[Senate Hearing 113-790]
[From the U.S. Government Publishing Office]




                                                        S. Hrg. 113-790
 
                             CYBER SECURITY

=======================================================================

                                HEARING

                               before the

                              COMMITTEE ON
               HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
                          UNITED STATES SENATE

                    ONE HUNDRED THIRTEENTH CONGRESS


                             SECOND SESSION

                               ----------                              

          STRENGTHENING PUBLIC-PRIVATE PARTNERSHIPS TO REDUCE
  CYBER RISKS TO OUR NATION'S CRITICAL INFRASTRUCTURE, MARCH 26, 2014

  DATA BREACH ON THE RISE: PROTECTING PERSONAL INFORMATION FROM HARM, 
                             APRIL 2, 2014

                               ----------                              

        Available via the World Wide Web: http://www.fdsys.gov/

                       Printed for the use of the
        Committee on Homeland Security and Governmental Affairs



                                    ______
 
                          U.S. GOVERNMENT PUBLISHING OFFICE 
 
 89-521 PDF                     WASHINGTON : 2016 
 -----------------------------------------------------------------------
   For sale by the Superintendent of Documents, U.S. Government Publishing 
   Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; 
          DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, 
                          Washington, DC 20402-0001

        

        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

                  THOMAS R. CARPER, Delaware Chairman
CARL LEVIN, Michigan                 TOM COBURN, Oklahoma
MARK L. PRYOR, Arkansas              JOHN McCAIN, Arizona
MARY L. LANDRIEU, Louisiana          RON JOHNSON, Wisconsin
CLAIRE McCASKILL, Missouri           ROB PORTMAN, Ohio
JON TESTER, Montana                  RAND PAUL, Kentucky
MARK BEGICH, Alaska                  MICHAEL B. ENZI, Wyoming
TAMMY BALDWIN, Wisconsin             KELLY AYOTTE, New Hampshire
HEIDI HEITKAMP, North Dakota

                  Gabrielle A. Batkin, Staff Director
               John P. Kilvington, Deputy Staff Director
         Mary Beth Schultz, Chief Counsel for Homeland Security
         Stephen R. Vina, Deputy Counsel for Homeland Security
           Matthew R. Grote, Senior Professional Staff Member
     Amanda Slater, Legislative Assistant, Office of Senator Carper
               Keith B. Ashdown, Minority Staff Director
         Christopher J. Barkley, Minority Deputy Staff Director
               Andrew C. Dockham, Minority Chief Counsel
         Daniel P. Lips, Minority Director of Homeland Security
          William H.W. McKenna, Minority Investigative Counsel
            Justin Rood, Minority Director of Investigations
              Cory P. Wilson, U.S. Secret Service Detailee
                     Laura W. Kilbride, Chief Clerk
                    Lauren M. Corcoran, Hearing Clerk

                            C O N T E N T S

                                 ------                                
Opening statements:
                                                                   Page
    Senator Carper...............................................1, 175
    Senator Coburn...............................................3, 179
    Senator McCain...............................................   188
Prepared statements:
    Senator Carper..............................................43, 215
    Senator Coburn..............................................46, 217

                               WITNESSES
                       Wednesday, March 26, 2014

Phyllis Schneck, Ph.D., Deputy Under Secretary for Cybersecurity, 
  National Protection and Programs Directorate, U.S. Department 
  of Homeland Security...........................................     5
Donna F. Dodson, Chief Cybersecurity Advisor, National Institute 
  of Standards and Technology, U.S. Department of Commerce.......     7
Stephen L. Caldwell, Director, Homeland Security and Justice 
  Issues, U.S. Government Accountability Office; accompanied by 
  Gregory C. Wilshusen, Director, Information Security Issues, 
  U.S. Government Accountability Office..........................     9
Elayne M. Starkey, Chief Security Officer, Delaware Department of 
  Technology and Information.....................................    27
Steven R. Chabinsky, Chief Risk Officer, CrowdStrike, Inc. 
  (testifying in his personal capacity)..........................    29
Doug Johnson, Vice Chairman, Financial Services Sector 
  Coordinating Council...........................................    31
David Velazquez, Executive Vice President for Power Delivery, 
  Pepco Holdings, Inc............................................    33

                     Alphabetical List of Witnesses

Caldwell, Stephen L.:
    Testimony....................................................     9
    Prepared statement...........................................    63
Chabinsky, Steven R.:
    Testimony....................................................    29
    Prepared statement...........................................    93
Dodson, Donna F.:
    Testimony....................................................     7
    Prepared statement...........................................    55
Johnson, Doug:
    Testimony....................................................    31
    Prepared statement...........................................   103
Schneck, Phyllis, Ph.D.:
    Testimony....................................................     5
    Prepared statement...........................................    49
Starkey, Elayne M.:
    Testimony....................................................    27
    Prepared statement...........................................    85
Velazquez, David:
    Testimony....................................................    33
    Prepared statement...........................................   113

                                APPENDIX

HSGAC minority report............................................   119
ETA statement submitted by Senator Johnson.......................   138
Responses for post-hearing questions for the Record from:
    Ms. Schneck..................................................   144
    Ms. Dodson...................................................   156
    Mr. Caldwell.................................................   157
    Mr. Chabinsky................................................   165
    Mr. Johnson..................................................   169
    Mr. Velazquez................................................   172

                        Wednesday, April 2, 2014

Hon. Roy Blunt, United States Senator from the State of Missouri.   178
Hon. Edith Ramirez, Chairwoman, Federal Trade Commission.........   181
William Noonan, Deputy Special Agent in Charge, Criminal 
  Investigative Division, Cyber Operations Branch, U.S. Secret 
  Service, U.S. Department of Homeland Security..................   183
Gregory C. Wilshusen, Director, Information Security Issues, U.S. 
  Government Accountability Office...............................   185
Hon. Tim Pawlenty, Chief Executive Officer, Financial Services 
  Roundtable.....................................................   198
Sandra L. Kennedy, President, Retail Industry Leaders Association   200
Tiffany O. Jones, Senior Vice President and Chief Revenue 
  Officer, iSIGHT Partners, Inc..................................   201

                     Alphabetical List of Witnesses

Blunt, Hon. Roy:
    Testimony....................................................   178
    Prepared statement...........................................   220
Jones, Tiffany O.:
    Testimony....................................................   201
    Prepared statement...........................................   278
Kennedy, Sandra L.:
    Testimony....................................................   200
    Prepared statement...........................................   273
Noonan, William:
    Testimony....................................................   183
    Prepared statement...........................................   239
Pawlenty, Hon. Tim:
    Testimony....................................................   198
    Prepared statement...........................................   267
Ramirez, Hon. Edith:
    Testimony....................................................   181
    Prepared statement...........................................   227
Wilshusen, Gregory C.:
    Testimony....................................................   185
    Prepared statement...........................................   250

                                APPENDIX

Additional statements for the Record from:
    Food Marketing Institute.....................................   282
    Independent Community Bankers of America.....................   284
    National Association of Federal Credit Unions................   286
    National Retail Federation...................................   290
Responses for post-hearing questions for the Record from:
    Ms. Ramirez..................................................   317
    Mr. Noonan...................................................   320
    Mr. Wilshusen................................................   328
    Mr. Pawlenty.................................................   332
    Ms. Kennedy..................................................   339
    Ms. Jones....................................................   342



                      STRENGTHENING PUBLIC-PRIVATE
      PARTNERSHIPS TO REDUCE CYBER RISKS TO OUR NATION'S CRITICAL 
                             INFRASTRUCTURE

                              ----------                              


                       WEDNESDAY, MARCH 26, 2014

                                     U.S. Senate,  
                           Committee on Homeland Security  
                                  and Governmental Affairs,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 10 a.m., in room 
SD-342, Dirksen Senate Office Building, Hon. Thomas R. Carper, 
Chairman of the Committee, presiding.
    Present: Senators Carper, Coburn, McCain, and Johnson.

              OPENING STATEMENT OF CHAIRMAN CARPER

    Chairman Carper. This hearing will come to order. Welcome, 
everyone.
    This is a day that I would describe for us here in the 
Senate, I suspect for Dr. Coburn and me as well, it is like 
fitting a size 13 foot into a size 10 shoe, how we are going to 
make all this work. We just had a bunch of votes added this 
morning and this afternoon, and somehow we are going to do our 
best to get everything done. But thank you very much for 
joining us. This is an important hearing, and we are delighted 
that you have come.
    A little more than a year ago, President Obama signed an 
Executive Order (EO) which put into place a number of efforts 
intended to enhance our Nation's cybersecurity, and we are here 
today to see what kind of progress has been made in 
implementing the Order and to gather other ideas about better 
securing our critical infrastructure from cyber attacks.
    Every day, sophisticated criminals, hackers, and even 
nation states are probing our government agencies, 
universities, major retailers, and critical infrastructure, and 
they are looking for weak spots in our defenses. They want to 
exploit these weaknesses to cause disruptions, steal our 
personal information and trade secrets, or even worse, to cause 
us physical harm.
    While we have been able to hold off some of these cyber 
attacks, anyone who has examined this issue even casually will 
tell you that our adversaries are getting into our systems 
every day. Earlier this week, for instance, the Washington Post 
reported that Federal agents notified more than 3,000 U.S. 
companies last year that their computer systems had been 
hacked.
    One of the most significant accomplishments over the last 
year though, was the release of a voluntary Cybersecurity 
Framework. This framework provides those who choose to 
implement it--whether they be government entities, utilities, 
or businesses large and small--with a common but flexible set 
of best practices and standards they can use to better secure 
their systems. I tend to think of the framework as a 
``blueprint'' or ``road map'' to lead us toward stronger 
cybersecurity.
    The President's Executive Order called on the National 
Institute of Standards and Technology (NIST), including Ms. Dodson 
here today, to work hand-in-hand with industry to develop the 
framework. It is a living document, dynamic, so NIST, working 
with industry, will continue to update the framework to include 
lessons learned and to address the latest cyber threats.
    From what I understand, the development of the framework 
ran very smoothly, and the end result is a product that has 
been well received by many stakeholders, some who were quite 
critical of our efforts in these venues previously.
    In fact, just last week in Delaware, I sat down with a 
group of cybersecurity experts at DuPont Company who were all 
extremely appreciative of the public-private collaboration that 
went into the development of the framework. To NIST and all the 
partners that have worked on this framework together, I just 
want to say ``Bravo Zulu.'' But I think that we can all agree 
that we have not yet crossed the finish line. This is not the 
finish line.
    Right now, many organizations across our Nation are 
actively analyzing the framework to determine how they can use 
it and incorporate it into their own cyber practices. I commend 
those efforts, and I am pleased that we have several witnesses 
with us today who will share their thoughts on using the 
framework.
    Naturally, not every company or State is ready to use the 
framework. Some may not even really understand what it is all 
about. To those organizations, I can say that help is around 
the corner. If you want it, we are there to help.
    Under the leadership of the very talented Dr. Phyllis 
Schneck, the Department of Homeland Security (DHS) has launched 
a new voluntary program to assist organizations in adopting the 
framework. This program will be incredibly important to the 
success of the framework, and we will be closely monitoring its 
progress to ensure it is providing the right tools and 
information to stakeholders. For instance, we need to make sure 
our Nation's small and medium-sized businesses are getting the 
attention that they need to really drill down on the framework.
    At the end of the day, though, I think the question that we 
are all asking is whether or not the framework will help 
improve our Nation's cybersecurity. While it might be too early 
to answer that key question, I do believe that the framework 
itself provides a much needed road map for companies that want 
to improve their cybersecurity, and this is a very good first 
step.
    Of course, the framework will only be successful if 
companies actually use it, so it is time for industry to roll 
up their sleeves and put this roadmap to use to help us make it 
better. It makes business sense, too. In the words of Dr. Pat 
Gallagher, whom I think Donna knows pretty well, the head of 
NIST and now the Acting Deputy Secretary of Commerce, who sat 
right here, Donna, where you are sitting today, and said, 
``good cybersecurity is good business.'' When those two become 
synonymous, we know we have gotten to a very good place.
    When you consider the threats that we are up against, 
however, I think we can all agree that there is much more that 
needs to be done, and that is why we continue to believe that 
bipartisan legislation is the best long-term solution to 
address this growing concern. We have been working hard with 
our Ranking Member, Dr. Coburn, and our staffs, the folks at 
DHS, and others in an attempt to produce such legislation.
    For example, I think we need to modernize the way we 
protect our Federal networks from cyber attacks. There is not 
much argument about that.
    We also need to clarify and strengthen the public-private 
partnership that we want the Department of Homeland Security 
and industry to have regarding cybersecurity.
    And we need to make information sharing easier so that 
companies can freely share best practices and threat 
information with each other and with the Federal Government. 
And, finally, we need to continue to develop the next 
generation of cyber professionals and enhance our cyber 
research and development efforts right here at home.
    Last week, I had the privilege of visiting a new 
cybersecurity class and program at the University of Delaware. 
I was very impressed with the students and was even told--they 
were from not only all over Delaware but all over the country 
and from around the world. But I was told that the class was 
``oversubscribed to both,'' undergraduate and graduate 
students. I think that is a good problem to have.
    The students at the University of Delaware, they get it. 
They understand what cybersecurity means and how important it 
is for our economic and national security. Our friends with us 
today understand it, too. But for some other folks, this is 
just a hard issue to grasp.
    It is my hope that the framework can help us jumpstart a 
new conversation about cybersecurity in this country. And it is 
my hope that we can come together as a government and industry, 
Democrat and Republican--and work together to tackle this 
growing threat that we face.
    With that, let me turn to Dr. Coburn for any remarks that 
he might want to add. Dr. Coburn.

              OPENING STATEMENT OF SENATOR COBURN

    Senator Coburn. Thank you, Mr. Chairman, and thank you for 
this hearing. I cannot let you get away with mentioning 
Delaware without mentioning the University of Tulsa, one of the 
leaders in cybersecurity in the country, and they are doing 
phenomenal work.
    I also want to praise the administration for the Executive 
Order. I have done it before, but it shows what happens when 
government actually goes out to listen to industry and then 
works with industry to try to solve problems. And the whole 
framework for the Executive Order came out of this meeting of 
minds of what is the problem, what are the potential solutions, 
how do we get about that. And so this hearing today is an 
important hearing for us in terms of critical infrastructure 
and cybersecurity.
    But we also have tremendous weaknesses. Dr. Schneck, this 
is the first time I have gotten to meet you. Everything I hear 
is great. I hope to come back out there and actually work with 
you directly at your facility. But, we run the United States 
Computer Emergency Readiness Team (US-CERT) from Homeland 
Security, and they put out a notice on Windows XP. It is not 
going to be maintained anymore. But guess what agency has the 
largest number of Windows XP programs? Homeland Security.
    And that is not to be critical. That is to say the problems 
are so big, and Homeland Security was brought together, and we 
are just now getting to the able-bodied capability that we need 
there to start addressing some of these internal problems.
    The other thing that Senator Carper and I have, and we are 
working on the other side as well, is we are going to get you 
the capability to hire the people you need, and that is going 
to be on our next markup, I have been assured, and we are going 
to help that flow through Congress and get to the President's 
desk, because one of the things you have to do is be able to 
compete with private industry for all these oversubscribed 
classes.
    So I look forward to our hearings. I look forward to our 
second panel as well. I would also note we have a vote at 11 
o'clock that is going to tie us up for 45 minutes to an hour, 
because there is a multitude of votes. So maybe we should get 
with it, and I will submit a written statement\1\ for the 
record.
---------------------------------------------------------------------------
    \1\ The prepared statement of Senator Coburn appears in the 
Appendix on page 46.
---------------------------------------------------------------------------
    Chairman Carper. Sounds great.
    Very briefly, our witnesses: Dr. Schneck is Deputy Under 
Secretary for Cybersecurity and Communications for the National 
Protection and Programs Directorate (NPPD) at the Department of 
Homeland Security. In this role, she is the chief cybersecurity 
official for DHS. Prior to joining DHS, Dr. Schneck worked at 
McAfee, Incorporated, where she was the chief technology 
officer for the global public sector.
    Our second witness is Donna Dodson. Ms. Dodson is Chief 
Cybersecurity Officer for the National Institute of Standards 
and Technology at the Department of Commerce. Ms. Dodson also 
serves as the Division Chief of the Computer Security Division 
and Acting Executive Director of the National Cybersecurity 
Center of Excellence. In her position, Ms. Dodson oversees 
research programs to develop cybersecurity standards for 
Federal agencies and promotes the broader adoption of 
cybersecurity standards through public-private collaborations. 
Good to see you.
    Our final witness is Stephen Caldwell. Mr. Caldwell is 
Director of the Homeland Security and Justice Issues team at the 
Government Accountability Office (GAO). In this capacity he has 
worked on recent reports regarding the protection of critical 
infrastructure and the promotion of resiliency. Mr. Caldwell 
has over 30 years of experience at GAO, and we thank him and 
all of our witnesses for joining us today.
    I want to thank Senator Johnson for joining us today. Very 
nice to see you.
    Senator Coburn. I would just like unanimous consent to put 
into the record a report on the Federal Government's track 
record on cybersecurity and critical infrastructure\1\ that was 
from February 4, 2014.
---------------------------------------------------------------------------
    \1\ The report submitted by Senator Coburn appears in the Appendix 
on page 119.
---------------------------------------------------------------------------
    Chairman Carper. Without objection.
    All right. Dr. Schneck, you are the lead-off hitter. Swing 
away.

TESTIMONY OF PHYLLIS SCHNECK,\2\ PH.D., DEPUTY UNDER SECRETARY 
      FOR CYBERSECURITY, NATIONAL PROTECTION AND PROGRAMS 
       DIRECTORATE, U.S. DEPARTMENT OF HOMELAND SECURITY

    Ms. Schneck. Thank you, and thank you for your very kind 
words. Good morning, again, Chairman Carper, Ranking Member 
Coburn, and distinguished Members of the Committee. It is an 
honor and a pleasure to be here before you today to talk about 
the Department of Homeland Security's----
---------------------------------------------------------------------------
    \2\ The prepared statement of Ms. Schneck appears in the Appendix 
on page 49.
---------------------------------------------------------------------------
    Chairman Carper. Is this the first time you have testified 
before a committee?
    Ms. Schneck. It is my first time as a government witness, 
sir.
    Chairman Carper. OK. Fair enough.
    Ms. Schneck. Which I have heard is a bit different. But it 
is a pleasure to be here to talk about the Department's work in 
cybersecurity and critical infrastructure.
    We face a cyber adversary that is fast. They have no 
lawyers, no laws, nothing to protect, and they share 
information very easily. They execute when they want with an 
alacrity that we envy, and it is greater than ours. So in that 
spirit today, I will speak to you about our vision for the 
Department of Homeland Security, our work with the Executive 
Order, and with the fine people at NIST, and our implementation 
of the voluntary program, which we call the Critical 
Infrastructure Cybersecurity Community--C3 Voluntary Program.
    I came to DHS 6 months ago. I came for the mission. I came 
to bridge the public and private. I come from a technical 
background in the private sector, and I was the authorizing 
person to share information with the government. That was hard. 
It was based in trust, and we knew we had to do it. And now 
that I have been in government, I have a whole new perspective 
of the challenges in government, and a top priority for me at 
the Department will be enhancing the trust that we have with 
our private sector stakeholders, as well as our Federal 
Government, our State and local stakeholders as well. Building 
that public confidence, leveraging the internal sibling 
organizations that we have with the U.S. Secret Service 
cybersecurity, the Coast Guard, the TSA, the Federal Emergency 
Management Agency (FEMA), our research and development, and, of 
course, our homeland security investigations, our internal law 
enforcement as well as our external partners with the Federal 
Bureau of Investigation (FBI) and the intelligence community, 
it is vital.
    What we need to really improve our infrastructure 
resilience is speed. It is how do we increase that alacrity, 
and in that process I envision our National Cybersecurity and 
Communications Integration Center (NCCIC), as the core of that. 
How we have the government indicators that we get from our 
programs, such as EINSTEIN, Continuous Diagnostics and 
Mitigation, how we pull those together that only we can see 
because it is government, how we leverage our strengths and 
privacy and civil liberties, our ability to show the world 
everything that we do, full transparency, and work with the 
private sector through that trust that we need to build better 
partnerships, to create that common operating picture that the 
President requested.
    We are already partway there in creating indicators, what I 
call a weather map. This is what the adversary cannot do, that 
situational awareness to turn our networks into more self-
healing. Your body does not have a meeting to fight a cold. In 
the same way, our networks should not pass bad traffic. Right 
now we are passing malicious traffic at 320 gigs per second on 
world-class carrier grade routers to good people, and we need 
to work together in partnership. And one way we do that is with 
this framework.
    I was on the first 6 months of this process with the great 
people at NIST as the private sector where all of our companies 
put our finest scientists to work with the government to create 
this broad set of guidelines for cybersecurity so that large 
companies could take what they know and put good practices into 
their suppliers, into their customers, and help raise the level 
of all cybersecurity to make our country safer.
    One of the first things I did when I got to the Department 
is work with a team to take money to pay for Managed Security 
Services for State and local governments when they adopt the 
framework, logic being that in a year or so, when they are 
protected, because they sit on critical infrastructure 
information, private citizen information, and they know how 
much they have to protect but they are woefully underbudgeted. 
We will be protecting them while they use the concepts in the 
framework and the voluntary program and all the resources of 
DHS that come with adopting the framework--cyber resilience 
reviews, technical assistance--they will now be able to take 
that cybersecurity discussion to a level of risk-consequence, 
and likely have better budgeting decisions. Same with small to 
medium businesses to whom we have released a request for 
information saying how can you go forth and innovate, do what 
our country does best, take leadership and make elite security, 
new security products, services, things that protect us, but 
things that are affordable to those small to medium businesses, 
so that we all raise our level of security together.
    We look forward to having that tie back to our vision 
because in that partnership, as we look at security 
holistically, as part of keeping the lights on and maintaining 
our way of life, part of infrastructure resilience, we build 
that trust and partnership across all sectors, that NCCIC 
continues to get information, that we cannot only provide in a 
weather map picture, which we already do, but also put out in 
real time so that when traffic is passed, networks know whether 
or not they should accept it. That is where we outdo the 
current alacrity of our adversary.
    We have enjoyed the support of you and your Committee. We 
thank you for the confirmation of our Under Secretary Suzanne 
Spaulding. What we need is some statutory clarification of our 
role. To react more proactively and with greater alacrity, we 
need to spend less time proving through a patchwork of 
legislation to our partners what our role actually is and more 
time just getting to it more quickly. That would help a lot, 
and also thank you for your kind words in the beginning about 
our workforce. I have had the opportunity and the honor to 
visit with Secretary Johnson some universities and some 
students. There is fine talent out there, and I know with our 
mission we could actually use our mission and outdo some of 
those salaries they are offered. But we have to have the 
flexibility and some additional competitiveness to bring them 
inside and see what we do and get them on board. That is our 
future.
    So I thank you for the opportunity to briefly share our 
vision, to talk about the Executive Order, and I look forward 
to working more with you to make our country safer and more 
resilient. Thank you.
    Chairman Carper. That was an impressive debut.
    Ms. Schneck. Thank you.
    Chairman Carper. Thank you.
    Ms. Dodson, very nice to see you. Welcome. Please proceed.

 TESTIMONY OF DONNA F. DODSON,\1\ CHIEF CYBERSECURITY ADVISOR, 
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY, U.S. DEPARTMENT 
                          OF COMMERCE

    Ms. Dodson. Thank you. Chairman Carper, Ranking Member 
Coburn, and Senator Johnson, thank you for this opportunity to 
testify today on the National Institute of Standards and 
Technology's work through public-private partnerships in the 
area of cybersecurity.
---------------------------------------------------------------------------
    \1\ The prepared statement of Ms. Dodson appears in the Appendix on 
page 55.
---------------------------------------------------------------------------
    As a scientific organization focused on promoting U.S. 
innovation and industrial competitiveness, we at NIST see 
ourselves as industry's laboratory with strong partnerships 
with the private sector driving all that we do.
    As this Committee is well aware, NIST has spent the last 
year convening critical infrastructure sectors and relevant 
stakeholders to develop the Cybersecurity Framework. On 
February 12, Version 1.0 was released, along with a road map 
for future work in support of this effort.
    From the start, NIST saw the framework as a tool that any 
organization in any one of the very critical infrastructure 
sectors could use to build strong cybersecurity programs. The 
intent was to assess the current capability of the market while 
offering a common language to address and manage cybersecurity 
risks. The voluntary nature of the program and the extensive 
private sector engagement has encouraged the widest set of 
stakeholders to come to the table and work collaboratively. 
This approach, with its reliance on consensus standards, has a 
proven track record. When industries and other private sector 
stakeholders get together and determine for themselves what 
standards are needed to ensure confidence and quality, those 
standards are much more likely to be adopted and implemented.
    NIST began the framework development process with a request 
for information and received hundreds of submissions. Those 
submissions provided a foundation for the framework. We 
followed this request with five workshops around the country 
with thousands of participants. Our approach was to gather 
feedback from participants, conduct analysis, and present those 
findings back to the community for additional refinement. Even 
the fundamental structure of the framework came from this 
engagement as an initial outline, was presented to the 
stakeholders, and then that outline was filled in at our 
workshops.
    The result of this effort is a document that lays out 
critical elements of any cybersecurity program and then links 
those elements to proven best practices and protections for 
organizations to consider using while factoring in privacy and 
civil liberty needs.
    The framework consists of three parts: the Framework Core, 
the body of existing practices that can help an organization 
answer fundamental questions, including how we are doing; the 
Framework Tiers that help to provide context on how an 
organization views cybersecurity risks; and the Framework 
Profiles that can be used to identify opportunities for 
improving cybersecurity posture by comparing a current state 
with a desired or target state. My written testimony has 
additional details on each of these pieces.
    The framework structure will enable organizations to tailor 
plans to their specific needs and communicate them throughout 
their organization. Some companies may discover that an entire 
cybersecurity effort consists only of passwords and antivirus 
software with no real-time detection capability, and other 
companies may find the framework a useful tool for holding 
their key suppliers accountable for their practices.
    As organizations use the framework, their experiences can 
then be reflected back to keep pace with changes in technology, 
threats, and other factors, and to incorporate lessons learned 
from its use and to ensure it is meeting national priorities.
    Moving forward, NIST will continue to work with industry, 
DHS, and other government agencies to help organizations 
understand, use, and improve the framework.
    Only 6 weeks in, we are aware of many organizations that 
are already using the framework and providing feedback to DHS 
and NIST. Phyllis has already discussed the great strides that 
DHS is making in working with sectors on more detailed 
operational guidance, which we will work with them to support.
    We recognize that the cybersecurity challenge facing this 
Nation is greater than it has ever been. We are committed to 
working as part of the private-public sector team to address 
this challenge. In particular, NIST will continue to support a 
comprehensive set of technical solutions, standards, 
guidelines, and best practices that are necessary to address 
this challenge. Some of NIST's work will be conducted through 
other programs, including our work under the Federal 
Information Security and Management Act, the National Strategy 
for Trusted Identities in Cyberspace, and the National 
Cybersecurity Center of Excellence, as well as our research and 
development work.
    Thank you for this opportunity to testify today, and I 
would be happy to answer any questions you may have.
    Chairman Carper. Ms. Dodson, thanks so much for your 
testimony and for being with us. Mr. Caldwell.

