal cybersecurity strategy that includes all key elements of the desirable characteristics of a national strategy.\33\ Such a strategy, we believe, will provide a more effective framework for implementing cybersecurity activities and better ensure that such activities will lead to progress in securing systems and information. This strategy should also better ensure that Federal Government departments and agencies are held accountable for making significant improvements in cybersecurity challenge areas by, among other things, clarifying how oversight will be carried out by OMB and other Federal entities. In the absence of such an integrated strategy, the documents that comprise the government's current strategic approach are of limited value as a tool for mobilizing actions to mitigate the most serious threats facing the Nation. --------------------------------------------------------------------------- \33\ GAO-13-187. --------------------------------------------------------------------------- In addition, many of the recommendations previously made by us and agency inspectors general have not yet been fully addressed, leaving much room for more progress in addressing cybersecurity challenges. In many cases, the causes of these challenges are closely related to the key elements that are missing from the government's cybersecurity strategy. For example, the persistence of shortcomings in agency cybersecurity risk management processes indicates that agencies have not been held accountable for effectively implementing such processes and that oversight mechanisms have not been clear. It is just such oversight and accountability that is poorly defined in cybersecurity strategy documents. In light of this limited oversight and accountability, we also stated in our report that Congress should consider legislation to better define roles and responsibilities for implementing and overseeing Federal information security programs and protecting the Nation's critical cyber assets. Such legislation could clarify the respective responsibilities of OMB and DHS, as well as those of other key Federal departments and agencies. In commenting on a draft of the report, the Executive Office of the President agreed that more needs to be done to develop a coherent and comprehensive strategy on cybersecurity but did not believe producing another strategy document would be beneficial. Specifically, the office stated that remaining flexible and focusing on achieving measurable improvements in cybersecurity would be more beneficial than developing ``yet another strategy on top of existing strategies.'' We agree that flexibility and a focus on achieving measurable improvements in cybersecurity is critically important and that simply preparing another document, if not integrated with previous documents, would not be helpful. The focus of our recommendation is to develop an overarching strategy that integrates the numerous strategy documents, establishes milestones and performance measures, and better ensures that Federal departments and agencies are held accountable for making significant improvements in cybersecurity challenge areas. The Executive Office of the President also agreed that Congress should consider enhanced cybersecurity legislation that addresses information sharing and baseline standards for critical infrastructure, among other things. In summary, addressing the ongoing challenges in implementing effective cybersecurity within the government, as well as in collaboration with the private sector and other partners, requires the Federal Government to define and implement a coherent and comprehensive national strategy that includes key desirable elements and provides accountability for results. Recent efforts, such as the 2012 cross- agency priorities and the executive order on improving cybersecurity for critical infrastructure, could provide parts of a strategic approach. For example, the executive order includes actions aimed at addressing challenges in developing standards for critical infrastructure and sharing information, in addition to assigning specific responsibilities to specific individuals that are to be completed within specific timeframes, thus providing clarity of responsibility and a means for establishing accountability. However, these efforts need to be integrated into an overarching strategy that includes a clearer process for oversight of agency risk management and a roadmap for improving the cybersecurity challenge areas in order for the government to make significant progress in furthering its strategic goals and lessening persistent weaknesses. Chairmen Rockefeller and Carper, Ranking Members Thune and Coburn, and Members of the Committees, this concludes my statement. I would be happy to answer any questions you may have. GAO Contacts and Acknowledgments If you have any questions regarding this statement, please contact Gregory C. Wilshusen ([email protected]) or Dr. Nabajyoti Barkakati ([email protected]). Other key contributors to this statement include John de Ferrari (Assistant Director), Richard B. Hung (Assistant Director), Nicole Jarvis, Lee McCracken, David F. Plocher, and Jeffrey Woodward. Appendix I: Related GAO Products Cybersecurity: National Strategy, Roles, and Responsibilities Need to Be Better Defined and More Effectively Implemented. GAO-13-187. Washington, D.C.: February 14, 2013. High-Risk Series: An Update. GAO-13-283. Washington, D.C.: February 14, 2013. Information Security: Federal Communications Commission Needs to Strengthen Controls over Enhanced Secured Network Project. GAO-13-155. Washington, D.C.: January 25, 2013. Information Security: Actions Needed by Census Bureau to Address Weaknesses. GAO-13-63. Washington, D.C.: January 22, 2013. Information Security: Better Implementation of Controls for Mobile Devices Should Be Encouraged. GAO-12-757. Washington, D.C.: September 18, 2012. Mobile Device Location Data: Additional Federal Actions Could Help Protect Consumer Privacy. GAO-12-903. Washington, D.C.: September 11, 2012. Medical Devices: FDA Should Expand Its Consideration of Information Security for Certain Types of Devices. GAO-12-816. August 31, 2012. Cybersecurity: Challenges in Securing the Electricity Grid. GAO-12- 926T. Washington, D.C.: July 17, 2012. Electronic Warfare: DOD Actions Needed to Strengthen Management and Oversight. GAO-12-479. Washington, D.C.: July 9, 2012. Information Security: Cyber Threats Facilitate Ability to Commit Economic Espionage. GAO-12-876T. Washington, D.C.: June 28, 2012. Cybersecurity: Threats Impacting the Nation. GAO-12-666T. Washington, D.C.: April 24, 2012. IT Supply Chain: National Security-Related Agencies Need to Better Address Risks. GAO-12-361. Washington, D.C.: March 23, 2012. Information Security: IRS Needs to Further Enhance Internal Control over Financial Reporting and Taxpayer Data. GAO-12-393. Washington, D.C.: March 16, 2012. Cybersecurity: Challenges in Securing the Modernized Electricity Grid. GAO-12-507T. Washington, D.C.: February 28, 2012. Critical Infrastructure Protection: Cybersecurity Guidance Is Available, but More Can Be Done to Promote Its Use. GAO-12-92. Washington, D.C.: December 9, 2011. Cybersecurity Human Capital: Initiatives Need Better Planning and Coordination. GAO-12-8. Washington, D.C.: November 29, 2011. Information Security: Additional Guidance Needed to Address Cloud Computing Concerns. GAO-12-130T. Washington, D.C.: October 6, 2011. Information Security: Weaknesses Continue Amid New Federal Efforts to Implement Requirements. GAO-12-137. Washington, D.C.: October 3, 2011. Personal ID Verification: Agencies Should Set a Higher Priority on Using the Capabilities of Standardized Identification Cards. GAO-11- 751. Washington, D.C.: September 20, 2011. Information Security: FDIC Has Made Progress, but Further Actions Are Needed to Protect Financial Data. GAO-11-708. Washington, D.C.: August 12, 2011. Cybersecurity: Continued Attention Needed to Protect Our Nation's Critical Infrastructure. GAO-11-865T. Washington, D.C.: July 26, 2011. Defense Department Cyber Efforts: DOD Faces Challenges in Its Cyber Activities. GAO-11-75. Washington, D.C.: July 25, 2011. Information Security: State Has Taken Steps to Implement a Continuous Monitoring Application, but Key Challenges Remain. GAO-11- 149. Washington, D.C.: July 8, 2011. Social Media: Federal Agencies Need Policies and Procedures for Managing and Protecting Information They Access and Disseminate. GAO- 11-605. Washington, D.C.: June 28, 2011. Cybersecurity: Continued Attention Needed to Protect Our Nation's Critical Infrastructure and Federal Information Systems. GAO-11-463T. Washington, D.C.: March 16, 2011. Information Security: IRS Needs to Enhance Internal Control Over Financial Reporting and Taxpayer Data. GAO-11-308. Washington, D.C.: March 15, 2011. Electricity Grid Modernization: Progress Being Made on Cybersecurity Guidelines, but Key Challenges Remain to Be Addressed. GAO-11-117. Washington, D.C.: January 12, 2011. Information Security: National Nuclear Security Administration Needs to Improve Contingency Planning for Its Classified Supercomputing Operations. GAO-11-67. Washington, D.C.: December 9, 2010. Information Security: Federal Agencies Have Taken Steps to Secure Wireless Networks, but Further Actions Can Mitigate Risk. GAO-11-43. Washington, D.C.: November 30, 2010. Information Security: Federal Deposit Insurance Corporation Needs to Mitigate Control Weaknesses. GAO-11-29. Washington, D.C.: November 30, 2010. Information Security: National Archives and Records Administration Needs to Implement Key Program Elements and Controls. GAO-11-20. Washington, D.C.: October 21, 2010. Cyberspace Policy: Executive Branch Is Making Progress Implementing 2009 Policy Review Recommendations, but Sustained Leadership Is Needed. GAO-11-24. Washington, D.C.: October 6, 2010. Information Security: Progress Made on Harmonizing Policies and Guidance for National Security and Non-National Security Systems. GAO- 10-916. Washington, D.C.: September 15, 2010. Information Management: Challenges in Federal Agencies' Use of Web 2.0 Technologies. GAO-10-872T. Washington, D.C.: July 22, 2010. Critical Infrastructure Protection: Key Private and Public Cyber Expectations Need to Be Consistently Addressed. GAO-10-628. Washington, D.C.: July 15, 2010. Cyberspace: United States Faces Challenges in Addressing Global Cybersecurity and Governance. GAO-10-606. Washington, D.C.: July 2, 2010. Information Security: Governmentwide Guidance Needed to Assist Agencies in Implementing Cloud Computing. GAO-10-855T. Washington, D.C.: July 1, 2010. Cybersecurity: Continued Attention Is Needed to Protect Federal Information Systems from Evolving Threats. GAO-10-834T. Washington, D.C.: June 16, 2010. Cybersecurity: Key Challenges Need to Be Addressed to Improve Research and Development. GAO-10-466. Washington, D.C.: June 3, 2010. Information Security: Federal Guidance Needed to Address Control Issues with Implementing Cloud Computing. GAO-10-513. Washington, D.C.: May 27, 2010. Information Security: Opportunities Exist for the Federal Housing Finance Agency to Improve Control. GAO-10-528. Washington, D.C.: April 30, 2010. Information Security: Concerted Response Needed to Resolve Persistent Weaknesses. GAO-10-536T.Washington, D.C.: March 24, 2010. Information Security: IRS Needs to Continue to Address Significant Weaknesses. GAO-10-355. Washington, D.C.: March 19, 2010. Information Security: Concerted Effort Needed to Consolidate and Secure Internet Connections at Federal Agencies. GAO-10-237. Washington, D.C.: March 12, 2010. Information Security: Agencies Need to Implement Federal Desktop Core Configuration Requirements. GAO-10-202. Washington, D.C.: March 12, 2010. Cybersecurity: Progress Made but Challenges Remain in Defining and Coordinating the Comprehensive National Initiative. GAO-10-338. Washington, D.C.: March 5, 2010. Critical Infrastructure Protection: Update to National Infrastructure Protection Plan Includes Increased Emphasis on Risk Management and Resilience. GAO-10-296. Washington, D.C.: March 5, 2010. Department of Veterans Affairs' Implementation of Information Security Education Assistance Program. GAO-10-170R. Washington, D.C.: December 18, 2009. Cybersecurity: Continued Efforts Are Needed to Protect Information Systems from Evolving Threats. GAO-10-230T. Washington, D.C.: November 17, 2009. Information Security: Concerted Effort Needed to Improve Federal Performance Measures. GAO-10-159T. Washington, D.C.: October 29, 2009. Critical Infrastructure Protection: OMB Leadership Needed to Strengthen Agency Planning Efforts to Protect Federal Cyber Assets. GAO-10-148. Washington, D.C.: October 15, 2009. Information Security: NASA Needs to Remedy Vulnerabilities in Key Networks. GAO-10-4. Washington, D.C.: October 15, 2009. Information Security: Actions Needed to Better Manage, Protect, and Sustain Improvements to Los Alamos National Laboratory's Classified Computer Network. GAO-10-28. Washington, D.C.: October 14, 2009. Critical Infrastructure Protection: Current Cyber Sector-Specific Planning Approach Needs Reassessment. GAO-09-969. Washington, D.C.: September 24, 2009. Information Security: Federal Information Security Issues. GAO-09- 817R. Washington, D.C.: June 30, 2009. Information Security: Concerted Effort Needed to Improve Federal Performance Measures. GAO-09-617. Washington, D.C.: September 14, 2009. Information Security: Agencies Continue to Report Progress, but Need to Mitigate Persistent Weaknesses. GAO-09-546. Washington, D.C.: July 17, 2009. National Cybersecurity Strategy: Key Improvements Are Needed to Strengthen the Nation's Posture. GAO-09-432T. Washington, D.C.: March 10, 2009. Information Technology: Federal Laws, Regulations, and Mandatory Standards to Securing Private Sector Information Technology Systems and Data in Critical Infrastructure Sectors. GAO-08-1075R. Washington, D.C.: September 16, 2008. Cyber Analysis and Warning: DHS Faces Challenges in Establishing a Comprehensive National Capability. GAO-08-588. Washington, D.C.: July 31, 2008. Information Security: Federal Agency Efforts to Encrypt Sensitive Information Are Under Way, but Work Remains. GAO-08-525. Washington, D.C.: June 27, 2008. Privacy: Lessons Learned about Data Breach Notification. GAO-07- 657. Washington, D.C.: April 30, 2007. Chairman Rockefeller. Thank you very much. This could be to either of you, or both of you. And this is on the question of what I consider a desperately bad situation, in terms of trained work force, for cybersecurity across the nation. I was with a business executive, who's a very good friend of mine, whose company I know very well, and he came in to see me, not about this subject, but about what his company had a concern about. And I asked him, ``So, how are you fixed to take care of yourself on cybersecurity?'' And he's, ``We're fine.'' He said, ``We're fine.'' I don't want to be a psychiatrist, but I know him well enough--you can read body language, you can read voice inflection--and I really didn't believe that he meant to say that. I think he meant to say it, but I didn't believe it. There wasn't any demonstrated interest in it. His was one of the most vulnerable of all industries that could be affected by, you know, attacks--cyber attacks. And so, I didn't say anything about it, but I just--I noted, in my mind, that there was a lack of self-confidence, the lack of interest, and it wasn't believable. And, of course, I might have been absolutely wrong. But, that just leads me to this question. There are so many huge things that we have to do in cybersecurity, but none of them come to anything unless there is a workforce out there which is trained, and trained to the specificity of everything from, you know, standards to what do you do about intellectual property--I mean, just the whole range. And, you know, sort of like when we were starting with the E-Rate or the Internet. I mean, people didn't know anything about it. They knew it was important, but they didn't know anything about it. Then, gradually, that took hold. What, in your mind, should be done to get our country up to speed on training cybersecurity workforce? Mr. Wilshusen. Well, I guess I'll take first stab at it. I think you're absolutely correct, this is an issue for the nation and certainly for the Federal workforce. We did a review and issued a report, last year, on human-capital workforce issues as it relates to cybersecurity. We did work at several agencies. One of the key themes that we identified is that, while agencies were generally able to fill many of their information security positions, they had the most challenge in identifying those individuals that had the technical skills in order to effectively implement security at a technical level. There are a couple of initiatives underway that are intended to help improve the cyber workforce, to ensure better training of individuals, as well as to improve societal knowledge of cybersecurity, beginning early on, through K-12 and onward. One of them is the National Initiative for Cybersecurity Education that's run by DHS and NIST, who are key partners in that particular effort. Chairman Rockefeller. So, they put it into early curriculum. Mr. Wilshusen. Yes. And that's one of the areas where the younger generation's probably more technically literate than I was at that time, and include it in curriculum early on, and carry throughout their education. And then, within the Federal workforce, make sure we have the appropriate technical training and expertise that we can develop and grow our own workforce to address the cybersecurity challenges of today. Chairman Rockefeller. OK. Well, the Feds are part of it, private sector is another part of it. Mr. Kepler. Yes. What I would say is, when you look at the force we've had to put in our company, it's very technically- oriented, in terms of engineers, computer scientists. And I think the key thing the country needs to do, in general, is still foster the development of that kind of capability. And we're short of that, not only cybersecurity, but in a lot of the aspects of the science and technology that we need, to compete globally. I think some of the early challenges has been that people have addressed this as purely an enforcement issue, and so the basis has been more security oriented than the technology underlying in content. And so, it's a mix of people who have thought about this from an enforcement point of view. But, I think the general view of--the skills are going to change over time; they change, year over year, what we have to address. So, having grounded background in computer technology, in science and math, these are the things that you need to get people to work on to solve these problems. But, I think the company--or, country can do well, invested in that in a lot of different aspects of our prosperity. Chairman Rockefeller. So, if you do everything you want to do, how many years will it take for Dow, which is, obviously, one of the most sophisticated companies in the country, to get to where you want to be on work force security? Mr. Kepler. With work--I think we can hire the--you know, with paying a premium for that. We have almost 150 people, now, between direct people and contractors, that work in this space. It's getting the workforce for, actually, the next generation and the next decade to compete and work in our plants and our laboratories. And I think that's a critical issue for the government that's going to take a decade to address, Senator. Chairman Rockefeller. Which is where we've got to educate-- -- Mr. Kepler. Yes. Chairman Rockefeller.