b"<html>\n<title> - CYBER THREATS: LAW ENFORCEMENT AND PRIVATE SECTOR RESPONSES</title>\n<body><pre>[Senate Hearing 113-827]\n[From the U.S. Government Publishing Office]\n\n                                                        S. Hrg. 113-827\n\n                     CYBER THREATS: LAW ENFORCEMENT\n                      AND PRIVATE SECTOR RESPONSES\n\n=======================================================================\n\n                                HEARING\n\n                               before the\n\n                  SUBCOMMITTEE ON CRIME AND TERRORISM\n\n                                 of the\n\n                       COMMITTEE ON THE JUDICIARY\n                          UNITED STATES SENATE\n\n                    ONE HUNDRED THIRTEENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                              MAY 8, 2013\n\n                               __________\n\n                          Serial No. J-113-17\n\n                               __________\n\n         Printed for the use of the Committee on the Judiciary\n\n                         U.S. GOVERNMENT PUBLISHING OFFICE \n\n98-755 PDF                     WASHINGTON : 2016 \n\n                    COMMITTEE ON THE JUDICIARY\n\n                  PATRICK J. 
LEAHY, Vermont, Chairman\nDIANNE FEINSTEIN, California         CHUCK GRASSLEY, Iowa, Ranking \nCHUCK SCHUMER, New York                  Member\nDICK DURBIN, Illinois                ORRIN G. HATCH, Utah\nSHELDON WHITEHOUSE, Rhode Island     JEFF SESSIONS, Alabama\nAMY KLOBUCHAR, Minnesota             LINDSEY GRAHAM, South Carolina\nAL FRANKEN, Minnesota                JOHN CORNYN, Texas\nCHRISTOPHER A. COONS, Delaware       MICHAEL S. LEE, Utah\nRICHARD BLUMENTHAL, Connecticut      TED CRUZ, Texas\nMAZIE HIRONO, Hawaii                 JEFF FLAKE, Arizona\n            Bruce A. Cohen, Chief Counsel and Staff Director\n        Kolan Davis, Republican Chief Counsel and Staff Director\n                                 ------                                \n\n                  Subcommittee on Crime and Terrorism\n\n               SHELDON WHITEHOUSE, Rhode Island, Chairman\nDIANNE FEINSTEIN, California         LINDSEY GRAHAM, South Carolina, \nCHUCK SCHUMER, New York                  Ranking Member\nDICK DURBIN, Illinois                TED CRUZ, Texas\nAMY KLOBUCHAR, Minnesota             JEFF SESSIONS, Alabama\n                                     MICHAEL S. 
LEE, Utah\n                Stephen Lilley, Democratic Chief Counsel\n                Sergio Sarkany, Republican Chief Counsel\n\n                            C O N T E N T S\n\n                              ----------                              \n\n                         MAY 8, 2013, 9:05 A.M.\n\n                    STATEMENTS OF COMMITTEE MEMBERS\n\nGraham, Hon. Lindsey, a U.S. Senator from the State of South \n  Carolina\nWhitehouse, Hon. Sheldon, a U.S. Senator from the State of Rhode \n  Island\n\n                               WITNESSES\n\nWitness List\nBaker, Stewart A., Partner, Steptoe and Johnson LLP, Washington, \n  DC\n    prepared statement\nDemarest, Jr., Joseph M., Assistant Director, Cyber Division, \n  Federal Bureau of Investigation, Washington, DC\n    prepared statement\nDurkan, Hon. Jenny A., United States Attorney, U.S. Department of \n  Justice, Western District of Washington, Seattle, Washington\n    prepared statement
\nMandia, Kevin, Chief Executive Officer, Mandiant Corporation, \n  Alexandria, Virginia\n    prepared statement\nMcGuire, Cheri F., Vice President, Global Government Affairs and \n  Cybersecurity Policy, Symantec Corporation, Washington, DC\n    prepared statement\n\n                MISCELLANEOUS SUBMISSIONS FOR THE RECORD\n\nGraham, Hon. Lindsey, a U.S. Senator from the State of South \n  Carolina, and Hon. Sheldon Whitehouse, a U.S. Senator from the \n  State of Rhode Island, Providence Journal eEdition, \n  ``Protecting against cyber-attacks,'' April 9, 2013, Op-Ed \n  article\nUnited States Department of Defense, Annual Report to Congress, \n  Military and Security Developments Involving the People's \n  Republic of China 2013, annual report excerpt\n \n                     CYBER THREATS: LAW ENFORCEMENT\n                      AND PRIVATE SECTOR RESPONSES\n\n                              ----------                              \n\n\n                         WEDNESDAY, MAY 8, 2013\n\n                      United States Senate,\n               Subcommittee on Crime and Terrorism,\n                                Committee on the Judiciary,\n                                                    Washington, DC.\n    The Subcommittee met, pursuant to notice, at 9:05 a.m., in\nRoom SD-226, Dirksen Senate Office Building, Hon. Sheldon \nWhitehouse, Chairman of the Subcommittee, presiding.\n    Present: Senators Whitehouse, Klobuchar, and Graham.\n    Also present: Senator Coons.\n\n         OPENING STATEMENT OF HON. SHELDON WHITEHOUSE,\n         A U.S. SENATOR FROM THE STATE OF RHODE ISLAND\n\n    Chairman Whitehouse. Good morning. I will call this hearing \nto order. 