    TESTIMONY OF STEPHEN L. CALDWELL,\1\ DIRECTOR, HOMELAND 
  SECURITY AND JUSTICE ISSUES, U.S. GOVERNMENT ACCOUNTABILITY 
    OFFICE; ACCOMPANIED BY GREGORY C. WILSHUSEN, DIRECTOR, 
  INFORMATION SECURITY ISSUES, U.S. GOVERNMENT ACCOUNTABILITY 
                             OFFICE

    Mr. Caldwell. Chairman Carper, Dr. Coburn, and Senator 
Johnson, thank you very much for asking GAO to come here today.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Caldwell appears in the Appendix 
on page 63.
---------------------------------------------------------------------------
    Chairman Carper. How about Senator McCain over here?
    Mr. Caldwell. Oh, sorry, Senator McCain. I did not see you 
slip into the----
    Chairman Carper. He slipped in a little late, but he is 
here.
    Senator Coburn. He is hard to miss.
    Senator McCain. I am insulted. [Laughter.]
    Mr. Caldwell. I am Steve Caldwell, and I am from GAO's 
Homeland Security Team, and I am in charge of our work on the 
physical protection of infrastructure. I am accompanied by Greg 
Wilshusen here, whom I think you know. He has testified before 
this Committee previously. He is in charge of GAO's work on 
cybersecurity. The reason both of us are here is we are 
bringing together some of our work on both the physical and the 
cybersecurity areas that deal with the partnership that we are 
talking about. Our report is here in the broader sense of trying 
to pull up some more generic lessons learned perhaps as we move 
forward with the new C3 initiative.
    Since 2003, GAO has listed cybersecurity of critical 
infrastructure as a high-risk issue. There are several reasons 
for that. One of these is the importance of cybersecurity, as 
our dependence on it continues to grow and evolve. Also, cyber 
incidents continue to rise at a very quick pace, at least the 
ones we know about. Then the Federal Government continues to 
have a number of challenges in trying to deal with these 
incidents.
    As noted, in the wake of the Presidential directives and 
the Executive Order last year, there is a new program, the C3 
Voluntary Program here.
    So today I am going to discuss key factors related to the 
partnership between the private sector and government that may 
provide lessons, moving forward. My statement is based on a 
broad body of GAO work that has included all 16 sectors of 
critical infrastructure. It has looked at protection against 
all hazards, both cyber and physical. It has looked at 
infrastructure largely owned by the private sector and programs 
that have used both a voluntary and a regulatory approach.
    As a whole, the DHS partnership has made a lot of progress 
in terms of sharing threat, protection, and resiliency 
information with a wide variety of partners. These include 
other Federal agencies, State and local governments, and most 
importantly, with industry.
    However, there have been many challenges, and we have noted 
these in our written statement. My written statement goes into 
both progress made in both the physical and cyber partnerships 
as well as several examples.
    For example, our recommendations have asked DHS to seek 
better understanding and focus on what the expectations are of 
industry. We have asked DHS to identify and, where possible, 
clear some of the barriers to information sharing that we have 
found. We have asked DHS to determine why industry does not 
participate in some of the programs DHS runs so it has to go 
beyond those that participate to those that do not participate 
to find out why. We have also asked them to share information 
more broadly at the sector level and at the regional level. It 
should share information, not just with individual companies 
but in the broader sense of the grouping of companies. And we 
have also asked DHS to evaluate whether and how industry is 
actually using some of the assessments that DHS has provided, 
particularly in the voluntary programs. And then, finally, we 
are asking DHS to systematically assess the performance of the 
outreach efforts that they have to industry.
    In closing, DHS has taken a number of steps to develop 
these partnerships, and these are critical for protection 
against both physical and cyber attacks. However, a lot more 
work remains, and we have kept the cybersecurity of 
infrastructure on our high-risk list in our last iteration of 
the list and anticipate that it will remain so as we move 
forward.
    So until the Nation's most critical infrastructure systems 
have a better partnership with DHS, these systems remain at 
risk.
    That concludes my remarks. Mr. Wilshusen and I will be 
happy to answer any questions you may have. Thank you.
    Chairman Carper. Thank you very much.
    Dr. Schneck, we just heard from Mr. Caldwell a series of, I 
will call them, ``asks'' from GAO. He says we have asked DHS to 
do this, and I think about a half dozen or so. Are you aware of 
those asks? And would you care to respond to what DHS is doing 
in light of them?
    Ms. Schneck. Absolutely. And, first of all, thank you. We 
do a lot of work--again, my first 6 months with government, I 
am learning a lot, and I really appreciate the work of the GAO.
    Chairman Carper. They are good people.
    Ms. Schneck. Absolutely, and I had the opportunity to work 
with them before. So there are many asks, some of which I have 
known a little of and some not, but we are in the first phase 
of, as Donna mentioned, an evolving program with the framework. 
So this is Phase 1. We are now into Phase 2. This is a living 
document. It will adapt and we will adapt to how industry and 
government need to raise the level of our security, evolve with 
our guidelines, and these metrics will evolve.
    I think we are assessing right now our outreach. We are 
2½ months in. We already have actually a checklist for our 
State and local as to who has adopted what parts of the 
framework, who is actually using services, who was before. We 
will be looking at doing something similar for the private 
sector, and certainly on the government side, absolutely. So we 
are very much on top of that, but also tracking in partnership, 
because the success of this, as I saw in the first phase as the 
private sector, comes from the fact that the private sector is 
very bought in. They know that they designed this thing with 
us, with NIST, and they have a lot of trust in that. So we want 
to maintain their input as we build how we rate the success.
    Chairman Carper. Could you just describe for us in your own 
words the role--we have the framework, we have the blueprint, 
the road map. It has been well received in a lot of circles. 
What are some of the criticisms you have heard of it? This is 
for anybody. What are the criticisms we have heard of the 
process and the product to date? I have not heard any, and 
there must be some.
    Ms. Dodson. So as we were beginning the development of the 
framework, I think people were concerned if this would truly be 
a private-public partnership, or did the government have the 
answer in its back pocket that it was going to put out and put 
forward. Through the process that we put together with industry 
and the iterative and the constant communication from one 
workshop to the next workshop, they could see the development 
of the framework and the inputs that we received and how we got 
to the end stage.
    People are always concerned about cost, and so as you look 
at the framework development, we took a risk management 
approach so that it is integrated in with your entire business. 
And really that work with the private industry on the 
appropriate set of standards and best practices to put in 
there, there is an element of cost there, and they can balance 
that with the risks that they see and the need to protect their 
information.
    So those are two of the major concerns that we heard during 
the development process of the framework and how we addressed 
those collectively across the government.
    Chairman Carper. All right. Thank you.
    Dr. Schneck, talk to us a little bit about the role of DHS 
going forward in terms of implementing the framework and 
figuring out who needs some help in implementing maybe small 
and mid-sized businesses, maybe even some larger ones. How do 
you identify them? Do they just step forward and say, ``Well, 
we need some help. What can you do for us?'' and then you have a 
conversation? How does that work?
    Also, in terms of what you need at DHS to do that job, the 
kind of resources that you need, be they people, the kind of 
people skills that Dr. Coburn talked about, technology, 
authorization, maybe things you need from us, talk about those, 
what your needs are to be able to meet your responsibilities in 
implementing the framework.
    Ms. Schneck. OK. I will start with DHS' role, the response 
and mitigation to cyber attacks focused on critical 
infrastructure resilience, basically to protect that holistic 
all-hazards approach, and really looking at cyber discussion as 
that risk-consequence equation. Going back to what Dr. 
Gallagher said about equating cybersecurity and business 
practice, when are we going to get there? And I think our role 
is twofold.
    One is on the people side really engaging those 
partnerships. To Donna's point, there was a lot of skepticism. 
Will this really be a partnership? And part of our role in 
working with NIST and others is to make sure that the private 
sector is at the table in helping those discussions and taking 
their lead on what it is going to take to, No. 1, help the 
providers make better technology, to help us innovate and drive 
those markets economically; and the other is how do--to your 
other point on small to medium business, that is a huge risk. I 
testified on that in another capacity some years ago. These are 
companies that have no idea in many cases that they have 
something to protect, and yet they are connecting to everybody 
else, making the rest of us not secure, with very small 
budgets.
    I went to Silicon Valley 2 weeks ago to talk to our venture 
capital community, to talk to our innovators out there about 
how they can protect those assets they are funding and growing.
    So our role in DHS on the people side is really to engage, 
to partner, to build that trust, and to use those qualities 
that we leverage most--the privacy, the civil liberties, the 
transparency--so that when we bring people and information 
together, we can push it out as fast as possible to help stop 
bad things getting to good people. But we can also be a 
resource for people to learn.
    On your next question about implementing the framework, we 
have a very aggressive schedule on helping. We are reaching out 
to small to medium business through the Chamber, through other 
organizations, obviously reaching out to the larger businesses 
through our Conservative Political Action Committee (CPAC) 
partnerships with all 18 critical infrastructures, certainly on 
our Federal civilian side working with all of the agencies and 
with the State and local through the Multi-State Information 
Sharing and Analysis Center (MS-ISAC), so certainly reaching 
everybody. Everybody has different sensitivities. Everybody has 
different things they need to see. And working through all of 
that through different teams that are joined together.
    And quickly to cover on the workforce, there is great 
talent out there. We need everything from technical----
    Chairman Carper. When you say ``out there,'' out where?
    Ms. Schneck. The universities that----
    Chairman Carper. Within DHS or outside?
    Ms. Schneck. Both.
    Chairman Carper. OK.
    Ms. Schneck. And I will say for all the skeptics, I walked 
into one of the finest teams on the planet.
    Chairman Carper. Really?
    Ms. Schneck. So those who think that government is not 
smart, they are wrong. What we need is more people like the 
ones we have, some more technical resources like we have in our 
US-CERT, because more and more we have those teams that fly off 
and help people respond to attacks. We need to have more of 
that. And there is a spectrum of skill sets. We need the 
cybersecurity experts. We also need folks that are skilled in 
analytics. We need policy people. And that combination of 
talent and people that work with us, with our Science and 
Technology Directorate, through Research and Development (R&D), 
need to look at a holistic view of what we can do with our 
partnerships, what we can do across cybersecurity across DHS, 
and have a mind-set of where we can go next. This is how we get 
faster from our adversary, and I have had the opportunity, as I 
mentioned, with Secretary Johnson to meet some people that I 
believe fit that bill. And I believe our mission can meet what 
their other salary offers can meet in a different way.
    Chairman Carper. How can we help? Dr. Coburn mentioned 
briefly one idea, and that is to make sure you are able to 
attract and retain the kind of talent that you need in this 
arena. But whether it is in that regard or some other regard, 
how can we help you meet the responsibilities that you are 
facing?
    Ms. Schneck. The onboarding process, if we could make that 
easier, give us a little bit more money to hire, a little bit 
stronger hiring authorities to make things more competitive for 
us, because our mission meets the salary. People say that good 
talent does not come because we cannot pay them. Sometimes we 
can make up some of that gap with our mission, but the rest of 
the gap and the long process and what it takes to come work for 
government, if you could help us make that easier, give us some 
additional authorities to bring great people on, that will help 
our overall partnership. And I believe that goes to the safety 
of our Nation.
    Chairman Carper. Good. Thanks so much. Dr. Coburn.
    Senator Coburn. One of the words that you spoke a minute 
ago was maintain input from the private sector. And what I hear 
from the private sector is this inherent worry that we get to 
the implementation phase and this is no longer a voluntary 
program but a mandatory program. Talk to us about that.
    Ms. Schneck. Thank you for that question because it is 
something that we work with every day, because we heard it 
every day from our stakeholders. The main goal of this 
framework was to engage the private sector to drive this with 
their innovation, with their picture, and to get us as a 
country together, public and private. There is no better 
incentive than actual security and safety.
    At the White House anniversary of the framework on February 
12 of this year as well as the day of the beginning of the 
launch of the voluntary program to adopt the framework, we had 
several CEOs in attendance of some of the major large 
companies, and one actually said his major incentive was fear 
and that he would be helping us to implement this.
    So other ways that we are looking at this is how do we 
continually in a phased approach maintain the private sector's 
involvement as we do the adoption. We will learn. We are 
putting all of our resources out to the private sector. We are 
not asking them to report to us if they have used it or not. We 
want to look at our outreach. We want to study our metrics, 
stay involved with the large companies that are--and this is 
very key to me--asking their suppliers to be more secure so 
that when you connect to a smaller company, you do not endanger 
the larger company, and requiring of their customers, same with 
the State and local. And a lot of basic cyber hygiene and 
guidelines that are mentioned in this framework could have 
prevented a lot of the attacks that we have seen thus far.
    Senator Coburn. Thank you. Talking a little bit about 
government, hygiene in the government, it is a big problem, 
isn't it? How do we solve that?
    Ms. Schneck. Wow. So one approach that I would look at--and 
you mentioned the Windows XP, so that is a great example. This 
is a critical issue that is affecting everybody. DHS has worked 
with Federal agencies to get this awareness out. We have a 
great partnership between the National Protection and Programs 
Directorate, where I sit, and our Chief Information Officer 
(CIO). Our great new Chief Information Security Officer (CISO) 
Jeff Eisensmith, and CIO Luke McCormack and I talk all the 
time, because, candidly, there is no sweeter network than 
DHS.gov to learn from who is trying to attack us. And then we 
put that knowledge into how we protect everybody else.
    On the XP issue, the migration to Windows 7 for us is 
expected to be complete before the end of the security updates 
for XP, and I know that DHS long before I got here put that 
warning out to all other agencies. So that is one way I think 
DHS protects our other agencies.
    The other is in programs such as EINSTEIN, with simple 
network protection, intrusion prevention and detection. But the 
ability to understand with our information--again, we see all 
the networks we protect, so all that information that large 
view in the Concept of Operations (CONOPS) for cyber from that 
NCCIC goes into the protection of every single agency that we 
protect. And then every time we see something, we learn 
something from it, and that goes to protect everyone else, and 
we can push that information out as well to State and local. So 
that hygiene in government can come back to our programs.
    I also want to call out on that same note Continuous 
Diagnostics and Mitigation. That is near and dear to me because 
it takes the 3-year book of compliance that I called a 
``doorstop'' when I was in the private sector; it takes 
people's resources to build this one book of compliance that 
says at this moment in time this is how my network looked. 
Continuous Diagnostics and Mitigation changes your network into 
an immune system. At any given moment, it will understand, 
detect, and attack something that is bad and report on it. So 
you can save your strongest minds to hunt for the most 
malicious actors.
    So in government, we are taking large strides toward that 
hygiene. All of that fits within the guidelines of the 
framework. And then certainly taking that data from Government 
that we learn and pushing it out to private sector. So we think 
Government hygiene will uplift everybody else, and we certainly 
hold ourselves to higher standards than others at DHS.
    Senator Coburn. There has been some maybe not criticism but 
some questions about the efficacy of EINSTEIN. Do you feel 
comfortable that it is where it needs to be?
    Ms. Schneck. I do. So 6 months ago, when I came in, one of 
the first things I did was learn the history and then the 
current path of where we are. There were, of course, some 
hiccups, as in any large technology program that I have seen 
all my life. But now we have our second service provider on. In 
fact, now that that service provider is signed up to provide 
Einstein 3 Accelerated (E3A) accelerated services, which is 
used in prevention, we at DHS will be leveraging those services 
as well.
    We are finally at a point as well where we are getting 
enough data and protecting enough agencies--I think about a 
quarter now of the seats in the government--and a lot of that 
depends on, again, getting other service providers signed up, 
but I think we are at a point where we are now looking at the 
more interesting topic, if you will, which is how do we use the 
data that we are collecting from government to give it to the 
private sector.
    Senator Coburn. Sure.
    Ms. Schneck. For example, programs such as Enhanced 
Cybersecurity Services, which allow us to protect the private 
sector with classified information, as well as take 
unclassified information but that we learn from the EINSTEIN 
program in government and push that out in real time with 
regular traffic, so that as traffic flows through the 
network, other parts of the network and other devices know not 
to accept it if it is going to hurt you.
    So to wrap up, government hygiene I think is important, and 
it affects everybody.
    Senator Coburn. So it is important not just to maintain the 
input from the private sector, but also to maintain the trust 
of the private sector that what you have provided to them is 
worth them having.
    Ms. Schneck. Oh, absolutely, because, again, someone like 
me, 6 months ago in a company, was given the ability and the 
authorization to use my own judgment when we should talk with 
government, and I was always asked what are we getting back, 
what are they doing. So that is in both human time, what are we 
going to learn from different government agencies by sharing; 
and then in real time, the government and I believe DHS 
uniquely, because of our emphasis on privacy, civil liberties, 
and transparency, and our NCCIC, has the ability to correlate 
that data and learn a lot from private sector, combine that 
with what we as only government can see, and push that out 
faster than our adversaries could hurt us.
    Senator Coburn. And so in your thought pattern right now, 
as long as you can keep the voluntary compliance and working 
relationship on a basis of trust and value, we are not looking 
at hard regs mandated by the Federal Government for this is how 
you will do this.
    Ms. Schneck. We are focused on voluntary engagement, 
learning as much as we can from the private sector, and pushing 
as much correlated data out as we can.
    Senator Coburn. All right. Thank you.
    Ms. Schneck. Thank you.
    Chairman Carper. Senator Johnson.
    Senator Johnson. Thank you, Mr. Chairman. Ms. Schneck, 
welcome.
    Let me pick up where Dr. Coburn left off there. I have been 
here 3 years now, and we have been talking about cybersecurity. 
I was actually in the meeting with a bunch of Senators trying 
to hammer out a cybersecurity bill. A pretty prevalent attitude 
in that room was that businesses, the private sector, needs to 
be forced into protecting their cyber assets. Is that your 
experience in the private sector?
    Ms. Schneck. So I came from a large cyber provider, so, no, 
we did not need to be forced to protect cyber assets. But I can 
tell you that our customers did not either. They had either 
experienced a breach or knew enough to know that they would 
experience a breach, and many in the field say that there are 
two kinds of companies and entities right now: those who know 
they are compromised and those who do not.
    So the issue is how we raise cybersecurity to a business 
discussion. I think that the framework and the voluntary 
program will get it to the board room, because it becomes part 
of the risk. We do not force people to lock their doors, and 
yet they do. So this is part of a culture of security that has 
been talked about for 12 years. I think Howard Schmidt is the 
first person to use that phrase back in 2000, 2001, or 2002. 
And looking at how we continue to engage that private sector 
innovation, drive the market.
    Once NIST engaged with the private sector, they sent out 
their best and their brightest for 3 to 4 days at a time to 
workshops that required long flights, and they are continuing 
to remain involved because they see the importance, not just 
for their brand reputation but for their customers and, 
candidly, as part of our Nation's network and our global 
assets.
    Senator Johnson. Well, it was certainly my attitude, and 
trust me, I was the minority view, that I really think 
businesses want to protect their cyber assets and actually look 
to government, acknowledging the fact that the government has 
an awful lot to offer. And so I have really been pleased with 
what NIST is trying to do, make this a voluntary approach. It 
is the way to go. If we can facilitate cybersecurity versus 
dictate it, I think this will work. If we try and dictate it, I 
think the private sector shuts down.
    Over these 3 years, it seems like the No. 1 component or 
the first priority is really to facilitate information sharing. 
Ms. Schneck, you talked about the need for speed. What is the 
greatest inhibitor to get that free flow, that rapid, the 
speedy information sharing that is required if we are going to 
detect cyber threats and try and contain them as much as 
possible.
    Ms. Schneck. I have an optimistic view of that, and there 
are pockets in the private sector that can already do this. 
That is how I know we can build it, and that is how I know 
how--I built one of those in my previous life--where the 
analysis of data can be in real time pushed out with traffic.
    I think our job as government, and especially with DHS as a 
lead civilian agency for this, with the ability, again, to do 
it right, with privacy experts and civil liberties, and show 
the world exactly how we do it, we have the ability to 
correlate information and get a global view of what traffic 
might be OK and what might not be, and to literally pass that 
at machine speed. Just as you send an e-mail----
    Senator Johnson. But, again, businesses have to feel 
comfortable to share that information. Isn't liability 
protection a big problem in terms of businesses not being 
willing to share that? And isn't that something Congress needs 
to do?
    Ms. Schneck. So we look at liability protection. I can give 
you an anecdote from my previous life. This is something that 
would have helped us, because I was often in situations where, 
as company or country, and can you share, the lawyer will not 
let you, but you know that the information you have from the 
research you do could help a lot of people. So I know the 
administration is looking at targeted liability protection, 
and, again, my perspectives have changed a bit since I have 
come over to government, because I see some of the different 
challenges. And part of what I want to do is bridge that, and 
that is why I want to build that trust.
    And I think that the targeted liability protection that the 
administration is looking at right now would help us because it 
would protect companies in the instances defined to share 
information, and they would not get hurt by that and would not 
be held liable, nor would their shareholders, if--for example, 
in my case, when I did this, a sector could be exposed for 
having potential liabilities. But it would not be so broad that 
it threatens even the optics or the perception of threatening 
our privacy and civil liberties because we are fighting to 
protect, again, our way of life. So it is a balance.
    Senator Johnson. The devil will be in the details on that 
one.
    First of all, I am pleased to hear that you appreciate the 
talent that is already in your agency. That is good to hear. I 
am intrigued, by the way. I really appreciate the fact that you 
are willing to leave probably a pretty good-paying job and come 
in here and do work for the Federal Government, pretty 
important work.
    Ms. Schneck. Thank you.
    Senator Johnson. Let me just ask you, if you had to go 
through the confirmation process, would you have decided to 
make that switch?
    Ms. Schneck. If I had to go through the confirmation 
process? So when----
    Senator Johnson. Did you go through the confirmation 
process? My information is you did not.
    Ms. Schneck. Not the Senate confirmation, no, sir.
    Senator Johnson. Correct. But if you----
    Ms. Schneck. But I would have done it anyway.
    Senator Johnson. But had you gone through the confirmation 
process, would that have prevented you from considering a 
position here in the administration?
    Ms. Schneck. No.
    Senator Johnson. OK. In terms of attracting other people 
into government, into these high-tech positions, certainly 
there is kind of the mission challenge that is attractive, but, 
again, there are a lot of good-paying jobs out in the private 
sector. Can you speak to what kind of dollar differences we are 
talking about?
    Ms. Schneck. Oh, wow. So, again, all of that, it depends 
on----
    Senator Johnson. I am a business guy, so I focus in on some 
of those practical concerns.
    Ms. Schneck. So in many cases, sir, there are six-figure 
differences, and that is before the stock. However, I think 
there is a much more important--it is not always that way, but 
there is a much bigger, I think, calling, if you will, and that 
is that when you get to government and you can--and I only 
learned this 6 months ago, but how much people in government do 
so that someone in my position never knew it got done and just 
felt safe every day. I think that having that other piece of 
knowledge helps bridge the gaps that we need to bridge to keep 
our economy--to let our private sector drive innovation to keep 
our country in leadership in science, and all of that will make 
us more secure. And so what I would love to do is be able to 
pull some more people from the private sector and say, ``Come 
see what I learned, and come join our team and help us.'' I 
know that our mission can pull them.
    From what I am told, the hiring process is very difficult, 
and, if, again, we could get that help from Dr. Coburn and from 
the Committee----
    Senator Johnson. OK. That is really the point I am trying 
to make.
    Having come from the private sector, which obviously has 
bureaucratic problems as well, can you just compare and 
contrast a little bit in terms of what you see, what your 
viewpoint is, comparing bureaucracy in the private sector 
versus bureaucracy here in government? Because, again, this has 
been an urgent need since I have been here, and even before 
that. This is 3 years. We are still moving forward. We are 
still talking pretty much about the same issues, although there 
has been some real advancements because of the Executive Order 
and NIST, and I appreciate that. But we are still, it seems 
like we certainly have a ways to go.
    Ms. Schneck. So do you mean in the hiring or in the 
technology?
    Senator Johnson. I am talking about just in terms of moving 
a process forward and the bureaucracy versus the private sector 
versus government.
    Ms. Schneck. So in my short 6 months here, I have learned 
that working with our partners across the Department as well as 
across agencies and certainly with committees such as this is 
the best way to get things done because you build support for 
what needs to get done, you target your budget, your blueprints 
and your outlook, your strategic plan toward what you feel 
needs to get done. In a company, I think that sometimes things 
move a little bit faster. But bringing that together--and that 
is what companies can do best. That is why they can innovate so 
quickly. But then, again, there are rules and reasons why we 
have government processes. I have had the opportunity and honor 
to start to understand some of that. It keeps government 
honest. And we do have a lot of information and deal with very 
large budgets. I think that is fair.
    But, again, bridging that, building that partnership, 
building that balance, I have seen both bureaucracies, and I 
know we can work together, and I plan to get that done with 
your help. We need your help.
    Senator Johnson. OK. Thank you.
    Thanks, Mr. Chairman.
    Chairman Carper. Thank you, Senator Johnson. Senator 
McCain.
    Senator McCain. Well, thank you, and I thank the witnesses.
    Ms. Schneck, you said that would not have deterred you, 
having to go through the confirmation process, but I guarantee 
you are just as happy you did not. [Laughter.]
    Let me ask all three witnesses, isn't it true that current 
trends indicate that the incidence of cyber attacks and 
incidence of breaches of cybersecurity will continue to 
increase in terms of frequency and gravity for the next 3 years 
and the costs will increase more quickly than the benefits? 
Would you agree with that assessment?
    Ms. Schneck. So I have not seen those numbers or the 
source. I do think cyber attacks are increasing. I do think the 
gravity is increasing. And we see everything on the spectrum 
from making noise to preventing business to actual destruction.
    Senator McCain. Ms. Dodson.
    Ms. Dodson. So when we started the development of the 
framework----
    Senator McCain. My question is: Do you believe that they 
are increasing?
    Ms. Dodson. So yes, we do believe that they are increasing, 
and that is why the framework addresses resiliency, not just 
stopping the attacks but that protect, detect, respond, and 
recover capability that are outlined in the framework, because 
that resiliency is very important.
    Senator McCain. Thank you. Mr. Caldwell.
    Mr. Caldwell. Senator McCain, hopefully I can make up for 
my omission at the beginning----
    Senator McCain. Inexcusable. [Laughter.]
    Mr. Caldwell. The data that we use, which is from CERT, 
certainly shows a striking increase in incident numbers.
    Senator McCain. And more than 100 countries are cyber 
capable. And if you put it into different categories--and there 
are different ways of doing that, but let me try this: 
Political activism, organized crime, intellectual property 
theft, espionage, disruption of service, and destruction of 
property--which of those are our highest priorities, would you 
say, Dr. Schneck?
    Ms. Schneck. I believe that resilience against all of them. 
They are all happening. If we prioritize toward one, the 
adversary will go after----
    Senator McCain. One or two is fine.
    Ms. Schneck. So the ones that harm our way of life, the 
destruction for me, and certainly for the business.
    Ms. Dodson. So I agree with Phyllis that looking at resiliency 
is critical, and those things that really affect our way of 
life and those things that touch our life, and it is a big 
challenge as we look at the explosion of information technology 
across all aspects of our life.
    Mr. Caldwell. Senator McCain, really the priorities on 
those threats would vary a lot. Obviously, in government you 
have to worry about espionage of national secrets. If you are 
a big company, you are worried about data breaches, dealing with 
your consumers and your clients. If your business is dependent 
on the innovation end, you are worried about the stealing of 
your intellectual property.
    Senator McCain. And I think we all conclude that the 
cybersecurity is an issue of transcendent importance.
    Mr. Caldwell, the cybersecurity budget is about $1.5 
billion. It is less than 5 percent of the total DHS budget. We 
do not like to talk just in terms of money, but money is a very 
significant factor. Do you think that that is sufficient 
priority of cybersecurity, that amount of money?
    Mr. Caldwell. I am going to ask Greg Wilshusen to address 
that. He does most of our cyber work within GAO.
    Mr. Wilshusen. Good morning. I would say that, we did not 
address the budget per se, whether that particular amount is 
enough. One of the things that governmentwide has been reported 
is that government spending toward information security has 
been around $13 to $15 billion out of about $70 to $80 billion 
spent on information technology (IT). So it has been about 18 
percent, as has been reported by the Office of Management and 
Budget (OMB). Within the Department of Homeland Security, I do 
not know if I could actually say that that is the accurate 
amount or the total amount that should be spent.
    Clearly, the Department has many responsibilities and needs 
to do a better job in certain areas in terms of providing 
better support to the Federal agencies as well as to critical 
infrastructure. If that is a matter of budget, I think we 
talked earlier about there are some needs for top talented 
people to continue to come to the Department.
    Senator McCain. Thank you. I, like Senator Carper and 
Senator Johnson, have spent many hours in meetings trying to 
formulate cybersecurity legislation. We bump up into various 
problem areas--privacy versus national security, what the role 
of private enterprise is. We continue to address this in a 
circular fashion.
    One of the reasons is because we have oversight overlap of 
so many different committees that have responsibilities--the 
Judiciary Committee, Armed Services Committee, this Committee, 
and probably the Commerce Committee and many others.
    Given the gravity of this challenge that we face, I have 
been arguing for a Select Committee. I count some 30 pieces of 
legislation that have already been introduced in both Houses, 
and, of course, none of them are going anywhere.
    Mr. Caldwell, does GAO have a thought on that subject?
    Mr. Wilshusen. Certainly there are a number of 
Congressional committees that have oversight of the Department. 
I believe the Department would probably be better positioned to 
determine what impact that has on it. But we do testify before 
a number of committees on this subject. But it is up to 
Congress to organize as it sees fit in terms of how it provides 
oversight.
    Senator McCain. Thank you.
    Ms. Schneck, should we shift the focus to 
telecommunications companies and Internet Service Providers 
(ISPs) and examine whether they could be doing more to monitor 
the various cyber threats coming through their infrastructure?
    Ms. Schneck. So cybersecurity is a shared responsibility. 
We all have a piece throughout government and the private 
sector. In my experience, the telecoms have done a lot. They 
have really stepped up and helped, for example, in botnets, 
which is when the adversary ties together tens of thousands of 
machines sometimes, compromises them, and tells them to send a 
lot of traffic all to one or two places. That is called 
``distributed denial of service,'' and it prevents business 
from being done because imagine too much water from a fire hose 
going into a straw. It just cannot be handled.
    One of the things that the ISPs have stepped up to help us 
do with the NCCIC is when we use our trusted partnerships to 
coordinate and understand which machines are causing the harm, 
the ISPs actually are online ready there to take the 
information from us and help distribute that through their 
networks since they are carrying all of this traffic. So that 
is one way they have partnered. They are very engaged in many 
of the different public-private partnerships, and I hope that 
other sectors--some already are and some are not--but, again, 
they are one piece, and, again, it is a shared responsibility.
    Senator McCain. Well, it is my conclusion, after looking at 
where different personnel assigned to cybersecurity 
responsibilities are spread throughout the Federal Government, 
we have Cybersecurity Command in the Department of Defense 
(DOD), we have you, we have other agencies of government all 
who have a cybersecurity responsibility. And, frankly, I do not 
see the coordination between those different agencies of 
government that I think would increase dramatically our 
effectiveness. And if we engage in legislation, which we have 
tried to do without success, I would argue that that has to be 
part of any legislation that we enact.
    If you view this threat with the gravity that many of us do 
now, then it may require a reorganization such as we carried 
out after 9/11, which is the reason why this Committee and the 
Department of Homeland Security is in being. I hope that you 
will contemplate that kind of option as we examine all options, 
because one thing we do agree on, this problem is going to get 
a lot worse before it gets better.
    I thank you, Mr. Chairman.
    Chairman Carper. We are going to start voting here very 
shortly, and my inclination--I checked with Dr. Coburn to see 
what he thought, and we think we will be here until about 11:15 
for the first panel. Then we will excuse you. We will run to 
vote, and we will have a series of votes and come back as soon 
as we can, my hope is around noon. But we will see how that 
works out.
    I would say to our second panel, those of you that are 
here, thank you for joining us. Please be patient with us.
    I want to go back to something that I think you said maybe 
in response to Senator McCain, Dr. Schneck, and I think you 
mentioned the words ``targeted liability protection.'' Senator 
McCain knows, as do my other colleagues, Dr. Coburn especially, 
that one of the issues that has made it difficult for us to put 
together any kind of comprehensive cybersecurity policy has 
been our inability to agree on what kind of liability is 
appropriate. And Secretary Johnson mentioned to me last week 
that he has been noodling on this and thinking it through as an 
attorney what might make sense, and obviously you have as well. 
Just think out loud for--and I am going to take about 3 
minutes, and then turn it over to Dr. Coburn. But think out 
loud for us about what form that targeted liability protection 
might take, looking at your private sector experience, which 
you have alluded to, and your current role.
    Ms. Schneck. So thank you. The end goal is to get the 
combined set of information. You have a wide set of companies 
that see a lot, some that make cyber products, some that use 
them, some across all different sectors from electric to water. 
We need to know what they see. We need to know what they know. 
And they need to know what we see from across, so how do we 
build that trust?
    It is very difficult coming from inside of a company to 
make an attorney feel comfortable--and I am not a lawyer, so I 
can say that--with the idea that I am going to pick up the 
phone and call someone in government when, again, a lot of 
these companies are not based in Washington so there is--and 
that is why I have spent some time in California. There is a 
lack of understanding as to what happens in Washington. And we 
have tried as a Department to put a friendly customer service 
face and engage other areas of the country because of this.
    We have to get the general counsels to be comfortable with 
the fact that information is going to come--not intellectual 
property but information about awareness and cyber events, 
whether it is their breach or something else that they are 
seeing or building. We have to have the lawyers comfortable 
with that transfer of information.
    I was held accountable. I trusted, candidly, Larry Zelvin 
in our NCCIC. I called him and I called some folks at the FBI 
that I knew, and those were trusted relationships. I could have 
lost my job if something went wrong.
    DHS, FBI and the Secret Service have always handled my 
information the way we asked. We could control whether it went 
to government, whether it went to industry. But, again, we 
wanted to be protected from getting hurt. If you tell the 
government that the electric sector has--we have seen activity 
across the electric sector, as we saw in Night Dragon in 2011, 
where five oil and gas companies had their oil exfiltration 
diagrams shipped off to another country unknowingly. We wanted 
to issue a warning to the whole sector, and the lawyers had a 
very difficult time with that because they felt that the 
shareholders in that sector would suffer the next morning and 
it would be the company's fault.
    So that is a case where some protection would be needed, 
not liability for everything on the planet, but liability 
protection for that case. And I believe that is part of what 
the administration means by targeted liability. And if those 
companies can feel comfortable in those situations, we believe 
more information will come in that we can then use to protect.
    Right now it is game on for the adversary because everybody 
is afraid to share information. And if we wait and do not share 
this information and do not engage these partnerships and do 
not leverage the work of NIST and this framework, we let the 
adversary get far too ahead.
    Chairman Carper. All right. Well, this is a conversation we 
are going to want to continue.
    Ms. Schneck. Yes.
    Chairman Carper. And if we can solve this one, I think we 
will move a long ways toward where we need to go in this 
arena.
    Ms. Schneck. Thank you.
    Chairman Carper. Dr. Coburn.
    Senator Coburn. One of the assumptions that has changed 
during my lifetime as a citizen of this country is the 
assumption in government that people are going to do something 
wrong rather than they are going to do something right. And it 
has been one of the most discouraging things I have ever seen 
in our country. It is because basically the vast majority of 
the people in this country want to do everything right. They do 
not want to do it wrong. But government's interface with them 
works under the assumption that they have done it wrong, now 
prove that you have done it right. And that is the key where we 
are on this liability.
    Just for example, let us take two of the large Internet 
service providers. Unlimited liability, that is a great focused 
thing, but look what we lose when we start limiting the ability 
of two ISPs who are working on something back and forth to 
actually really talk a lot back and forth, and the Justice 
Department comes in with their Antitrust Division and says, 
``Hey, wait a minute, you have to prove that that was necessary 
for cybersecurity rather than you guys colluding to keep 
somebody out.''
    And that is where this gets sticky. It is like Senator 
Johnson said. The fact is that I know right now ISP providers 
are talking back and forth without any immunity because it is 
the best thing to do for the country to protect us. And yet 
what we are finding is resistance here to give them that kind 
of broad legal liability because we do not trust them. We do 
not trust them to do what is best for the country as a whole, 
and we think they are always self-centered, they are only going 
to do what is good for them. And we have already seen in the 
cyber arena that is not true. And yet this whole concept of a 
very narrow limited liability is based on the assumption that 
we do not trust them, and so, therefore, we can only give you 
limited liability. And what we are going to do, if we do a very 
narrow limited liability, we are not going to get where you 
have espoused we want to get, because their same lawyer is 
going to say, no, you got to have this there, so, therefore, 
you can no longer do this.
    So that is the downside to this, and it is important that 
that gets communicated up the chain when we start talking about 
specific limited liabilities versus general liabilities. And 
the proof is in the pudding of what are your actions directed 
toward and what are you trying to accomplish, not a specific 
event, because if it is only event related, we are going to 
lose. We are going to lose in this battle.
    Mr. Caldwell, I want to talk to you a little bit--and I am 
saying this based on hindsight, and it is no reflection on DHS 
today. But there is a great example on how not to do something. 
It is called the Chemical Facility Anti-Terrorism Standards 
(CFATS), the chemical facility security act. And I just 
wondered, have you looked at that at all? We spent billions. We 
have not inspected the first chemical plant. We did not use 
this proactive Executive Order style that the President used in 
terms of creating a partnership. We did not listen to industry. 
What we did is create a bureaucracy and spent a bunch of money. 
And today we still have not accomplished what we need to in 
terms of chemical facilities.
    So my question to you--I do not think that DHS has been 
effective at CFATS. It is better. I admit that. The guy that is 
running it today is far superior to what we had in the past. It 
is improving. Do you think CFATS would have been better if we 
had done a public-private partnership much like we have done in 
terms of cyber?
    Mr. Caldwell. I think it is hard to say. I will say a 
couple things about CFATS.
    We have done a number of reports about it, and I would 
agree the last 2 years they have made a lot of progress, and a 
lot of it has been actually tracking what they are doing and 
paying attention to it and trying to work with industry. So 
there has been--they are getting closer to those compliance 
inspections for those facilities that are deemed to be high 
risk.
    There have been a lot of distractions along the way. I 
think a lot of the problem was actually setting up the 
bureaucracy in the first place in terms of deciding what they 
were going to do, what kind of people they needed, what kind of 
inspections they were going to do, and how they were going to 
do their risk analysis. We have made a number of 
recommendations that they have taken pretty seriously and they 
are moving toward.
    It was very slow, and that is maybe a cautionary tale of 
going down a regulatory path, that there is a lot of structure 
to a government regulatory process, whether it is through the 
rulemaking process or other things that take a lot of time. And 
I think that is some of it. But I think a lot of it can be 
traced back to starting from scratch.
    For example, the Coast Guard, they had the Maritime 
Transportation Security Act. They had that up running within 
about 18 months, but you have to remember they also had a lot 
of regulatory structure that related to the maritime sector. 
They had people that already----
    Senator Coburn. Well, they also have a different management 
structure. You will do it, or you are getting booted out of the 
Coast Guard. That is different.
    Mr. Caldwell. Yes, sir.
    Senator Coburn. Let me go back to my original point.
    Mr. Caldwell. Please.
    Senator Coburn. Had we started out CFATS with the framework 
that said we are going to bring all the industry together and 
say how do we best solve this problem--that is not what we did 
with CFATS. And that is what we are trying to do now. I 
understand that. But it is my point, and it is a great lesson 
for us, and I think we have that dynamic going now in 
cybersecurity. But in this one, it is in the best interest of a 
chemical company to not have exposure. But the assumption under 
CFATS, which goes back to what I said before, is prove that you 
are not, rather than the assumption is we are going to assume 
you are and we are going to have to show you where you are not, 
and let us do this in a cooperative manner so that when we 
regulate you, we can take what we learn from XYZ Company and 
put it over to ABC Company, and we will come with judgment, 
because that is what was lacking with CFATS. There was no 
judgment because there was no knowledge, because we did not 
listen to industry, who at their own best interest want to 
protect their facilities.
    Mr. Caldwell. I think the----
    Chairman Carper. I am going to ask you to be very brief. I 
want to make sure that Senator Johnson has a chance to ask a 
question or two before we close. Go ahead, very briefly.
    Mr. Caldwell. So, briefly, I think industry was engaged 
with government when CFATS was created. I think one of the 
problems that happened is after the law went into place, then 
government kind of went into this quiet period where that 
engagement kind of stopped, and maybe that is where when we 
move forward with this, we have to make sure that engagement 
stays at a high level all the way through.
    Senator Coburn. All right.
    Chairman Carper. Good point. Senator Johnson.
    Senator Johnson. Thank you. I want to drill down on the 
liability protection issue. Right now it seems to me like we 
are erring on the side of limited liability protection or no 
liability protection. As a result, we are not getting the 
information that everybody believes is absolutely crucial if we 
are going to provide cybersecurity. Correct?
    Ms. Schneck. I would add that a lot of information is 
already being shared through our Cyber Information Sharing and 
Collaboration Program (CISCP) programs.
    Senator Johnson. But not enough.
    Ms. Schneck. There is more. And coming from the other side, 
I know why some of those lawyers want liability protection. We 
need a balance.
    Senator Johnson. So let me complete my question. What would 
be wrong with erring on the side of too much liability 
protection so we would get the information, so we would, 
complete this urgent need to provide greater cybersecurity? 
What would be wrong in just erring on the side of maybe too 
much liability protection? What is the cost? What is the damage 
in doing that, other than to the trial lawyers?
    Ms. Schneck. So that is hard for me as a nerd, not a 
lawyer, but I am open to have the conversation. Again, you know 
my goal. It is to bring all the information together. And I 
need to work with our experts in the administration and in 
Congress to understand what our folks at NIST and DHS have----
    Senator Johnson. But, again, if we provide too much 
liability protection, that means companies will not be able to 
be sued as readily, correct? Isn't that the----
    Ms. Schneck. We do not want companies getting sued. No, we 
do not. We want information shared. I need----
    Senator Johnson. Why would we withhold a broader level of 
liability protection other than for that reason?
    Ms. Schneck. I need to understand all the legal issues 
around that, and, again----
    Senator Johnson. Let us just walk through when companies 
get sued, who pays for that. I just want to so people 
understand. If a company gets sued and they pay a big old fine 
to the Federal Government or a great big class action suit, who 
really bears the cost of that litigation?
    Ms. Schneck. We absolutely all do, and the bad guys win. It 
is a terrible situation.
    Senator Johnson. We all do.
    Ms. Schneck. Yes.
    Senator Johnson. So every consumer ends up paying higher 
prices, correct?
    Ms. Schneck. Absolutely. It is a terrible situation. It 
is----
    Senator Johnson. Now, who benefits from that liability? I 
mean, when somebody sues successfully, who benefits?
    Ms. Schneck. I am not a lawyer, but probably the lawyers.
    Senator Johnson. Certainly trial lawyers on a contingency 
fee, they make a lot of money, correct?
    Ms. Schneck. Probably.
    Senator Johnson. Every now and again, when it is a class 
action, the members in that class might get, oh, a couple 
pennies?
    Ms. Schneck. I actually do not know.
    Senator Johnson. Well, that is really, in effect, what 
happens. So, again, I just want us to be really realistic in 
terms of what is happening here. By not providing broader 
liability protection, we are putting our cyber assets at risk. 
And what we are doing is we are protecting the ability of trial 
lawyers to get big old fees. Generally the class action 
plaintiffs get very little. And when we do have these huge 
settlements, it is American consumers overall that pay the 
higher costs.
    Ms. Schneck. And this is why the adversary is winning 
because they have no lawyers----
    Senator Johnson. Precisely. So, again, I think it is just 
important that we understand what is happening when we refuse 
to provide broader liability protection so we can actually get 
the information that we need to provide cybersecurity.
    Ms. Schneck. And that is why we need to have a 
conversation, before anybody refuses anything. But, again, we 
need the experts from the science side, the legal side, the 
administration to find that balance, because we do not want to 
err on the side of not honoring the privacy and civil liberties 
that we are all here to fight to keep.
    Senator Johnson. I understand. Again, I appreciate your 
willingness to serve your Nation in this capacity. I think, 
your kind of background, your willingness to come from the 
private sector, a very lucrative job, I am sure, in the private 
sector, to really address this challenge is just really 
appreciated. Thank you.
    Ms. Schneck. Thank you.
    Senator Coburn. Uplifting.
    Chairman Carper. ``Uplifting.'' That is what Dr. Coburn 
said. It is uplifting. Well, it is uplifting to have all of you 
before us, and, Ms. Dodson, nice to see you again. Thank you 
for your testimony. Mr. Caldwell, good to see you. Greg, thank 
you for joining us.
    We are going to have to run and vote. We are running out of 
time, and they will not hold the clocks for us. So thank you 
all. There are going to be some questions, followup questions 
that you will be receiving subsequent to this hearing, and we 
just ask that you respond to those.
    Chairman Carper. And we look forward to an ongoing 
conversation. This has been a very encouraging panel, so thanks 
so much. And we should be reconvening around noon.
    [Recess.]
    We are going to reconvene now. I want to thank everybody 
for their patience and for waiting for us. When Dr. Coburn and 
I are the leaders of the Senate, we will not schedule these 
votes and interrupt our hearings. But we appreciate your 
patience and appreciate your being here with us.
    Our first witness is a familiar-looking person. I think I 
have seen her before, Dr. Coburn. Elayne Starkey is our chief 
security officer (CSO) for the State of Delaware where she is 
responsible for the enterprise-wide protection of information 
assets from high-consequence events. Ms. Starkey is also the 
Chair of the Delaware Information Security Council and member 
of the Governor's Homeland Security Council. Before joining 
State government, Ms. Starkey spent 12 years in software 
engineering in the private sector, and, Tom, I just want you to 
know, for the 8 years that I served as Governor, most of those 
years I worked for this woman, and it is great to see her 
again. We thank you for your service to our State.
    Our next witness is David Velazquez, executive vice 
president and leader of power delivery business for Pepco 
Holdings Inc. (PHI). Previously Mr. Velazquez served as 
president and chief executive officer of Conectiv Energy. He 
serves on the boards of the Maryland Business Roundtable for 
Education, Southeastern Electric Exchange, the Trust for The 
National Mall, and the Smithsonian National Zoo Advisory Board. 
Welcome. Nice to see you.
    Doug Johnson is vice chairman of the Federal Services 
Sector Coordinating Council, which advises the Federal bank 
regulatory agencies on homeland security and critical 
infrastructure protection issues. Mr. Johnson also serves as 
vice president and senior advisor of risk management policy, at 
the American Bankers Association (ABA), where he leads 
enterprise risk, physical and cybersecurity, business 
continuity and resiliency policy, and fraud deterrence. I 
understand you are also a member of the Financial Services 
Information Sharing and Analysis Center. Is that right?
    Mr. Johnson. I am.
    Chairman Carper. OK. A private corporation that works with 
the government to provide the financial sector with cyber and 
physical threat and vulnerability information as part of our 
Nation's homeland security efforts.
    A final witness, saving the best for last, the final 
witness is Steven Chabinsky, senior vice president of legal 
affairs, general counsel, and chief risk officer for 
CrowdStrike, a big data security technology firm specializing 
in continuous threat detection, cyber intelligence, and 
computer incident response. He also serves as an adjunct 
faculty member of the George Washington University and is a 
cyber columnist for Security Magazine. Before joining 
CrowdStrike, Mr. Chabinsky had a distinguished career with the 
government culminating in his service as Deputy Assistant 
Director of the FBI's Cyber Division.
    A big thanks to all of you for coming, for your 
testimonies, and for your patience with us today.
    Elayne, would you please proceed? Your entire statement 
will be made part of the record. You can summarize as you see 
fit.