--how dangerous this is. Thank you. Mr. Chairman. Chairman Carper. Thanks. Thanks, Senator Rockefeller. Mr. Wilshusen, Senator Coburn suggested you'd be a good witness, and, boy, he was right. And, Mr. Kepler, I think you may have been invited by Senator Thune, as I understand it, and we thank him for inviting you, and you for coming. We're honored, in Delaware, that Dow has a significant presence in our state, and think of you as a--we're fortunate to have you as one of our corporate citizens. I think the first question I'm going to ask would be for either of them, but maybe we start with Mr. Wilshusen, if I could. You have a disadvantage, you and the colleagues that you recognize. Not necessarily--not everybody recognizes the team that helped put together an effort, and I know a lot of people were involved in this; we've got great people at GAO, and we thank you for all that you all do to help us do our jobs--but, had the disadvantage of preparing your report, which you released recently, before the administration, sort of, showed their hand on the Executive order. And just--if you had known what the Executive order was going to look like, and maybe had the benefit of this kind of testimony from the Secretary and from Mr. Gallagher, what would you have--how would your report have changed, if at all? I think it might have changed some, but your--in your testimony today, how might it have changed a bit? Mr. Wilshusen. Well, actually I don't know if our report would change much, other than to identify the Executive order as another strategy-related document that has been developed by the administration. The Executive order certainly addresses one of the key challenge areas that we have identified in the past, in terms of identifying and establishing standards for cybersecurity in the critical infrastructures. And it also will help, in terms of another challenge, as it relates to providing and sharing information to, particularly, those in the private sector. But, it's part of an overall strategy, though. It's still, like other strategy documents, focused on just one component of an overall national strategy. We still believe that the White House cybersecurity coordinator should develop an overarching strategy that integrates this Executive order with the other strategies. One of the positive things that we noted with the Executive order is that it does assign specific responsibilities to individuals. And that's a plus. It also gives them specific deadlines in order to perform those activities. That's another plus. But, it still remains to be seen, in terms of the extent to which there's follow through to make sure that those activities are implemented, and implemented effectively. Chairman Carper. OK. Well, my hope is, before we're done, and we have done our job on the legislative side, that--or, you put the two together, what the administration has laid out and suggested and what we have done, hopefully, in response, to kind of fill out the package--that you'll say, ``Yes, that's a pretty good strategy, and now the key is to implement it well.'' If I could, Mr. Kepler, the--I think you mentioned the word ``protection,'' the kind of--you or maybe one of our earlier witnesses talked about the kind of protections that--whether it's the chemical industry, whether it's other segments of our business industry, that they're looking for needing--I asked Secretary Napolitano about liability--punitive, general, other kinds of liability protection. She mentioned that there's more than just liability that can be afforded as an incentive or a protection for the--for industry. She mentioned--oh, gosh, I think she might have mentioned security--you know, expedited security clearances, so more information would be available to our key stakeholders. Talk about what--the kind of protection that Dow or others in the chemical industry are looking for, and that they need in order to feel more comfortable with what you're being invited to participate in. Mr. Kepler. Yes. And I would make the point that I think the information protection goes both ways. I think one of the things that we would look at over the years is, we'd build up a technology base and, I think, a reasonable operating system base, but the key thing to make this all work is, you need competitive intelligence. And we get very little of that, and we don't have the resources or structure to make that happen. And so, the ability to get government to feel comfortable to share, with industry, specific areas that we can address, so we can get focused, is a critical issue. So, I think if you contemplate legislation, it should think about it in both ways. I think there are issues, when we go across on--not only on liability, but the concerns, sometimes, of sharing information on antitrust, and that the--when companies get to start to share information when there's an incident or an issue, and it gets into shipments or it gets into some other areas, how to make sure that we can manage those type of issues in that, as well. So, I think the view of liability, you know, in our view, is that there--early on, within physical, but it actually can apply to cyber--there's the SAFETY Act that allowed--if you had a good management system in place, that was reviewed, you could actually get liability coverage on that. And we've submitted that, and actually are--fall under that Act, for us. Chairman Carper. Good. Thank you. My thanks to you both. Senator Thune. Senator Thune. Thank you, Mr. Chairman. The GAO's recent report--of course, already talked about-- highlighted some of the persistent shortcomings of the Federal Government's management of its own cybersecurity, which, I think, begs the question about them directing what the private sector should do. And I want to go back, actually, to a 2010 report in which GAO reported that private-sector expectations are not being met for receiving usable cyber threat and cyber alert information from the government. For example, GAO reported that only 27 percent of private sector survey respondents were receiving actionable cyber threat information and alerts that met their expectations to a great or moderate extent. Of those receiving information, there were concerns that the information received is not tailored to each sector's needs, or the information does not have enough information to be useful. So, my question--I would direct this, at least first, to you, Mr. Wilshusen--and that is, in what areas has the government made progress in sharing relevant information with the private sector? And do you have further recommendations? Mr. Wilshusen. Yes, that's a good question. We have followed up on our recommendations made in that report, and we have found that DHS has started to implement a couple of them. But, it remains a challenge area. DHS has taken a number of steps. I know the Secretary, earlier, mentioned about the NCCIC, and that's one area in which it has started to improve the sharing of information through that mechanism. I had also heard where the DHS has issued a relatively large number of security clearances, which can help facilitate the sharing of information. But challenges still remain. We still find that, for example, it has not yet developed a predictive analysis capability, which would help lead to providing timely threat information, alert information, to private industry. And, as Mr. Kepler indicated in his prior remarks, it seems like that is still an area of improvement that can be made on the part of DHS and other Federal partners. Senator Thune. Mr. Kepler, do you feel you're receiving timely and usable cyber threat and cyber alert information from the government? Mr. Kepler. We don't receive content. I think we cooperate together, but there's a--we do not get specific information. And when we get attacked or get to a point that we can mitigate something, to try to go back and understand who it was and where it was and how we go address it in the future, that is rarely, if ever, given, and--or known, I don't know. So, I'd say, you know, we talked about industrial espionage; there's clearly, from the government's viewpoint, I think, nation-sponsored espionage going on. I can't--I need the help of the government to address that. And so, that type of information, and how to deal with that collaboratively, we do not get. Senator Thune. Do you have any---- Mr. Wilshusen. And if I may---- Senator Thune. Yes, go ahead. Mr. Wilshusen. Excuse me. If I may just add one comment, too. Senator Thune. Yes. Mr. Wilshusen. One of the elements that is probably missing is making sure that DHS or the Federal partners have a feedback mechanism, or a loop, where they can solicit and receive feedback from the private sector partners on how well they're doing in providing this type of information. It might be illuminating. Senator Thune. Yes. If I might, too, Mr. Kepler, how important is information sharing peer-to-peer among others in the industry? And how's that working today? What's needed to improve it? Liability, antitrust protections, that sort of thing. Mr. Kepler. Yes, I would say that most of the industries that got stood up under its critical infrastructure have learned how to work together within their industries. The challenge is to start to work across industries. You know, obviously, if you look at cascading issues with power or with IT, it's to be able to share information. And I think the ability to bridge those stovepipes is the area that needs to be improved. Senator Thune. What's your biggest concern about the Executive order implementation process? Mr. Kepler. Well, I think there are two areas, as I pointed out. One concern is, to my--just a point, a minute ago--this is cascading. So, when you think about a significant failure, which is part of the risk that the Executive order is supposed to be--address, the--to me, the thing that we have to rely on is the IT suppliers and the government to have--to make sure that the communications networks work. And that seems to be-- we're focusing more downstream than upstream on what the fundamental issue is. So, I hope, when we look at this, that most of the area needs to be around cyber in the infrastructure that we're building around the Internet and how that's being managed, because we all rely on that, including the government, to work on. And the second thing I think--the standards has been talked a lot, but I think the viewpoint and transparency of how we're going to do risk assessment--because there's the gross risk of what could happen, but there's also understanding what's already been mitigated. So, I get concerned about how you develop the list of high-priority risks, to identify, to start to apply the resources you're going to apply. So, you can create an environment where you create a list of, kind of, generic issues and risk things, that we don't know how to get off that risk list. You know, we've been under CFATS and the physical side, and we've yet to get, you know, sites completely authorized, in terms of getting assessment against their authority. And so, you add cyber into that--I just think, in the next, you know, half a year to a year, to try to get all that risk assessment done, I think that's the area that we can have some unintended consequences in, Senator, unless we think through that clearly. Senator Thune. Thank you, Mr. Chairman. Thank you very much. Chairman Carper. Dr. Coburn? Senator Coburn. Well, let me follow up on that. You know, CFATS, as far as I'm concerned, so far, has been a failure. I don't know if that's your assessment to it, but we've spent billions of dollars, and we have very limited accomplishments there. It's not because we don't intend to. It's not. And cyber's five to six times more complex than that. And one of the questions is, If DHS can't implement CFATS, and there hasn't been the same type of cooperative work upward, in terms of standards--in other words, one of the things--one of the great things about the Executive order is, the President did have his staff say, ``Bring industry in, tell us what we need to do.'' In other words, there was upward communication from the people who actually know it. And that was somewhat lacking, in terms of the CFATS, and is still lacking, in my opinion. So, do--given your experience on CFATS, what's your confidence level on DHS on cyber? Mr. Kepler. I guess that's my point. Senator Coburn. Yes. Mr. Kepler. I think you look at CFATS as--the way it's laid out and put together, I think, is a sound thought process of how to work. So, we support the concept of CFATS. Do you have the right mindset to go--actually set standards and evaluate? Do you have the personnel to work on that? So, I think the industry, as it relates to standards, the reality is, they're out there on cyber. We've worked a lot on process control systems, on management systems, on technology and networks. The previous panel described that. The issue is, Are--Do we have a confident structure to evaluate those risks? And then do the assessment in government to collaborate with it. And I think that's where you need to improve. So, my view has been, it's more an oversight issue than it is a legislation issue. Senator Coburn. All right, thank you. Mr. Wilshusen, I made, in my opening statement, a comment that we've not seen the report on FISMA. But, you all found that only 8 of 22 agencies are in compliance with that. And that's a decline from 13 agencies in 2010. What's the problem? Mr. Wilshusen. We also are looking forward to receiving OMB's FISMA report. It usually provides a lot of useful information, particularly the portion where the IGs conduct their evaluations of their agency's information security programs. One of the issues that we have found over the years and why we have been designating Federal information security as a high-risk area since 1987 is because of agencies'--I won't say ``inability,'' but their lack of meaningful success in securing their systems and meeting many of the requirements for securing their systems. Senator Coburn. Let me explain---- Mr. Wilshusen. In your particular---- Senator Coburn. Let me explain what that means---- Mr. Wilshusen. Sure. Senator Coburn.--so everybody understands. Only eight Federal agencies, at this time, out of 22, meet the guidelines for securing their network. Mr. Wilshusen. And that's actually one of the statistics for assessing the risk---- Senator Coburn. Right. Mr. Wilshusen.--which kind of gets to Mr. Kepler's point, in that it's one of the challenge areas for agencies. It's not an easy job, in terms of implementing effective security over time, because the environment is constantly changing, new technologies are being implemented into the computing environment, the threats are becoming more sophisticated, and business practices are changing. But, at the same time, it's important that agencies implement the appropriate processes to assess their risk, and then, based on that risk, select the appropriate controls to cost-effectively reduce those risks to an acceptable level, and then assure that those controls are effectively implemented, tested, and remain appropriate over time. If agencies don't assess their cyber risks appropriately at the very beginning and regularly thereafter, it has a cascading effect, in terms of the effectiveness of other controls. Senator Coburn. Plus, it wastes a ton of money. You know, in the Federal Government, we spend $64 billion a year on IT, and, essentially, 50 percent of it is wasted, because we don't assess risks, and we don't contract appropriately. Let me--in 2003, President Bush issued HSPD-7, which assigned several tasks to DHS pertaining to critical infrastructure and cybersecurity, including information sharing with the private sector--this was 2003; that's 10 years ago-- and compiling a list of critical infrastructure. The Executive order and the Presidential directive issued by the White House assigns DHS several tasks similar to those the agency was given in 2003. What's different? Mr. Wilshusen. I think there are a couple of differences between the Executive order and HSPD-7. One is that HSPD-7 primarily focused on terrorist activities and counterterrorism; whereas, this particular Executive order is looking at a more broadbased threat factor, if you will, and to include resiliency and the like. The other big difference here is that NIST is responsible-- or has responsibility for creating the cybersecurity framework. Senator Coburn. Yes. Actually, they're responsible for creating the standards, correct? Mr. Wilshusen. Right. And---- Senator Coburn. The voluntary standards that are going to be maybe not so voluntary after they're created. Mr. Wilshusen. Well, their label is a voluntary cybersecurity framework. Senator Coburn. Yes. Mr. Wilshusen. And I believe it's up to DHS and the sector- specific agencies to develop a program to help encourage adoption of that framework. Senator Coburn. I'm over my time, Mr. Chairman, but I just---- I would like for you to make recommendations to Senator Carper and I, if you would, on what you would see as the best oversight function that we could have in looking how the Presidential directive and the Executive order is carried out. You know, this is a complex area. None of us are computer engineers or electrical engineers. And having that guidance from you would be very helpful to this committee. Mr. Wilshusen. I'd be happy to talk to your staff to do that, Dr. Coburn. Senator Coburn. All right. Thank you. Chairman Carper. And I'd amend that request to ask that we share that information, as well, with our two compadres on my left, Senator Rockefeller and Senator Thune. All right, next in order--I think Senator Cowan is next in order, followed by the Senator from New Hampshire, Senator Ayotte. Senator Cowan. Thank you, Mr. Chairman. Gentlemen, thank you for your appearance and testimony today. My first question--actually, my first couple of questions are to you, Mr. Kepler. First, we thank you for coming, and hope you didn't mind me referring to your--you having a platinum system in place. Just a couple of things, and I wonder if you'd tell me if you agree. It's been said that 85 percent of our nation's critical infrastructure is owned by the private sector. You-- and, if that is the case, would you agree that, if the owners of that critical infrastructure fail to harden their systems and we are subject to a cyber attack, that disruption or destruction of those systems could carry catastrophic consequences, not just to the private industry, but to the government sectors that rely upon it? Do you agree with that? Mr. Kepler. Yes. Senator Cowan. And there has been a lot of talk and, I think, a lot of agreement, frankly, that there's a need for more and better information sharing, and the issues that are, necessarily, surrounding that. Do you think--are you satisfied, from your perspective--and you're someone who looks at these issues, not just for Dow, but I imagine you think about them for your industry, as a whole, or private industry--do you think, if we just have better information sharing and some of those protections, alone, we will have done enough to sort of ensure that, at least at a minimum level, we're doing enough, both in the government and private sector, to thwart cyber threats? Mr. Kepler. I think the information sharing is one that lags the most, so the reality is, I think, though--if you think about how you mitigate issue--a risk, in general, it's around applying technology, putting operating disciplines, which you could call ``standards,'' and management systems in place, and then having information sharing about what's going on externally, or competitive intelligence. I think, over the last 10 years, we've built up a fair amount of capability, and, really, the standards have evolved a lot, and the understanding of how to be responsive around those standards. And the industries that have developed operating discipline around this, I think, is pretty healthy. I think the key thing that's missing right now is the ability to share tactical information. We're getting attacked, and don't know who from, and we don't have the resources to work on that. I think the threat has changed in the last 5 years, and--to come from outsources with well-resourced resources that need to be addressed. So, I think the information sharing is a key area. I think the management system around this--because we've got a lot of rules--I think the management system--I think government has to help step up and address. Senator Cowan. When you talk about the rules--actually, in your testimony, you talked about your concern about overly prescriptive legislation. In my prior job in State government, one of the things I had to do was to sort of oversee the regulatory process. I used to tell the team that the agency heads, before you regulate, hesitate, to think about the cost and the impact on businesses and others. As you think about the--when you say ``overly prescriptive,'' what, in particular, concerns you that you don't want to see in legislation, or you're concerned that legislation might do? Mr. Kepler. Well, I think, when you start looking at these--when you talk to companies like ours, and big companies in structure, you know, you go to some of these sectors, and there are 40,000 or 50,000 companies that you have to deal with, or community structures, if you're in water. And one size does not fit all in that. And you have to be able to assess the risk. So, while you have all the infrastructure, it's not all linked. And so, you have to prioritize this. And, to me, that's the key area that you have to work with the sectors on. If there's any area we need more area is--what enemy are we trying to fight, what problem are we trying to solve, and where are the highest risks in this activity to work on? That's a key area that I--needs to be addressed, or we'll be applying standards and structure to areas that probably have a low priority of risk in that approach. Senator Cowan. Do you have any viewpoint whether, if we just had a floor, a baseline that everyone--that everyone could look to or try to adhere to, that might better aid us to do-- or, to address the concerns? Mr. Kepler. Yes. And that's my point on--therefore, you have to have some commitment on--some base floor on the products that you provide people, and how they get configured, and then the responsibility and operating base of how you work on it. So, Dow can bring these resources in, and technologies in, and set them, but a small business that may be linked into this thing, or linked into a supply chain of a critical infrastructure, can't do that. And I think that's where some of this--the industries that supply those products do have to be involved, because the--on the smaller businesses, the same technologies that the consumers use. Senator Cowan. A question to you, in the first instance, Mr. Kepler, and then, Mr. Wilshusen--and maybe you can answer it, as well. And this--sort of picking up off of the Executive order that the President issued last month--and Mr. Gallagher spoke about, sort of, the collaborative effort between industry and government to come together and work together on some issues--I'm--I wonder if either of you have an opinion about how useful it might be to create a task force composed of government cybersecurity experts, security researchers, and tech vendors to contribute to a database of cyber threats that could be accessed by critical infrastructure industries, in realtime, or issue alerts. When you talk about information sharing, is that something you're thinking of, conceptually? Mr. Kepler. Well, conceptually, we have US-CERT, that tries to drive that, for private/public partnership. We have NIAC to look at the policy structures. We have the standard committees to work through. I think there's a cultural issue on information sharing, is that government does--and I--you know, government doesn't want to share it, and business is reluctant to share it. So, I think the legislation has to go at that cultural aspect and deal with the issues that become the excuses in their liability, on our side, that is important, right?--and their--you know, the IP protection, and those things. On government, there's a--from an enforcement point of view, you're really nervous about giving up your pursuit of the criminal. And government, by definition, is nervous about trying to manage secrets. So, we have to create an environment where we can share key information on the specific threats. That's, to me, the critical issue here, not the new organization structures. We have a lot of those. Mr. Wilshusen. And I would just add that there is precedence, to some extent, in that there is a database that's maintained by NIST. It's called the ``National Vulnerability Database.'' It's not a database of threats, but it is a database of vulnerabilities that include, for example, software defects, or defective software, and misconfigurations. That database is available to the public to review. And, indeed, many of the tools that are used to scan network devices may draw from that database to look for particular vulnerabilities and misconfigurations in systems. Senator Cowan. Thank you. And please forgive my indulgence, Mr. Chairman, for going over my time. Thank you. Chairman Carper. No, no, that's fine. Thank you for coming early and staying late---- Senator Cowan. Thank you. Chairman Carper.