  TESTIMONY OF ELAYNE M. STARKEY,\1\ CHIEF SECURITY OFFICER, 
       DELAWARE DEPARTMENT OF TECHNOLOGY AND INFORMATION

    Ms. Starkey. Good afternoon, Senator Carper, Ranking Member 
Coburn. Thank you for the opportunity to be here at the hearing 
today.
---------------------------------------------------------------------------
    \1\ The prepared statement of Ms. Starkey appears in the Appendix 
on page 85.
---------------------------------------------------------------------------
    As the chief security officer for the State of Delaware, I 
can report that we are combatting a greater number of cyber 
attacks than ever before. State governments not only host 
volumes of sensitive data about our citizens, we use the 
Internet to deliver vital services, and ensure our first 
responders can access the data they need in crisis situations. 
State government IT systems are a vital component of the 
Nation's critical infrastructure.
    Today, with this testimony, I want to provide the Committee 
information on the value of public-private partnerships, as I 
see it from where I sit. Cyber threats know no borders, and in 
our interconnected world where all levels of government work 
with each other and work with private sector partners and 
citizens, the only defense is a multi-sector approach. I view 
these partnerships as a critical component of the Delaware 
Information Security Program, and I am eager to give you very 
specific examples of what is working in my State.
    We have been partnering with the U.S. Department of 
Homeland Security since our program started back in 2004, and 
over the years, our incident response capabilities have 
improved significantly by partnering and participating in their 
Cyber Storm Exercises. We have advanced our capabilities, 
thanks to applying funding from the Homeland Security 
Preparedness Grant Program, and we have used this money for a 
variety of different things, including annual employee 
awareness training, e-mail phishing simulations, technical 
training, and I am most grateful to have received approval for 
this funding.
    Delaware, however, is an exception. In contrast, most of my 
peers in other States report limited success in competing with 
traditional emergency responders for just a small share of 
those grant funds. I urge Congress to carve out a portion of 
this funding for States to use exclusively on cybersecurity 
initiatives.
    One of the things I am most proud of is Delaware's 
effective outreach and collaboration with local governments and 
other critical infrastructure providers. We were delighted to 
be selected to participate in the Community Cyber Security 
Maturity Model, run by the Center for Infrastructure Assurance 
and Security at the University of Texas at San Antonio. This 
program has resulted in training at all levels, and exercises, 
and seminars. In fact, our next event is a statewide 
cybersecurity conference on May 6. This is a day-long education 
workshop where we will bring together State and local 
government, law enforcement, military, higher education, health 
care, and other critical infrastructure providers.
    Cyber awareness and education and training have been the 
cornerstones of Delaware's program ever since we got started. 
Our campaign is very active throughout the year. But in 
October, as part of National Cybersecurity Awareness Month, we 
ratcheted up the program with TV and radio advertising, and even 
wrapping a Delaware Transit bus with an eye-popping 
cybersecurity message. In the testimony that I provided,\1\ if 
you cannot imagine what a wrapped cybersecurity bus looks like, 
there are some pictures in the testimony that I provided. This 
literally has become a moving billboard up and down the State, 
carrying the Internet safety message to 50,000 motorists each 
day.
---------------------------------------------------------------------------
    \1\ The pictures submitted by Ms. Starkey appear in the Appendix on 
page 91.
---------------------------------------------------------------------------
    We are unable to use State funding to do projects like 
that, so that is why I am so thankful to Verizon. Verizon's 
support of this program has been unwavering. We could not have 
done many of these initiatives without the financial support 
from the Verizon Foundation and the incredible volunteer 
support from Verizon employees as we go out into Delaware 
elementary schools and present on Internet safety. We have 
reached 25,000 fourth graders over the last 7 years thanks to 
this wonderful partnership that we have with Verizon.
    Cybersecurity works best when people have an understanding 
of the risks and the threats, so I am especially appreciative 
of our strong partnership and collaboration with the Multi-
State Information Sharing and Analysis Center (MS-ISAC) and the 
National Association of Chief Information Officers.
    My final partnership example is with higher education. Five 
years ago, a team of people came together, and we discovered we 
all had the same passion. We had a passion for nurturing the 
next generation of cybersecurity professionals, and today that 
team includes all Delaware universities and colleges. And 
together with the Council on Cybersecurity and SANS Institute, 
we are planning our 5th annual U.S. Cyber Challenge summer 
camp. It is a week-long, intensive training filled with 
specialized speakers intended to reduce the shortage in the 
cyber workforce.
    So, in conclusion, my compliments to NIST and DHS and all 
the stakeholders that worked together to develop the 
Cybersecurity Framework. It is valuable to State governments. 
It is valuable to reference a core set of activities to 
mitigate against attacks on our systems. For those of us that 
have established security programs, the framework will not 
introduce major changes for us. Rather, the framework offers 
valuable risk management guidance and is complementary to our 
Exercise and Incident Response Program. I endorse the framework 
as an excellent first step; however, it is important to stress 
it is the beginning and it is not the end. My hope is that 
future versions are going to include incentives to adopt the 
framework and strive for continuous reduction of the cyber 
risk.
    This is a complex issue. We have a long road ahead of us to 
making our Nation's systems more secure. It is a journey, and 
it is a race with no finish line. There is no single solution; 
there is no silver bullet. I compliment you for holding 
hearings such as these. I ask Congress to continue to work with 
States to identify ways to protect our Nation's information 
assets and provide funding opportunities for State government 
cybersecurity.
    Thank you.
    Chairman Carper. Elayne, thank you so much. Great to see 
you here, and thank you for joining us.
    Steven Chabinsky, please proceed.