--Senator Cowan. Senator Ayotte. STATEMENT OF HON. KELLY AYOTTE, U.S. SENATOR FROM NEW HAMPSHIRE Senator Ayotte. Thank you, Mr. Chairman. I appreciate it. And I want to thank the witnesses for being here today on such an important issue. I serve on the Armed Services Committee, as well, and I was inquiring about our top manufacturer in New Hampshire, BAE Systems, just to get a sense of what they've invested in. Just as one company in our state, they've invested over $100 million in their cyber defenses, which, compared to Dow, is probably small, but, I think one thing that they brought to my attention is that they believed, through the interaction they have with the Pentagon, that they have a world class ability to share information. Now, they're a defense contractor, so you can understand why that would be a natural partnership there and that there was a very good collaborative model. While I'm new to this committee, and certainly want to understand the work done by others, one of the worries, I've had, in thinking about this, as I look at the GAO report that was issued, Mr. Wilshusen, and I appreciate the work that you did on this, is the information-sharing difficulties in DHS. And so, we've been talking about some of the concerns we have about DHS's capabilities. Are we trying to use any of the models or patterns from the Pentagon? And also, it worries me that we're going to have to replicate something that apparently, in the Pentagon, we're doing fairly effectively. And so, how do we take those lessons? And can DHS really get to a point where it is, frankly, as effective as some of the work being done at the Pentagon? Mr. Wilshusen. That's an excellent question. And, indeed, the pilot programs that you're referring to are called the DIB cyber pilot programs. I think they may have another name as well. And DIB being the Defense Industrial Base. Last year, GAO issued a report over those programs and made several recommendations to enhance them. And, as it so happens, we also plan to issue another report that will be coming out soon. The recently issued Executive order has a line in it under--I think it's under the information-sharing section--that asks DHS to look at those programs involving the DIB--the Defense cyber pilot programs--and expand them to the other critical infrastructure sectors. And so, that is one of the activities that is planned. Senator Ayotte. Do you think DHS will have the capability to do that? The Pentagon is obviously in a situation where they're dealing with the national security threats, but industries like Dow are dealing with this, a national security threat. So, what's your assessment on DHS's ability? I understand that there's a sort of command to do that in the Executive order, but how can we help them do that? What's your opinion on what the difficulties will be with that? I don't think any of us want to invest in replicating things that already exist in the government, particularly in the fiscal constraints we find ourselves in. Mr. Wilshusen. No, it's usually a good practice to learn from the efforts of others, to learn both the mistakes, what did not work, as well as what did work, and then apply those lessons as you perform your own. And so, certainly there is a lot of benefit for DHS to do this, and learn from that particular pilot program by DOD. In terms of DHS's capability to do that, well, I guess we'll actually find out, because I must say that I can't really give you a clear answer on that, because we haven't examined that particular issue. But its success in other programs, previously has been mixed. The department has made some progress in several areas, but, as GAO often reports, more needs to be done. Senator Ayotte. So, that worries me, and I hope---- Mr. Wilshusen. Yes. Senator Ayotte.--that's something we talk about more in this committee, because this is such an important threat to our country that it can't be, ``We're just not sure,'' and, ``We don't know how this is going to work out,'' because, obviously, we need to all work together to make sure we can prevent the threats that are facing the country as well as those facing our businesses and our economic growth. And I would say, Mr. Kepler, I certainly am reviewing the Executive order, and want to understand it, but, in my prior life, I was an attorney general and thinking about liability protection for the private sector. How does any Executive order really fully get at the type of liability protection that the private sector needs, in light of the fact that, presumably, it's not just liability protection between the government and the industry that's being regulated, but it's also the liability protection to third parties. Mr. Kepler. Well, I think that's the challenge. And I think that's one--in my comments, I said that that's one area where I think legislation may be needed to address that. If you think about major things, like terrorism or whatever, I think there are some vehicles that you can use, with the SAFETY Act, but, if you're trying to look at--you know, I think there are a lot of issues also around intellectual property and legal things that are already defined. When you start looking at issues around espionage and nation state-sponsored commercial espionage, I don't know how-- you know, I think that is something you have to think through from a legislative point of view, not an Executive order point of view. Senator Ayotte. Well, the prior legislation failed in the Senate so I think all of us want to come to a resolution to find a bipartisan way forward to address these issues, but there certainly seemed to be some areas of difficulty. I know that the liability protection issue is one that Dr. Coburn has already talked about, and of the difficulties there. But, I'm of the view that, since we do a lot of comprehensive work around here, if there are certain areas that we can come to agreement on, then we should move those immediately, and then come back to the other areas that we have to address. So, I'm hoping that this committee, as we work together, will do that, and continue, as soon as we can get a piece that's important to industry and important to us, moving forward, to having that cooperation, that we will move it. So, that's my commentary on it. And I'm sure that my time is expired, but I appreciate that both of you are here today, and I look forward to following up with you and learning more about how we can effectively accomplish that. Chairman Carper. I thought those were good questions. Senator Ayotte. Thank you. Chairman Carper. I--we're going to have another round, if it's OK with you, maybe--I'd like to, maybe, do another round. It's not going to take but maybe 15 minutes. Does that work OK with your schedule? Mr. Kepler. Sure. Chairman Carper. We want to be mindful of your schedules. Mr. Kepler. No problem, Senator. Chairman Carper. Good. How about another two rounds? Mr. Kepler. Whatever you need. Chairman Carper. We'll start with one. One of the things I like to do at the end of the hearing is sometimes to ask witnesses what you've learned--what you've learned by listening to one another, from our questions and some of our statements, what maybe you've learned from the earlier panel. So, just be thinking about what--I mean, what are your take aways from this? The other thing I would ask you to share with us is what should be our take aways. And when I speak to a group, sometimes I like to tell them what I'm going to tell them, then I tell them, and then I tell them what I've told them. And so, you've had a chance to do at least part of that, and I'm going to ask you, before you leave, to just kind of give that little sum-up at the end, what should be some our key take aways. For me, one of the key takeaways has been--and I think it was our friend from NIST, Pat--I think he said something like, ``When cybersecurity strategy is good business strategy, then we'll know that we've really gotten somewhere.'' And the--there has been a lot of back-and-forth on information sharing. And Senator Ayotte said she, in her previous life, was attorney general for her state. And I asked some of our staff, ``Why don't we do a better job at information sharing from the government side to the private sector?'' And someone used this as an example, said, ``If you're the FBI, and you're trying to bust a drug ring, and you know--you may let a deal go down, let it happen, just in an effort to move up the food chain and then go after the bigger catches.'' And I don't know if that's what's going on here, or not, but the--I--one of the messages-- for me, one of the take aways is, information flow has to be a two-way street. And so, I take that away. And on--in terms of the capability of DHS--Dr. Coburn's gone now, but he's--you know, I've been hosting a series of classified briefings, where we have DHS coming in, we have the FBI, we have the National Security Agency coming in. And both he and I have been impressed by the improved capabilities at DHS. This is not your grandfather's Oldsmobile, this is not where they were 10 years ago, 5 years ago. They're--they've gotten some good people, and they've enhanced their capabilities. I always like to say that the road to improvement is always under construction, so obviously they have more to do. Everything I do, I know I can do better. And certainly that's true for them. All right. With that having been said, what did you all learn? And, second, what are some good take aways that you would have us to be--just be reinforced with? Mr. Kepler. Well, I'd follow up your--just your first point to--or, last point--to comment that I do--when I look at the scope of DHS, and the challenge they have, it's daunting, and I appreciate the work they're doing. And I do agree that the competency of the organization has improved over the years and stuff. One of the challenges I would say is, we do keep changing the rules a little bit on the number of commissions and structures and groups and things. And so, we're--I'm pleading a little bit for, maybe, stabilization of that and really doing a little bit more oversight on the process, and learning from it. I think the things I learned--I think we came in feeling that the Executive order had--was in the right spirit of what we were trying to do. We certainly like the concepts of the information sharing. We were very big on standards, to begin with, and we've been that. And I'm very good to see how the Senate, here, is looking at embracing that, and the Executive order has embraced that, and I think they really listened well to the organization. So, I think the spirit of how we want to get there is there. If you ask me what the two take aways I'd you to leave with, I think is--this risk management, to me, and how we define that, is more important than the standards. I think the standards momentum is there, so we can, you know, put a stamp on it. But, I believe it's used effectively in government and in industry. So, the real issue is, are we really targeting what problem we want to solve? And I think that's really putting definition around ``risk management,'' if you will. So, how do we solve the problems? Who's our real threat? And really make sure form policy around that. Chairman Carper. Thanks, Mr. Kepler. Mr. Wilshusen. Mr. Wilshusen. Yes, I would say one of the take aways would be just to continue providing the oversight and emphasizing followthrough. One of the challenges in the past with the cybersecurity strategies and the different aspects of them has been seeing them all the way through and making sure that there's follow-up, that there are feedback loops. In terms of the agencies, making sure that what they're doing is the right thing to do. The keys for this particular committee is to provide the oversight that it has in the past, and I imagine will continue to do. And certainly, in our role as GAO, it's to continue to help agencies evaluate their progress, and make recommendations, where appropriate. Chairman Carper. Senator Thune? Senator Thune. Yes, just one last question, if I might, Mr. Chairman, for Mr. Kepler. And I'm interested in knowing what's the most common cyber attack that your company faces, and how that threat could best be alleviated. Mr. Kepler. Yes. If you look at the higher risk ones to--I mean, so you--these numbers sound bizarre, but when you look at the things that used to be a big deal, like viruses--there are still hundreds of thousands of those, and we can protect those pretty well. I think if you tell--you know, what we're challenged with the most is the threats from highly resourced organizations today that are--targeted us and persistent with us. And the concern is, because those are developed, that they end up going down and get learned, and they can migrate down into less sophisticated hands and stuff to work through. So, I think the fact that we have large organizations--and by--not by my--by my reading, those are some countries and organized criminal organizations--that's a big problem, and it's something that I think government needs to, you know, kind of step in and help business, and actually the country, work on. Senator Thune. IP theft? Mr. Kepler. You know, I think IP, in general, company to company, it's--the framework of government today manages that. It's this issue now of international and, I think, country- supported IP theft, in doing that, as well as, you know, basically, just general intelligence gathering into companies that had never really happened to the extent we're seeing it now. Senator Thune. Thank you all very much. Appreciate it. Thank you, Mr. Chairman. Chairman Carper. You bet. One last question, if I could, for Mr. Kepler. What is your CEO's name? Andrew---- Mr. Kepler. Liveris--Andrew Liveris. Chairman Carper. Liveris? Well, he came and spoke to a group of us, not long ago. Very impressive. I think he's--may hold a leadership position in the Business Roundtable. Is that true? Mr. Kepler. Yes, he does. Chairman Carper. And do you know what that is, by chance? Mr. Kepler. What his position is? I think he's chairing it, right now, sir. Chairman Carper. I think he is, as well. The--we appreciate very much, and need, the continued input from the Business Roundtable. We welcome the input from the Chamber of Commerce-- U.S. Chamber of Commerce, and other business groups, as well. But, we're very mindful of the contribution that Business Roundtable can make, and would ask that you pass along our thanks to your CEO and say we'd like to hear more of that, going forward. Well, it's been a good hearing. And, Senator Thune, whom I affectionately call ``Thuney,'' we are here to the bitter end, but it has not been bitter at all. Not even bittersweet. It has been good. And I--these are--this is a hard issue. Senator Thune and my staff have heard me say this before. This is not an easy issue for me to get my head around. And I--a couple of months ago, I felt like I almost reached the point where I knew enough to be dangerous. And after this hearing today, I know enough to be really dangerous, so--hopefully, really helpful. And we--it's a shared responsibility, here. It can't be the legislative side to--just on our own. It can't be just the executive branch. It just can't be the key stakeholders, including the business community. So, it's all of us, together, and--because we have a shared responsibility--and if we do this right, we're going to help our country a whole lot. And we--Senator Thune and I, our colleagues, Senator Rockefeller and Thune, others who serve on our committees, we want to do this right, and your help--testimony today has certainly helped in that regard. So, many thanks to you. And I understand that the hearing record is going to be open for another 14 years. [Laughter.] Chairman Carper. No, not really. Another 14 days, because we're on a short--we're on a short time frame here. Fourteen days for any additional questions or statements from our colleagues. If you get anything, then respond promptly; we'd be most grateful. Anything else for the record, Senator Thune? Senator Thune. No, sir. Chairman Carper. With that having been said, it's a wrap. This hearing is adjourned. Thank you. [Whereupon, at 5:05 p.m., the hearing was adjourned.] A P P E N D I X Prepared Statement of the American Gas Association The American Gas Association (AGA) is pleased to submit this statement for the record for the U.S Senate Committee on Commerce, Science, and Transportation and Committee on Homeland Security and Governmental Affairs joint hearing on The Cybersecurity Partnership Between the Private Sector and Our Government: Protecting our National and Economic Security (March 7, 2013). In AGA's view, natural gas is the foundation fuel for a clean and secure energy future providing benefits for the economy, our environment, and our energy security. Alongside the economic and environmental opportunity natural gas offers our country comes great responsibility to protect its distribution pipeline systems from cyber attacks. Technological advances over the last decade have made natural gas utilities more cost-effective, safer, and better able to serve our customers via web-based programs and tools. Unfortunately, the opportunity cost of a more connected, more efficient industry is that we have become an attractive target for increasingly sophisticated cyber terrorists and cyber thieves. This said, America's investor-owned natural gas utilities are meeting the threat daily via skilled personnel, robust cybersecurity system protections, an industry commitment to security, and a successful ongoing cybersecurity partnership with the Federal Government. AGA, founded in 1918, represents more than 200 local energy companies that deliver clean natural gas throughout the United States. There are more than 71 million residential, commercial and industrial natural gas customers in the U.S., of which 92 percent--more than 65 million customers--receive their gas from AGA members. AGA is an advocate for local natural gas utility companies and provides a broad range of programs and services for member natural gas pipelines, marketers, gatherers, international gas companies and industry associates. Today, natural gas meets almost one-fourth of the United States' energy needs. Government-Private Partnerships and Cybersecurity Management: A Process that Works for Natural Gas Utilities America's natural gas delivery system is the safest, most reliable energy delivery system in the nation. This said, industry operators recognize there are inherent vulnerabilities with employing web-based software and hardware applications for both industrial control systems and business operating systems. Because of this, gas utilities apply myriad cyber standards, guidelines, and related regulations in their cybersecurity portfolios and participate in an array of government- sponsored and industry-sponsored cybersecurity initiatives. However, the most important overall cybersecurity mechanism is the existing cybersecurity partnership between the government intelligence community and industry operators. This two-way information sharing provides for an exchange of vital cybersecurity information within a flexible framework which allows all stakeholders to be proactive and adapt quickly to dynamic cybersecurity risks. Background: The Homeland Security Act of 2002 provides the basis for Department of Homeland Security (DHS) responsibilities in protecting the Nation's critical infrastructure and key resources (CIKR). The Act assigns DHS the responsibility for developing a comprehensive national plan for securing CIKR. This plan, known as the National Infrastructure Protection Plan (NIPP), identifies 18 critical infrastructure sectors within which natural gas transportation is a subsector of the Energy and Transportation Sectors. The NIPP states that more than 80 percent of the country's energy infrastructure is owned by the private sector, and the Federal Government has a statutory responsibility to safeguard critical infrastructure. For this reason, information-sharing amongst industry operators and the government intelligence community is critical to cyber infrastructure protection. Process: Natural gas utilities are working with government at every level to detect and mitigate cyber attacks. In particular, the natural gas transportation subsector works specifically with the DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) to reinforce two-way sharing of cybersecurity awareness, detection, and mitigation programs. This process calls on operators to submit suspicious cyber activity reports to ICS-CERT, while ICS-CERT, in turn, advises operators of noted cyber vulnerabilities, mitigation strategies, and forensic analyses. This open communication has proven over the years to be an effective, uncomplicated mechanism that bolsters the industry's overall cybersecurity posture, while advancing the mission of ICS-CERT. In simple terms, the government intelligence community understands cyber vulnerabilities; natural gas utilities understand their operations; and the two come together in a constructive partnership to protect targeted critical infrastructure. AGA-Government Cybersecurity Partnerships: AGA works closely with the DHS Transportation Security Administration (TSA), Pipeline Security Division within a government-private industry partnership framework for cybersecurity information sharing. The Aviation and Transportation Security Act of 2001 gives the TSA Pipeline Security Division regulatory authority over pipeline security for both physical security and cybersecurity. The TSA Pipeline Security Division has over the past decade chosen to partner with pipeline operators in an environment of guidance rather than regulation/compliance. Partnering has benefitted all stakeholders because it allows government and pipeline owner/ operators to exchange valuable cybersecurity information typically not shared in a compliance-driven environment. AGA also strongly encourages industry participation in DHS-led training programs, workshops, and system evaluation programs, available via our partnership with the ICS-CERT and TSA Pipeline Security Division, as well as relevant cybersecurity programs operated by other agencies. Moreover, DHS officials regularly meet with industry groups, such as the AGA board of directors, as well as individual member companies specifically to review and assess ongoing cyberthreats. Bottom line, as cybersecurity threats evolve and related risks to gas industry operations change, our long-standing public-private partnership with DHS allows natural gas utilities to successfully collaborate with the government on overall cybersecurity in a fashion that benefits both parties. The following is a sample list of government-natural gas industry cybersecurity partnerships: DHS Classified and Unclassified Cyber Security Briefings. Industry operators participate in DHS-sponsored classified and unclassified briefings to receive threat and risk information and analytics. These briefings are in the form of monthly teleconferences and semi-annual face-to-face meetings between the private sector and government intelligence community analysts. The briefings provide information on the state of the subsector in reference to emerging threats, security incidences, and trends. Additionally, AGA is leading the collaborative effort between the government intelligence community and private industry to improve on timely, credible, and actionable information sharing. DHS Control Systems Security Program. DHS offers various opportunities to enhance industry operator knowledge on control system cybersecurity. Industry operators participate in DHS ICS-CERT training, online forums, recommended practices, advisories, and interactive live assistance focused specifically on control system cybersecurity. Industry operators also receive DHS United States Computer Emergency Readiness Team (US-CERT) monthly activity summaries and secured portal advisory communications, submit incident reports for analysis, and engage in the Industrial Control Systems Joint Working Group for information exchange. Oil & Natural Gas Sector Coordinating Council (ONG SCC) Cyber Security Working Group. Industry operators participate in this DHS-sponsored forum for effective coordination of oil and natural gas cybersecurity strategies and activities, policy, and communication across the sector to support the Nation's homeland security mission. The ONG SCC provides a venue for operators to mutually plan, implement, and execute sufficient and necessary sector-wide security programs, procedures and processes; exchange information; and assess accomplishments and progress toward protecting the sector's critical infrastructure. TSA Cyber Security CARMA Program. Sponsored by TSA, this program is intended to develop a nationally-scoped cyber risk management framework to help industry operators identify where internal risk management activities align with industry-wide risk management activities. AGA co-chairs this collaborative effort and facilitates operator participation and contribution. Coordination of Federal Government Risk Assessment Programs. AGA is proactively coordinating meetings of the Department of Energy, Federal Regulatory Energy Commission, TSA, and ICS-CERT in an effort to encourage all government entities to align their various cybersecurity risk assessment programs. The objective is to compare/contrast the programs and identify where synergies may be made. AGA-Industry-Government Cybersecurity Guidelines: Partnership between the private sector and the government is critical to address cybersecurity threats to our Nation's critical infrastructure. As such, AGA and industry operators also collaborate with government partners to produce effective cybersecurity practices and guidelines. Below are a few examples: DHS Transportation Security Administration (TSA), Pipeline Security Guidelines. Guidelines developed through the collaborative effort of government and pipeline asset owners to be used by natural gas and hazardous liquid transmission pipeline companies, natural gas distribution companies, and liquefied natural gas facility operators as a framework for the protection of critical and non-critical pipeline infrastructure. AGA contributed as subject matter experts, in particular to the cybersecurity chapter. DHS Control Systems Security Program, Cyber Security Evaluation Tool (CSET). A desktop software tool that guides users through a step-by-step process for assessing the cybersecurity posture of their industrial control system and enterprise information technology networks. AGA participated in the development, testing, and distribution of this material and contributes to continual improvements to this resource. Department of Energy (DOE), Roadmap to Achieve Energy Delivery Systems Cybersecurity. A strategic framework to improve cybersecurity within the energy sector through a collaborative vision of industry, vendors, academia, and government stakeholders. This vision is supported by goals and time-based milestones for achievement over the next decade. AGA has been a contributor to this resource since its inception in 2006 with its preliminary release as DOE, Roadmap to Secure Control Systems in the Energy Sector. Interstate Natural Gas Association of America (INGAA), Control System Cyber Security Guidelines for the Natural Gas Pipeline Industry. A set of guidelines designed to assist operators of natural gas pipelines in managing control systems cybersecurity requirements. Aligns with TSA Pipeline Security Guidelines and other guidelines/standards commonly used across the oil and natural gas industries. AGA contributed to the review and comment phase and promotes its availability as a valuable resource to operators and government. AGA and INGAA, Security Practices Guidelines, Natural Gas Industry Transmission and Distribution. Guidelines that provide an overview of the recommended physical security and cybersecurity practices and procedures for the transmission and distribution segments of the natural gas industry. AGA and the Interstate Natural Gas Association of America lead the initiative to develop this guidance for natural gas pipeline and utility operators. Non-Standardization of Cybersecurity Practices is Paramount In the recent past, concerns over increasing cyber attacks-- successful or not--on critical infrastructure have led to legislative efforts to create a set of top-down cybersecurity regulations. AGA remains concerned that prescriptive cybersecurity regulations, while well-intentioned, will have little practical impact on cybersecurity and, in fact, will hinder implementation of robust cybersecurity programs. First and foremost, prescriptive cybersecurity regulations would fundamentally transform the productive cybersecurity relationship natural gas utilities have with the TSA Pipeline Security Division from a successful partnership to a more standard regulator-regulated mode, forcing companies to focus more resources on compliance activities than on cybersecurity itself. Also, from a practical perspective, it is unlikely that any set of cybersecurity regulations will be dynamic enough to help companies fight constantly changing and increasingly sophisticated threats. Across the natural gas industry, cybersecurity effectiveness is maximized through the diversity of individual company cybersecurity approaches, e.g., Defense in Depth strategies and customized detection and mitigation systems appropriate for individual company networks. Furthermore, because gas utility control system operations vary amongst operators, companies adhere to cyber standards, guidelines and related regulations most relevant to their specific network functions and vulnerabilities. Companies also turn lessons learned from government- private industry cybersecurity information sharing partnerships into actions designed to protect their specific systems. In sum, as cybersecurity risks and threats change, so do vulnerabilities. Ongoing implementation of new and diverse cybersecurity tools and procedures, based on unique individual company requirements, helps companies adapt to a dynamic cyberthreat environment and bolsters the overall gas utility industry cybersecurity posture. The Cybersecurity Executive Order Considered The Administration's Executive Order (EO), Improving Critical Infrastructure Cybersecurity, is a data collection exercise, standards setting program, and outline for future legislative and regulatory action. In sum, the EO directs the government to: (1) identify all critical infrastructure entities, (2) prepare ``voluntary'' cybersecurity standards for identified critical infrastructure, (3) develop incentives designed to entice entities to adopt the cybersecurity standards, and (4) tasks agencies with existing cybersecurity authorities to determine whether their current regulations are sufficient or if new, more prescriptive, cybersecurity regulation is necessary. Clearly, Congress will be a not-so-silent partner in implementing this EO, particularly if agencies with cybersecurity responsibilities, having found current programs inadequate, lack the authority necessary to further regulate cybersecurity requirements in their sector. In addition, while the EO does seek to strengthen the public-private cybersecurity information sharing partnership, liability and information security protections necessary for critical infrastructure owners and operators to fully participate will require new statutory authority. Overall, the EO is simply the beginning of a long march to improve national cybersecurity. AGA is hopeful, and will work to ensure, that throughout this policy process gas utility industry cybersecurity concerns will be addressed. To that end, below are a few of our specific concerns with the EO. Identifying Critical Infrastructure. The executive order confines itself largely to ``critical infrastructure'', a categorization that undoubtedly will include natural gas utilities. Critical infrastructure is defined in Section 2 of the EO as ``systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health and safety, or any combination of those matters.'' Note that the EO does not define many terms included in the definition (``debilitating impact'', ``economic uncertainty'', etc.), potentially opening an ongoing debate over what systems may be considered critical or not critical. In addition, AGA strongly suggests that the identification process include the active and informed participation of critical infrastructure owner/operators from the start rather than after the assignment of ``critical'' has been determined by the government. By doing this, the government avoids placing the owner/operator in a defensive position with the burden to demonstrate non-criticality. Further, any list must be secured with appropriate information protection mechanisms. Cybersecurity Information Sharing Program. Section 4 of the EO creates a cybersecurity information sharing program, directing DHS, the Department of Justice, and the Office of the Director of National Intelligence to set up cyber threat information sharing processes with targeted private sector entities. Without question, improved information sharing can and will benefit critical infrastructure cybersecurity. However, for industry to fully engage in an information sharing program, information protection mechanisms (safe harbors) and liability protections must be afforded to owners/operators who participate in the program. Without such protections, companies may be unwilling to participate because of the possibility of information leaks as well as due to competitive concerns and legal liability pressures. NIST ``Cybersecurity Framework''. Section 7 of the EO directs the National Institutes of Standards and Technology (NIST) to develop, via an open review process, a ``Cybersecurity Framework'' designed to improve critical infrastructure cybersecurity. The Framework will utilize risk and performance based standards/best practices; technology neutral applications; voluntary consensus standards and industry best practices; and cross-sector security standards applicable to all critical infrastructure. Ultimately, NIST's goal is to create a framework that is ``prioritized, flexible, repeatable, performance- based, and cost-effective'' to help critical infrastructure owner/ operators manage cyber risk. Good intentions notwithstanding, questions remain, including: Given the complexity of the subject, will NIST be able to meet notice and comment timelines? Will the final Framework be flexible enough to address every critical infrastructure sector? How much influence will critical infrastructure sectors have in developing the Framework? Will the Framework morph into mandatory standards? Industry Adoption of Cybersecurity Framework. Section 8 of the EO directs DHS to create a ``voluntary'' program to spur critical infrastructure entities to adopt the NIST Framework. Specifically, DHS will work with other agencies to review the Framework and develop implementation guidance to address sector-specific operating environments. More importantly, DHS will work with the Departments of Commerce and Treasury to report on existing incentives that might spur industry participation in the voluntary program as well as any additional incentives (i.e., liability protections) that would require new statutory authority. Sector agencies will also report annually on which critical infrastructure owner/operators participate in the program. Overall, just how ``voluntary'' this program ends up becoming is an open question. As AGA and other critical infrastructure industries have argued, voluntary government programs often morph into de facto mandatory compliance programs because companies feel compelled to participate rather than risk opening themselves up to litigation for not engaging in a program that has the imprimatur of the Federal Government. Agency Adoption of NIST Cybersecurity Framework. Section 10 of the EO notes that once the NIST Framework has been preliminarily drafted agencies with cybersecurity regulatory responsibilities will review their existing authorities to determine whether they are sufficient given the cyberthreat landscape, and whether they can implement the NIST Framework via regulation. If agencies determine that their current cybersecurity regulatory requirements are insufficient then they shall propose new ``actions'' to mitigate cyber risks. This section clearly pushes sector agencies to create new cybersecurity regulations. These new requirements would, at a minimum, be based upon the NIST Cybersecurity Framework; however, there is plenty of suggestion in Section 10 that agencies move beyond the framework, or seek the authority to do so. We are hopeful this will not lead to regulation for regulations sake. For example, despite having the statutory authority necessary, TSA Pipeline Security Division has chosen not to issue cybersecurity regulations for natural gas utilities in large part because of the successful security partnership we have collectively developed. The Case for Cybersecurity Legislation Despite our concerns about prescriptive cybersecurity standards, AGA does believe that there is a role for cybersecurity legislation, particularly as it relates to improving public-private cybersecurity information sharing and related liability protections. Information Sharing. To help counter cyber attacks and protect networks against future incursions, critical infrastructure needs government to help them identify, block and/or eliminate cyberthreats as rapidly and reliably as possible. From a functional perspective, this will require expediting security clearances for critical infrastructure personnel as well as streamlining the process by which actionable threat intelligence is shared with private industry. Harnessing the cybersecurity capabilities of the government intelligence community on behalf of private sector networks will go a long way towards overall network security. The recently introduced H.R. 624, The Cyber Intelligence Sharing and Protection Act (CISPA) begins to flesh out this process by establishing a cybersecurity partnership between critical infrastructure and the intelligence community. However, there is certainly a role the Department of Homeland Security can play, as a sector specific agency, in distributing cyberthreat information, interpreting potential threat impacts, and working with critical infrastructure entities to keep their networks safe. This would particularly be the case for those industries, like natural gas utilities, that already have a cybersecurity partnership with TSA. Liability Protection, SAFETY Act. Another avenue for legislation surrounds offering liability protection for companies with robust cybersecurity programs--standards, products, processes, etc. The Administration's recent executive order (EO) on cybersecurity underscores this need. The EO directs sector agencies, the intelligence and law enforcement community to establish a cybersecurity information sharing partnership; tasks the National Institute of Standards and Technology with establishing a quasi-regulatory set of cybersecurity standards (a ``cybersecurity framework''); and orders DHS to incentivize critical infrastructure to adhere to the NIST standards. What the EO cannot do is provide liability protections for critical infrastructure entities that make the effort to participate in a public-private cybersecurity program, regardless of whether it is created via EO or some future law. AGA supports employing the SAFETY Act as an appropriate avenue for providing companies that participate in a government-private industry cybersecurity partnership with liability coverage from the impacts of cyberterrorism. SAFETY Act applicability in this area seems plain: The SAFETY Act exists in current law, and a related office at DHS has been reviewing and approving applications for liability coverage in the event of an act of terrorism or cyber attack for over a decade. This office utilizes an existing review and approval process which would allow for immediate granting of liability protections from cyber attacks. Because the SAFETY Act can apply to a variety of areas ranging from cybersecurity standards (cyber best practices, etc.), to procurement practices and related equipment (SCADA, software, firewalls, etc.) companies can layer their liability protection. We are aware of no other existing statute that offers similar liability protections. Moreover, we do not see the need to write new law to address liability protections from cyber incidents when the SAFETY Act is already applicable. This said, there are some areas where we believe the SAFETY Act could be a little stronger as it applies to cyber matters. First, and foremost, the statute could be expanded to make specific reference to liability protections from ``cyber'' events (cyber attacks, cyber terrorism, etc.) and more specific reference to coverage for cybersecurity equipment, policies, information sharing programs, and procedures. While there is coverage under the Act currently for cyber attacks, specifically identifying ``cyber attacks'' as a trigger for liability protections would strengthen the overall concept. The Natural Gas Utility Cybersecurity Posture AGA's policy priorities for cybersecurity include preserving our current cybersecurity partnership with the Transportation Security Administration, Pipeline Security Division, enhancing government- private industry cybersecurity information sharing, opposing burdensome or counterproductive cybersecurity regulation, and supporting robust liability protections for entities that are serious about protecting their networks. If ultimately achieved, these items will only bolster an already solid industry cybersecurity commitment. America's natural gas utilities are cognizant of enduring cyber threats and the continued need for vigilance through cybersecurity protection, detection, and mitigation mechanisms. Industry operators apply numerous cyber standards, guidelines, and related regulations in their cybersecurity portfolios and participate in a variety of government-sponsored cybersecurity initiatives. There is no single solution for absolute system protection. However, through a combination of cybersecurity processes and timely and credible information-sharing amongst the government intelligence community and industry operators, America's natural gas delivery system remains protected, safe and reliable, and will remain so well into the future. ______ Response to Written Question Submitted by Hon. Amy Klobuchar to Hon. Janet Napolitano Question. The Executive Order requires agencies to incorporate privacy and civil liberties safeguards into their activities. Yet the fact that a Federal Government-private sector cyber information-sharing program must be streamlined and rapid in order to be effective poses unique privacy challenges. Can you provide concrete examples of how DHS and other agencies will implement these safeguards even as they increase information sharing with the private sector? The Fair Information Practice Principles of an individual's access to collected data and the preservation of the integrity of that data would seem to be particularly difficult to ensure in the pursuit of sophisticated cyber threats. How will the need for a better flow of information, sometimes including classified information, be balanced with these principles? Do you believe that current law adequately protects privacy rights in cyberspace, particularly if information-sharing between the government and private sector is increased? Do you believe that cyber legislation focusing solely on the issue of information sharing that has been previously proposed in Congress, such as the Cyber Information Sharing and Protection Act (CISPA), adequately address these privacy and civil liberties concerns? Answer. In recognition of the privacy and civil liberties concerns associated with the efforts called for in Executive Order (EO) 13636, the Administration directed Departments and Agencies to assess activities required by EO 13636 for potential privacy and civil liberties risks. In developing this and other documents, the Administration sought input from stakeholders of all viewpoints in industry, government, and the advocacy community. Their input has been vital in crafting an order that incorporates the best ideas and lessons learned from public and private sector efforts while ensuring that our information sharing incorporates rigorous protections for individual privacy, confidentiality, and civil liberties. Indeed, as we perform all of our cyber-related work, we are mindful of the need to protect privacy, and civil liberties. The Department has implemented strong privacy and civil rights and civil liberties standards into all its cybersecurity programs and initiatives from the outset. Rather than simply attempting to balance information sharing with privacy concerns, Departments and Agencies will use the Fair Information Practice Principles (FIPPs) as an analytical framework to assess privacy risks and integrate privacy protections into their cybersecurity programs. The FIPPs help agencies recognize the importance of data minimization, that is, that agencies should only collect information that is relevant and necessary to accomplish agency missions. Not only does this ensure privacy, but it also facilitates more effective protection of critical cybersecurity infrastructure. A concrete example of how DHS implements the FIPPs is by conducting Privacy Impact Assessments (PIAs) on the Department's cyber systems and programs. DHS published the Enhanced Cybersecurity Services (ECS) PIA in January of this year and will continue to update or conduct PIAs on cyber operations on an ongoing basis. The ECS PIA describes the operational processes and privacy and security oversight required to share unclassified and classified cyber threat indicators with companies that provide internet, network and communications services to enable those companies to enhance their service to protect U.S. Critical Infrastructure entities. In addition, the Federal Government will ensure that privacy and civil liberties safeguards are incorporated into cyber activities through the work of the recently formed Assessments Working Group (WG) under the Integrated Task Force (ITF), which leads the Administration's implementation efforts of the requirements laid out in the EO and Presidential Policy Directive-21 (PPD-21). The WG is an interagency body whose participants represent Senior Agency Officials for Privacy and Civil Liberties. The WG is responsible for providing support to Departments and Agencies as they conduct the privacy and civil liberties assessments required by Section 5 of EO 13636. The WG will serve as a forum for sharing approaches to conducting these assessments. Separately, the DHS Privacy Office and Office for Civil Rights and Civil Liberties (CRCL) will conduct assessments of DHS activities undertaken pursuant to the EO, and will compile other Departments' and Agencies' assessments for inclusion in an annual report. In compiling the report, the Privacy Office and Office for Civil Rights and Civil Liberties (CRCL) will consult