   TESTIMONY OF STEVEN R. CHABINSKY,\1\ CHIEF RISK OFFICER, 
    CROWDSTRIKE, INC. (TESTIFYING IN HIS PERSONAL CAPACITY)

    Mr. Chabinsky. Thank you. Good afternoon, Chairman Carper, 
Ranking Member Coburn. I am pleased to appear before you today 
to discuss cybersecurity public-private partnerships.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Chabinsky appears in the Appendix 
on page 93.
---------------------------------------------------------------------------
    First, I would like to discuss the Cybersecurity Framework. 
Senator Rockefeller had proclaimed last year that NIST is the 
``jewel of the Federal Government.'' I agree. I especially 
commend NIST for having engaged with over 3,000 individuals and 
organizations on the framework. In doing so, NIST established a 
true public-private partnership. I would also note that the 
Cybersecurity Framework is written in such a straightforward 
manner and so concisely that it should be required reading for 
every corporate officer and director.
    I have no doubt that, if implemented, it would improve our 
critical infrastructure cybersecurity. But having improved 
security is not the same thing as having adequate security. And 
in my professional opinion, the strategy we are pursuing to 
include the NIST framework will not result in adequate security 
of our critical infrastructure and for our country.
    Regardless of how vigorously industry applies risk 
management principles, there simply is no chance the private 
sector can consistently withstand intrusion attempts from 
foreign military units and intelligence services or even, for 
that matter, from transnational organized crime. As a result, 
improving our security posture requires that we reconsider our 
efforts rather than simply redouble them.
    We must ensure that our cybersecurity strategies focus 
greater attention not on preventing all intrusions but on more 
quickly detecting them and mitigating harm while in parallel--
and this is the significant part--identifying, locating, and 
penalizing bad actors. Doing so also would align our 
cybersecurity efforts with the security strategies we 
successfully use every day in the physical world.
    In the physical world, vulnerability mitigation efforts 
certainly have their place. We take reasonable precautions to 
lock our doors and windows, and depending upon the type of 
business, those locked doors and windows will be of varying 
strength and expense. Still, we do not spend an endless amount 
of resources seeking to cut off every possible point of entry 
against those who might dig holes underground or parachute onto 
the roof.
    Instead, to counter determined adversaries, we ultimately 
concede that they can gain unlawful entry. So we shift our 
focus. We might hire armed guards. More often we get security 
systems that have alarms for instant detection and video 
cameras to capture attribution. None of these make the facility 
any stronger or less penetrable; rather, in the physical world, 
guards, alarms, and cameras essentially declare to the bad guy, 
``It is no longer about us. Now it is about you.''
    When a monitoring company is alerted that a door was broken 
into at 3 in the morning, it calls the police to respond. It 
does not call the locksmith. And as a result, most would-be 
intruders are deterred from acting in the first place.
    It is surprising then and suggests a larger strategic 
problem that, in the world of cyber, when the intrusion 
detection system goes off, the response has been to blame the 
victim time and again and to demand that they prevent it from 
happening again.
    The goal then becomes one of ridding the network of malware 
rather than of finding and deterring the attackers. I believe 
that this single-minded focus of preventing or cleaning up 
after an intrusion is grossly misplaced.
    Consider the scene in ``The Godfather'' movie of waking up 
to find a horse's head in your bed. That is no time to wonder 
how you are going to clean it up. Rather, the obvious questions 
are: Who did it? What are they after? Are they coming back? And 
what will it take to stop them or change their mind? It is 
threat deterrence, not vulnerability mitigation, that effects 
security in the physical world every day.
    Making matters worse, as industry and government agencies 
continue to spend greater resources on vulnerability 
mitigation, we find ourselves facing the problems of 
diminishing economic returns and perhaps even negative returns. 
With respect to diminishing returns, imagine trying to protect 
a building by spending millions of dollars on a 20-foot brick 
wall. Meanwhile, an adversary can go to a hardware store and 
for less than $100 buy a 30-foot ladder. That is happening 
every day in cyber where defenses are expensive and malware is 
cheap.
    Far worse, though, is the concept of negative returns in 
which well-intentioned efforts actually make the problem worse. 
Consider our brick wall again. What if instead of buying a 
ladder the adversary decides to use a life-threatening 
explosive to bring down the wall? This is not dissimilar from 
our current defensive cyber strategy, which has had the 
unintended consequence of proliferating a greater quantity and 
quality of attack methods, thereby escalating the problem and 
placing more of our infrastructure at greater risk.
    We can and must do better. It is time to refocus our 
public-private partnerships on developing the technologies and 
policies necessary to achieve the level of hacker detection, 
attribution, and punitive response that is necessary to reduce 
the threat. By doing so, businesses and consumers are far more 
likely to benefit from improved, sustained cybersecurity and at 
lower costs.
    Thank you for the opportunity to testify today. I would be 
very happy to answer any questions you may have.
    Chairman Carper. Thank you, sir. We are very happy you are 
here, and thank you for that testimony.
    Mr. Johnson, please.

TESTIMONY OF DOUG JOHNSON,\1\ VICE CHAIRMAN, FINANCIAL SERVICES 
                  SECTOR COORDINATING COUNCIL

    Mr. Johnson. Yes, Chairman Carper, Ranking Member Coburn, 
my name is Doug Johnson. I am vice president of risk management 
policy at the American Bankers Association. I am here today 
testifying in my capacity as the vice chairman of the Financial 
Services Sector Coordinating Council (FSSCC), and also in my 
capacity as a board member of the Financial Services 
Information Sharing and Analysis Center (FS-ISAC).
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Johnson appears in the Appendix 
on page 103.
---------------------------------------------------------------------------
    ABA is always proud of and committed to maintaining its 
leadership role in organizations such as these as we help to 
protect our Nation's critical infrastructure, and we feel that 
it is extremely important to do so as an association. The 
financial sector shares the Committee's commitment to 
strengthening the public-private partnership to reduce cyber 
risks to our Nation's critical infrastructure.
    The nature and the frequency of cyber attacks against 
financial services and other sectors have focused a great deal 
of attention on whether our institutions, regardless of size, 
are properly prepared for such events and whether we are 
committing the appropriate level of resources to detect and 
defend against them. This is not a new exercise. The financial 
services sector continuously assesses and refines our 
preparedness to detect and to respond to future attacks and 
actively engage our government partners in this process. These 
efforts build on a longstanding, collaborative imperative for 
the financial sector to protect institutions and customers from 
physical and cyber events. A significant protection 
infrastructure, in partnership with government, exists, and the 
FSSCC and the FS-ISAC obviously play vital roles in the 
process.
    For the FSSCC, much of 2013 and now 2014 was and has been 
dedicated to responding to the administration's Executive 
Order, and particularly regarding the development of NIST's 
Cybersecurity Framework. You have heard a lot of compliments 
about the framework, and we share in that assessment. Our 
sector is supportive of the administration's and NIST's efforts 
in this regard to build a voluntary framework and will remain 
engaged as we migrate into what is really the all-important 
implementation phase of the framework.
    Our government partners are many. Our partnership with DHS 
is really extremely important. Of particular note is DHS' 
assistance. The FS-ISAC is now the third sector which is 
participating in the National Cybersecurity and Communications 
Integration Center. The collocation of sectors in the NCCIC is 
an extremely important component of our overall effort to build 
the trusted network between government and industry, and the 
only way to do that, frankly, is to have an ability to really 
share information in very much of a trusted network, which 
requires individuals really to have that trusted ability to 
communicate with each other. And the NCCIC is a prime example 
of how the co-location of subject matter experts across the 
public and private sector can build that model. That enhances 
the ability both to protect our critical infrastructure and to 
build that trust.
    The FS-ISAC also works very closely with other critical 
infrastructure sectors through the National Council of ISACs 
where our cross-sector cooperation and coordination for the 
FSSCC occurs through the Partnership for Critical 
Infrastructure Security (PCIS) Cross-Sector Council. The 20 
sectors and the subsectors that really comprise the PCIS Cross-
Sector Council are unanimously in support of it remaining the 
mechanism to engage DHS on our joint critical infrastructure 
protection mission. We look forward to working with DHS in a 
manner consistent with the National Infrastructure Protection 
Plan in that regard.
    Through the FS-ISAC and the sector, our sector is committed 
to working collaboratively with NIST to further improve the 
framework and our Nation's overall cybersecurity posture. In my 
written testimony, I have offered a number of recommendations 
to meet our mutual goals, including: encouraging the 
development of sector-specific approaches to the framework; 
facilitating automated information sharing; clarifying 
liability protections for the sharing of information; fostering 
the growth of the existing ISACs and encouraging the 
development of additional models similar to that in other 
sectors that might not currently be deemed critical 
infrastructure protection; leveraging existing audit and 
examination processes when implementing the framework to the 
greatest extent possible; creating incentives that are tailored 
to address specific market gaps and letting the market make the 
determination as to whether or not they can fill those gaps 
independent of government; and, last, fostering research and 
development and workforce creation is always very important, as 
you have heard others speak of today.
    Thank you for holding this important hearing. Financial 
services companies do make cybersecurity a top priority. We 
look forward to continuing to work with you toward our mutual 
goal, and at this point I would be willing to take any 
questions.
    Thank you.
    Chairman Carper. Thank you, Mr. Johnson.
    And our last witness, Mr. Velazquez, please proceed. Good 
to see you.

 TESTIMONY OF DAVID VELAZQUEZ,\1\ EXECUTIVE VICE PRESIDENT FOR 
              POWER DELIVERY, PEPCO HOLDINGS, INC.

    Mr. Velazquez. Thank you, Chairman Carper, Ranking Member 
Coburn. I am Dave Velazquez, and I have the privilege of 
serving as executive vice president of power delivery for Pepco 
Holdings Inc. (PHI). We are an electric utility that serves 
about 2 million customers in the Mid-Atlantic area, including 
here in Washington, DC. It is my pleasure to appear before you 
today to discuss an issue of fundamental significance to our 
industry, the electric utility sector: the public-private 
partnerships to advance the security of our electric grid.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Velazquez appears in the Appendix 
on page 113.
---------------------------------------------------------------------------
    As the utility power in the Nation's capital, PHI has been 
actively engaged in cybersecurity protection and in the 
advancement of national cybersecurity regulations and 
legislation. In addition to Washington, we serve customers in 
four other jurisdictions. The thought that each of these 
jurisdictions could develop its own Cybersecurity Framework and 
protocols becomes quite daunting for us. That is why we believe 
Federal legislation is necessary, and we commend the work of 
this Committee and others in the House and Senate, the work 
that has been toward that goal.
    We were very active in the public information gathering 
sessions led by NIST to develop the framework. We found that 
process to be very collaborative and respectful of the work 
that the electric utility sector and our regulators had already 
done.
    PHI has pledged to be among the first utilities to work 
with DHS and the Department of Energy (DOE) to apply that 
framework to our operations. This self-assessment process is 
ongoing, but to be truly resonant with our regulators, PHI 
believes it should include some form of standardized third-
party verification.
    The framework is not, however, the first example of a 
public-private partnership for grid security. There are a 
number of others in which PHI is active. Critical 
Infrastructure Protection (CIP) standards are mandatory for all 
owners and operators of bulk power system assets, and they are 
enforceable by the Federal Energy Regulatory Commission (FERC). 
In this way, the CIP standards ensure basic network hygiene and 
baseline levels of security for the grid.
    The NCCIC serves as a centralized location where 
cybersecurity operational elements are coordinated and 
integrated. NCCIC partners include the Federal agencies, State 
and local governments, the private sector, and international 
entities. PHI is in the process of obtaining the clearances 
needed to maintain a seat on the NCCIC floor.
    The Electricity Subsector Coordinating Council, which is 
made up of utility and trade association leaders and government 
executives, has focused its efforts on three areas of industry-
government collaboration: incident response, information flow, 
and tools and technology.
    PHI is also an active participant in the ICS-CERT, a 
program that provides vulnerability information regarding 
industry control systems.
    While the NCCIC, Electricity Subsector Coordinating Council 
(ESCC), and Industrial Control Systems Cyber Emergency Response 
System (ICS-CERT) are industry-wide initiatives, there are also 
opportunities for individual utilities to apply federally 
developed threat detection technologies. Though I am not at 
liberty to discuss the details of these threat detection 
programs, I can say that PHI has been afforded the opportunity 
to participate in Federal security technology applications that 
allow both temporary and also permanent real-time, machine-to-
machine threat detection.
    Additionally, last November the North American Electric 
Reliability Corporation (NERC) conducted Grid-Ex II, a 2-day 
cyber and physical security and incident response exercise in 
which more than 165 industry and governmental organizations 
participated. One of the key learnings from the exercise was 
the need for clearer protocols to coordinate governmental roles 
in the physical defense of privately held critical 
infrastructure.
    Though these existing partnerships are impactful, there are 
some open issues that exist. For instance, though the federally 
administered technology programs in which a number of the 
utilities participate offer some threat information sharing 
capability, in the absence of Federal legislation much is left 
undefined with regard to data privacy and also liability 
associated with the bi-directional threat information sharing. 
Similarly, forums exist for event response coordination. 
Without explicit authorization, these forums may not resolve 
all the jurisdictional issues. And, very importantly, we must 
have clear protocols for industry-government event response 
before an event occurs. Finally, some assurance of prompt and 
reasonable recovery of cybersecurity investments will be 
imperative.
    Today our regulators seem willing to acknowledge the value 
of the investments we are making in cybersecurity. However, as 
the threat continues to become more sophisticated, our 
investments will likely rise pretty rapidly, and some 
systemized form of prompt cost recovery would facilitate our 
capacity to grow our expertise.
    In summary, PHI has been very active in and benefited 
greatly from the growing array of opportunities to partner with 
Federal, State, and local authorities. Public-private 
partnerships have improved cyber threat detection and cyber and 
physical event preparation and response coordination. However, 
more can be done.
    In particular, some issues still needing attention include 
real-time and actionable threat information sharing, liability 
protection, event response protocols and systemized cost 
recovery. We look forward to continuing to work with the 
administration, this Committee, and your colleagues in the 
House and Senate to advance legislation to address these open 
issues.
    Thank you.
    Chairman Carper. David, thank you very much.
    Dr. Coburn has to be off to another meeting, and he is 
going to ask some questions. I am going to step out and take a 
phone call and then come right back and continue, and we will 
wrap up a little bit after 1. Dr. Coburn.
    Senator Coburn. Thank you, Mr. Chairman.
    Mr. Chabinsky, I am really interested in your testimony 
because you have taken a track that nobody else has taken here 
other than Senator McCain in his questions that he asked 
earlier. And you have a lot of experience in terms of 
deterrence with your past history. I was wondering what the 
other panelists thought about what he said. You all talked 
about mitigation of vulnerabilities, and he is talking about 
deterrence--one of which is cheaper, one of which is more 
effective. Any comments about what Mr. Chabinsky had to say?
    Mr. Johnson. Well, Senator, I would be glad to take a first 
shot at that. I think that what we saw during the denial-of-
service attacks that we had over a period of over a year gave 
us a real understanding of the dynamics associated with that 
particular issue.
    I will go back to an anecdote that occurred in a conversation 
between Treasury and a series of bankers from New York that are 
not necessarily shy in a lot of cases. Basically during the 
height of the denial-of-service attacks, they were asking 
Treasury whether or not the denial-of-service attacks in and of 
themselves were part of the defensive strategy that we as a 
Nation were taking as it related to Iran. And I think that what 
that really brought to the fore is the jobs issue. Whose job is 
it to really take that so-called active defenses? And I think 
that in large part that is an area that is still to be 
determined, because clearly it is the expectation of industry 
that government has a role, a substantial role in that defense, 
and obviously when we are talking about issues such as ``hack 
back,'' there has been a lot of controversy associated with the 
private sector taking those kind of roles. And, in fact, it is 
illegal at this particular juncture to do so.
    And I love Steve's analogies. He is always extremely good 
at them. But if you go back to the analogy of physical 
security, when the bank is robbed, it is not up to bank 
personnel to catch the robber.
    Senator Coburn. Right. I agree.
    Mr. Johnson. And so I think that while there is some 
substantial role that organizations have on the front end--and 
that role might migrate to some degree toward active defense--I 
think that we really have to be clear on what that line is.
    Senator Coburn. But the key is that you can give the 
government attribution.
    Mr. Johnson. Yes.
    Senator Coburn. And the government by itself does not have 
that. So for it to act, we need to create a pathway so that 
that information on attribution can get to the government if 
the government is going to act on it.
    Mr. Johnson. Right, and that is where the analogy still 
holds, because when you are talking about fiscal crime, 
essentially one of the first things the police are going to ask 
when the bank is robbed is, ``What did the robber look like?''
    Senator Coburn. Yes.
    Mr. Johnson. And so I think that analogy still holds.
    Senator Coburn. Mr. Velazquez.
    Mr. Velazquez. I would just second Mr. Johnson's comments, 
and I think one of the critical pieces from a private-public 
partnership is being able to share that information in real 
time so that the government can take appropriate action.
    Senator Coburn. Right, OK.
    Mr. Chabinsky, are you familiar with the Deter Cyber Theft 
Act?
    Mr. Chabinsky. I am, Senator.
    Senator Coburn. What do you think about that?
    Mr. Chabinsky. I think that that is exactly the right path 
that we need to be going down, which is threat deterrence, 
making sure that the recipients of illegally obtained 
intellectual property are not able to benefit from that to 
further actually impact our economy. Bad enough that our 
intellectual property is being stolen every day by foreign 
powers. Then to have the corporate recipients of those 
companies come back to our shores and unfairly compete against 
our industry is unconscionable. Thank you for introducing that.
    Senator Coburn. Thank you.
    Ms. Starkey, I thank you for your testimony and what you 
are doing in the State of Delaware. Maybe I have some bad news 
for you. The fact is that 3 or 4 years from now you are not 
going to be getting a penny from the Federal Government for 
what you are doing. And the question is, it is really not our 
role to do that. The taxpayers of Delaware ought to fund 
theirs. But our financial situation is going to be such--we are 
going back to trillion-dollar deficits even in a growing 
economy, 3 or 4 percent. So we are not going to be there.
    So are you prepared as representative of the State of 
Delaware to do what you need to do without Federal money?
    Ms. Starkey. Yes, we recognize that, and we have seen the 
dwindling amounts that have been coming out of the Homeland 
Security Grant just over the last few years. That is the 
reason, that is exactly the reason why we pursued the 
partnership with the Verizon Foundation, to be able to continue 
the momentum that we had through non-government dollars, if you 
will. So we are fully prepared for that.
    I cannot really speak on behalf of the budget writers in 
the Delaware State government.
    Senator Coburn. I understand.
    Ms. Starkey. But it is something that we are paying 
attention to. We are alerting them that, you know, the threats 
keep going up, and there needs to be additional tools added to 
our toolkit to combat the threats all the time, and those 
tools--as has been pointed out here, those tools are expensive. 
It is very expensive to be secure.
    Senator Coburn. But if we did more deterrence and less 
vulnerability mitigation, what we might see is less capability, 
because the fact is if you take a bunch of smart people, no 
matter what you put on your network, they are going to 
eventually find a hole in it.
    Now, we may respond to that. We may protect everybody else 
that was not attacked. But eventually, if they want to, the 
guys that want to rob the bank, they are going to rob the bank. 
They are going to do that. So Mr. Chabinsky's point is well 
made.
    Mr. Chabinsky, you spent some time with the FBI. What 
resources now do we have at the FBI in terms of manpower in 
terms of going after these people versus what you think in your 
opinion we should have?
    Mr. Chabinsky. Thank you, Dr. Coburn, for the question. 
When you look at the FBI's resources, the FBI and the Secret 
Service both have concurrent jurisdiction over cyber crime, and 
the FBI has exclusive jurisdiction when the intrusions are 
nation state sponsored.
    The FBI's manpower of agents that are exclusively focusing 
on intrusions is in the hundreds, not thousands of persons. And 
since this crime is international, one would then look to see 
what resources the FBI has to place special agents abroad, 
working with partners in other countries who actually want to 
work with us. And what we see is that those are able to be 
counted on both hands.
    So we are looking at a problem that, on the defensive side, 
we are putting tens of billions of dollars into, and on the 
side that actually could help the private sector make those 
handoffs to the government to have threat deterrence, put these 
bad guys in jail, we are severely understaffing and 
underfunding that.
    Making matters worse, when we look at the Presidential 
Executive Order, the Executive order is focused on steering 
some of those very investigative resources away from 
investigations and toward warning the private sector that it is 
under attack. So now you have a limited pool of resources that 
should be investigating the crime. Now they are spending all 
day actually warning victims. And we do not see anything in the 
Executive Order that functions to get the private sector to 
provide information to law enforcement to work hand in glove to 
try to figure out who these bad guys are and to bring them to 
justice.
    Senator Coburn. That is really important for us as we try 
to write a cyber bill.
    I have a lot of other questions, but my time constraints 
will force me to put them in the record. Thank you.
    Chairman Carper. Let me ask a question for Elayne Starkey, 
for David, and for Mr. Johnson. OK? I think one of the 
interesting, maybe unique features of the framework that has 
been constructed is that it can apply equally to an energy 
company, a utility, a bank, even a State or local government. 
It is also scalable so that both small business and large 
business can take advantage of it. All of you have already 
touched on how you will be using the framework in your 
statements, but I would like to ask you to drill down on this 
issue just a little bit more. OK?
    What can we do, not just this Committee, not just the 
Federal Government, but government and industry, maybe working 
together, to encourage more businesses to adopt the framework 
that has been produced? In particular, can you talk with us a 
little bit about what type of help you would like to see from 
the Department of Homeland Security and other Federal agencies 
as you and your sectors work to implement the framework? 
Elayne, if you would start that off, I would appreciate it.
    Ms. Starkey. Sure. I am glad you asked the question. 
Business adoption of this, in particular small to medium-sized 
business, is absolutely critical to the success, in my opinion. 
The larger companies have established programs, and they have 
been paying attention to this for a long time. It is the small 
and medium-sized businesses that maybe do not know what they do 
not know, or just simply do not have the resources to throw at 
this problem.
    It is a huge problem. It is an expensive problem. And, 
quite frankly, it does not increase or improve their bottom 
line by adding a lot of security defenses necessarily. So that 
is not an automatic.
    So I think it is going to be critical in the next few 
months and years as we see how this is going to be rolled out 
and adopted by not just governments but by the private sector 
as well.
    The second part to your question in terms of what DHS can 
do, certainly what our plans in Delaware are----
    Chairman Carper. And not just DHS, but other relevant 
Federal agencies, please.
    Ms. Starkey. OK, sure. In Delaware, we have had an 
established program now for a number of years based on the 
International Organization for Standardization (ISO) 
international standards and NIST standards, and they have 
served us incredibly well. We do not plan to change that 
because our whole framework is centered around those NIST and 
ISO standards. But what we are going to do and have started to 
do is to take this framework and overlay it with our current 
framework and identify where there are gaps and work to close 
those gaps.
    So we will be anxious to see--we are following the rollout 
from DHS. I know there is a kickoff meeting tomorrow, actually, 
all morning tomorrow. We are fortunate because I know cyber 
resilience is a huge part of the rollout plan, and we have some 
success with that, because back in 2010 we invited DHS to come 
in and do a cyber resilience study for Delaware State 
government, and it was an incredibly valuable exercise for us. 
We got a lot of good feedback. They brought in folks from US-
CERT, from Carnegie Mellon, as well as here in D.C., and they 
spent all day with us talking to a variety of different parts 
of my department and parts of State government. And I was so 
pleased to see that that cyber resilience program is part of 
their rollout strategy. So I am looking forward to that.
    Chairman Carper. That is good to hear.
    Mr. Chabinsky, same question--or no, you are the one person 
that gets---- [Laughter.]
    David.
    Mr. Velazquez. Yes, I think first I would mention that I 
think with the NIST framework, the flexibility that has been 
built inherent in it, and as that flexibility continues and 
being respectful of other regulations that cover the different 
sectors, I think that is very helpful for the continued 
adoption and more people adopting it.
    I think if there are incentives for participation, although 
I would note that, like most companies, the real incentive for 
participation is our customers and providing them service. And 
I think if any business, if your customers lose confidence in 
your ability, you lose business. But beyond that, we had talked 
already about liability protection, I think could help spur 
some others adopting it. If there is a way to provide 
discounted terrorism insurance as a result of that, access to 
Federal technologies maybe that comes with that, and then as a 
regulated industry as well, support for timely recovery of the 
investments necessary to support it. All those I think would 
help.
    Chairman Carper. Good. That is helpful. Mr. Johnson.
    Mr. Johnson. Yes, as you indicated, probably in financial 
services, we are already essentially at the highest tiers 
within the Cybersecurity Framework. And so the question becomes 
one of two things: What do financial institutions have to do 
associated with the framework? And then how can they leverage 
the framework in their environment to increase adoption?
    I think one thing that I have seen in our institutions is 
they are largely doing what the framework is--they might call 
it different things in different places, but by and large, 
conceptually the manner in which the framework is devised, 
financial institutions by and large are doing that.
    And so one of the things I think will be to our advantage 
is the ability to leverage this within our supply chain. We 
have heard talk of that in the earlier panel. I think it is 
really vital to be able to give those supply chain partners a 
mechanism to think about what cybersecurity should look like in 
their organization and to aspire toward various tiers, to 
aspire toward the next tier, if you will, and to have a path 
forward. And I think the framework gives them that in large 
degree. And so I think that will be helpful for not only the 
critical suppliers that we have that are by law supposed to be 
adhering to the same information security standards that we do 
as financial institutions, but also the less critical suppliers 
as well, because I do not know that, for instance, the air 
conditioning supplier to Target was felt to be a critical 
supplier but, nonetheless, I think what that points to is the 
need to have the entire environment have some higher level of 
cybersecurity. And I think the framework essentially enables 
you to do that.
    From the standpoint of what government could do, sometimes 
I think it is helpful if government would set their children 
free, if you will. I think that NIST has a tendency to do that 
with standards and is looking to do that to some degree with 
the framework where--trying to find a home for the framework 
for implementation purposes, for instance. But I would think 
long and hard before I established legislative incentives 
before I see what the market can do in terms of incentives. I 
see insurance companies, for instance, already going into our 
financial institutions and asking how the institution is 
thinking about the Cybersecurity Framework. I see insurance 
associations that write those policies coming to us as 
financial institutions and rethinking how they might want to 
write those cybersecurity policies on the basis of the 
framework. And so I think some of that thinking is very 
important to lay the groundwork for where the gaps are from the 
standpoint of incentives, because I do not know that we know 
yet where those gaps are.
    Liability has been spoken of as a particular gap, and I 
think that for one thing, liability means a lot of different 
things in terms of protection to a lot of different people. And 
I think that one of the things that we saw, going back from the 
denial-of-service attacks again, is the fact that, to some 
degree, the sharing of information was impeded by the potential 
for the use of that information to have unintended 
consequences. And by that I mean when you want to shut down, 
for instance, a set of Internet addresses or compel an Internet 
service provider to take a certain action that might actually 
harm some individuals that are innocent, what kind of 
protections does that particular company have associated with 
taking that action? Can they be subject to civil suits to the 
extent that someone is harmed in that environment?
    So I think that is something that we need to potentially 
look at from the standpoint of liability protection, is the use 
of that data. And under what criteria should personally 
identifiable information, properly defined, be able to be 
utilized to the extent that a threat is imminent? To what 
extent are Internet protocol or Internet addresses personally 
identifiable information? Are they not? There is some 
uncertainty associated with that. So I think those are some 
things the government could certainly be able to do.
    Chairman Carper. Good. Well, those are all very helpful 
answers. Thank you.
    One last question, and we will break and send you on your 
own, and I will go back to my day job. I had originally thought 
I would ask the same question of these three people. I am going 
to ask Mr. Chabinsky to join in on this question if you would 
like to as well. But failures in our critical infrastructure 
can, as we know, have cascading effects that ripple through our 
communities, our lives. For example, if the power goes out for 
an extended period of time, our communications, our 
transportation, our drinking water might all be negatively 
impacted in some way. Should something terrible happen like 
that--and it probably will--I am not so sure we have clearly 
defined the roles and the responsibilities of the Federal 
Government, States, and the private sector to respond.
    Two questions, if I could. One, are you confident that you 
will know who to turn to for help if there is a major cyber 
incident that takes down some of our most critical 
infrastructure for an extended period of time? And the second 
question would be: Are there any roles and responsibilities 
that need to be more clearly defined in law so you know what to 
expect and from whom? Elayne, if you would like to take a shot 
at that?
    Ms. Starkey. Part one is extremely confident. I would like 
to think that I should not be in the job I am in if I was not 
confident in that. The reason I am so confident is because we 
practice. We simulate. We have held nine consecutive annual 
exercises involving examples like you just gave. They are 
simulations, granted. It is different when it is the real 
thing. But we pull together those folks. Not only am I 
confident of knowing who to contact, I am reasonably 
comfortable with what their response is going to be and what 
their readiness level is. So, that is what drills are all 
about. So definitely for part one.
    Part two is additional roles and responsibilities. Yes, I 
think that comes out of every exercise, is areas for 
improvement, action items, corrective action items, 
communication is always one that comes out in various channels 
that can always be improved, and we try to do that on an annual 
basis.
    Chairman Carper. OK. Thanks.
    Mr. Chabinsky, I do not know if you have a comment here, 
but if you do in response to either questions, please feel 
free.
    Mr. Chabinsky. I do appreciate the opportunity, Chairman 
Carper. From my time in government, I believe that the 
government actually is very well situated with specific 
discrete roles and responsibilities that it has communicated 
effectively to the private sector. The National Cyber 
Investigative Joint Task Force, for example, that is led by the 
FBI but includes DHS and other agencies, has a clear 
responsibility for organizing the investigative approach to 
find out who the bad guy is and to try to bring that to an end.
    The Department of Homeland Security, both on the 
vulnerability mitigation side, has gone out to owners and 
operators and has provided on-the-ground assistance with 
mitigation efforts, and in the worst-case scenario, if FEMA 
were needed to be brought in under DHS for consequence 
management, I believe that those roles are actually quite well 
understood.
    The issue that I pointed out in my written testimony, 
though, is I think there really has not been a very effective 
coordination in the area of emerging threats, and one of those 
threats that I wanted to bring to the attention of this 
Committee is the emerging threat of purposeful interference. 
Whether it is GPS signals or just regular communications 
jamming that could impact first responders, that is an area 
where there is currently no centralized place for reporting 
information, no central analysis of data that is coming off of 
purposeful interference events, and law enforcement not at this 
moment coordinating its response with education and 
technologies that would be necessary to quickly isolate and 
identify from where the interference events are coming. So I 
think that there are certainly areas to extend public-private 
partnership specifically focused on emerging threats.
    Chairman Carper. Good. Thank you.
    Mr. Johnson, if you could be fairly brief, I have other 
people waiting for me, so I do not want to cut you off, but 
just be brief, if you will. And David as well.
    Mr. Johnson. What Mr. Chabinsky said. [Laughter.]
    Mr. Velazquez. The only thing I would add is we very much 
know who to turn to. Our concern is more in a major event 
having too many different agencies turning to us, and the 
coordination and the clear roles defined so that we do not have 
the FBI, DOE, DHS, and three other agencies showing up on our 
doorsteps all wanting the same thing. And I think tremendous 
advances have been made, and the Grid-Ex exercise pointed out 
some of those advances, but also pointed out the need to 
continue to define those roles more clearly.
    Chairman Carper. OK, great.
    Mr. Johnson. I do think that the NCCIC provides an 
opportunity for collocation that can solve some of those 
problems as well. So that would be the comment that I would 
make, is try to find a way to really have security operations 
centers to effect the kind of trusted network you need to 
really have the proper level of response in a lot of instances.
    Chairman Carper. All right. Thank you. Thanks for adding 
that.
    We are in your debt for a lot of reasons: one, for the good 
work that you have done and continue to do with your lives; we 
are in debt to you for being here today and preparing for this 
testimony and giving it and responding to Dr. Coburn's 
questions in writing.
    We will keep the record open for about 15 more days, until 
April 13 at 5 p.m., for the submission of statements and for 
questions for the record. If you get some questions, I would 
just ask that you respond to them promptly, and that will be 
much appreciated.
    Again, great to see you all, and thank you so much for 
being a part of this. I apologize you had to wait. Sometimes we 
have to vote on things over on the floor, and we had about four 
of them today, and so it disrupted our hearing. But thank you 
for going with the flow.
    Thanks, and with that we are adjourned.
    [Whereupon, at 1:13 p.m., the Committee was adjourned.]