with the Privacy and Civil Liberties Oversight Board and coordinate with the Office of Management and Budget, consistent with the requirements set forth in EO 13636. In addition, the DHS Privacy Office and Office for Civil Rights and Civil Liberties has hosted a series of five meetings for privacy and civil liberties advocates that began in April 2013 to provide additional transparency into the operation of the ITF Working Groups. It is important to note that the Executive order does not grant new regulatory or other authority to increase voluntary cooperation with the private sector or to establish additional incentives for participation in the Voluntary Critical Infrastructure Cybersecurity Program established in the EO. New approaches to cybersecurity are urgently needed, and we are committed to working with Congress for passage of a comprehensive suite of legislation. The Administration's legislative priorities for the 113th Congress build upon the President's 2011 Cybersecurity Legislative Proposal and take into account two years of public and congressional discourse about how best to improve the Nation's cybersecurity. Congress should enact legislation to incorporate privacy and civil liberties safeguards into all aspects of cybersecurity; strengthen our critical infrastructure's cybersecurity by further increasing responsible information sharing and promoting the establishment and adoption of standards for critical infrastructure; giving law enforcement additional tools to fight crime in the digital age; and creating a National Data Breach Reporting requirement. ______ Response to Written Questions Submitted by Hon. Kelly Ayotte to Hon. Janet Napolitano Question 1. The issue of cyber security is far too important not to find common ground and move forward with legislation that would make us safer today. Some like to blame different associations or trade groups for the inability to get legislation through both bodies of Congress, but I would argue that Republicans and Democrats agree on a vast majority of the issues being debated. Why can't we pass what we all agree on, such as information sharing and then roll up our sleeves and see if we can find consensus on the issues where there may not be as much common ground? Too much is at stake to have an all-or-nothing mentality. Answer. Both sides of the aisle are united in their recognition that cybersecurity must be strengthened. While the Administration has taken significant steps to protect against evolving cyber threats, we must acknowledge that the current threat outpaces current authorities. In the current landscape, DHS must execute its cybersecurity mission under an amalgam of existing statutory and executive authorities that have failed to keep up with the responsibilities. Cybersecurity activities have made clear that certain laws that govern cybersecurity activities must be updated. In February 2013, President Obama issued Executive Order 13636 on Improving Critical Infrastructure Cybersecurity as well as Presidential Policy Directive 21 on Critical Infrastructure Security and Resilience, which will strengthen the security and resilience of critical infrastructure through an updated and overarching national framework that acknowledges the increased role of cybersecurity in securing physical assets. These directives create a foundation for legislative action by implementing concepts set forth in the President's 2009 Cyberspace Policy Review, and policies drawn from the recommendations of the House Republican Cybersecurity Task Force and the bipartisan Commission on Cybersecurity for the 44th Presidency. It is important to note that the Executive order directs Federal agencies to work within current authorities and increase voluntary cooperation with the private sector to provide better protection for computer systems critical to our national and economic security. It does not grant new regulatory authority or establish additional incentives for participation in a voluntary program. New approaches to cybersecurity are urgently needed, and we are committed to working with Congress for passage of a comprehensive suite of legislation. The Administration's legislative priorities for the 113th Congress build upon the President's 2011 Cybersecurity Legislative Proposal and take into account two years of public and congressional discourse about how best to improve the Nation's cybersecurity. Congress should enact legislation to incorporate privacy, confidentiality, and civil liberties safeguards into all aspects of cybersecurity; strengthen our critical infrastructure's cybersecurity by further increasing information sharing and promoting the establishment and adoption of standards for critical infrastructure; give law enforcement additional tools to fight crime in the digital age; and create a National Data Breach Reporting requirement. Question 2. If the Federal Government deems a business as covered critical infrastructure, but that business disputes whether or not it should be covered, what is the appeal process? Do businesses have any recourse or is DHS judge and jury in this instance? Answer. Under Executive Order (EO) 13636, private sector participation in cybersecurity matters with the Department of Homeland Security (DHS) is carried out on a voluntary basis and supports more efficient sharing of cyber threat information. The EO directs the National Institute of Standards and Technology to develop a Cybersecurity Framework to identify cybersecurity practices among critical infrastructure sectors and directs DHS to develop a Voluntary Program to encourage adoption of the Framework. While the intent of the EO is to offer additional cybersecurity capabilities to assist owners and operators of critical infrastructure, with the expectation that accepting this assistance will be in the firms' best interest, EO 13636 creates no new legal obligation for businesses to adopt any cybersecurity measures. Because the vast majority of U.S. critical infrastructure is owned and operated by private companies, reducing the risk to these vital systems requires a strong partnership between government and industry. To implement EO 13636, DHS engaged in a consultative process with public and private sector partners to identify critical infrastructure that if impacted by a cybersecurity incident could reasonably cause catastrophic impacts to our national security, economic security, public health and safety. Specifically, EO 13636 requires consultation with the Critical Infrastructure Partnership Advisory Council; Sector Coordinating Councils; critical infrastructure owners and operators; Sector Specific Agencies; other relevant agencies; independent regulatory agencies; state, local, territorial, and tribal governments; universities; and outside experts. DHS will confidentially notify owners and operators of critical infrastructure identified under this process and ensure identified owners and operators are provided the basis for the determination. The Department is also required to establish an administrative appeals process through which owners and operators of critical infrastructure may submit relevant information and request reconsideration of their identification as ``critical infrastructure of greatest risk.'' Question 3. Earlier this month in a Senate Armed Services hearing, Gen. James Mattis, the Commander of U.S. Central Command testified that with the increasing role of our adversaries in cyberspace, it only adds more urgency to expand our presence, capabilities and authorities to maintain an advantage in cyberspace. Threat networks, including those posed by Iran and China, are adjusting opportunistically. What role do you envision DHS playing to destabilize cyber activities that lead to, among other things, transfer of illicit arms, espionage and aid transferred to support malign actors seeking to undermine our security? What forums exist and what forums are you considering using to put more urgency and high level attention into the DHS-CYBERCOM cyber security dialogue? Answer. The United States confronts a dangerous combination of known and unknown vulnerabilities in cyberspace and strong and rapidly expanding adversary capabilities. Successful response to dynamic cyber threats requires a whole of government approach leveraging homeland security, law enforcement, and military authorities and capabilities, which respectively promote domestic preparedness, criminal deterrence and investigation, and national defense. While each agency operates within the parameters of its authorities, the U.S. Government's response to cyber incidents of consequence is coordinated among the Department of Homeland Security (DHS), Department of Justice (DOJ), and the Department of Defense (DOD) such that ``a call to one is a call to all.'' DHS is responsible for coordinating the Federal Government response to significant cyber or physical incidents affecting critical infrastructure, consistent with statutory authorities. The Department is the largest law enforcement agency in the Federal Government, with personnel stationed in every state and in more than 75 countries around the world. To combat cyber crime, DHS relies upon the skills and resources of the United States Secret Service (USSS), U.S. Immigration and Customs Enforcement (ICE), U.S. Coast Guard, and U.S. Customs and Border Protection (CBP) and works in cooperation with partner organizations, including international partners, to investigate and prosecute cyber criminals and works in cooperation with partner organizations, including international partners, to investigate and prosecute cyber criminals. (Pursuant to section 1030 of the Title 18 of the United States Code, the Federal Bureau of Investigation has primary authority to investigate cyber crimes with a national security, counterintelligence, or espionage nexus.) Additionally, there are several key ways in which DHS leverages the capabilities of the DOD. DHS is able to draw upon specific classified cyber threat intelligence that can be utilized in enhancing the protection of Federal networks and private critical infrastructure networks under cooperative partnerships. The DHS-DOD relationship also includes a Memorandum of Agreement for exchanges of personnel as well as shared technical expertise. I meet regularly with Director Mueller and General Alexander to coordinate and align operational strategies. DHS has administrative security authorities that allow it to defend government networks, to share and receive threat information with private, State, local and tribal entities, and to coordinate with our intelligence community and law enforcement agency partners and to leverage government cybersecurity expertise and render technical assistance when needed. Synchronization among DHS, DOJ, and DOD ensures that all of government's capabilities are brought to bear against cyber threats and enhances government's ability to share timely and actionable cybersecurity information with a variety of partners, especially the private sector. Question 4. A new report from the Pentagon's Defense Science Board on cyber threats has raised some grave concerns. Among its findings, our cyber capabilities at the Pentagon are ``fragmented'' and the Defense Department is not prepared to defend against this threat.'' It goes on to say that the Pentagon cannot be confident that its military computer systems are not compromised because some use components made in countries with high-end cyber-capabilities such as China and Russia. Do you share the concerns of this Pentagon Report? Answer. The Department of Homeland Security (DHS) has reviewed the report and values this contribution provided by the Defense Science Board. We agree that the cyber threat is serious, that public and private networks in all countries are built on inherently insecure architectures, and that the United States should lead the way by taking positive action to increase the security and confidence in the information technology systems we depend on. We have reviewed the recommendations and findings of the report and are working to apply lessons learned to our own mission to protect Federal Civilian Executive branch networks. Additionally, DHS, along with interagency partners, is aggressively implementing the National Strategy for Global Supply Chain Security of January 2012, which seeks to protect the welfare and interests of the American people and secure our Nation's economic prosperity by promoting the secure movement of goods and fostering a resilient supply chain. Question 5. Do you feel countries like China and Russia are ahead of the U.S. on the technology scale when it comes to cyber? How confident are you that the computer systems used by your agency are not vulnerable since so many are made overseas? Answer. We would be happy to provide a threat briefing in a classified setting. Question 6. What is DHS's working relationship and division of labor between Cyber Command and DHS? Answer. Ensuring the Nation's cybersecurity is a shared responsibility. Successful response to dynamic cyber threats requires a whole of government approach leveraging homeland security, law enforcement, and military authorities and capabilities, which respectively promote domestic preparedness, criminal deterrence and investigation, and national defense. While each agency operates within the parameters of its authorities, the U.S. Government's response to cyber incidents of consequence is coordinated among DHS, the Department of Justice (DOJ), and Department of Defense (DOD) such that ``a call to one is a call to all.'' As with all threats to the United States, our allies, and our interests in other domains, the DOD has the mission to defend the Nation against foreign attacks. Its national security mission demands that it defend, deter, and take decisive action in cyberspace to defend our national interests. DHS is responsible for securing unclassified Federal civilian government networks and working with owners and operators of critical infrastructure to secure their networks through risk assessment, mitigation, and incident response capabilities. While each department has its own separate role, there is a high level of cooperation on cybersecurity activities including the U.S. Cyber Command, DHS/NCCIC, and NSA's Threat Operations Center. Collaboration between these designated `cyber centers' has been maturing since the approval of HSPD-23/NSPD-54 in 2007. To further cooperation between DOD and DHS, a memorandum of agreement was signed in October 2010 that formalized coordination processes, embeds DOD cybersecurity analysts within DHS and puts DHS leaders and analysts inside the National Security Agency to foster operational coordination. (This agreement was codified in the National Defense Authorization Act for Fiscal Year 2012, P.L. 112-81, Sec. 1090.) Additionally, I meet regularly with General Alexander to coordinate and align operational strategies. ______ Response to Written Questions Submitted by Hon. Dan Coats to Hon. Janet Napolitano Question 1. The President's Executive Order focuses on threats to the Nation's critical infrastructure, and yet numerous open source reports indicate state sponsored industrial and economic espionage against American businesses is an equal if not greater threat to America's national and economic security. For example, last year General Keith Alexander spoke at an AEI event and called industrial cyberespionage and intellectual property theft ``the greatest transfer of wealth in our Nation's history.'' He estimated the costs to the American economy to be $388 billion, and a 2011 report from the Office of National Counter-Intelligence Executive estimated the costs to the American economy to be in the $400 billion range, with Chinese actors as the world's most active perpetrators of industrial cyberespionage. As you also know, the cybersecurity firm Mandiant released a report this year documenting the problem of Chinese economic/industrial espionage, specifically looking at the ``advanced persistent threat'' (APT) from one of the Chinese People's Liberation Army (PLA) cyberattack units. How would you compare the threat to our economic interests to the threat to critical infrastructure? Answer. The Department of Homeland Security (DHS) continues to be concerned about the effects of cyber-enabled theft of intellectual property, trade secrets and commercial data, and works daily with interagency partners and the private sector to address the threat. Additionally, while the consequences of wide-scale intellectual property theft may be different than those from a destructive or disruptive cyber attack to critical infrastructure, techniques that adversaries may use to steal sensitive business information also expose vulnerabilities that could be used to destroy or disrupt critical systems and services. Both are very real threats of potentially high consequence, and we take them very seriously. In fact the things we must do to address them both are quite similar. To combat cyber crime, DHS relies upon the skills and resources of the United States Secret Service (USSS), U.S. Immigration and Customs Enforcement (ICE), U.S. Coast Guard (USCG), and U.S. Customs and Border Protection (CBP) and works in cooperation with partner organizations to investigate cyber criminals. Since 2009, DHS has prevented $10 billion in potential losses through cyber crime investigations and arrested more than 5,000 individuals for their participation in cyber crime activities. The Department leverages the 31 USSS Electronic Crimes Task Forces (ECTF), which combine the resources of academia, the private sector, and local, state and Federal law enforcement agencies to combat computer-based threats to our financial payment systems and critical infrastructure. The Department is also a partner in the National Cyber Investigative Joint Task Force, which serves as the national focal point for U.S. Government coordination, integration, and sharing of information relating to all domestic national security cyber investigations sharing across the interagency. To further these efforts, the Administration issued its Strategy on Mitigating the Theft of U.S. Trade Secrets in February of this year. DHS will act vigorously to support the Strategy's efforts to combat the theft of U.S. trade secrets--especially in cases where trade secrets are targeted through illicit cyber activity by criminal hackers. In addition, DHS works with its interagency partners to distribute relevant technical threat data to industry partners enabling them to take action to prevent and mitigate potential network intrusions and cyber-enabled theft. The DHS Enhanced Cybersecurity Services (ECS) program is one of many efforts to increase this sharing of technical threat data. Under ECS, DHS provides classified and sensitive threat information to qualified cybersecurity providers, who then utilize this information to offer enhanced cybersecurity services to many businesses that qualify as critical infrastructure entities. However, just as with addressing threats to physical critical infrastructure, we must have two-way and real-time information exchange among government agencies, network owners and operators, and others in order to more fully understand what malicious cyber activity is occurring and how to best address it. We look forward to working with Congress to find ways to further increase this critical information sharing relationship and incentivize the adoption of cybersecurity best practices by critical infrastructure partners. Question 2. A GAO report released last month found that cybersecurity incidents at Federal agencies were on the rise. And while there is an uptick in these incidents, challenges remain in how DHS is carrying out responsibilities in sharing information among Federal agencies and key private sector entities such as critical infrastructure owners. The GAO report also found that DHS is not ``developing a timely analysis and warning capability,'' citing that the Inspector General at DHS recommended that DHS establish a ``consolidated, multiple-classification-level portal to share incident response related information'' which DHS says will not be ready until 2018. The report also found that Federal Information Security Management Act compliance is inadequate, with only 8 of 22 agencies being in compliance with FISMA standards in 2011 (down from 13 out of 24 agencies in 2010) and that 9 agencies ``had not fully developed required policies for monitoring security on a continuous basis.'' Since, according to GAO and various agency Inspectors General, the Federal Government has demonstrated it is unable to meet its requirements under FISMA, what confidences should we have that it is prepared to regulate and oversee private sector operations of critical infrastructure? Answer. Significant progress has been made in improving information sharing among the Department of Homeland Security's (DHS) Office of Cybersecurity and Communication, Federal agencies, and other partners and constituents. DHS provided documentation of its improved public- private cybersecurity information sharing activities to Government Accountability Office (GAO) in August 2011, promptly answered subsequent questions, and are awaiting GAO's closure of the associated recommendations under GAO's report on Key Private and Public Cyber Expectations Need to be Consistently Addressed. Additionally, GAO closed all ten recommendations under the Cyber Analysis and Warning report. Protecting critical infrastructure against growing and evolving cyber threats requires a layered approach. DHS is committed to ensuring cyberspace is supported by a secure and resilient infrastructure that enables open communication, innovation, and prosperity while protecting privacy, confidentiality, and civil rights and civil liberties. The Department has operational responsibilities for securing unclassified Federal civilian government networks and working with owners and operators of critical infrastructure to secure their networks through cyber threat analysis, risk assessment, mitigation, and incident response capabilities. DHS is also responsible for coordinating the national response to significant cyber incidents and for creating and maintaining a common operational picture for cyberspace across the government. In September 2012, DHS finalized the Strategic National Risk Assessment (SNSRA) Report for Communications in coordination with public and private sector partners and is currently working with industry to develop plans for mitigating risks identified in the SNSRA, which will determine the path forward in developing outcome-oriented performance measures for cyber protection activities related to the Nation's core and access communications networks. In addition, in February 2013, the President issued Executive Order 13636 on Improving Critical Infrastructure Cybersecurity as well as Presidential Policy Directive 21 on Critical Infrastructure Security and Resilience, which will strengthen the security and resilience of critical infrastructure through an updated and