                            A P P E N D I X

                              ----------                              

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


   DATA BREACH ON THE RISE: PROTECTING PERSONAL INFORMATION FROM HARM

                              ----------                              


                        WEDNESDAY, APRIL 2, 2014

                                       U.S. Senate,
                             Committee on Homeland Security
                                  and Governmental Affairs,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 10:12 a.m., in 
room SD-342, Dirksen Senate Office Building, Hon. Thomas R. 
Carper, presiding.
    Present: Senators Carper, Coburn, McCain, and Johnson.

              OPENING STATEMENT OF CHAIRMAN CARPER

    Chairman Carper. The hearing will come to order.
    I just want to say good morning, everyone. Thank you very 
much for joining us. For our first panel and for anyone on our 
second panel who is actually in the audience, thank you for 
coming, as well. To the audience, we are happy to see all of 
you.
    I really want to extend a warm welcome to Senator Blunt, 
with whom I have been working on data breach issues and some 
others for a while. We really appreciate his participation. He 
is one of those people who is always interesting. He is a 
glass-half-full guy. He is always looking to find the middle 
and to figure out how we can use some common sense and 
collaborate.
    Whenever I ask, Roy, whenever I ask people who have been 
married a long time, I ask them, what is the secret to being 
married, like, 50, 60, 70 years, and I get really hilarious 
answers. The best answer I ever got was two Cs, communicate and 
compromise. Communicate and compromise. And I would add a third 
C. The two Cs are also--communicate and compromise--the secret 
to a vibrant democracy. But if you add a third one, 
collaborate, I think that is the secret for us actually having 
some success with respect to data breach. Communicate, find 
principal compromises, collaborate, and the hearing today here 
is really designed to move us in that direction.
    Senator Blunt and I have introduced a bill, the same bill, 
actually, for the last couple of Congresses. Is it perfect? 
Probably not. Could it be improved? Probably so, and what we 
want to do is work with the other sponsors of legislation in 
the Senate, and there are a number of them who have their own 
bills, other Committees with jurisdiction, and just work 
together and see if we cannot get something done, which is 
really what the American people sent us here to do.
    There is no doubt that technology has evolved rapidly, 
particularly over the last decade, and these advances will 
continue to grow exponentially in the coming years. Technology 
that 10 years ago could have been something out of a science 
fiction movie is now a part of our daily lives. In fact, I saw 
a science fiction movie last night starring Woody Allen, and I 
am trying to remember the name of it. It came on really late at 
night. I turned it on as my wife was getting ready for bed and 
she said, ``What is that?'' And I said, it is a Woody Allen 
movie. Does anybody in the audience remember the name of it? It 
is just a great--pardon? ``Sleeper''? Yes, I think maybe that 
is it. Oh, what a---- [Laughter.]
    But, anyway, some of the technology in that movie, it 
seemed pretty outrageous then, but today, it is coming true, 
with a sense of humor.
    But, as we embrace the latest technology both at home and 
in the workplace, there is little doubt that more of our 
sensitive personal information is at risk of being compromised. 
Whether it is stored in our electronic devices we use daily or 
on company servers, this data can be vulnerable to the threat.
    As the way we communicate and do business has evolved, so 
have the tactics used by criminals to steal our money and steal 
our personal information. And today, cyber criminals run 
sophisticated operations and are discovering how to manipulate 
computer networks and make off with troves of our personal 
data. These data breaches have become much more prevalent, with 
a new one seemingly reported almost every day.
    My wife now teaches at the University of Delaware and they 
had a breach last year. I think the State of Delaware--as an 
old Governor, I know the State Treasury had a breach in the 
last couple of years. I get these monthly reports from, I think 
it is Experian, telling me they are monitoring my accounts and 
personal data, and I was one of those people who had a credit 
card that we used at Target. We ultimately ended up getting a 
new credit card and replacing my old credit card just 3 months 
after I had gotten a new credit card, and I got the new credit 
card and it did not work. So, we know personally how it is not 
just inconvenience, but how this can damage our financial well-
being and really cause a lot of distress.
    But data breaches can put our most valuable and personal 
information at risk, causing worry and confusion for millions 
of individuals and businesses. The impact of a data breach on 
the average American can be extremely inconvenient and 
sometimes results in serious financial harm. Data breaches can 
also be extremely expensive for banks and other entities to 
respond to and remediate, including to merchants.
    Although several high-profile retailers have recently come 
face to face with data breaches, they are not the only victims 
of these cyber intrusions. Hackers are targeting all types of 
organizations that people trust to protect their information, 
from popular social media platforms to major research 
universities, including the University of Delaware. The 
pervasiveness of these incidents highlights the need for us to 
find reasonable solutions to prevent attacks and protect 
consumers and businesses if a breach occurs.
    We will hear in the testimony today that many retailers, 
financial institutions, payment processors, and the groups 
representing them are coming together to find common sense 
solutions that the private sector can undertake proactively 
without the help of Congress. These are groups which oftentimes 
find themselves on different sides of this issue.
    I recognize, though, that there are many existing areas 
where Congress can and should play a constructive role. An 
important area where Congress can play a constructive role is 
answering the call for implementing a uniform national 
notification standard for when a data breach occurs. Currently, 
when a breach happens, notification occurs under a patchwork 
quilt, as we know, of 46 separate State laws. While some of 
these laws have common elements, creating a strong uniform 
national standard will allow consumers to know the rules of the 
road and allow business to invest the money saved from 
compliance into important upgrades and protections.
    That is why I joined Senator Blunt to introduce our Data 
Security Act of 2014. We think this common sense legislation, 
along with other good legislation that has been introduced, as 
I mentioned earlier, would require a national standard for 
entities that collect sensitive personal information. It would 
require these entities to enact a cohesive plan for preventing 
and responding to data breaches, plans that would detail steps 
that will be taken to protect information, investigate 
breaches, and notify consumers (PIN). I will say those three 
things again: Protect information, investigate breaches, and 
notify consumers.
    Most importantly, these plans would provide consistency 
throughout the Nation and allow consumers to have a greater 
level of confidence that their information will be protected 
and they will be notified if a breach occurs, despite whatever 
protective measures have been put into place. We are never 
going to be able to prevent every breach, I know that. We all 
know that. But we owe it to our consumers, we owe it to our 
taxpayers, we owe it to businesses and other entities that have 
been and will be victims of breaches to put into place the best 
system possible to grow with this growing threat.
    We look forward to hearing from our witnesses today who are 
leading the voices on cybersecurity and data breach in both 
government and the private sector. I am sure that your insights 
will be valuable as we continue our efforts to fix this 
problem, and I am encouraged that a number of our colleagues 
share our interest in advancing our efforts to address data 
breaches.
    I hope we can raise the 80/20 rule. The 80/20 rule, to our 
visitors here, a guy named Mike Enzi, a very good guy, a 
Senator from Wyoming, has this 80/20 rule. And I once asked him 
how he and Ted Kennedy got so much done when they took turns 
leading the Health, Education, Labor, and Pension Committee and 
he said, ``Well, Ted and I subscribe to the 80/20 rule.'' And I 
said, what is that? He said, ``Ted and I agree on 80 percent of 
the stuff. We disagree on 20 percent of the stuff. And what we 
do is just focus on the 80 percent where we agree and we set 
the 20 percent aside to another day,'' and I think that is what 
we need to do here. I hope we will keep that in mind as we go 
forward, is focus on that 80 percent where we can agree.
    I think it is in everyone's interest to ensure that we 
minimize the occurrence and impacts of data breaches, and I am 
sure you agree.
    I am happy to turn to Dr. Coburn and then to Senator Blunt 
for any comments that they would like to make.
    Senator Coburn. Let me defer to Senator Blunt and then I 
will follow up.
    Chairman Carper. Senator Blunt, welcome aboard.

   OPENING STATEMENT OF THE HONORABLE ROY BLUNT, U.S. SENATE

    Senator Blunt. Well, thank you.
    Chairman Carper. A former Secretary of State, I just 
learned today.
    Senator Blunt. As we were talking about that, both you and 
I, as former Statewide elected officials, have a predisposition 
to think that many of these things are handled better at the 
State and local level and that should be where we look first.
    I have a prepared statement\1\ I am going to leave, but I 
would like to say, first of all, this is an issue that has been 
around longer than it should have been around. You and I 
introduced legislation over 2 years ago, but it got a lot more 
attention after what happened at the end of last year and the 
beginning of this year.
---------------------------------------------------------------------------
    \1\ The prepared statement of Senator Blunt appears in the Appendix 
on page 220.
---------------------------------------------------------------------------
    But, I am persuaded on this topic that we cannot expect 
people to successfully comply with 49 different standards, and 
I think that is where we are now, 46 States and another three 
standards in Territories and other places that you have to 
comply with. That is an unreasonable thing to do and it is 
probably an impossible thing to do successfully every time you 
need to do it.
    The other thing I would see as a hallmark of whatever we do 
would be that the Congress cannot be too prescriptive in how we 
secure this important information. I am absolutely confident 
that the hackers and the criminals will be more nimble than the 
Congress, and if you put the code in the law, you just tell 
them the code that has to be broken and then you have to change 
the law before somebody can protect themselves adequately 
against the code itself.
    So, I would think those two things are principal goals that 
we should try to achieve. As Senator Carper says, there are a 
number of different people talking about this, and different 
Committees of jurisdiction. Some of you were at the Commerce 
Committee just the other day to talk about this same topic. But 
we need to move beyond talking about this to finding the 
solution, and I think it is really pretty simple.
    If a financial institution, retailer, or a Federal agency 
determines that sensitive information was or may have been 
compromised, the bill that Senator Carper and I have proposed 
would simply require them to investigate the scope of the 
breach and determine whether the information will likely be 
used to cause harm or fraud, and then if the answer is yes, to 
notify law enforcement, to notify appropriate Federal agencies, 
consumer reporting agencies, and the consumers themselves.
    There is clearly some discussion in the many discussions we 
have had on this about what level of breach has to be reached 
before you have to notify, and we are willing to have lots of 
input on what that number should be. I think the bill calls for 
one number, but that is probably not the perfect number, and 
frankly, whatever number we agree on probably will not be the 
perfect number. But, 49 different compliance regimens, an area 
that has driven us from one of the most secure places to do 
business and commerce as individuals in the world to way higher 
on the list of less secure than we would like to be is 
something that the Congress should be able to figure out a 
solution to.
    Senator Toomey has a bill that could very well be, many 
elements of it, added to the bill that Senator Carper and I 
have proposed now for two different Congresses. I look forward 
to this Committee playing a real leadership role in working 
toward a conclusion. Surely, we have talked about this long 
enough and now it is time to find that solution. I am sitting 
here wondering if actually Senator Carper and Senator Coburn 
agree on 80 percent of everything, but they agree on some 
percent of everything and they will be the ones to figure out 
what percent that is, and hopefully, we can work together and 
get this done.
    Thank you for letting me come by this morning.
    Chairman Carper. We are delighted that you are here. Thanks 
so much.
    Dr. Coburn and I agree on about 78 percent of everything. 
[Laughter.]
    We are closing in on 80.
    Senator Coburn. Point-six-six-seven. [Laughter.]
    Senator Blunt. Point-eight percent.

              OPENING STATEMENT OF SENATOR COBURN

    Senator Coburn. Well, thank you, Senator Blunt and Senator 
Carper.
    I would note, this is the fourth hearing on data breach in 
the Senate this year. And although it is an important topic, we 
are talking about vulnerability mitigation instead of 
deterrence. This Committee has had lots of testimony that we 
are going in the wrong direction. There is no question, I agree 
that we need to have some type of uniform set of standards, and 
I am not opposed to that. What I am opposed to is to not 
recognize the legitimate exposure that businesses see and why 
it would be in their own best interest to make sure they do not 
have data breaches, and I think all of them are looking at that 
now.
    I also understand that when you spend money for 
vulnerability mitigation, it does not increase sales. It does 
not produce new products. It does not do anything to add to the 
bottom line. It reduces the bottom line. But, it is a necessary 
expenditure, just like water and heat and light and other 
areas.
    There is no question that we have seen some serious 
problems in terms of data breach, but what we are not talking 
about today are the data breaches in the Federal Government. 
And to me, it is ironic that we can, as a Congress, sit and 
tell people, here are the rules, and we cannot even manage our 
own backyard in terms of data breaches. And I will not go into 
it. I will put my whole statement into the record.\1\
---------------------------------------------------------------------------
    \1\ The prepared statement of Senator Coburn appears in the 
Appendix on page 217.
---------------------------------------------------------------------------
    But I think one of the important things is that we ought to 
be setting a good example on our own cyber within the 
government, and the multitude of breaches that have occurred in 
the Federal Government's networks would say that we are not 
doing that. And so we do not speak with authority on this 
subject until we have a track record that we, in fact, 
ourselves have accomplished what is necessary on our own 
responsibilities.
    I am happy that Mr. Wilshusen is here today from the 
Government Accountability Office (GAO), who can really talk 
about what these issues are within the Federal Government and 
also some discussion on the EINSTEIN program, on which the 
Inspector General (IG) released a report just this last week. 
It is poorly managed and is not meeting milestones, and 
actually does not have the milestones and the management 
capabilities to get where they need to with that. Although I am 
a supporter of that effort, we lack that.
    So, I look forward to our witnesses. I will have to leave 
for a period of time, but I am appreciative of the openness to 
talk about the whole area of data breaches, not just in the 
private sector. Thank you.
    Chairman Carper. Thank you, Tom.
    I am going to just offer a brief introduction for each of 
our witnesses and then turn it over to you.
    Our first witness is Edith Ramirez, Chairwoman of the 
Federal Trade Commission (FTC). In this capacity, she aims to 
prevent business practices that are anti-competitive or 
deceptive to consumers and enhance consumer choice and public 
understanding of the competitive process. Prior to joining the 
Commission, Ms. Ramirez was a partner in a Los Angeles law firm 
where she handled a broad range of complex business litigation, 
successfully representing clients in intellectual property, 
antitrust, unfair competition, and Lanham Act matters. What law 
firm was that?
    Ms. Ramirez. Quinn Emanuel.
    Chairman Carper. And how long were you with them?
    Ms. Ramirez. For 13 years.
    Chairman Carper. OK. Our second witness is William Noonan. 
Mr. Noonan, nice to see you. He is Deputy Special Agent in 
Charge of the Secret Service Criminal Investigative Division, 
Cyber Operations. Throughout his career at the Secret Service, 
he has focused on both protective and investigative missions of 
the agency. In his current position, he oversees the Secret 
Service's cyber portfolio. Mr. Noonan has over 20 years of 
Federal Government experience, and throughout his career, he 
has initiated and managed high-profile transnational fraud 
investigations involving network intrusions and theft of data 
information and intellectual property. Thank you for joining 
us.
    Our final witness is Greg Wilshusen, Director of 
Information Security Issues at GAO, where he leads 
cybersecurity and privacy-related studies and audits of the 
Federal Government and critical infrastructure. We have not 
seen you for almost a week, so it is nice you have come back. 
We are going to have to start paying you per visit. That would 
break the bank.
    Mr. Wilshusen has over 30 years of auditing, financial 
management, and information systems experience and has held a 
variety of public and private sector positions. He is a 
Certified Public Accountant, Certified Internal Auditor, and a 
Certified Information Systems Auditor.
    We thank all of you for joining us today. Your testimonies 
will be made part of the record. Feel free to summarize, and we 
will get started. I am not aware of any votes that are 
scheduled. Tom, are you? Ron? OK. So, I think we are good to 
go.
    Ms. Ramirez, please proceed.

 TESTIMONY OF HON. EDITH RAMIREZ,\1\ CHAIRWOMAN, FEDERAL TRADE 
                           COMMISSION

    Ms. Ramirez. Chairman Carper, Ranking Member Coburn, and 
Members of the Committee, thank you for the opportunity to 
appear before you to discuss the FTC's Data Security 
Enforcement Program. I am pleased to be testifying with my 
colleagues from the Secret Service and the Government 
Accountability Office.
---------------------------------------------------------------------------
    \1\ The prepared statement of Ms. Ramirez appears in the Appendix 
on page 227.
---------------------------------------------------------------------------
    As this Committee is well aware, consumers' data is at 
risk. Recent well-publicized breaches at major retailers remind 
us that consumer data is susceptible to compromise by those who 
seek to exploit security vulnerabilities. This takes place 
against the background of the threat of identity theft, which 
has been the FTC's top consumer complaint for the last 14 
years.
    The Commission is here today to reiterate its bipartisan 
and unanimous call for Federal data security legislation. Never 
has the need for such legislation been greater. With reports of 
data breaches on the rise, Congress needs to act, and I would 
like to thank you, Chairman Carper, for your longstanding 
attention to the issue of data security.
    The FTC supports Federal legislation that would strengthen 
existing data security tools and require companies, in 
appropriate circumstances, to provide notification to consumers 
when there is a security breach. Reasonable security practices 
are critical to preventing data breaches and protecting 
consumers from identity theft and other harm. And, when 
breaches do occur, notifying consumers helps them protect 
themselves from any harm that is likely to be caused by the 
misuse of their data.
    Legislation should give the FTC authority to seek civil 
penalties where warranted to help ensure that FTC actions have 
an appropriate deterrent effect. In addition, enabling the FTC 
to bring cases against nonprofits, such as universities and 
health systems, which have reported a substantial number of 
breaches, would help ensure that whenever personal information 
is collected from consumers, entities that maintain such data 
adequately protect it.
    Finally, Administrative Procedure Act (APA) rulemaking 
authority, like that used in the Controlling the Assault of 
Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM), 
would allow the Commission to ensure that as technology changes 
and the risks from the use of certain types of information 
evolve, companies would be required to give adequate protection 
to such data. For example, whereas a decade ago, it would have 
been difficult and expensive for a company to track an 
individual's precise location, smartphones have made this 
information readily available. And in recent years, the growing 
problem of child identity theft has brought to light that 
Social Security numbers alone can be combined with another 
person's information to steal an identity.
    Using its existing authority, the FTC has settled 52 civil 
actions against companies that we alleged put consumer data at 
risk. In all these cases, the touchstone of the Commission's 
approach has been reasonableness. A company's data security 
measures must be reasonable in light of the sensitivity and 
volume of consumer information it holds, the size and 
complexity of its data operations, and the cost of available 
tools to improve security and reduce vulnerabilities.
    The Commission has made clear that it does not require 
perfect security, and the fact that a breach occurred does not 
mean that a company has violated the law.
    A number of the breaches that have prompted FTC civil 
enforcement action have also led to investigation and 
enforcement by criminal authorities. For example, in 2008, the 
FTC settled allegations that security deficiencies of retailer 
TJX permitted hackers to obtain information about tens of 
millions of credit and debit cards. At the same time, the 
Department of Justice (DOJ) successfully prosecuted a hacker 
behind the TJX and other breaches.
    As the TJX case illustrates, the FTC and criminal 
authorities share complementary goals. FTC actions help ensure, 
on the front end, that businesses do not put their consumers' 
data at unnecessary risk, while criminal enforcers help ensure 
that cyber criminals are caught and punished. This dual 
approach to data security leverages government resources and 
best serves the interests of consumers, and to that end, the 
FTC, the Justice Department, and the Secret Service have worked 
to coordinate our respective data security investigations.
    The TJX case is also a good illustration of the 
Commission's approach to data security enforcement. In our case 
against TJX, the FTC alleged a failure to implement basic, 
fundamental safeguards with respect to consumer data. More 
specifically, the Commission alleged that the company engaged 
in a number of practices that, taken together, were 
unreasonable, such as allowing network administrators to use 
weak passwords, failing to limit wireless access to in-store 
networks, not using firewalls to isolate computers processing 
cardholder data from the Internet, and not having procedures to 
detect and prevent unauthorized access to its networks.
    In addition to the Commission's enforcement work, the FTC 
offers guidance to consumers and businesses. For those 
consumers affected by recent breaches, the FTC has posted 
information online about steps they should take to protect 
themselves. These materials are in addition to the large stable 
of other FTC resources we have for ID theft victims. We also 
engage in extensive policy initiatives on privacy and data 
security issues.
    In closing, I want to thank the Committee for holding this 
hearing and for the opportunity to provide the Commission's 
views. Data security is among the Commission's highest 
priorities, and we look forward to working with Congress on 
this critical issue. Thank you.
    Chairman Carper. Ms. Ramirez, thank you so much for that 
testimony.
    Mr. Noonan, welcome. Please proceed.

TESTIMONY OF WILLIAM NOONAN,\1\ DEPUTY SPECIAL AGENT IN CHARGE, 
CRIMINAL INVESTIGATIVE DIVISION, CYBER OPERATIONS BRANCH, U.S. 
      SECRET SERVICE, U.S. DEPARTMENT OF HOMELAND SECURITY

    Mr. Noonan. Thank you, sir. Good morning, Chairman Carper, 
Ranking Member Coburn, and distinguished Members of the 
Committee. Thank you for the opportunity to testify on behalf 
of the Department of Homeland Security (DHS) regarding the 
ongoing trend of criminals exploiting cyberspace to obtain 
sensitive financial and identity information as part of a 
complex criminal scheme to defraud our Nation's payment 
systems.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Noonan appears in the Appendix on 
page 239.
---------------------------------------------------------------------------
    Our modern financial system depends heavily on information 
technology (IT) for convenience and efficiency. Accordingly, 
criminals, motivated by greed, have adapted their methods and 
are increasingly using cyberspace to exploit our Nation's 
financial payment systems to engage in fraud and other illicit 
activities. The widely reported payment card data breaches of 
Target, Neiman Marcus, White Lodging, and other retailers are 
just recent examples of this trend. The Secret Service is 
investigating these recent data breaches and we are confident 
we will bring the criminals responsible to justice.
    This year is the 30th anniversary of when Congress first 
defined as specific Federal crimes both unauthorized access to 
computers and access device fraud, while explicitly assigning 
the Secret Service authority to investigate these crimes. Over 
the past three decades, the Secret Service has continuously 
innovated in how we investigate these crimes and defeat the 
criminal organizations responsible for major data breaches.
    In support of the Department of Homeland Security's 
missions to safeguard cyberspace, the Secret Service has 
developed a unique record of successes investigating cyber 
crime through the efforts of our highly trained special agents 
and the work of our growing network of 35 Electronic Crimes 
Task Forces, which Congress in 2001 assigned the mission of 
preventing, detecting, and investigating various forms of 
electronic crimes, including potential terrorist attacks 
against critical infrastructure and financial payment systems.
    As a result of our cyber crime investigations, over the 
past 4 years, the Secret Service has arrested nearly 5,000 
cyber criminals. In total, these criminals were responsible for 
over a billion dollars in fraud losses, and we estimate 
investigations prevented over $11 billion in fraud losses.
    Data breaches like the recently reported occurrences are 
just one part of the complex criminal scheme executed by 
organized cyber crime. These criminal groups are using 
increasingly sophisticated technology to conduct a criminal 
conspiracy consisting of five parts.
    One, gaining unauthorized access to computer systems 
carrying valuable protected information.
    Two, deploying specialized malware to capture and 
exfiltrate this data.
    Three, distributing or selling this sensitive data to their 
criminal associates.
    Four, engaging in sophisticated distributed frauds using 
the sensitive information obtained.
    And, five, laundering the proceeds of this illicit 
activity.
    All five of these activities are criminal violations in and 
of themselves, and when conducted by sophisticated 
transnational networks of cyber criminals, this scheme has 
yielded hundreds of millions of dollars in illicit proceeds.
    The Secret Service is committed to protecting our Nation 
from this threat. We disrupt every step of their five-part 
criminal scheme through proactive criminal investigations and 
defeat these transnational cyber criminals through coordinated 
arrests and seizure of assets.
    Foundational to these efforts are our private industry 
partners as well as the close partnerships that we have with 
the State, local, Federal, and international law enforcement. 
As a result of these partnerships, we are able to prevent many 
cyber crimes by sharing criminal intelligence regarding the 
plans of cyber criminals and by working with victim companies 
and financial institutions to minimize financial losses.
    Through our Department's National Cybersecurity and 
Communications Integration Center (NCCIC), the Secret Service 
also quickly shares technical cybersecurity information while 
protecting civil rights and civil liberties in order to enable 
other organizations to reduce their cyber risks by mitigating 
technical vulnerabilities.
    We also partner with the private sector and academia to 
research cyber threats and publish the information on cyber 
crime trends through reports like the Carnegie Mellon CERT 
Insider Threat Study, the Verizon Data Breach Investigations 
Report, and the Trustwave Global Security Report.
    The Secret Service has a long history of protecting our 
Nation's financial system from threats. In 1865, the threat we 
were founded to address was that of counterfeit currency. As 
our financial payment system has evolved, from paper to plastic 
to now digital information, so, too, has our investigative 
mission. The Secret Service is committed to continuing to 
protect our Nation's financial system, even as criminals 
increasingly exploit it through cyberspace.
    Through the dedicated efforts of our special agents, our 
Electronic Crimes Task Forces, and by working in close 
partnership with the Department of Justice, in particular, the 
Computer Crimes, Intellectual Property Section, and local U.S. 
Attorney's Offices, the Secret Service will continue to bring 
cyber criminals that perpetrate major data breaches to justice.
    Thank you for the opportunity to testify on this important 
topic, and we look forward to your questions.
    Chairman Carper. Thank you so much. I enjoyed meeting with 
you last week and learned a lot from that conversation, and I 
am sure we will learn a lot more here today. Thanks.
    Mr. Wilshusen, welcome aboard.

  TESTIMONY OF GREGORY C. WILSHUSEN,\1\ DIRECTOR, INFORMATION 
     SECURITY ISSUES, U.S. GOVERNMENT ACCOUNTABILITY OFFICE

    Mr. Wilshusen. Thank you. Chairman Carper, Ranking Member 
Dr. Coburn, and Members of the Committee, thank you for the 
opportunity to testify at today's hearing on data breaches. My 
testimony today will address Federal efforts to protect its 
information and to respond to data breaches that occur.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Wilshusen appears in the Appendix 
on page 250.
---------------------------------------------------------------------------
    Before I begin, if I may, I would like to recognize several 
members of my team, including John de Ferrari and Jeff Knott, 
who are sitting behind me, and Larry Crosland and Marisol Cruz, 
who conducted the work underpinning my testimony today.
    Chairman Carper. Would they raise their hands, please? 
Thank you.
    Mr. Wilshusen. In addition, Lee McCracken was instrumental 
in crafting my written statement.
    Mr. Chairman, as you know, the Federal Government collects 
and retains large volumes of sensitive information, including 
personal information on American citizens. The loss or 
unauthorized disclosure or alteration of this information can 
lead to serious consequences and substantial harm to 
individuals, as well as the Nation.
    Over the past 4 years, the number of information security 
incidents reported by Federal agencies involving personal 
information has more than doubled, to 25,566 in fiscal year 
(FY) 2013.
    Agencies continue to face challenges in securing their 
information. They have had mixed results in addressing the 
eight components of an agency-wide information security program 
called for by law, and most of the 24 agencies covered by the 
Chief Financial Officers Act have had weaknesses in 
implementing key security controls.
    In fiscal year 2013, for example, 18 of the 24 agencies 
reported a significant deficiency or material weakness in 
information security controls for financial reporting purposes. 
IGs at 21 agencies cited information security as a major 
management challenge for their agency. And GAO once again 
designated Federal information security as a Governmentwide 
High-Risk Area.
    Mr. Chairman, even when agencies have implemented effective 
information security programs, data breaches can still occur, 
so it is imperative that agencies respond appropriately. At the 
request of this Committee, we issued a report in December on 
agency responses to breaches of personally identifiable 
information (PII). We determined that agencies included in our 
review had generally developed policies and procedures for 
responding to data breaches and had implemented key preparatory 
practices that should be performed in advance of specific 
incidents, and these include establishing a Data Breach 
Response Team to oversee response activities and training 
employees on the roles and responsibility for breach response.
    However, agencies' implementation of key operational 
practices that should be performed in response to specific 
incidents was inconsistent. Although all the agencies reviewed 
had prepared and submitted reports of incidents to appropriate 
authorities, they did not consistently implement other key 
response practices.
    For example, of the seven agencies we reviewed, only the 
Internal Revenue Service (IRS) consistently assigned a risk 
level for each data breach reviewed and documented how that 
level was determined.
    The seven agencies documented the number of individuals 
affected by a breach in only 46 percent of the 363 incidents we 
reviewed. And only the Army and Securities and Exchange 
Commission (SEC) notified all affected individuals for each 
breach determined to be high-risk. In total, individuals were 
not notified in about 22 percent of the high-risk incidents.
    The seven agencies also did not consistently offer credit 
monitoring to individuals affected by PII-related breaches, and 
none of the agencies consistently documented lessons learned from 
data breaches, including corrective actions to prevent or 
detect similar incidents in the future.
    We also reported that the Office of Management and Budget 
(OMB) requirement for agencies to individually report each PII-
related incident involving paper-based information or the loss 
of hardware with encrypted data to U.S. Computer Emergency 
Readiness Team (US-CERT) within 1 hour of discovery added 
little value beyond what could be achieved by periodic 
consolidated reporting. We recommended that OMB revise its 
reporting requirements and update its guidance to improve the 
consistency and effectiveness of agency data breach response 
programs. We also made 22 recommendations to agencies to 
improve their data breach response practices.
    At the request of this Committee, we also studied Federal 
agencies' ability to respond to cyber incidents. We determined 
the extent to which Federal agencies are effectively responding 
to cyber incidents once they have been detected and the extent 
to which DHS is providing assistance to agencies. We plan to 
issue our report later this spring.
    Chairman Carper, Dr. Coburn, and Members of the Committee, 
this concludes my statement. I would be happy to answer any 
questions.
    Chairman Carper. Greg, thanks so much for joining us again 
this week.
    You have mentioned and Dr. Coburn has mentioned the ability 
of the Federal Government to protect its own sensitive 
information. There is an old law called the Federal Information 
and Security Management Act which needs desperately to be 
updated. One of the things--Dr. Coburn is threatening to leave 
us at the end of this year, as you may know, and one of the 
things I am very hopeful that we will be able to do is update 
that legislation. We are working on it, our staffs are working 
on it, and we appreciate very much your help in doing that.
    I think it was Abraham Lincoln who once said the role of 
government is to do for the people what they cannot do for 
themselves. With that thought in mind, what I really hope we 
can accomplish here today--I do not want to have a hearing just 
to have another hearing on data breach. We have all these 
different ideas, legislation from good people, Democrats, 
Republicans, and we have to get on the same page. We have to 
stop talking past each other. And, I think as the retailers, as 
the card issuers, as the card processors are coming together, 
creating their own coalition to look for ways to collaborate, 
that, I think, helps us to better figure out what we need to do 
and to guide us.
    But, here is what I am going to ask this panel, each of 
you, and I am going to ask the second panel, as well, is what 
does the Congress need to do? And to the extent that we can 
find some concurrence on that question, that would be hugely 
helpful. What do we need to do? Let me just start off with 
Chairwoman Ramirez, please. What does the Congress need to do? 
And maybe the second half of my question is, what do we need 
not to do?
    Ms. Ramirez. Let me focus on the first question that you 
posed, which I think is the central question to ask today. From 
our perspective at the Federal Trade Commission, we think that 
it is absolutely time for Congress to enact comprehensive 
Federal legislation in this area, setting robust standards and 
data breach notification requirements. And specifically, what 
we ask is that this legislation provide civil penalty authority 
to the FTC to augment our existing work in this arena and to 
ensure that there is appropriate deterrence and that companies 
invest appropriately and institute reasonable security measures 
to protect consumer information.
    We also think it is important for any legislation to give 
the FTC APA rulemaking authority, which----
    Chairman Carper. I am sorry. APA----
    Ms. Ramirez. Administrative Procedure Act. This would 
enable us to make rules to implement any legislation, and the 
reason that we think it is so necessary to have this authority 
is that it is really critical that we be provided the tools so 
that any legislation can be adapted to changing and evolving 
technology. And I mentioned in my opening statement today, 
geolocation information is readily available. A decade ago, 
that certainly was not the case, and we need to be able to 
adapt to changing times, both to be able to, if necessary, 
redefine what constitutes personal information, but then also, 
perhaps, to lift any requirements that may no longer be 
necessary, given the evolution of technology.
    And then, finally, we also ask that we be provided 
jurisdiction over nonprofits, which we currently lack. Today, 
we also know that university systems and nonprofit hospitals 
that are currently outside of our jurisdiction also have 
suffered breaches and we think it is important that the FTC 
have authority in this area.
    Chairman Carper. OK. Thanks.
    Mr. Noonan, if you and Mr. Wilshusen--feel free to react to 
what Ms. Ramirez has said, points that you agree with, maybe 
those that you do not. But again, the idea is for us to better 
understand today what the Congress needs to do and what we do 
not need to do and looking for consensus here. If we can find 
some of that, that would be great.
    Mr. Noonan. I think, generally, the consensus that I have 
is that we do need to establish a national bill where 
disclosure is made. Important to the Secret Service, and, I 
think, to the country, is there should be a piece there where 
there is notification or disclosure of data breaches to law 
enforcement with jurisdiction. Law enforcement plays a critical 
role in data breach investigations, both in law enforcement 
going after the criminal piece as a deterrent, but also as an 
information sharing piece, what we learn out of these data 
breaches and then how we are able to take that information and 
share it back with critical infrastructure.
    So, I think that is a critical piece of any national 
legislation that should potentially go forward, as well as 
increasing the penalties for these types of activities. If 
Congress were to increase the penalties of 18 USC 1030, 
potentially, that would act as a deterrent for criminals from 
coming into protected computer systems, as well as having 1030 
act as a predicate offense to Racketeering and Organized Crime 
standards, so we can get higher-level prosecution.
    So, in our exposure and in what we have learned, too, is 
that the higher the level of penalties, the higher the level of 
cooperation sometimes is amongst some of the people that we 
bring to justice, and they are able to share information back 
with the government so we can prevent further acts from 
occurring.
    Chairman Carper. OK. Mr. Wilshusen, same question, please.
    Mr. Wilshusen. I would say one thing that Congress can do 
is to look at the Federal Information Security Management Act 
(FISMA) reform within the Federal space. As you know, FISMA 
gives OMB several responsibilities for overseeing and assisting 
agencies in their implementation of information security 
controls. OMB has delegated or transferred many of those 
responsibilities to the Department of Homeland Security, and so 
clarifying the roles and responsibilities of those two 
organizations for overseeing information security within the 
Federal space could be very helpful.
    I also think that this Committee and others should 
continue to provide the oversight necessary within the Federal 
space and to assure that proper attention is given to 
protecting information security, not only within the Federal 
Government, but also in its interactions with critical 
infrastructure protection and other roles in helping our 
citizens protect information that they also have out on the Web 
and Internet.
    One thing Congress should not do is to turn a blind eye. 
Keep attention focused on this area.
    Chairman Carper. OK. Thanks very much.
    Senator McCain, welcome.