overarching national framework that acknowledges the increased role of cybersecurity in securing physical assets. Executive Order 13636 expands the voluntary DHS Enhanced Cybersecurity Service program, which promotes cyber threat information sharing between government and the private sector. This engagement helps critical infrastructure entities protect themselves against cyber threats to the systems upon which so many Americans rely. DHS actively collaborates with public and private sector partners every day to improve the security and resilience of critical infrastructure while responding to and mitigating the impacts of attempted disruptions to the Nation's critical cyber and communications networks and to reduce adverse impacts on critical network systems. Such partnerships, combined with existing DHS critical infrastructure cybersecurity programs, assure that DHS will have the relationships and expertise to implement an oversight and compliance regime. Examples of existing programs include the Cyber Information Sharing, and Collaboration Program, which enables regular and trusted sharing of actionable cybersecurity threat indicators that those owners and operators can immediately use for computer network defense activities. Additionally, DHS has long served as the Sector Specific Agency for both the Information Technology and Communications sectors. This trusted partnership has enabled further collaborative initiatives such as the Information Technology Sector Risk Assessment, the Cybersecurity Evaluation Program, which conducts voluntary cybersecurity assessments across all critical infrastructure sectors, and the Critical Infrastructure-Cyber Security program that leads efforts with public and private sector partners to promote an assured and resilient U.S. cyber infrastructure. DHS also conducts daily operational, information sharing, incident response, and technical assistance through the National Cybersecurity and Communications Integration Center (NCCIC) and its components. Every day, partners from private sector critical infrastructures, Information Sharing and Analysis Centers, Federal cybersecurity centers, and international governments collaborate on cybersecurity response and information sharing through the NCCIC. DHS directly supports Federal civilian departments and agencies in developing capabilities that will improve their cybersecurity posture in accordance with the Federal Information Security Management Act (FISMA). To protect Federal civilian agency networks, our National Protection and Programs Directorate (NPPD) is deploying technology to detect and block intrusions through the National Cybersecurity Protection System and its EINSTEIN protective capabilities, while providing guidance on what agencies need to do to protect themselves and measuring implementation of those efforts. Under current authorities though, DHS can only monitor, recommend security posture improvements, and report on Federal agencies' compliance with FISMA. As the GAO report notes, the current law should be updated to give DHS the statutory authority it needs to fulfill the responsibilities it has been given. NPPD is also developing a Continuous Monitoring as a Service (CMaaS) capability. Through an automated and continuously updated analytical process, the deployed .gov agency sensors will provide data to a centralized dashboard. Cyber risk related data will be updated and displayed daily for management and technical staff review that will provide insight into network vulnerabilities to more readily prioritize for the purposes of ongoing mitigation. When combined, the overall results from Departments and Agencies will contribute toward improving the agency-specific, as well as the Federal Executive Branch overall cyber risk posture. This capability will support compliance with Administration policy, be consistent with guidelines set forth by the National Institute of Standards and Technology (NIST), and enable Federal agencies to move from compliance-driven risk management to data-driven risk management. These activities will provide organizations with information necessary to support risk response decisions, security status information, and ongoing insight into effectiveness of security controls. DHS partnered with the General Services Administration (GSA) to award a blanket purchase agreement (BPA) under which CDM tools and services can be provided to government entities. The BPA, with an anticipated $6-billion ceiling for the five years (one-year contract with four one-year options), is open to all Federal civilian and defense organizations, as well as state and local government entities. The significant size of the CDM contract was designed to compatibly support not only Federal civilian network protection assigned to DHS, but the large body of cybersecurity requirements for any Federal custom and cloud application over the life of the contract which are funded separately by each department and agency. Congress provided funding in the DHS Appropriations Act, 2013 (P.L. 113-6) to implement Continuous Diagnostics and Mitigation (CDM) across civilian Executive Branch agencies in order increase our ability to identify and track threats, find vulnerabilities, mitigate the worst issues first and report on progress in doing so. CDM and FISMA legislative reforms that provide clear statutory authorities for carrying out the DHS mission would have the following benefits: Improved security posture leading to improved regulatory compliance Standard security configurations across all Federal Executive Branch civilian department and agency critical network infrastructure Improved communication and collaboration methods across diverse stakeholder groups Improved situational awareness creates synergy amongst the Federal cybersecurity workforce and improves communication and information sharing within the Federal enterprise Increased efficiency and security posture through collaboration and streamlining In addition, DHS works with critical infrastructure stakeholders in the private sector through the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). These relationships are maintained by ICS-CERT through cybersecurity incident analysis and onsite assistance, training opportunities in control systems security development, and the Industrial Control Systems Joint Working Group (ICSJWG). Question 3. The Executive Order focuses solely on government-to- private-sector information sharing. Many believe, and I agree, that better private-to-government and private-to-private information sharing protocols need to be implemented, and I question how we can get there without better liability protections. What is your plan to encourage better private-to-government and private-to-private information sharing? How will the Framework incentivize private sector partnership without these carrots? Is it possible that private companies may withhold participation in the Framework until such incentives are provided through legislation? Answer. While Executive Order (EO) 13636 on Critical Infrastructure Cybersecurity works to increase information sharing from the government to the private sector, the Department of Homeland Security (DHS) is focused on expanding information sharing relationships both within the government and among the private sector through adherence to three goals: Build trust and credibility among critical infrastructure owners/operators; Build sharing relationships where no sharing is currently occurring; and Incorporate individual owners/operators in the sharing environment and align their cybersecurity and risk management requirements with existing and emerging data flows being developed or optimized. For example, through the Cyber Information Sharing and Collaboration Program (CISCP), DHS has entered into Cooperative Research and Development Agreements with critical infrastructure owners and operators that enable regular and trusted sharing of actionable cybersecurity threat indicators that are immediately used for computer network defense activities. Additionally, DHS has long served as the Sector Specific Agency for both the Information Technology and Communications sectors (as well as eight other sectors). This trusted partnership with private sector and Federal partners has enabled further collaborative initiatives such as the Information Technology Sector Risk Assessment, the Cybersecurity Evaluation Program, which conducts voluntary cybersecurity assessments across all critical infrastructure sectors, and the Critical Infrastructure-Cyber Security program that leads efforts with public and private sector partners to promote an assured and resilient U.S. cyber infrastructure. The Department also has established close working relationships with industry through partnerships like the Protected Critical Infrastructure Information (PCII) Program, which enhances voluntary information sharing between infrastructure owners and operators and the government. Furthermore, DHS conducts daily operational, information sharing, incident response, and technical assistance through the National Cybersecurity and Communications Integration Center (NCCIC) and its components: the United States Computer Emergency Readiness Team, the Industrial Control Systems Cyber Emergency Response Team, and the National Coordinating Center for Communications. Presently, the DHS Science and Technology Directorate (S&T) has ongoing or proposed cooperative activities in the area of cyber security research and development (R&D) to promote the benefits of networked technology globally, and a secure, reliable, and interoperable cyberspace. Information Sharing and Analysis Centers (ISACs) are key partners in these efforts because they, along with similar not-for-profit and commercial entities, are able to serve as trusted providers of data from DHS to their members/customers and to other ISACs and like organizations. In turn, they serve as aggregators as well as anonymizers of their relevant member/customer cybersecurity threat data and provide threat data back to one another without attribution to the source of the data. DHS is supportive of and regularly coordinates with these partners as one way to promote private to private information sharing. The key incentive for all participants in this type of data flow is the potential for generating increased, actionable situational awareness where the individual participants benefit from the experiences of the whole. The ability to achieve visibility of threats that are exploiting other sectors or organizations before that particular threat or a variant of that threat manifests in your networks or systems is a benefit available to all participants. We currently have more than 35 companies, ISACs, and like organizations who are participating in data sharing in this fashion, with more than 50 companies in negotiations to join that program effort, and we do not feel we need to offer specific incentives to join in these types of partnerships with the Government. In response to the EO the DHS and the Departments of Commerce and Treasury provided recommendations to the President, through the Assistant to the President for Homeland Security and Counterterrorism and the Assistant to the President for Economic Affairs, identifying potential incentives that could be considered as we move forward in this space. Since the agencies submitted their reports, the White House has completed the interagency review process and determined a path forward. Existing programs and authorities are currently under review to determine how we and other Departments can enable more private-to- private and private to government information sharing. As mentioned previously, we have successful models with some ISACs and the CISCP and are looking to expand on that basis and since Congress has previously granted authorities that may be able to be utilized to provide liability protection and address other legal concerns. We do know the administration is looking at a package of incentives outside information sharing for companies that adopt the framework; however, private sector response to development efforts for the framework has been largely positive, and we anticipate that many companies will adopt it without an accompanying incentives package. Question 4. As Secretary of Homeland Security, you were an advocate for the administration's cybersecurity legislation. And last August, when the U.S. Senate considered the Cybersecurity Act of 2012, you urged its passage. I agree with statements you made last year on the shared responsibility and urgency of improving cyber security. Do you still agree that cyber security is a shared responsibility that includes both the public and private sector? What is the role of the Information Technology (IT) sector in this shared responsibility and why did you support a carve-out for the IT sector? Answer. Yes. Cybersecurity is a shared responsibility that includes efforts from both the public and private sectors. Industry and the government have a long history of working together to protect the physical security of many critical assets that reside in private hands, from airports and seaports to national broadcast systems and nuclear power plants. There is no reason we cannot work together in the same way through a shared responsibility to protect critical infrastructure cyber systems upon which so much of our economic well-being, national security, and daily lives depend. The statement in EO 13636 regarding IT products and services reflects our consistent philosophy that cybersecurity standards must be technology neutral, and that the government should not dictate what IT components critical infrastructure owners and operators use in their systems. Furthermore, classifying any product or service as critical infrastructure simply because it is used by critical infrastructure would dilute our efforts to identify the entities whose incapacitation by cyber incident could cause catastrophic economic or national security consequences. We are closely engaged with the IT sector to ensure that critical infrastructure owners and operators across all sectors have the market choices to secure their systems. Question 5. Without additional statutory authority and congressional direction, the information sharing program is little more than directing executive departments and agencies to expedite the sharing of existing information. More importantly, the Executive order focuses only on the sharing of information from the government to the private sector. How do you intend to increase the sharing of information from industry to the government, and within and among industries? Answer. Through the Critical Infrastructure Information Sharing, Analysis, and Collaboration Program, DHS has entered into Cooperative Research and Development Agreements with critical infrastructure owners and operators that enable regular and trusted sharing of actionable cybersecurity threat indicators that are immediately used for computer network defense activities. Additionally, DHS has long served as the Sector Specific Agency for both the Information Technology and Communications sectors. This trusted partnership with private sector and Federal partners has enabled further collaborative initiatives such as the Information Technology Sector Risk Assessment, the Cybersecurity Evaluation Program, which conducts voluntary cybersecurity assessments across all critical infrastructure sectors, and the Critical Infrastructure-Cyber Security program that leads efforts with public and private sector partners to promote an assured and resilient U.S. cyber infrastructure. It is important to note that the Executive order directs Federal agencies to work within current authorities and increase voluntary cooperation with the private sector to provide better protection for computer systems critical to our national and economic security. It does not grant new regulatory authority or establish additional incentives for participation in a voluntary program. We continue to believe that a suite of legislation is necessary to implement the full range of steps needed to build a strong public-private partnership, and we will continue to work with Congress to achieve this. The Department also has established close working relationships with industry through partnerships like the Protected Critical Infrastructure Information (PCII) Program, which enhances voluntary information sharing between infrastructure owners and operators and the government. Furthermore, DHS conducts daily operational, information sharing, incident response, and technical assistance through the National Cybersecurity and Communications Integration Center (NCCIC) and its components: the United States Computer Emergency Readiness Team, the Industrial Control Systems Cyber Emergency Response Team, and the National Coordinating Center for Communications. Every day partners from private sector critical infrastructures, Information Sharing and Analysis Centers, Federal cybersecurity centers, and international governments collaborate on cybersecurity response and information sharing through the NCCIC. These activities take place voluntarily, and in recognition of the fact that DHS' unique positioning as the hub for cybersecurity and critical infrastructure security and resilience makes it the most effective and trusted point of coordination and collaboration for all of those stakeholders. Additionally, the DHS Science and Technology Directorate (S&T) has formalized 13 international bilateral agreements that allow for cooperative activities in the area of cyber security research and development (R&D) to promote the benefits of networked technology globally, and a secure, reliable, and interoperable cyberspace. Question 6. The definition of critical infrastructure in the President's Executive Order (EO) is very broad: ``systems and assets, whether physical or virtual, so vital to the U.S. that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.'' It is hard to imagine any industrial sectors that would be excluded from such a definition. How do you balance security with practicality in implementing this definition? Answer. The term ``critical infrastructure'' is statutorily defined and this language has since been the basis for critical infrastructure protection activities, including Executive Order (EO) 13636. The Department of Homeland Security (DHS) has conducted broad engagement with critical infrastructure owners and operators over the past ten years that has enhanced the security and resilience of our Nation's infrastructure. Under Section 9 of EO 13636, the Department will identify a list of critical infrastructure whose incapacitation from a cyber incident would have catastrophic public health and safety, economic or national security consequences. This is a higher threshold than debilitating consequences and will focus on a small subset of U.S. infrastructure, not entire sectors. This is a criticality-based approach, and will result in limited Federal resources being focused on critical infrastructure, the failure of which would pose the greatest hazards. Question 7. Section 10 of the Executive order directs all sector- specific agencies to make the Framework mandatory for their respective sectors of industry. Do you believe that the veiled threat of mandatory standards with few, if any, strong incentives is the right formula for a successful public-private partnership? Answer. With today's physical and cyber infrastructure more inextricably linked, critical infrastructure and emergency response functions are inseparable from the information technology systems that support them. The government's role in this effort is to share information and encourage enhanced security and resilience, while identifying and addressing gaps not filled by the market-place. While some companies have strong cybersecurity policies in place, others still need to implement improved cybersecurity practices. The framework will be developed collaboratively with industry and will incorporate existing international standards, practices, and procedures wherever possible. Section 10 of EO 13636 refers to ``Agencies with responsibility for regulating the security of critical infrastructure,'' which in general are not sector-specific agencies (SSAs). Not generally having regulatory authority, the SSAs are better able than regulators to engage in partnership with industrial sectors. Moreover, EO 13636 only directs existing regulators under current authorities to examine ways to increase their sector's cybersecurity; any mandatory participation here would occur only where regulators already have the authority to impose security requirements on their respected regulated entities. The aim is not to compel across-the-board participation, even if such authorities did exist. Even then, EO 13636 does not dictate a ``one- size fits all'' approach, but rather promotes collaboration to encourage innovation and recognize differing needs and challenges within and among critical infrastructure sectors. Specifically, section 8(d) of the EO requires the Secretaries of Homeland Security, Treasury and Commerce to each make recommendations on a set of incentives designed to promote participation in the voluntary cybersecurity framework. The Department of Homeland Security (DHS) is working collaboratively with industry as well as staff from Treasury and Commerce to further develop these recommendations, and the incentives found in this report will also inform the larger nation-wide conversation. While DHS can make recommendations, only Congress has the authority to provide strong incentives and agree with or implement any recommendations put forward from the three Incentives Reports. ______ Response to Written Questions Submitted by Hon. Ron Johnson to Hon. Janet Napolitano Question 1. The Government Accountability Office (GAO) issued a report in February 2013 entitled, ``National Strategy, Roles, and Responsibilities Need to be Better Defined and More Effectively Implemented.'' In this report GAO found that only eight of 22 of agencies were in compliance with risk management requirements under the Federal Information Security Management (FISMA) standards in 2011, down from 13 out of 24 in 2010. Yet the Federal Government reported 782 percent more cyber incidents to the U.S. Computer Emergency Readiness Team in 2012 than it did in 2006. What is DHS doing to achieve greater compliance with FISMA standards from Federal agencies? How does the increase in cyber incidents against the Federal Government, combined with the decrease in compliance of Federal agencies with FISMA, impact the cybersecurity posture of the U.S. Government? Answer. The Department of Homeland Security's (DHS) role in the implementation of the Federal Information Security Management Act of 2002 (FISMA) is delineated by Office of Management and Budget (OMB) guidance. Under current authorities, DHS can only monitor, recommend security posture improvements, and report on Federal agencies' compliance with FISMA. As the Government Accountability Office (GAO) report notes, the current law should be updated to give DHS the statutory authority it needs to fulfill the responsibilities it has been given. The Administration's May 2011 legislative proposal to Congress included provisions that would address this issue. The Administration continues to support legislation that would update Federal agency network security laws, and codify DHS's cybersecurity responsibilities. While FISMA did not envision the scope of today's emerging threats and cybersecurity challenges, DHS is pursuing a number of initiatives such as Continuous Diagnostics and Mitigation (CDM), Trusted Internet Connections, and the Einstein programs to strengthen cyber security defenses, visibility and situational awareness. In collaboration with the National Security Staff (NSS) and OMB, DHS uses its expanded CyberStat program to perform intense, focused reviews with the 24 Chief Financial Officers Act agencies to identify and mitigate challenges to agencies' FISMA implementation. This includes a plan of action and milestones, submitted by the agencies and accepted by NSS, OMB, and DHS, outlining the approach to correct identified deficiencies. Congress provided funding in the DHS Appropriations Act, 2013 (P.L. 113-6) to implement Continuous Diagnostics and Mitigation (CDM) across civilian Executive Branch agencies in order to increase our ability to identify and track threats, find vulnerabilities, mitigate issues and report on progress. Earlier appropriations initiated other DHS security programs. DHS continues to encourage Congress to pursue legislation that would result in: Improved security posture leading to improved regulatory compliance; Standardized security configurations across critical infrastructure; Improved communication and collaboration methods across diverse stakeholder groups; Improved situational awareness, which creates synergy among elements of the cybersecurity workforce; improves communication and facilitates information sharing; and Increased efficiency and security posture through collaboration and streamlining. Question 2. GAO found that DHS is not successfully detecting, responding to, or mitigating cyber incidents. Specifically, GAO raised concerns with how DHS shares information among Federal agencies and the private sector. The DHS OIG recommended that DHS establish a ``consolidated, multiple-classification-level portal to share incident response related information,'' but DHS will not have this portal ready until 2018. How will not having this capability until 2018 impact DHS' role in sharing cyber threat information, as directed in the Executive order? Answer. GAO-13-187 highlights important challenges facing Federal agencies, including DHS, in executing the cyber mission. The report also highlights the significant and important progress DHS and other agencies have made in advancing this mission. As a result of the progress DHS has made in information sharing and analysis, GAO closed each of the 10 recommendations under its Cyber Analysis and Warning report. Furthermore, DHS provided GAO with all documentation requested to close the remaining recommendations under GAO's report titled Key Private and Public Cyber Expectations Need to be Consistently Addressed. The National Cybersecurity Protection System's information-sharing and collaboration environment will address the recommendation to establish a consolidated multi-classification information-sharing capability. Funding for this activity is included in the President's Fiscal Year 2013 budget request. While continuing the development of a comprehensive information sharing capability is important, DHS maintains existing capabilities that allow for information exchange with private sector partners at the classified and unclassified levels facilitating DHS' role in sharing cyber threat information, as directed in the Executive order. The delay in implementation may impact the frequency and timeliness with which DHS is able to exchange classified cyber information with partners. Processes leveraged as a workaround until the portal reaches FOC may be cumbersome to analysts and reduce the amount of time available to conduct strategic analysis across classified and unclassified domains. As a result, partners may find other sources for similar information, which could result in a decrease in their willingness to engage in the Department's various information sharing initiatives. Existing NCPS Information Sharing capabilities will be improved and new capabilities will be brought online as the Information Sharing environment matures. The NCPS Information Sharing CONOPs identifies multiple information sharing capabilities. A capability roadmap has been developed that identifies dependencies and specifies how these capabilities will be acquired and implemented. Initial Operating Capability for this set of capabilities is targeted for FY 2015. Full Operating Capability, which includes integration of capabilities and automation of processes across multiple security fabrics, will occur in FY 2018. Question 3. GAO found that the Federal Government's strategy for addressing international cyber security challenges is not sufficient or outcome oriented. GAO also recommended that the White House Cybersecurity Coordinator develop an overarching Federal cybersecurity strategy. GAO indicates that such a strategy would hold Federal agencies accountable for making improvements in their own house, and would address international cybersecurity challenges. Do you agree with the White House that an overarching Federal cybersecurity strategy is unnecessary? Why or why not? Answer. The Department of Homeland Security (DHS) executes a whole- of-government and whole-of-nation approach to cybersecurity. In support of this, DHS has aligned its cybersecurity goals, initiatives, and objectives to be consistent with the Administration's priorities for protecting our Nation's critical information infrastructure and building a safer and more secure cyber ecosystem. For instance, DHS worked closely with Federal departments and agencies in developing the Blueprint for a Secure Cyber Future: The Cybersecurity Strategy for the Homeland Security Enterprise (Blueprint). The Blueprint leverages the Comprehensive National Cybersecurity Initiative, the President's 2010 National Security Strategy, the Department of Defense's Strategy for Operating in Cyberspace, and the President's International Strategy for Cyberspace. Together, these documents take a whole-of-government approach and reinforce the need for holistic thinking about the many opportunities and challenges the Nation faces in cyberspace. Question 4. In Mr. Gallagher's testimony he pointed out the difference between ``standards'' and ``regulations.'' Do you agree with Mr. Gallagher that there is a difference between standards and regulations? Answer. Yes, the Department of Homeland Security agrees that there is a difference between standards and regulations. Regulations are mandatory and binding on regulated parties as required by a particular authority. Executive Order (EO) 13636 does not give any Federal entity new authority to impose regulations or mandates on critical infrastructure owners and operators. One of the many goals of this EO and Presidential Policy Directive 21 (PPD 21) is to better streamline the government's interactions with critical infrastructure owners and operators and state, local, tribal, and territorial partners. The EO directs the National Institute of Standards and Technology (NIST) to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure. The Framework will be created using standards, guidelines, and best practices that promote the protection of information and information systems supporting critical infrastructure operations. Standards are voluntary recommendations established by consensus and are recognized by a standardization body. NIST will ask stakeholders to identify existing cybersecurity standards, guidelines, frameworks, and best practices that are applicable to increase the security of critical infrastructure sectors and other interested entities. Regulators of critical infrastructure operations are encouraged to share their insight and help identify existing standards already developed by industry through consensus. Those activities would support the development of the framework and prove useful in identifying any gaps in current practices given the current and projected cyber risks. Entities that are unregulated--or where regulators determine that they do not have the ability under existing law to regulate for cybersecurity--will be encouraged to voluntarily adopt the framework. Question 5. Mr. Gallagher stated in his that any approach to cybersecurity should not ``dictate solutions to industry, but rather facilitate(s) industry coming together to develop solutions.'' Do you agree that any approach to a Cybersecurity Framework should not ``dictate'' solutions to industry but rather ``facilitate industry coming together to develop solutions?'' What potential disadvantage would there be to government dictating a solution to industry rather than facilitating it? Answer. Yes, the Department agrees that any approach to the Cybersecurity Framework should ``facilitate industry coming together to develop solutions.'' The Framework will not dictate ``one-size fits all'' technological solutions. Instead, it will promote a collaborative approach to encourage innovation and recognize differing needs and challenges within and among critical infrastructure sectors. The Government believes that companies driving cybersecurity innovations can help shape best practices across critical infrastructure, in part because of the changing nature and dynamic of risk across cyber and critical infrastructure. Companies looking to strengthen their security would have the flexibility to decide how best to do so using innovative products and services available in the marketplace and choosing which components of the Framework would apply to their business. Companies that are cyber leaders will be looked to as models for implementing best practices and driving the creation and implementation of a Cybersecurity Framework itself. Question 6. GAO found that Federal cyber strategies lack clear goals, performance measures, defined costs and resources, established roles and responsibilities, and do not coordinate with other national strategies. Yet the EO directs DHS to use a ``risk-based'' approach to identify ``critical infrastructure'' within 150 days. The EO also directs DHS to develop performance measures associated with the Cybersecurity Framework NIST is charged with developing. If Federal cyber strategies lack goals and performance measures, what experience does it have to draw on to develop performance measures for the private sector, as directed in the EO? Answer. The Department's Blueprint for a Secure Cyber Future has specific goals and performance measures associated with it. That said, Section 7(d) of Executive Order (EO) 13636 directs the Department of Homeland Security (DHS) to provide ``performance goals''--not performance measures--in connection with the Cybersecurity Framework that is being prepared by the National Institute of Standards and Technology (NIST). Critical infrastructure owners and operators that adopt the goals would then develop their own measures and targets since each sector and sub-sector has unique characteristics and each owner/ operator is in the best position to tailor the performance goals to its business model. Separately, NIST's Cybersecurity Framework will include guidance for measuring the performance of an entity as it implements the framework. NIST has considerable experience developing similar guidance through its special publications, and the draft Framework is being developed through extensive consultation with industry. Further, they are able to influence the effort through their direct engagement and input. Question 7. Why do you believe Federal cyber strategies have failed to include clear goals, performance measures, defined costs and resources, established roles and responsibilities, and to coordinate with other national strategies? Answer. Legacy Federal cyber strategies were developed by different agencies at different points in time. However, beginning with the Comprehensive National Cybersecurity Initiative in 2008, which was followed by the Administration's Cyberspace Policy Review in 2009, Federal cyber strategies have increasingly been developed through interagency processes and with the attributes identified above. For example, DHS helped lead development of ``Trustworthy Cyberspace: Strategic Plan for the Federal Cybersecurity Research and Development Program.'' In another example, DHS's Blueprint for a Secure Cyber Future contains goals against which the Department's cybersecurity programs align performance measures, milestones, resources, roles and responsibilities. Future year budget requests and performance measures for emerging programs are developed in alignment with the Blueprint. In addition to the Blueprint, the Administration's international cyber strategy, and the Department of Defense's cybersecurity strategy provide the architecture of ongoing initiatives upon which EO 13636 and Presidential Policy Directive (PPD) 21 are being implemented. With the issuance of EO 13636 and PPD-21, the Administration is providing an opportunity for the Department, other Federal, state and local agencies, and the private sector to discuss and prioritize cybersecurity measures to improve critical infrastructure cybersecurity and ensure overall critical infrastructure security and resilience. These actions direct the Department to create performance goals, consider resourcing, and work with and update national strategies, which will also outline roles and responsibilities for these efforts. ______ Response to Written Question Submitted by Hon. Kelly Ayotte to Hon. Patrick D. Gallagher Question. I've recently read that some CIOs would have higher comfort levels managing cyber security with cloud computing because vendors such as Google and salesforce.com have vastly more resources to protect against cyber threats than smaller companies do. Do you believe and Executive Order or a cyber bill would limit a company's ability to farm out their cyber security needs? Can you address in more detail your thoughts on cloud computing as it relates to cybersecurity? Answer. Cloud computing is a powerful option that, when implemented correctly, allows businesses to use information technology services to meet their business needs while protecting their assets. Cloud computing can provide cybersecurity capabilities that organizations might find more cost-effective and often allow more resources to provide cybersecurity than the organizations might be able to provide themselves. This is generally a measurement of each side's cybersecurity capability, the services offered by the Cloud provider, the cost to provide those services, and the level of needed assurance and visibility of those services by the customer. The Executive Order requires that ``the Cybersecurity Framework will provide guidance that is technology neutral''. As such, the Framework will not limit or put constraints on a company's ability to use a Cloud service provider to meet their needs. The Framework will not require or limit a specific architecture or implementation model. Under its responsibilities in the Federal Information Security Management Act (FISMA), NIST has published several public cybersecurity guides and recommendations on the cybersecurity capabilities of cloud technologies, as well as guidance on cybersecurity considerations when using cloud service providers. NIST also works jointly with other agencies in the Federal Risk and Authorization Management Program (FedRAMP), a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. More detailed information on the NIST work in cloud computing and cybersecurity can be found at the below links: www.fedramp.gov www.nist.gov/itl/cloud/ http://www.nist.gov/itl/cloud/publications.cfm ______ Response to Written Question Submitted by Hon. Dan Coats to Hon. Patrick D. Gallagher Question. NIST is tasked with developing the framework outlined in the EO, which I think is appropriate given NIST's technical expertise. Does NIST have the capacity to develop this framework utilizing its existing resources? Answer. Yes. Given that NIST's philosophy is that industry should lead the development of the Framework, NIST's role with the Framework will be primarily to convene and provide technical expertise, instead of developing new standards and solutions. This ``bottom-up'' approach allows NIST to leverage existing resources, and is similar to its work with industry to address national priorities in a range of topics, ranging from smart grid and electronic health records to atomic clocks, advanced nanomaterials, and computer chips. Going forward, our process will continue to be an open one--using an approach to enhance cybersecurity across the sectors through industry consensus. NIST's process will be focused on developing the Framework in such a manner that the standards and practices can apply to the range of sectors, with a full range of operational and business needs. That will allow for increased engagement and flexibility, both for the standards and practices that comprise the framework and for the evolving nature of the threat. In addition to existing resources, in the Administration's FY14 Budget request NIST has an increase of $2M for cybersecurity standards that will support the framework being developed under the Executive Order on Improving Critical Infrastructure Cybersecurity. ______ Response to Written Questions Submitted by Hon. Ron Johnson to Hon. Patrick D. Gallagher Question 1. I was pleased to read in your testimony that the Cybersecurity Framework NIST is charged with developing will be ``NIST- coordinated and industry-led.'' How can we ensure that the best practices and standards industry already has and is developing are utilized in this Framework? Answer. Through a request for information (RFI), NIST asked stakeholders a series of questions about existing standards, practices, and frameworks. NIST received 244 responses to the RFI including responses from individuals, industry groups and associations (to show consensus) and organizations (to be able to provide additional detail on particular responses). NIST will also be hosting a series of workshops to gather more information and develop the Framework, to ensure that those existing standards and best practices are incorporated, and where potential gaps might exist. The first will be held at Carnegie Mellon Campus in Pittsburgh on May 29-31, followed by additional workshops around the country on the weeks of July 15 and September 9. The draft Framework will also be posted for another round of comment by October 10. In between each workshop NIST will publically present findings to ensure additional collaboration. Question 2. What can be done to ensure that the voluntary program DHS is charged with developing for participation in this Framework does not turn into a mandatory regulatory structure? Answer. The Executive Order (E.O. 13636--Improving Critical Infrastructure Cybersecurity) states that the program established by the Department of Homeland Security in coordination with Sector- Specific Agencies shall be voluntary. NIST plans on discussing issues relating to long-term public-private governance to ensure that the framework stays flexible and effective in the dynamic environment of threats and new technologies. The EO encourages voluntary participation and adoption and provides for harmonization among existing regulatory requirements. Question 3. Your testimony states that any approach to cybersecurity should not ``dictate solutions to industry, but rather facilitate(s) industry coming together to develop solutions.'' Do you believe that mandatory regulations in a future Cybersecurity Framework equate to the government dictating a solution to industry? Answer. Some sectors--but not all--of our most critical infrastructure already fall under cybersecurity regulation. The RFI issued by NIST asked a variety of questions about those regulated sectors, to ensure that the Framework would be applicable for parts of industry. In addition, the executive order itself calls for a review of existing cybersecurity regulation. For those sectors, regulatory agencies will use the Cybersecurity Framework to assess whether existing requirements are sufficient to protect against cyber attack. If existing regulations are insufficient or ineffective, then agencies must propose new, cost-effective actions based upon the Cybersecurity Framework. Regulatory agencies will use their existing process to consult with their regulated companies to develop and propose any new regulations, allowing for a collaborative process. Question 4. You state in your testimony that standards are ``agreed-upon best practices against which we can benchmark performance. Thus, these are NOT regulations.'' Can you tell us more about the difference between standards and regulations? Why do you make such a point of clarifying that standards are NOT regulations? Answer. Standards are developed in a consensus process with stakeholders and are voluntary. Technical regulations are set by an authority and are mandatory. My testimony makes that distinction in order to specify that the process under the Executive order will build on the existing solutions that are already used throughout industry, instead of generating regulations. The Executive Order specifies that the Framework must meet the requirements of the National Institute of Standards and Technology Act, as amended (15 U.S.C. 271 et seq.), the National Technology Transfer and Advancement Act of 1995 (Public Law 104-113), and OMB Circular A-119, as revised--all laws and policy that dictate how the Federal Government uses standards and participates in standards development. Question 5. What downside is there to turning industry standards into mandatory regulations in a Cybersecurity Framework? Answer. Having industry standards as a part of the Cybersecurity Framework would not turn them into mandatory regulations. The development of the Framework will be done in such a way to encourage adoption of existing standards--focusing on practices that will enhance the security of organizations that easily fit in their current business practices. We expect the Framework to have tools that will satisfy different regulatory and legal requirements with an ``implement once, comply many'' mentality. This would lower regulatory compliance costs while allowing organization to focus on risk management. Question 6. Given your experience, how can the International Organization for Standardization be leveraged to develop voluntary standards for what will be deemed cyber critical infrastructure? Answer. The International Organization for Standardization is one of many industry led, consensus based, transparent Standards Development Organizations (SDOs) that operation in a multinational environment. This type of SDO is essential for large scale, global adoption where both our critical infrastructures and those that supply them with critical IT and equipment operate in a global market. NIST will work with the stakeholders in a public-private partnership on the development of the framework and will identify both when and where the framework or components of the framework are ready for further development as international standards. ______ Response to Written Questions Submitted by Hon. Amy Klobuchar to David E. Kepler Question 1. I think it's important to recognize the proactive steps industry has undertaken to invest in cyber security and independently develop programs and best practices to protect their networks, operations and customers. Do you believe privately-held critical infrastructure companies have a responsibility to secure themselves and their customers from cyber threats to the maximum extent possible? Answer. Yes, cybersecurity risk is important and should be managed by all companies. Companies are limited by the amount of cyber intelligence that government shares, quality and security of IT products, and services provided by the telecommunication sector. These should be an area of emphasis for any new cyber security legislation. Question 2. I appreciate the efforts Dow and the American Chemistry Council have made. Are other major critical infrastructure sectors and companies making similar investments in implementing cyber security procedures and promoting best practices among their employees? Answer. We do not have direct exposure to the initiatives of other sectors. Question 3. Dow Chemical is, of course, a major company with substantial resources to devote to this problem. Do all critical infrastructure sectors and companies have the same level of resources to devote to cyber security? Answer. We are unable to comment on this. Question 4. Do all critical infrastructure sectors and companies share the same deep knowledge and appreciation of the seriousness of cyber security threats as you and your company? Answer. We have participated in some industry forums where other sectors have shared their approach to address cyber security. It seems to be an important risk for American companies. Question 5. If not all critical infrastructure sectors and companies share the same will and capability to address this threat, does the Federal Government have a responsibility to do something to direct or assist measures to protect that critical infrastructure? Answer. We do support legislation that promotes information sharing and provides liability protection. In addition to that, legislation should address the accountability of IT and telecommunication suppliers to produce secure products and be unified in providing services that companies can rely on for threat response. Government, IT industry and telecommunications are the backbone of the internet. Question 6. Are there inter-sector efforts among private critical infrastructure providers to help one another develop cyber security procedures and best practices? It would seem that all sectors and companies ought to be able to agree on some investments in this area that are necessary and wise. Answer. ACC has been promoting information sharing among chemical companies and has defined cyber security expectations for companies that are part of ACC and the Responsible Care program. We do not actively collaborate with other sectors. ______ Response to Written Questions Submitted by Hon. Dan Coats to David E. Kepler Question 1. The EO, as I read it, focuses solely on government-to- private-sector information sharing. My sense is that better private-to- government and private-to-private information sharing protocols need to be implemented, and I question how we can get there without better liability protections. What would you need for better private-to- government and private-to-private information sharing? Answer. Experience would indicate that most of the critical infrastructure sectors have good private-to-private information sharing protocols that have been developed in their industry groups. However, cross industry, regional and national private-to-private information sharing could be improved. The following capabilities would help improve information sharing: A well-established protocol on how information will be recorded and stored. Clarity on which individuals can receive information. Relief from liability for information sharing, provided a proper management system is in place, and liability protection for the private sector as a result of a cyber-attack, as afforded under the Support Anti-terrorism by Fostering Effective Technologies (SAFETY) Act of 2002. Protocol on managing anti-trust and FOIA requests. Question 2. Expertise in cybersecurity is a formula (expertise = technical capability + cyber threat information). Where do you turn for expertise now and how might that change under the President's Executive Order? Do you feel private sector cybersecurity is lacking technical capability or cyber threat information? Answer. There has been significant investment in technical skills, expertise and technologies in the chemical industry and at Dow, specifically. We find this to be true in most large companies and critical infrastructure industries. There has also been strong engagement in standard setting. We benchmark and share information with our industry, across industries, with government agencies and with IT and security suppliers. It is not clear to us that this is changing with the Executive order. The one area we think the Executive order falls short is how it will address the information technology community. Effective cyber information sharing policy should be comprehensive in its coverage of all relevant industry parties including the IT sector. ______ Response to Written Questions Submitted by Hon. Marco Rubio to David E. Kepler Question 1. The National Infrastructure Advisory Council (NIAC) provides the President and Secretary Napolitano with advice on the security of the critical infrastructure sectors and their information systems. Based on your experience at the council, are you aware of current programs or efforts that could be leveraged to combat cyber threats, rather than setting up a completely new framework and set of standards? Answer. Cybersecurity policies were set back in 2003 for the nation, with the National Strategy to Secure Cyberspace, and many programs such as NIPP and CFATS in the chemical sector to address cybersecurity. In addition, there are standards already in place that industry is engaged in and implementing, such as ISO 27002 and ISA/IEC 62443 for industrial automation. We would encourage the Administration to engage with industry sectors to build on the systems in place rather than starting from scratch. Question 2. Dow is one of the largest manufacturers of chemicals in the world and a multinational corporation that has its own cybersecurity standards and protections in place. Dow has also invested significantly in its own infrastructure to combat cyber threats. Now the Federal Government is setting up a framework with standards and best practices. This is after there was legislation in the last Congress that would have taken the role of government a step further. As a company with cybersecurity protections in place, with a vested interest in protecting your networks and assets, what do you feel is the proper role of government with regards to cybersecurity? Answer. The role of government is to set effective national security policy. The focus of an Executive Order or legislation should be: Manage government networks according to its own standards. Ensure that the information technology suppliers are working with the communication suppliers and government to harden basic Internet security. Create an environment to safely share information between the government and private sector. Aggressive pursuit and prosecution of cyber criminals (including international crime). Question 3. Your testimony states that Dow has concerns with the Executive order's current approach of a voluntary program for critical infrastructure industries to adopt cybersecurity standards. Is there a concern that government defined standards or selected standards could miss the specific challenges faced by the chemical industry? Dow operates in a dynamic environment and cyber threats are always changing and take on different forms. Why it is important for the voluntary standards to be flexible? Could a static government requirement inhibit your ability to respond to threats? Answer. The industry already works under standards and protocols, such as ISO 27002 and ISA/IEC 62443 for industrial automation, as well as the Responsible Care Security Code, that are not only voluntary but are required to maintain membership in the American Chemistry Council. There is a concern that there will be documentation and publication of any industry or company within critical infrastructure if they choose not to volunteer to a standard. There will be legitimate debate on specific risks and why a variance should be applied or how it should be applied. For example, cyber standards without imbedding and understanding the physical standards and other mitigations do not show the complete mitigation effort. Effectively, setting pseudo regulations may stifle superior cybersecurity systems by impeding quick response or system specific security. Question 4. There has been criticism in Congress directed at the private sector for not doing enough to combat cyber threats. Yet the GAO just found a disturbing trend that Federal agencies are failing to comply with Federal Information Security Management standards, and that DHS has not adequately met its responsibilities. Is Dow alarmed that some of the very agencies that may require more of the company with respect to cybersecurity have been found to be lacking in their own cyber standards and practices? Answer. Yes, a key point is that government should play a more constructive role in setting an example of securing their own networks, sharing information, as well as setting standards for the IT suppliers to help them rather than revisiting critical infrastructure compliance. ______ Response to Written Questions Submitted by Hon. Ron Johnson to David E. Kepler Question 1. How is Dow Chemical, and the chemical industry in general, currently hampered from sharing information among peers and with the government? Answer. We need legislation that covers liability protection for sharing threat or attack information with the government and antitrust relief to share with industry peers. Question 2. How important is it to your industry for Congress to pass information sharing legislation? Answer. It is very important for the industry that government shares more information on cyber security threats and best practices. We fully rely on the government's capabilities. The private sector does not have the resources or expertise to support cyber intelligence activities. Question 3. Would you prefer for Congress to attempt to pass a comprehensive piece of cybersecurity legislation or to attempt to address the low-hanging fruit in a piecemeal fashion? Answer. We do support a ``piecemeal, low-hang fruit approach'' like addressing information sharing. In addition to that, legislation should address the accountability of IT and telecommunication suppliers to produce secure products and be unified in providing services that companies can rely on for threat response. Government, IT industry and telecommunications are the backbone of the internet. Question 4. Mr. Gallagher's testimony stated that any approach to cybersecurity should not ``dictate solutions to industry, but rather facilitate(s) industry coming together to develop solutions.'' Do you believe that mandatory regulations would equate to the government dictating a solution to industry? Answer. Yes, the industry sector does not need prescriptive solutions. All solutions should be risk-based considering the characteristics and the dynamics of different industries. We agree that any approach to cyber security should create an environment where government, IT industry, the telecommunications sector and other industries can collaborate to elevate the overall security of the country. Question 5. You stated in your testimony that Dow adheres to a set of policies and standards from organizations including NIST and established industry standards set forth by the International Organization for Standardization (ISO). Given your experience, how can the ISO be leveraged to develop voluntary standards for what will be deemed cyber critical infrastructure? Answer. We believe that companies, especially critical infrastructure companies, should implement cyber security programs that comply with accepted industry practices like ISO 27001. Some of the companies are multinational, and ISO 27001 standards allow global implementations. ______ Response to Written Questions Submitted by Hon. Ron Johnson to Gregory C. Wilshusen Question 1. The Government Accountability Office (GAO) issued a report in February 2013 entitled, ``National Strategy, Roles, and Responsibilities Need to be Better Defined and More Effectively Implemented.'' In this report GAO found that only eight of 22 of agencies were in compliance with risk management requirements under the Federal Information Security Management (FISMA) standards in 2011, down from 13 out of 24 in 2010. Yet the Federal Government reported 782 percent more cyber incidents to the U.S. Computer Emergency Readiness Team in 2012 than it did in 2006. How does the increase in cyber incidents against the Federal Government, combined with the decrease in compliance of Federal agencies with FISMA, impact the cybersecurity posture of the U.S. Government? Answer. Threats to systems supporting critical infrastructure and Federal operations are evolving and growing, and the increasing risks are demonstrated by the dramatic increase in reports of security incidents. However, several factors make it difficult to directly correlate the number of reported incidents with the overall cybersecurity posture of the U.S. Government. For example, according to the United States computer emergency readiness team (US-CERT), the growth in the total number of reported incidents is attributable, at least in part, to agencies improving their detection and reporting of security incidents on their networks. Further, having better detected incidents, it is possible that agencies are also better implementing appropriate responsive and preventative countermeasures. We have ongoing work to assess agencies' incident response and handling procedures. As we reported, agencies are still challenged in implementing several aspects of their information security programs, including risk management. To help address shortcomings in risk management, the administration has set a cross-agency priority goal to improve continuous monitoring. Continuous monitoring is the process of maintaining an ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. Federal agencies are to achieve 95 percent implementation of a continuous monitoring program by 2014. According to the Office of Management and Budget (OMB), in Fiscal Year 2011, implementation of automated continuous monitoring capabilities rose from 56 percent of total assets in Fiscal Year 2010 to 78 percent of total assets in Fiscal Year 2011, although, as we reported, agency inspectors general cited weaknesses in continuous monitoring at a number of agencies. While the mixed results of agency FISMA implementation statistics do not clearly indicate whether the government's cybersecurity posture is deteriorating as a result of an increase in reported incidents, the overall need for agencies to improve their cybersecurity programs is clear. Question 2. On February 12, 2013, the White House issued an Executive Order (EO) entitled ``Improving Critical Infrastructure Cybersecurity.'' In this EO, the White House directs the National Institute for Standards and Technology to develop a Framework to reduce cyber risks to critical infrastructure. At the March 7 hearing, Mr. Gallagher stated that any such framework will be NIST-coordinated but industry-led in order to draw on standards and best practices from industry. He went on to say that any approach should not dictate solutions to industry but rather facilitate industry identifying solutions. How important is it for the development of the Cybersecurity Framework to be ``industry-led?'' Why? Answer. The Executive Order states that the Director of the National Institute of Standards and Technology (NIST) will lead the development of the Cybersecurity Framework, and the NIST Director is accountable for publishing a final version of the framework by February 12, 2014. However, Mr. Gallagher, as noted, interpreted NIST's role to be one of coordinating an industry-led effort. This interpretation is consistent with the executive order's direction that the cybersecurity framework incorporate voluntary consensus standards and industry best practices to the fullest extent possible and employ a consultative process whereby the advice of critical infrastructure owners, among others, is considered. We believe the extent to which industry participates in developing the framework will likely influence the extent to which the framework is adopted by infrastructure owners and operators and has a positive effect in enhancing the security of the Nation's critical infrastructure. Question 3. What are potential downfalls of having a solution be dictated from the government to industry? Answer. Collaboration and the use of a consultative process are critical to the success of the effort to develop and facilitate adoption of the Cybersecurity Framework by critical infrastructure owners and operators. A solution dictated from the government to industry could pose risks that burdensome implementation costs could be imposed on industry, the technical aspects of the solution might be less practical or effective than other options, and industry would be reluctant to implement the framework. For these reasons, the standards- setting process in the United States, as elsewhere in the world, relies on principles of consensus, transparency, balance, due process, and openness to ensure that any framework of standards is as inclusive as possible. Question 4. What issues, both generally and specifically, in your view should Congress perform oversight of over the next year as this Framework is developed? Answer. The executive order specifies several activities that can provide a basis for overseeing the development and implementation of the framework. Within the next year, the emphasis will be on developing the framework. Congress can focus on overseeing NIST's implementation of the consultative process to ensure that industry is heavily involved. This oversight could include reviewing the preliminary version of the framework, which is due 240 days after the order was issued. In addition, recommendations regarding a set of incentives for promoting participation in the program are to be made within 120 days of the order's issuance. Further, within 150 days, the Secretary of Homeland Security is to identify critical infrastructure at greatest risk, using a consultative approach. Congressional oversight can include reviewing these activities to ensure that the requirements specified in the order are met. Question 5. GAO found that Federal cyber strategies lack clear goals, performance measures, defined costs and resources, established roles and responsibilities, and do not coordinate with other national strategies. This failure to coordinate strategies raises concerns over how effective the Administration can be in implementing the new responsibilities laid out in the Executive order. The EO directs DHS to use a ``risk-based'' approach to identify ``critical infrastructure'' within 150 days. The EO also directs DHS to develop performance measures associated with the Cybersecurity Framework NIST is charged with developing. If the government is having a hard time developing performance measures for itself, how will this impact the government's ability to develop performance measures for the private security? How involved should industry be in this process? Answer. Without a proven track record for developing performance measures, the Federal Government will need to engage the private sector to help develop private sector performance measures. While the government has generally not included performance metrics in its national strategy documents, it has developed metrics for measuring the implementation of security controls by Federal agencies. For example, the Department of Homeland Security (DHS) has developed the metrics used in the Cyberscope reporting tool, which captures data on security control implementation at agencies, although it generally did not include a metric that addresses performance targets which would allow agencies to track progress over time. Our report on information security performance measures demonstrated that leading organizations used compliance, effectiveness of controls, and program impact performance metrics for monitoring their information security posture.\1\ --------------------------------------------------------------------------- \1\ GAO, Information Security: Concerted Effort Needed to Improve Federal Performance Measures, GAO-09-617 (Washington, D.C.: Sept. 14, 2009). --------------------------------------------------------------------------- Developing useful performance measures for the private sector's implementation of the Cybersecurity Framework, like the development of the framework itself, relies on collaboration with the private sector. Federal policy, including Presidential Policy Directive 21, Executive Order 13636, and the National Infrastructure Protection Plan (NIPP), establishes a cyber protection approach for the Nation's critical infrastructure sectors that focuses on the development of public- private partnerships. The NIPP sets forth a risk management framework and details the roles and responsibilities of DHS, sector-specific agencies, and other federal, state, regional, local, tribal, territorial, and private sector partners, including how they should use risk management principles to prioritize protection activities within and across sectors.\2\ Further, the NIPP recommends that outcome- oriented metrics be established that are specific and clear as to what they are measuring, practical or feasible in that needed data are available, built on objectively measureable data, and aligned with sector priorities. Direct input from the private sector will be critically important in ensuring that these criteria are met. --------------------------------------------------------------------------- \2\ Presidential Policy Directive 21 directed the Secretary of Homeland Security to update the National Infrastructure Protection Plan by October 2013. ---------------------------------------------------------------------------