              OPENING STATEMENT OF SENATOR MCCAIN

    Senator McCain. Well, thank you, Mr. Chairman.
    Ms. Ramirez, so that people and perhaps Members of Congress 
can understand better what is going on here, let us talk a 
little bit about the data breach at Target Corporation. 
Apparently, there was some Russian input into it, or there may 
have been that there was Russian language or something like 
that into what we were able to ascertain about these hackers, 
is that right?
    Ms. Ramirez. Senator, let me just emphasize, the FTC 
focuses on the civil law side of this, and on the front end. 
And this is an investigation that Target has confirmed that the 
FTC is looking at it. I cannot comment on any pending 
investigation----
    Senator McCain. Mr. Noonan, can you comment? It is in the 
public record, I mean. It is not a secret. Is there----
    Chairman Carper. Can I just interject something, John? Mr. 
Noonan came and met with us in my office last week. He gave a 
great explanation of what happened at Target that even I could 
understand, and----
    Senator McCain. Go ahead. And I am also interested in the 
financial loss there so that people can understand better the 
magnitude of this breach, which is symptomatic of many others. 
Go ahead, Mr. Noonan.
    Mr. Noonan. Sure, sir. I just want to kind of crosswalk you 
across these data breaches, these major data breaches, exactly 
how these intrusions occur and the nationality that we are 
talking about. These are transnational organized criminals. To 
say that it is one country that these people are from, it would 
be inaccurate if I told you that. I would like to say that----
    Senator McCain. But there are some allegations that some of 
this has come from Russian sources.
    Mr. Noonan. So, a majority of these people that are 
attacking these systems are from Eastern Europe. They use the 
Russian language as a means to be able to communicate in----
    Senator McCain. I got you.
    Mr. Noonan [continuing]. As an operations security (OPSEC), 
if you will, to keep domestic law enforcement out of their 
wares.
    So, the way it works it is not one criminal, it is not one 
criminal group, it is a loosely affiliated group. So, there are 
people out there that are gaining access to computer systems 
and they are potentially selling access on criminal 
undergrounds to one another.
    There are other people that are developing malware and that 
malware is then used by another person or another group that 
may insert that malware into the compromised system.
    There are other pieces of the organization that will test 
that malware to make sure that that malware is not susceptible 
to our antivirus means that are out there to stop this.
    You have to understand, these people are motivated by 
greed. So, when they go into a system, they have to be quiet. 
They cannot be found or discovered. Otherwise, they are not 
going to achieve their goal, and that is to exfiltrate out the 
data which they can sell. Exfiltrate, in the cases of a lot of 
the data breaches that are in the media right now, are related 
to payment cards, but that is just not what they are after. 
They are after whatever it is that they can monetize. So, I 
think that we have brought up the fact that personally 
identifiable information, is a piece that can be monetized and 
such.
    So, in the underground, once that data is exfiltrated out, 
there is a criminal underground that works on vending that 
data. So, they sell to other criminals across the world who 
then use that for their personal gain.
    And then there is a money laundering system where the money 
flow goes back, and when we talk about money flow, we are not 
talking about currencies. We are talking about digital 
currencies on how the money is moved back, where it is not 
traceable. It is very difficult for law enforcement to trace 
the movement of that money where it is not regulated.
    So, that is the type of criminal organizations we are 
talking about----
    Senator McCain. So, in the case of Target, how much money 
are we talking about?
    Mr. Noonan. We are not at the point in our investigation 
where we can lock down a dollar amount, but we believe it is 
probably going to be several million dollars were at risk.
    Senator McCain. And no matter who is responsible, 
eventually, that cost is passed on to the consumer, and Target 
is just one of many, perhaps one of the more visible, but 
Neiman Marcus and others, this has happened. And there is no 
reason to believe this is going to stop, would you agree?
    Mr. Noonan. I believe that with the assistance of law 
enforcement, we are moving toward getting certain individuals 
to be able to stop this action as a deterrent. I would hope 
that we would be able to bring these criminals to justice. So, 
I think it is a long string, a long history of attacks that 
have occurred, and I think what our--and to your point, 
wherever we raise the fence, I think these criminals, because 
of their motivation, will always be looking for the edge of the 
fence. So, there is no silver bullet that is going to be able 
to take care of the problem.
    Senator McCain. And you would, as you have already stated, 
Ms. Ramirez, that different State laws obviously do not get 
it, that there needs to be Federal legislation.
    Ms. Ramirez. State laws only address the breach 
notification aspect of this, so I think there does need to be a 
Federal standard. And based on our own experience and what we 
look at, which is the measures that companies have in place, it 
is clear that companies are not investing adequately in the 
area of data security and that more needs to be done.
    Senator McCain. Mr. Wilshusen, you stated in your testimony 
that in a 2013 GAO report, GAO made 22 recommendations to 
Federal agencies which aim to improve data breach response 
activities. How are these agencies responding to those 
recommendations?
    Mr. Wilshusen. Well, we made recommendations to nine 
agencies. Four of them agreed and concurred with all the 
recommendations that we made. Three neither concurred nor 
non-concurred. And we had two that agreed with one of our 
recommendations each to them, but disagreed, non-concurred, 
with the other recommendations we made to them.
    Senator McCain. Mr. Chairman, we ought to find out the 
reason why several of these agencies did not concur. They may 
have had some reason that I cannot detect, but this GAO report, 
I think, was common sense addressing some of these issues.
    So, you have not seen the kind of compliance or 
implementation of your recommendations that you think are 
adequate?
    Mr. Wilshusen. We just made the recommendations back in 
December. In the responses, six of the agencies indicated some 
of the actions that they were taking to implement our 
recommendations, and we will follow up over the course of the 
year, and we will do so annually, to assess the status of their 
corrective actions in implementing our recommendations.
    Senator McCain. When do we expect to hear from you next?
    Mr. Wilshusen. Whenever you invite me.
    Senator McCain. I mean, as far as the assessment is 
concerned.
    Mr. Wilshusen. That would be later this year.
    Senator McCain. Like----
    Mr. Wilshusen. Toward the end of the year, when we will 
check to see if--the first time we will hear something back 
from them will be in their 60-day letter to us on the status of 
their actions and final determinations of concurrence with our 
recommendations.
    Senator McCain. Thank you, Mr. Chairman.
    Chairman Carper. Dr. Coburn.
    Senator Coburn. Chairwoman Ramirez, in your oral testimony, 
you talked about civil penalties creating the deterrence 
effect. You were talking about a deterrence for businesses to 
be compliant with what they need to be. The deterrence I am 
talking about is what Mr. Noonan--so, of the 52 cases that you 
had authority in, and one of your statements is that you needed 
greater authority to hold them. Of those 52 cases, in how many 
were the perpetrators prosecuted?
    Ms. Ramirez. Senator, I am going to need to get back to you 
with a particular figure, but what I can tell you is that we 
work very closely with the criminal authorities. We coordinate 
with Mr. Noonan and his team on a number of different matters. 
So, even though we focus on what we call the front end, the way 
businesses are implementing data security measures, we do, of 
course, understand it is absolutely critical that criminal law 
enforcers go after----
    Senator Coburn. Well, that is the real answer, because as 
soon as--here is the problem. When it is all regulatory 
authority to make compliance versus punishing the people who 
are violating the compliance, in other words, the people who 
are probing the networks, we are never going to get ahead of 
this. And we have had very strong testimony before this 
Committee that if you focus on mitigation vulnerabilities, 
mitigating the vulnerabilities in your network, and you do not 
put 60 to 70 percent of your time in terms of prosecuting the 
mal-actors, we are never going to win this battle. We can have 
the strongest networks in the world and there is always going 
to be somebody who goes after it.
    So, if we create the expectation in this country that if 
you are violating a network, you are going to get hammered, 
what we are going to do is markedly increase not only the 
events that happen, but the costs associated with protecting 
networks. And so I think it is really important that we look at 
that, and it bothers me a little bit, even though you say you 
work with them, the point is, you need to have a balanced 
approach. It needs to be both. It cannot just be businesses 
comply with this regulatory regime and you are fine, because we 
will never stop it.
    Ms. Ramirez. Senator, if I may, just so that I can clarify 
this point, my view is that this is a very complex problem that 
requires multiple prongs. At the FTC, we only have certain 
authority. We have civil law authority and our authority goes 
to the businesses that put data security measures in place. We 
think there is under-investment in that arena and that needs to 
be addressed. But, absolutely, all the points that you raise 
are absolutely valid, and we do collaborate with the other 
agencies that have another part to play in this arena.
    Senator Coburn. One other question. Of the 52 cases where 
you had the authority to work, how many other cases have you 
had greater authority? Where were you limited by not having 
additional authority? Can you name examples of places where you 
saw a problem but you did not see the authority to get the 
problem corrected?
    Ms. Ramirez. Well, the additional authority that we seek is 
very targeted. So we are asking for civil penalty authority, 
because today, we do not have, under our Section 5 authority, 
we do not have the ability to impose penalties, and we do think 
that it is necessary to have greater deterrence in this arena. 
We are also asking for----
    Senator Coburn. Well, you really mean compliance. You do 
not mean deterrence. Deterrence is going after the bad actors. 
Compliance is what you really----
    Ms. Ramirez. Well, we----
    Senator Coburn. Is that right?
    Ms. Ramirez. No. We view deterrence also in terms of 
companies providing reasonable security measures and providing 
adequate protection to consumers.
    Senator Coburn. OK. Mr. Noonan, I am proud of the work that 
you all do and appreciate all of you being here. One of the 
other things that we had in our testimony was that we have very 
few Federal Bureau of Investigation (FBI) agents with which you 
can work that cooperate overseas on investigating. Do you see 
that as a problem as you all work these cases?
    Mr. Noonan. To have the number of agents that are overseas 
in our overseas offices?
    Senator Coburn. Well, not just your agents, but also FBI 
agents. Do you not work in conjunction with FBI on a lot of 
this stuff?
    Mr. Noonan. Yes, sir. So, we do coordinate with the FBI on 
a lot of these cases.
    Senator Coburn. But the testimony was there is really a 
slim number of those people with which to work. Do you see that 
as a problem as you try to execute prosecution and 
investigation on these cases? Do you see a lack of resources, 
as far as coming from the FBI, coordinating with you, with our 
partners overseas as we try to prosecute these events?
    Mr. Noonan. What I see is that we, together, have a unique 
history of bringing cyber criminals to justice. What I do think 
is that our relationship building is probably the most critical 
piece that we in Federal law enforcement have overseas. We do 
not have jurisdiction to really work in these overseas 
environments, but I think in Federal law enforcement, it is 
based on the relationship building and our efforts of 
coordinating with Federal--with other international law 
enforcement.
    So, as far as the numbers of people, could we always have 
more to assist in building that liaison and building on that 
coordination? Absolutely. But, I think it is based on our 
efforts, the Secret Service efforts, in our international 
offices and our working groups in developing those 
relationships with those international partners that is aiding 
us in bringing those different criminal actors in Eastern 
Europe to justice here domestically. We have a great----
    Senator Coburn. I understand that, but here is what I am 
trying to get at. Mr. Chabinsky testified last week, Steve 
Chabinsky, that we have few FBI agents working overseas to try 
to coordinate to help you do that. And my question is, do you 
see that as a problem or not a problem? Do you dispute his 
testimony?
    Mr. Noonan. No, I would not dispute the Director's 
testimony.
    Senator Coburn. So, we do need more resources on the FBI to 
coordinate with you, with our partners overseas?
    Mr. Noonan. I think with all of Federal law enforcement, we 
would--and not just necessarily the FBI, but also with the 
Secret Service in our international capacities over in the 
international footprint, as well.
    Senator Coburn. OK. Mr. Wilshusen, would you clarify. 
Twenty-five thousand, five hundred and sixty-six events in 2013. 
Describe what you mean by ``event.''
    Mr. Wilshusen. OK. Those would be incidents reported by 
Federal agencies to the US-CERT, and those can include various 
different types of security incidents. These all involved 
personal information or personally identifiable information, as 
opposed to other incidents which do not. And----
    Senator Coburn. So, all 25,000 of these were PIIs?
    Mr. Wilshusen. Yes, that is correct----
    Senator Coburn. OK.
    Mr. Wilshusen [continuing]. As reported by Federal agencies 
to the US-CERT. About 25 percent of all incidents including 
non-PII incidents were non-cyber incidents. Another 16 percent 
of those could be due to equipment loss or theft of equipment 
which contained PII data. Some of that data may have been 
encrypted on those machines, some perhaps not. And others 
included the implementation of--or installation, excuse me, of 
malicious code onto devices and onto the systems. It could also 
include, for example, policy violations, where individuals may 
have violated their agency's policy related to protecting or 
using personal information.
    Senator Coburn. OK. The other part of your report is that 
operational practices were inconsistent pretty well throughout 
the government.
    Mr. Wilshusen. Throughout the seven agencies that we 
reviewed as part of that review, and those agencies included 
the Army, Centers for Medicare and Medicaid Service (CMS), IRS, 
Department of Veterans Affairs, Federal Deposit Insurance 
Corporation (FDIC), the Federal Reserve Board, Securities and 
Exchange Commission, and the Federal Retirement Thrift 
Investment Board.
    Senator Coburn. OK. Chairman Carper and I, as well as the 
Commerce Committee and the Intelligence Committee, have the job 
of putting together a cyber bill this year. Hopefully, we will 
get that done. Any comments from any of you all on things that 
we should look at that will make your job easier and at the 
same time make us more effective as a Nation in terms of 
cybersecurity?
    Mr. Noonan. Yes, sir. In fact, we spoke earlier in the week 
about an issue regarding notification. We believe it is 
important to allow law enforcement to have an active role in 
these types of investigations.
    The late notification is a piece that we talked about as it 
relates to notification out to victims. So, when we potentially 
identify a victim company, the victim company, of course, has 
an obligation where they would like to inform its victims of 
the exposure, if you will.
    There are many times where law enforcement has ongoing 
operations, whether they are undercover operations or working 
with sources, which have the ability to get at the potential 
root that we talked about in a deterrent factor to try to 
gather more evidence and to identify who the criminal actors 
potentially are. So, in a case where law enforcement would work 
with the victim company and allow them to have a delay in their 
notification out to the individual victims----
    Senator Coburn. It would give us an advantage to travel 
back.
    Mr. Noonan. Potentially, yes, sir.
    Senator Coburn. OK.
    Mr. Noonan. So, I think it is very important--in fact, I 
can crosswalk you through a case that we not too recently, but 
we have recently had, where we were engaged in an undercover 
operation where we had the opportunity to not only advise that 
company of their data breach, but after we had advised them of 
their data breach, we entered into an operation where we could 
actually obtain that data and get that data. The company was 
very quick and wanted to notify its consumers to the point 
where it was interfering with the operation. So, that is what----
    Senator Coburn. So, we need to have the flexibility in any 
data act or cyber bill we have to protect the law enforcement 
to be able to do their job and continue a sting or something 
similar to that. In other words, there needs to be a variance 
if and when law enforcement says, please wait one week until we 
finish what we are doing.
    Mr. Noonan. Yes, sir. So, the word I would use is a 
compromise. So, there must be a compromise. When I use the word 
``compromise,'' I mean notification should not be delayed by 
months and years. It should be a reasonable amount of time.
    Senator Coburn. All right. Anybody else?
    Mr. Wilshusen. I would just add, as it relates to FISMA and 
within the Federal space, just to clarify the roles and 
responsibilities of the Office of Management and Budget and the 
Department of Homeland Security with overseeing and assisting 
Federal agencies in implementing information security.
    Senator Coburn. Well, the only way you are going to get it 
implemented is have some teeth in it, and the only organization 
that has teeth right now is OMB. Homeland Security is coming on 
strong. They are improving rapidly, thanks to Senator Carper 
and the new Secretary and some of the work that was done before 
they got there. But it is important that we get a bill that 
causes people to buy into what we need to do on a timely basis.
    Thank you, Mr. Chairman.
    Chairman Carper. You bet.
    I want to go back to the questioning that was going on with 
Dr. Coburn and really with you, Mr. Noonan, on notification. I 
think I said earlier in my comments, I said there are three 
things we are focused on here. One, how do we protect 
information? Two, how do we investigate when there are 
problems? And, three, how do you go about notification? Another 
one would probably be, do we continue to have 40-some standards 
or do we compress that to one national standard, or something 
in between 49 and one that we should do.
    But, let us just stick with notification for a little bit. 
I heard from some sources that if people get notified too 
often, consumers get notified repeatedly for even minor 
breaches, that they come to a point where they become almost 
numb to the notifications. Can any of you comment on that, 
trying to figure out when should the notification occur for an 
individual to avoid that, if that is a legitimate concern?
    Ms. Ramirez. Chairman, I am happy to answer your question. 
I think it is a balance. We at the FTC are certainly very 
sensitive to the concern that you raise about potential over-
notification. What we think needs to be done is that consumers 
need to be notified if there is a reasonable risk of harm. So, 
the----
    Chairman Carper. How do we go about----
    Ms. Ramirez. Well, it is a fact-specific test, but I think 
it is important that a company that holds consumer data have an 
opportunity before there is any notification to assess and 
determine exactly what data might have been compromised, and 
then based on that information, and based on the sensitivity of 
the information, that, in turn, can be used to determine when 
and who ought to be notified. So, I do think it is a balance, 
but I think the test ought to be a reasonableness test, and if 
there is a reasonable risk of harm to consumers, there ought to 
be notification.
    Chairman Carper. OK. Others, please.
    Mr. Wilshusen. Yes.
    Chairman Carper. Mr. Wilshusen.
    Mr. Wilshusen. Yes. Within the Federal space, agencies are 
supposed to assess the risk and level of impact that could 
occur once a data breach occurs; that is the level of harm that 
could occur to the affected individual. There are a number of 
factors that they take into account, or should take into 
account to determine that level of risk.
    Those include, one, the type of information that was actually 
compromised, whether it is just a name or is it the name and 
Social Security number and other personal information, and, 
two, the nature of the breach. Is it one in the case of where, for 
example, the PII is on a laptop for which the data is 
encrypted? The risk would be lower than if someone had intruded 
on a network and was exfiltrating this information out of the 
network.
    And so taking those factors and considering the risk of 
harm that could occur with the information that was compromised 
would be another factor in determining the level of risk, and 
also just the number of people that may be impacted by that 
incident.
    And based on that, make a determination on whether 
notification should be made to the affected individual, because 
as you point out, you do not want to unnecessarily or unduly 
notify someone who will really have a very minor or limited 
risk of their information being compromised. But if that risk 
is reasonable or high, certainly, notification should probably 
be made.
    Chairman Carper. Mr. Noonan, anything else you want to 
mention on this?
    Mr. Noonan. Yes, sir. I think it is also important to give 
a company the opportunity to look at its own systems. So, a lot 
of times, you are going to understand, in the report that we 
have worked with--the Verizon data breach, on the Verizon Data 
Breach Report, just last year, together, Verizon reported that 
over 70 percent of the disclosures to a victim company were 
made by an outside source, so, by law enforcement or another to 
the victim company saying that they have a problem. So, when 
that occurs, the company needs to take a look at itself within 
and determine if and when it actually did have a compromise and 
an exfiltration of that data.
    That being said, companies do need to have a window of time 
to be able to do an internal investigation to determine if 
there is actually a problem from the notification from law 
enforcement. So, it is not an instant occurrence where law 
enforcement comes to them and says, we believe you have a 
problem. They still have to take an opportunity to work with 
third-party forensic companies to take a look at their systems 
to determine if they do have a problem. So, by requiring too 
quick of a notification, it could damage the company or the 
company's reputation, as well. So, we think that is an 
important part, to give leverage to companies.
    Chairman Carper. OK. Good. One last question, and then we 
will excuse this panel and invite our second panel to join us. 
But in our next panel, we are going to hear from Governor 
Pawlenty, representing the Financial Services Roundtable, Ms. 
Kennedy from the Retail Industry Leaders Association about 
common sense solutions that the private sector can undertake 
proactively without the help of Congress. And these are groups 
which oftentimes find themselves, as you know, on different 
sides of an issue, and certainly this issue, so it is actually 
quite encouraging that they are taking steps to work together 
to get their arms around this very difficult issue.
    Can each of you just offer some advice to the new Working 
Group that has been formed in recent weeks. Just give them some 
advice, if you will. And, also, what should they be focusing 
on? What should they be focusing on? Who should they be talking 
to in order to make sure they are getting all the information 
that they need?
    Mr. Noonan. Yes, sir. So, the Secret Service and law 
enforcement work together collaboratively, especially since 
Secret Service has been so engaged in the area and the lane of 
the financial services sector. We work very closely with the 
Financial Services Information Sharing and Analysis Centers 
(FS-ISAC).
    We have developed a very close relationship, not just at 
their headquarters level, but throughout the country in our 
field offices. So, we have a group of 35 Electronic Crimes Task 
Forces throughout the country that those task forces have 
active members of the FS-ISAC sitting with them in these task 
force environments sharing information back and forth. Not to 
mention that the ability of the FS-ISAC, the Information 
Sharing and Analysis Center for the Financial Services Sector, 
they also sit up at the NCCIC. They sit on the NCCIC floor, 
where information flows freely and the FS-ISAC is able to take 
that information that they learned on the NCCIC floor and share 
that out with its different members.
    So, again, any new Information Sharing and Analysis Center, 
should do a couple of different things. It should develop a 
robust relationship with the Department of Homeland Security 
and the NCCIC and try to secure a position on that floor so 
they can gain access to that valuable information to share with 
its members, as well as develop a relationship with the law 
enforcement, Federal law enforcement. We believe that 
relationship is done through the network of our 35 Electronic 
Crimes Task Forces, which its members can join through any one 
of those task forces or through one of the local Secret Service 
offices.
    Chairman Carper. OK. Thank you.
    Just briefly, Mr. Wilshusen, please.
    Mr. Wilshusen. OK. I would just piggyback on what Mr. 
Noonan mentioned, and that is, and as we testified at last 
week's hearing, is to remove the barriers that would allow for 
effective information sharing of these threats, alerts, as well 
as other incidents that occur in this space.
    Chairman Carper. Good. Thanks.
    Ms. Ramirez, just very briefly, please.
    Ms. Ramirez. Let me just say that I applaud all of these 
efforts. From our perspective, anything that could be done to 
increase protection for consumer information is a good step.
    Chairman Carper. OK. Good.
    We are going to excuse you now, but we want to continue 
this conversation and we very much appreciate your input. You 
are part of the solution and we are, too, and we need your help 
and we appreciate the kindness and the counsel you have given 
us today. And we are determined to communicate, to find 
principled compromises, and to collaborate, and we look forward 
to doing all those things with you. Thank you so much.
    With that, we are going to have a brief recess while the 
next panel comes forward. Again, it is great to see you all. 
Thanks so much for your help.
    [Recess.]
    Hello. From one recovering Governor to another, welcome 
aboard.
    Ms. Kennedy, nice to see you again.
    Tiffany Jones, thank you so much for coming.
    You heard a little bit of advice there from the first panel 
to each of you and I hope you will take it to heart. We will, 
as well.
    But, our first witness is the Honorable Tim Pawlenty. 
Governor Pawlenty--he used to be Chief Executive Officer for his 
State, and I still say that is the best job around, at least 
for a guy in our business--but, Chief Executive Officer now for 
the Financial Services Roundtable, an advocacy organization for 
America's financial services industry. Prior to joining the 
Financial Services Roundtable, Governor Pawlenty served, as we 
know, as the Governor of Minnesota for two terms. We are happy 
to see you.
    Our second witness is Sandra Kennedy. I have not talked 
with her since yesterday, and it is good to see you again this 
soon. She is President of the Retail Industry Leaders 
Association, the trade association for America's largest and 
most innovative retail brands. In this position, Ms. Kennedy 
works to promote the public policy interests of its members to 
ensure continued growth in the retail industry. Ms. Kennedy 
previously served as the Director of Leadership Dialogue Series 
for Accenture, a global management consulting and technology 
services company, and as the Senior Vice President of Member 
Services for the National Retail Federation.
    Our final witness is Tiffany Jones. Ms. Jones is the Senior 
Vice President of Client Solutions and Chief Revenue Officer 
for iSIGHT Partners, a cyber threat intelligence firm, where 
she leads the development of business strategies and field 
execution. Prior to joining iSIGHT Partners, Ms. Jones worked 
in senior roles at Symantec and served as Deputy Chief of Staff 
at the White House Office of Cybersecurity and Critical 
Infrastructure Protection. All I can say is you must have 
started really early in that work, early in your life.
    All right. We are glad you are here. Your whole testimonies 
will be made part of the record, and feel free to summarize as 
you wish and then we will just have a good conversation.
    Again, my charge to you, as it was to the first group, we 
talked enough about the different people's legislation, 
introducing legislation, the problem, why we need to do 
something. Everybody agrees we have to do something. There is a 
role for the private sector. There is a role for us here. What 
we have to do is figure out our role here, what to do, what not 
to do, so we need your help. I think this is, actually, two 
good panels to help us to accomplish those goals.
    So, Governor, take it away.

  TESTIMONY OF HON. TIM PAWLENTY,\1\ CHIEF EXECUTIVE OFFICER, 
                 FINANCIAL SERVICES ROUNDTABLE

    Mr. Pawlenty. Chairman Carper, good morning, and thank you 
for the opportunity to appear here today to address the 
important topic of data breaches and the further steps needed 
to better protect personal information and the payment system 
from cyber threats. We appreciate your leadership and your 
concern and your commitment to these very important issues.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Pawlenty appears in the Appendix 
on page 267.
---------------------------------------------------------------------------
    In my testimony this morning, I would like to address two 
major points. First, the financial services and retail 
industries are working together to aggressively address 
cybersecurity and the threat of cyber breaches. And second, and 
importantly, we cannot optimally address these challenges 
without congressional action, so we want to urge that, and I 
will touch upon that more in detail in just a second.
    The financial service sector is better prepared than other 
sectors to defend and respond to cyber attacks, but we also 
have more work to do as these threats continue to evolve. We 
have the strongest information sharing process of any critical 
infrastructure sector. Industry-wide initiatives are underway 
to identify and take action on information sharing, tactical 
operations, stronger Internet controls, and more research and 
development. We also plan and run simulations to improve 
defense and resiliency.
    As you know, financial institutions are also regulated and 
examined to ensure compliance with comprehensive data security, 
privacy protection, vendor management, and resiliency 
requirements. The financial service sector proactively works 
with the Treasury Department, regulators in government, and law 
enforcement agencies to improve cyber defenses. We also worked 
with the National Institute of Standards and Technology (NIST) 
as they developed the standards, and we support directionally, 
of course, the cybersecurity framework that was recently issued 
through the NIST process. We do all of this because we owe it 
to our customers to protect them and to maintain and keep their 
trust.
    You have already heard about and touched upon the scale and 
nature of the problems that our industry and the economy more 
broadly is facing, so rather than focus on that, I will focus 
on the future in the remainder of my time.
    In the wake of the recent data breaches at Target and other 
places, Sandy Kennedy and I got together and decided it would 
be best for our consumers and for our industry to collaborate 
with our other industry partners to strengthen our defenses and 
keep the focus on the real enemy, our cyber attackers, and try 
to minimize the finger pointing back and forth about who could 
or should be doing what.
    Chairman Carper. And maybe we should take a lesson from 
that here. [Laughter.]
    Mr. Pawlenty. So, along with 17 other trade associations, 
Mr. Chairman, we established the Merchant and Financial 
Services Cybersecurity Partnership. That partnership overall 
has two major goals, first, to improve overall security across 
the entire payments ecosystem, and second, to bolster consumer 
confidence in the security of their data and the payment system 
overall.
    The partnership consists of a number of things, but at 
core, it is five working groups that will focus on the 
following five topics: One, threat information sharing; two, 
cyber risk mitigation; three, advanced card present security 
technology; four, card not present and mobile security 
technology; and, five, cybersecurity and data breach 
notification.
    Our progress, however, is going to remain inadequate unless 
we have some additional help in partnership with further 
actions needed from Congress.
    Institutions need to have the ability and the necessary 
liability protections to share threat information with other 
private partners and the government when they act in good faith 
to defend consumers and the financial system.
    As was mentioned, we also need robust data breach 
notification legislation setting a strong national notification 
standard. This standard should be clear so that customers can 
understand what happened and companies know what actions to 
take. These standards should be uniform so that customers can 
be treated similarly, regardless of what State they live in.
    Mr. Chairman, your Data Security Act of 2014 and the Cyber 
Intelligence Sharing and Protection Act (CISPA), which was 
recently passed by the House, are both terrific efforts. We are 
very pleased with those efforts and we want to make sure that 
they advance and do all that we can to help you in your efforts 
to advance that legislation.
    In the end, all of us, retailers, financial service 
companies, the government, want to stop attacks in real time 
and prevent them, and we also want to make sure that if in the 
event attackers do break through, that they find nothing of 
value and cannot leave our system with things of value.
    Mr. Chairman, we believe the partnership between the retail 
industry and the financial service industry will help us get 
closer to achieving these goals. We will certainly keep you 
informed of our efforts and our progress. We do not view this 
as a multi-year framework. We would like to get this up and 
running with results over the next 6 to 12 months.
    And we also hope that the legislation that I referenced 
will pass the U.S. Congress. It is overdue. It is urgently 
needed. And we appreciate your efforts and leadership in that 
regard, and I certainly welcome any questions once the panel 
comments are complete.
    Chairman Carper. Great. Governor, thanks for those 
comments, and we appreciate your work on this and look forward 
to being your partner. Thank you. Ms. Kennedy.

 TESTIMONY OF SANDRA L. KENNEDY,\1\ PRESIDENT, RETAIL INDUSTRY 
                      LEADERS ASSOCIATION

    Ms. Kennedy. Chairman Carper, Ranking Member Dr. Coburn, 
and Members of the Committee, thank you for the opportunity to 
testify today before the Committee.
---------------------------------------------------------------------------
    \1\ The prepared statement of Ms. Kennedy appears in the Appendix 
on page 273.
---------------------------------------------------------------------------
    The Retail Industry Leaders Association (RILA) represents 
the Nation's largest and most innovative retailers. Together, 
our members employ millions of Americans, generate more than 
$1.5 trillion in annual sales, and operate more than 100,000 
stores and distribution centers around the world.
    I welcome the opportunity to talk today about cybersecurity 
threats we collectively face and steps that the retail industry 
is taking to address them in order to better protect our 
customers. I am pleased to be testifying alongside Governor 
Pawlenty, a person with whom I have developed a strong working 
relationship as we pursue this very important partnership.
    The threat of cyber attacks is all too common. Though we 
place a premium on security, cyber criminals are persistent and 
their methods of attack are increasingly sophisticated. As we 
have seen, no organization, be it business, nonprofit, or 
government agency, is immune from attacks. Given the scale and 
impact of the threats, and with strong support of our Board of 
Directors, RILA launched a comprehensive initiative in January. 
The initiative is intended to enhance the industry's existing 
cybersecurity efforts, inform the public dialogue, and build 
and maintain consumer trust.
    We have identified three main components relevant to 
today's hearing: Strengthening threat information sharing in 
cybersecurity; engaging with Congress on breach notification 
legislation; and collaborating to pursue enhancements to 
payment security.
    There is widespread agreement that merchants should have 
had an information sharing mechanism through which retailers 
can communicate with each other about threats. To that end, 
RILA formed a council made up of the top security executives at 
our member companies. The council has formed a partnership with 
the National Cyber Forensics and Training Alliance, and we met 
last week at its headquarters to begin the important work of 
establishing a trusted forum. The forum will allow retailers to 
share threat information and collaborate with businesses and 
government agencies on solutions to combat cyber criminals. We 
have already begun to study the threat sharing model used by 
the financial services industry and believe there is a great 
deal that we can learn from that industry.
    The initiative also calls on Congress to pass a national 
breach notification law. Following a breach, retailers secure 
their systems and make every effort to provide timely 
notification and actionable information to their customers. 
RILA urges that Federal breach notification legislation, one, 
preempt the State laws in place today; two, take into account 
the practical realities of notification, such as providing 
adequate time to secure the breached environment, investigate 
and analyze the breach, and comply with any law enforcement 
direction; and, finally, be proportional and linked to the risk 
of harm, be it financial fraud or identity theft.
    We applaud Chairman Carper, Senator Blunt, and other 
Members of this Committee, for pursuing breach notification 
legislation. We want to work with you on a Federal bill that 
will be consistent with the goals I have outlined.
    Finally, RILA's initiative recognizes the need to 
strengthen security within the electronic payment system. The 
initiative spells out near and long-term actions that can be 
taken to improve payment security, including retiring the 
magnetic stripe, adding PIN authentication to all credit and 
debit card transactions, migrating to chip and PIN cards, and 
collaborating on solutions to online, mobile, and other 
transactions where the physical card is not present.
    While retailers believe these goals are reasonable, 
achieving them will be challenging and require substantive 
collaboration across the entire payments ecosystem. The need 
for collaboration was the genesis behind our partnership with 
Governor Pawlenty.
    The tasks of these working groups, which Governor Pawlenty 
described, are significant, but we believe that they are 
achievable and we are committed to pursuing significant 
progress over the course of the next 9 to 12 months. While we 
expect there to continue to be issues on which we disagree, we 
have a shared obligation to consumers to find ways to improve 
payment security.
    In closing, we believe by working together with public and 
private sector stakeholders, we can maintain the strongest 
defenses against cyber attacks and render stolen data largely 
valueless to cyber criminals.
    Again, I very much appreciate this opportunity, Mr. 
Chairman, and welcome your questions.
    Chairman Carper. Thank you, Ms. Kennedy. Thank you.
    Tiffany Jones, welcome. Please proceed.

  TESTIMONY OF TIFFANY O. JONES,\1\ SENIOR VICE PRESIDENT AND 
          CHIEF REVENUE OFFICER, iSIGHT PARTNERS, INC.

    Ms. Jones. Chairman Carper, Ranking Member Coburn, and 
distinguished Members of the Committee, thank you for the 
opportunity. My name is Tiffany Jones. I represent iSIGHT 
Partners, a leading cyber threat intelligence firm. Over the 
last 7 years, we have built a team of over 220 experts 
dedicated to studying cyber threats in many nations across the 
globe and enabling organizations to protect themselves against 
these threats.
---------------------------------------------------------------------------
    \1\ The prepared statement of Ms. Jones appears in the Appendix on 
page 278.
---------------------------------------------------------------------------
    There are a variety of different threat domains that make 
up the cyber threat landscape today. Each of these threat 
domains is motivated differently. For example, Cyber Espionage, 
targeted intrusion operations aimed at corporate and government 
entities to collect information for the purpose of strategic 
advantage, can be politically motivated or economically 
motivated. Cyber hacktivism focuses on the intentions and 
capabilities of politically or ideologically motivated actors. 
And then you have cyber crime focusing on cyber threats from 
primarily financially motivated actors.
    The intelligence we research, analyze, and disseminate, 
coupled with the scope, scale, and duration of the recent 
retailer attacks, leads us to one very clear conclusion. We 
need to stop thinking about cyber crime like the movie, ``Catch 
Me If You Can,'' one clever young man assuming identities and 
passing bad checks, and instead, we need to understand that 
cyber crime is more like the movie ``Goodfellas,'' an organized 
community of bad people intent on crime, economically 
motivated, increasingly sophisticated, and operating without 
much fear of law enforcement.
    Cyber crime is a global industry, with a division of labor. 
It involves supply chain as well as a defined value chain. This 
chart over here actually gives you an overview of what the 
value chain looks like.\1\
---------------------------------------------------------------------------
    \1\ The chart referenced by Ms. Jones appears in the Appendix on 
page 281.
---------------------------------------------------------------------------
    In step one, you have malware. Cyber crime starts with 
malware. Think of this like the App Store for hackers. 
Thousands of developers craft hacking tools and tool kits with 
various features, functions, and capabilities and then sell 
them in a broad array of electronic markets. Prices can range 
from a few to several thousand dollars. Just like an App Store, 
only a fraction of the malware goes on to be popular, depending 
upon the features, the targeted vulnerability, usability, and 
other characteristics. But at any point in time, there are 
probably a few thousand notable pieces of malware on the 
market, with 10 new entrants that warrant real analysis in a 
given month. At higher prices, subscriptions of $5,000 to 
$15,000 per month, there is also private access to malware 
developers. These are the more sophisticated designers.
    Step two is the infrastructure. Cyber criminals must 
obfuscate their operations. This means buying, storing, 
computing, and network services from dedicated infrastructure 
operators. Think of criminal cloud computing. This is a large 
and varied segment of the market, everything from securing $50 
domain names to $1,000 per server, per month hosting 
arrangements, and some of these organizations can scale to 
multi-million-dollar operations serving more than a thousand 
criminal clients at a time.
    Step three is the cyber crime operators. Like 
entrepreneurs, operators assemble temporary teams, acquire 
tools, secure infrastructure, and execute against a plan. The 
better the plan, the bigger the payout. Like entrepreneurs, the 
very best exploit a market need, quickly monetize the value, 
and move to the next opportunity. In fact, one recent 
observation we have observed netted as much as $3.8 million for 
the operator and their team in just a couple of short months.
    Step four, the brokerages or intermediaries. To monetize 
stolen assets in cyber crime, typically, this is some form of 
personal data--credit card, health insurance, Social Security 
numbers, PII. The operators take that bulk data to brokers. 
Think of these players, again, numbering in the thousands, as 
wholesalers. The brokerages pay bulk prices to the operators 
for the stolen data and then parcel it up into sizes that a 
large number of smaller criminals can use. At the retail level, 
this looks like an underworld eBay with prices set by type, the 
newness, the quality, and the completeness of the stolen data. 
More reliable sellers get higher prices.
    In early December, we saw complete U.S. credit cards at 
$100 per card. But with the dramatic increase in supply due to 
several recent retailer breaches, the price dropped to $50. 
Much of that card data is now dated and U.S. cards are selling 
closer to $16 per card.
    Step five is the card buyers and mules. The transition from 
the criminal economy to the traditional economy presents the 
biggest bottleneck right now for cyber crime. Using stolen 
information involves risks and transaction costs, so most cyber 
criminals leave much of the small change on the table while 
focusing their efforts on the big quick hits. Card buyers and 
mules bear most of the risk. The typical card buyer or mule for 
receiving stolen property or bank payments is just a small 
time, sometimes even occasionally unwitting, criminal. Think of 
them as the intern of the cyber crime industry. They get 
relatively small payments for relatively small crimes. They are 
typically involved in the illegal activity for a short time and 
have no connection with the larger criminal enterprise. Like a 
pickpocket who just takes the cash from your wallet, their gain 
is small, but your loss in time, effort, and personal value can 
be significant.
    So, as you can see, the scope of the cyber criminal market 
is daunting and the money made pales in comparison to economic 
value destroyed as a result. At any time, there are tens, if 
not hundreds of thousands of independent actors. They are 
global. They are unregulated. They are better equipped, better 
trained, and more experienced than many of their law 
enforcement counterparts, and they are growing bolder. You will 
see, like the 2013 retailer breaches, again, with greater 
frequency.
    Business and government have started to understand the 
scope of the problem. They are increasingly shifting to an 
intelligence-led cybersecurity approach to improve prevention, 
speed response, and solve the cybersecurity risk equation. 
There is progress, but there needs to be more of it. Thanks to 
government entities like the Department of Homeland Security, 
U.S. Secret Service, and others, the severity and scope of the 
problem is becoming increasingly evident.
    I will be happy to answer any questions that you have 
following our discussion here today.
    Chairman Carper. Thank you. Thank you all for good, helpful 
testimonies.
    If you were here for the beginning of the first panel, I 
said to that panel--I quoted Abraham Lincoln. The role of 
government is to do for the people what they cannot do for 
themselves. And I asked them to help us figure out what the 
private sector can do in this regard to protect information, 
money, things of value, particularly with respect to these 
breaches. But, what can the government do and what should the 
government do? And there is a broad range of views on what is 
the role of the government. We heard a little bit of that this 
morning.
    But what I am trying to get at is consensus. If I had the 
first panel still here, I would put all of you up here and say, 
let us just go down the line and tell me where you think you 
agree. Tell me where you think you agree on what the government 
should do. What is our role? And let me just ask that, and 
Governor, I will ask you just to lead off. What is our role?
    Mr. Pawlenty. Mr. Chairman, I think there are a number of 
things the government can and should do, and we would urge you 
to take these actions. First of all, it is appropriate for your 
Committee to be focused on these issues. As was mentioned, many 
of these instances are not just transnational criminal 
elements, but we, of course, through public reports and 
otherwise, have reason to believe there is the prospect of 
cyber terrorism, self-declared cyber jihadists, and other 
elements that would fall into the category of not just 
cyber criminal activity, but potential for cyber terrorism. So, 
obviously, your Committee is appropriately focused on these 
issues.
    At a minimum, Mr. Chairman, we hope that the Senate and the 
Congress more broadly would take action promptly on the 
national data breach notification laws that will help in terms 
of the response to incidents, but we also should realize that 
that is just one step and an incomplete step. We also need to 
do all that we can to be better prepared and more resilient on 
the prevention side.
    One thing that would help tremendously, Mr. Chairman, is if 
the Congress would pass an information sharing bill that would 
be similar, or at least directionally similar to the House 
CISPA bill. We realize that post-Snowden, that became more 
difficult, but we hope that post-Target, that that becomes more 
possible.
    Again, we are, as an industry and our sector, in 
particular, are extraordinarily dedicated on these issues. 
Fortunately, the financial service sector has not yet 
experienced a large-scale successful attack, but we are greatly 
concerned about these issues and these challenges and we would 
be better prepared and could be better on the prevention side 
if Congress would allow that threat information sharing bill.
    To give you one example, if we have reason to believe, good 
faith, a reason to believe that a certain entity or an Internet 
Service Providers (ISP) address is preventing threatening 
information and we move to constrain or shut off that ISP, even 
though we did it in good faith as a way to stop the contagion, 
if we do not have some protection around that action, if it is 
done in good faith for proper reason, we are going to be less 
likely to do that. If we are going to share threat information 
with another entity or the government and it is going to get 
the Freedom of Information Act (FOIA)-ed, it turns out to be 
not what we thought it was and we are going to get sued over 
that, or the entity is going to get sued over that, those are 
the kinds of things that are deterrents to more high-speed, 
more aggressive defensive mechanisms, and a bill like that 
would help, sir.
    Chairman Carper. OK. That is very helpful. Thank you. Ms. 
Kennedy.
    Ms. Kennedy. At the risk of being repetitive, Mr. 
Chairman----
    Chairman Carper. Repetition is good. [Laughter.]
    This is one of those instances where repetition is good.
    Ms. Kennedy. We support Federal breach notification 
legislation, as well, and as you know, it is one of the working 
groups that the Governor and I will be working on with our 
fellow associations. It is important that such legislation 
creates a single national law that preempts the State laws so 
that we are not having to comply with a patchwork of 46 or 47 
different State laws.
    It is also important that notification be proportional to 
harm. If someone has stolen my shoe size or the type of cookies 
I like, that is one thing. If they have stolen my personal 
information related to my payment system, that is another. So, 
that is important to us, as well as making sure that it is 
reasonable given the operational requirements as well as those 
that are placed on us by law enforcement.
    Chairman Carper. Give us some--that word ``reasonable'' is 
going to be not an easy one to define. Just think out loud 
about what, when you say reasonable, what are you thinking?
    Ms. Kennedy. I am thinking that----
    Chairman Carper. Or maybe some examples.
    Ms. Kennedy [continuing]. It takes time for our members to 
identify the threat, to stop the threat, to assess the damage 
that has been done, and the data that has been stolen. And, of 
course, law enforcement has a role in that. So, I think it is 
important that that is all considered in terms of the 
practicality of the legislation.
    Chairman Carper. OK. Ms. Jones, same question.
    Ms. Jones. A couple of ``don't''s and then a couple of 
``do''s.
    Chairman Carper. Umm, I like that.
    Ms. Jones. Do not seek to be technically prescriptive, so----
    Chairman Carper. Chip and PIN. It is not our job to say----
    Ms. Jones. So, chip and PIN, I will say, does increase 
security, absolutely, so if there is any question about that it 
does. But it is not the panacea. And so----
    Chairman Carper. Is it our role to prescribe that? I think 
not.
    Ms. Jones. I do not think so. But I do think it is 
absolutely in your authority to look at the overall standards 
and make sure that they equate to the threat that is today, all 
right.
    Chairman Carper. Someone said to me, they said, if you want 
to go ahead and prescribe chip and PIN, you can do that, but 
the threats change, technology changes. He said that to me, if 
you have not noticed, sometimes it is hard to get Congress to 
move, and we need to be able to move a lot faster.
    Ms. Jones. Yes, and our information technology is 
dynamically changing, as well. And so today's cool thing is 
going to be tomorrow's, oh, that was so yesterday, right. So, I 
think there are other things to consider. I would say, think 
about it in the sense of do all that you can to deter the bad 
guys from getting in, but also, assume that they are in. How do 
you protect the data, assuming that the bad guys are in the 
environment? So, things like encrypting data at rest, 
encrypting data in transit, those types of things are also 
really important to think about.
    Chairman Carper. What was the first thing you said, 
encrypting data at rest? What does that mean?
    Ms. Jones. Correct. So, if it is just sitting there in a 
server, in a storage space, in a data center within an 
organization's environment, it is sitting there at rest. And in 
many cases for a lot of organizations today, they actually are 
only encrypting data as it is being transferred from their 
environment to another organization or environment. That is 
data in transit. So the data at rest is simply when it is just 
sitting there within their organization. Is it being properly 
protected?
    Chairman Carper. OK.
    Ms. Jones. And then, do not equate the quantity of arrests 
in cyber crime with the quality of arrests. Focus prosecution 
higher in the value chain. It makes a significantly bigger 
impact. And, again, I applaud the work of Secret Service and 
DOJ and what they are doing there. I think they are making the 
right steps, for sure.
    I would say on the ``do'' side, do increase global 
collaboration. Most of these people, these threat actors, are 
not inside our borders, and so that global collaboration among 
law enforcement is absolutely critical.
    And do pass national data breach legislation. It was said 
quite eloquently, there is a patchwork of State laws. I think 
of my mother and I think of, why does it matter what State she 
lives in to determine the level of protection that she has? It 
should not.
    Chairman Carper. Where does your mother live?
    Ms. Jones. She lives in Illinois.
    Chairman Carper. OK. Well, if things get too hot there, she 
is always welcome to come to Delaware.
    Ms. Jones. Delaware. [Laughter.]
    Chairman Carper. And when it gets hot, people will come to 
Delaware and they will go to our beaches. We have, I think, 
more five-star beaches than any----
    Ms. Jones. They are beautiful.
    Chairman Carper [continuing]. Any State in the country. We 
are very proud of them. But, one of them is Rehoboth Beach. 
Rehoboth translates literally, Governor, and means room for 
all. Is that not nice? Room for all.
    All right. Some of you said very nice things about the 
legislation that Senator Blunt and I have introduced. I like to 
say, everything I do, I know I can do better. I think that is 
true of all of us. It is certainly true of the Federal 
Government, Federal agencies. But not everyone appreciates 
every aspect of our bill and I would just invite you to--you 
have heard some of the criticisms of each of the major pieces 
that have been introduced in the Senate. But just share with us 
some of the criticism, whether they are legitimate or not, of 
our legislation. And if you think those are reasonable 
criticisms that should be addressed in modifying our 
legislation, fine. I would like to hear that. If some of the 
criticisms, you think, are just not very well founded, not very 
well thought out, then help us rebut those. If you could do 
that, that would be much appreciated.
    Do you want to go first, Ms. Jones.
    Ms. Jones. I have no criticisms on the legislation----
    Chairman Carper. But maybe criticisms that you have heard, 
because I read some articles where folks have taken some big 
potshots at the handiwork of Senator Blunt and myself.
    Ms. Jones. I think one of the criticisms, in general, for 
not wanting to pass national data breach legislation has simply 
been that you create a baseline that is so low, maybe there are 
certain State laws today that have higher levels of protection 
for their consumers. But, I counter that simply with just 
having a consistency across the Nation is more important for 
the consumer than the patchwork. And the amount of money that 
companies are spending today just on compliance is pretty 
unbelievable to deal with the various State laws. So, I think 
it is really important that they can reinvest their dollars 
that they are spending in compliancy today and actually put it 
into information security protection.
    Chairman Carper. OK. Thank you.
    Ms. Kennedy, what are some of the criticisms you have heard 
of our bill that you think are reasonable, should be 
incorporated, maybe some that are less thoughtful, and rebut 
those. Rebut those for us, if you could.
    Ms. Kennedy. I think that as we looked at your legislation, 
we certainly support the preemption and the recognition that 
businesses have practical operational areas they need to 
address before they do notification.
    We would welcome the opportunity, I think, to talk to you 
about enforcement, to make sure that the FTC has very clear 
direction on what enforcement looks like. And that is----
    Chairman Carper. All right.
    Ms. Kennedy. Otherwise, we are in agreement with a number 
of things in your bill.
    Chairman Carper. Governor Pawlenty.
    Mr. Pawlenty. Mr. Chairman, I would echo those comments and 
just say there has been some criticism, not by us but by 
others, on the standard that is set in terms of substantial 
harm and inconvenience to the consumer. We think that standard 
strikes the right balance. Obviously, it is going to be 
interpreted, and so some others have expressed concern about 
that, but we just reinforce that we think that you and Senator 
Blunt have struck the right balance in that regard.
    If I might, Mr. Chairman, just for a second jump back to 
the issue around mandating technology, for all the reasons that 
were mentioned by Ms. Jones, we concur with that. Keep in mind 
that there are--as cards get misused, there are fraudulent or 
forfeited cards, and, of course, the chip protects the security 
of the card and so it cannot be forfeited or it would be much 
more difficult to forfeit. And then the PIN authenticates the 
user, or a signature does, or in some cases of small 
transactions, no signature.
    So, technology in the payment space is going to continue to 
evolve. It already is evolving rapidly. But also, keep in mind 
that relates to card present environments, and as commerce 
continues to migrate to the virtual space and e-commerce 
platforms, there is a whole another set of concerns and issues 
and opportunities around something called tokenization, secure 
cloud transactions in the space that will address the card not 
present environment that is important to the discussion, as 
well, because if you make it much more difficult for the fraud 
to occur at the card present environment, it will shift to the 
card not present environment and we need to do both.
    Chairman Carper. All right. Thank you. Card not present--
that is one I just learned this week. I hear all these new 
terms. No wonder my colleagues and I have a hard time figuring 
out what to do here. It can get pretty confusing.
    One of the things you are trying to do with this new 
partnership, though, Governor and Ms. Kennedy, is to try to 
take some of the obligation or the work that needs to be done 
off of our plates and really put it where it better belongs, 
and that is on yours. But we are pleased to see people like you 
and the folks you represent working together on these issues, 
and the new partnership certainly seems on its surface to be a 
step in the right direction. We would like to hear just a 
little bit more about it before we close, and if you maybe 
could just share with us some of the goals that you see.
    Mr. Pawlenty. Sure.
    Chairman Carper. These are the goals that we have for this 
partnership, and maybe give us a snapshot of the timeline for 
the group, please.
    Mr. Pawlenty. Sure. Well, again, I want to tip my cap to 
Sandy Kennedy and her leadership in the Retail Industry Leaders 
Association. They came forward on behalf of that sector and 
have been extremely constructive and forward leaning on these 
issues.
    We have said, to your 80/20 comments earlier, there is some 
stuff we are not going to agree on about card replacement costs 
and some of the fallout of these previous breaches. That is 
going to get litigated and settled, hopefully, in another 
forum. But, there is a lot of stuff we can agree on, so we are 
focused on that, and we think we can agree and hope to agree on 
these things.
    One, come together with a statement of principles, maybe 
even a specific statement of support on national data breach 
notification legislation.
    Two, make sure that we do all that we can to agree upon and 
advance cybersecurity information sharing legislation.
    But on the things we can do ourselves, we have realized 
even in the early inventory of practices, government to 
industry, industry to industry, that there is a lot that this 
partnership can share without government mandating a 
requirement on technology best practices, cyber best practices, 
cyber defenses, resiliency, simulations, sector coordinator 
councils, and much more. So, we can get that done.
    And then, last, there has not really been a good forum for 
various players in the payments ecosystem--retailers, card 
issuers, merchant acquirers, financial institutions, the banks 
on the other end of the transaction, various other cyber 
entities--coming together to talk about, can we agree on where 
we are headed in the so-called Europay, Mastercard, and Visa 
standard (EMV), card present, card not present, next steps on 
technology and cyber defenses.
    So, at the very least, we hope we can convene that 
discussion, but we believe that out of that discussion we can 
agree on some next steps that will be very important and 
helpful, and our timeline is 6 to 9 months, Mr. Chairman.
    Chairman Carper. OK. Thanks. Ms. Kennedy.
    Ms. Kennedy. I would just like to elaborate a little bit on 
the working groups. As I mentioned, they are comprised of 
executives from both the financial services as well as from our 
merchant members and they have clear objectives. We are working 
with people to help keep us on track, project management. They 
have clear deliverables, and they are going to be challenging 
deliverables, but we think that it is important for our shared 
customer that we deliver on those.
    I would also like to say that this has been a very welcome 
partnership. The payments system is an ecosystem and you have 
to have all the links in place and everyone as strong as they 
can be. So, we are going to learn a lot, I think, from our 
partners, and I think that we are also going to have an 
opportunity to address the future issues that we are going to 
face. The way our customers are shopping is changing every 
day, whether it is mobile or it could be wearable technology. I 
mean, they are adapting so quickly. So, it is very important 
that the payment system keep up with that so that confidence is 
maintained with our customers and they continue to shop with 
us.
    Chairman Carper. OK. The words ``information sharing'' have 
been mentioned a time or two on this panel, and I think even on 
the first panel, and I am not sure--Governor, I think it might 
have been you who mentioned what we might need to do to 
facilitate information sharing. Can you just drill down on that 
for me a little bit, please.
    Mr. Pawlenty. Sure, Mr. Chairman. One of your previous 
witnesses on the panel before us made reference to a recent study 
that I think is worth just camping on for a minute. The 
Washington Post recently reported that the Federal Government 
notified 3,000 businesses last year that they were breached, 
and the Verizon study indicated that 70 percent of those 
companies did not know they were breached until the Federal 
Government told them.
    So, when you think about these issues from a Federal 
Government knowledge standpoint and capacity standpoint, of 
course, that knowledge resides, oftentimes, in the FBI, Secret 
Service, Department of Defense, the National Security Agency 
(NSA), Homeland Security, Treasury, and others. So, there is an 
opportunity and a challenge to better integrate and coordinate 
intergovernmental information sharing and it is not optimized 
at the moment. But then, also, there is a need for that 
information to flow to the private sector in appropriate ways, 
respecting privacy rights.
    The FS-ISAC, and I know the Financial Services Sector 
Coordinating Council (FSSCC) which you are speaking to later 
today, are examples of portals between government and the 
private sector that allow that information to flow. But, unless 
we have the legal changes that I mentioned earlier that provide 
those protections for information sharing done in good faith--
again, threat information, not personal information--we cannot 
move this to the place that it needs to go. And so that is 
really needed and it is really helpful and it is one of the 
best things that we can do. The NSA, for example, is viewed by 
many as the best entity when it comes to cyber and they were 
breached. They had a massive breach, internal, insider threat. 
It crossed numerous platforms.
    So, the point is, the government has great knowledge they 
can share with private industry, but private industry, if one 
of our members shares it with the government and then it 
becomes a FOIA request and you have knowledge that is 
proprietary and/or you misstate something, even though it is 
done in good faith, the lawyers get a hold of that, class 
action suits start, regulators might want to be interested in 
that. Unless you have some rules of the road going into that, 
you are going to be less likely to share the information lest 
you know what is going to happen to it.
    Chairman Carper. All right. Ms. Kennedy, as you know, in 
this Committee, we work a fair amount on cybersecurity. We work 
on other things, too. But particularly with the defensive side, 
we often hear that technical collaboration and information 
sharing are essential parts to a strong cyber defense. Talk to 
us just a little bit here on information sharing, and I am 
going to give you a chance to ask you to come back and just 
revisit it with us here again, but do you think that the recent 
series of breaches has impacted the level of information 
sharing between companies, the willingness to share information 
between companies, the willingness to share information with, 
we will say, law enforcement, with Federal agencies?
    Ms. Kennedy. Absolutely, Mr. Chairman. We think it is 
imperative, and it was really key to our initiative that was 
approved by our Board of Directors, and we have already started 
that process. I think information sharing has been occurring 
within our industry, but we think it is important that we 
formalize that in some way and we are looking at different ways 
to do that now. We had, I believe, 30 of our member companies 
in Pittsburgh last week for a meeting where that was one of the 
central discussions, of how we can effectively share 
information to make sure that we are doing all that we can to 
protect our customer.
    Chairman Carper. OK. Ms. Jones, are you up for one more 
question?
    Ms. Jones. Absolutely.
    Chairman Carper. OK. This is really more of a focus, I 
guess, for law enforcement, but we will deputize you----
    Ms. Jones. Thank you.
    Chairman Carper [continuing]. And ask you to step up to the 
plate. But, I think in your testimony, you provide a fair 
amount of background on the criminal networks that are often 
behind the data breaches that we are talking about here today. 
I was especially interested to learn about all the different 
steps that are needed to monetize the personal information that 
is stolen from an organization.
    And before I ask the question, as it turns out, one of the 
credit card banks that is involved in the Target breach is TD 
Bank and their credit card operation is in Wilmington, 
Delaware. We actually visited with them, and this was a month 
or so ago. We are interested in learning just how most of the 
losses are absorbed, I think, by banks, not by the merchants in 
these cases--trying to just get them to give us a sense for how 
much money was at stake here and at risk here to be lost. And I 
was struck by one of the things they said, and I think we heard 
it here, as well.
    The folks who actually figured out how to get in and steal 
the data or the information from Target were pretty good at 
doing that. They were less adept at monetizing and figuring 
out, once they had all this information, what to do with it and 
an effort to make money. The banks reacted very quickly. They 
immediately sent out to people like me new credit cards and 
responded. There is a lot of cost to this stuff, I am sure. 
But, the losses were, I think, a good deal less than certainly 
I ever expected them to be. And, again, the reason that was 
explained to me, they are better at stealing the data than 
actually monetizing, which is a good thing. It is a good thing.
    Where in the process are cyber criminals most vulnerable? 
In other words, where in the process should U.S. law 
enforcement be targeting our limited resources? This is 
something Dr. Coburn talked about quite a bit.
    Ms. Jones. Yes, absolutely.
    Chairman Carper. Go back and revisit that.
    Ms. Jones. So, pertaining to where law enforcement needs to 
focus, I think as I had talked about the ecosystem, lots of 
different players, loosely affiliated, or highly organized 
crime cells, I think you have to move up into the supply chain. 
Do not be going after the mules, necessarily, the small petty 
theft folks. I mean, yes, you want to try to gather all that 
you can and go after them all, but if you have limited 
resources, you really want to go after the highly organized 
kind of crime organizations that are really ultimately trying 
to monetize all of this, right.
    The operators, the infrastructure providers, they are just 
small pieces in all of this. Now, if you can start going after 
different points in the supply chain, you are going to get 
further along. But, ultimately, you get one infrastructure 
provider, pull him away, another will show up, because the 
demand is there. It is very low cost overall and low skill to 
establish those capabilities. You just have to have the 
resources to go buy them.
    Chairman Carper. OK. The last question is, we asked you to 
give an opening statement, and sometimes, if we have time, I 
like for our witnesses to give us a closing statement, 
especially when we are trying to develop consensus on an issue 
about which there is not absolute consensus. You can take 
advantage of this opportunity if you would like and give us a 
short closing statement. But if you have something you want to 
reiterate, a point that has been made, something that one of 
your colleagues has said that sort of triggered a thought, that 
would be fine, as well. But, just a very brief closing 
statement, maybe a minute or so.
    Mr. Pawlenty. Just very briefly, Mr. Chairman, thank you 
again for your leadership and your commitment to these issues.
    I would just try to impress upon you and the Committee a 
sense of urgency. The nature and sophistication and pace of 
these attacks is evolving daily, weekly, and it is concerning. 
And I hope that we do not find ourselves a year from now or 2 
years from now waking up to a bigger problem, wishing action 
would have been taken earlier.
    So, if I were to just emphasize one theme, it would be a 
sense of urgency. As the threat increases, the pace of response 
needs to increase from us, from our partners, and, candidly, 
from the Congress.
    Chairman Carper. Good. Thank you. Ms. Kennedy.
    Ms. Kennedy. Cybersecurity is a top priority for the retail 
industry, and we are working in an ecosystem. The data that has 
been stolen was payment data, so it is important that we have 
our partners on board and it appears that we are going to make 
some great progress in that area.
    I think it is also important in this ecosystem to 
understand that we also share in the loss, share in the fraud. 
The Federal Reserve, in fact, puts it at almost 50/50. So, as 
we look at this, we all have a stake in this game.
    Chairman Carper. Good. We all have a dog in this fight.
    Ms. Kennedy. We do.
    Chairman Carper. Yes. Ms. Jones.
    Ms. Jones. Everybody is using the term ``cybersecurity'' as 
the buzz term of the day, but at the end of the day, what this 
is is just simply a risk management problem, like many problems 
out there today. But, we are not treating it like a risk 
management problem, typically. We are typically treating it 
like, let us throw more technology at the problem.
    And I think one of the things that we are recognizing in 
speaking--I am going around the country, speaking to a lot of 
retailers right now who have lots of questions--they are really 
trying to wrap their arms around, what is the threat? They 
actually do not have a good sense for their threat profile, 
many of these companies. And so you cannot solve for risk if 
you do not understand the threat profile.
    So, I would say, as we look at things like the NIST 
framework that I know there has been a lot of work that has 
gone into, making sure, threat is really brought in more 
effectively into the risk equation is going to be critical. 
Otherwise, we are continuing to solve for vulnerability 
mitigation.
    Chairman Carper. Well, that is a good note to end on.
    About a year ago, a fellow named Pat Gallagher sat right 
where you are sitting and he is now the Deputy Secretary of 
Commerce. But, for a while, he was the person--in fact, he may 
be double-hatted, I do not know, dual-hatted, and still running 
NIST. But, he sat right there where you sit and he said in his 
testimony, we will know we are in the right place in this arena 
when good cyber policy is synonymous with good business policy. 
That is what he said. We will know we are in the right place 
when good cyber policy is synonymous with good business policy 
and where the government has less of a need to, like, to 
command and control, to dictate, whether it is technology or 
best practices and so forth. But when the folks that are either 
controlling the critical infrastructure, our merchants, our 
banks, whatever, when good cyber policy is good business 
policy, we will know we are in the right place.
    I think we are actually moving in that direction, of which 
I am pleased. I think Pat and the folks at NIST did a very nice 
job working on the framework. I call it a blueprint or a 
roadmap. They got a lot of good support, a lot of good input, 
including from the folks at the table here and your member 
organizations, and we are grateful for that.
    One of the other things I learned from that effort is, we 
will say on the day that the framework was put out there, best 
practices, it was out of date, because the nature of the 
attacks change all the time and we continue to have to evolve. 
It has to be a dynamic framework, if you will, dynamic 
blueprint, and we will seek to do that.
    I think we will probably wrap it up here. This has been 
helpful, and we are going to be calling on you some more as Dr. 
Coburn, he said he is going to leave us at the end of the year, 
cutting his term short by 2 years, and I said--and he said he 
wants to finish strong. I want him to finish strong. I want us 
to finish strong and this would be a great area for not just 
the two of us to collaborate with John McCain and with Roy 
Blunt, but also Pat Leahy, Senator Leahy, with Jay Rockefeller, 
with John Thune and with Pat Toomey, all of our colleagues, 
Democrat and Republican, working with a lot of folks like you. 
And we look forward to doing that.
    I am going from here to a luncheon, not a cyber luncheon, 
but a luncheon that Senator Reid, our Majority Leader, hosts 
every couple of weeks of Committee Chairs, and the first thing 
on our agenda is going to be to talk about this issue, data 
breach, and maybe how can we collaborate, how can we 
communicate, and how can we find principal compromises that 
advance the security of our Nation's citizens and our 
businesses.
    With that, the hearing record will remain open for 15 days. 
I think that is until April 17, at 5 p.m. for the submission of 
statements and questions for the record. I suspect you will 
have some, and we would very much appreciate your responding to 
them in a timely way.
    Again, thank you all very, very much.
    And with that, this hearing is adjourned.
    [Whereupon, at 12:12 p.m., the Committee was adjourned.]




                            A P P E N D I X

                              ----------                              