I believe that Senator Graham will be joining us, but \nin the interest of getting underway on time, we have been \ncleared to proceed and await his arrival during the course of \nthe hearing.\n    I would like to note today's hearing will consider Cyber \nThreats: Law Enforcement and Private Sector Responses. This, as \npress reports indicate every day, is an extremely important and \ntimely topic. Indeed, I would like to add, without objection, \nto the record of this proceeding two pages from the Department \nof Defense Annual Report to Congress that just came out saying, \namong other things, China is using its computer network \nexploitation capability to support intelligence collection \nagainst the U.S. diplomatic, economic, and defense industrial \nbase sectors that support U.S. national defense programs. \nObviously, there is a lot more to this issue than just that, \nbut it is an indication of the timeliness and importance of our \nconcern here.\n    [The information referred to appears as a submission for \nthe record.]\n    Chairman Whitehouse. Technology continues to expand into \nevery area of modern life. Our power stations, our dams, and, \nas the Defense report said, our defense industrial base are all \nonline. And even everyday items like our cars, our home alarm \nsystems, even our refrigerators, are increasingly connected to \nthe Internet.\n    Unfortunately, these innovations have been accompanied by \nnew threats to our prosperity, to our privacy, to our \nintellectual property, to our very national security.\n    This Subcommittee has heard previously about hackers who \nhave taken over the web cams of unsuspecting Americans' \ncomputers. We have heard about hacktivists like Anonymous using \ndistributed denial-of-service attacks against financial \ninstitutions. 
We have heard about criminal rings that use \nbotnets to send spam, to send spear-phishing emails, to capture \nand sell Americans' credit card information, or to engage in \nclick fraud, scareware, or ransomware schemes.\n    And, finally, we have heard about the advanced persistent \nthreats that have allowed foreign entities to steal enormous \nquantities of American intellectual property and to worm their \nway into our American critical infrastructure.\n    This hearing will consider our Nation's law enforcement \nresponse to these threats. Our first panel will include \nwitnesses from the Department of Justice and the Federal Bureau \nof Investigation. It will consider their strategies to combat \nthe broad array of cyber threats and the resources that they \nhave brought to bear to execute those strategies.\n    The second panel will discuss the private sector's role in \nresponding to these threats. It will consider a recent \ninvestigatory report based solely on public information that \nindicates that members of the Chinese military have sponsored \nor engaged in sophisticated and extensive cyber espionage, \nincluding industrial espionage. And it will evaluate the role \nof the private sector in investigating, preventing, and \nresponding to such crimes and intrusions.\n    I would start this discussion by noting that the Justice \nDepartment and the FBI both already have done some important \nwork to address the cyber threats facing our Nation. In March \n2012, for example, charges were unsealed against the former \nhead of the hacktivist groups Anonymous and LulzSec and against \nfour other members of Anonymous or LulzSec and a member of \nAntiSec, another hacking group.\n    Earlier this year, the Justice Department secured the \nconviction of a 25-year-old Russian who had operated and \ncontrolled the Mega-D botnet. 
And in April 2011, the FBI and \nthe Justice Department engaged in a civil lawsuit to bring down \nthe Coreflood botnet.\n    The Justice Department and the FBI also have developed the \nFBI's National Cyber Investigative Joint Task Force and the \nJustice Department's National Security Cyber Specialists' \nNetwork. I am glad that the Department and the FBI have taken \neach of these important steps, but much more, as the Department \nconcedes, needs to be done.\n    I was disappointed to learn, for example, that the team \nthat took down the Coreflood botnet was not kept together for \nthe purpose of taking down other comparable botnets. The four-\nstar general heading our military's Cyber Command has said that \nour country is on the losing end of the greatest transfer of \nwealth by illicit means in history. It is all well and good to \ncomplain about such thefts through diplomatic channels, but at \nsome point you need to stop complaining and start indicting. \nThe Justice Department has not indicted, to my knowledge, a \nsingle person for purely cyber-based trade secret theft.\n    I am sympathetic that the Justice Department and the FBI \nlack adequate resources to respond to the severe cyber threat. \nAs the witnesses will testify shortly, these are immensely \ncomplex and challenging cases to put together. The \nadministration, of course, agrees, and its 2014 budget includes \na request for 60 new cyber agents at the FBI, 16 new cyber \nattorneys in the National Security Division, and 9 new cyber \nattorneys in the Criminal Division.\n    As welcome as this request is to many of us, we must also \nensure, however, that the resources are deployed wisely. 
\nAccordingly, I will be inquiring today if appropriate \nstructures, whether task forces or centers of excellence, are \nbeing employed; whether attorneys and agents are properly \ndedicated to cyber work, not just carrying the badge of a cyber \nattorney and listening to the conference call on mute while \nthey do their other work; whether they are tasked with goals of \nachievable scope; and whether the attorneys and agents are \nproperly evaluated and recognized for that work.\n    I will close my opening remarks by adding that a law \nenforcement frustration and a frustration that has affected \nthis very hearing is the unwillingness of many corporations to \ncooperate for fear of offending the Chinese Government and \nsuffering economic retaliation. The shadow of China's heavy \nhand darkens the corporate world and has even shadowed this \nhearing.\n    I look forward to an important discussion on our Nation's \nresponse to the cyber threats that we face. I thank all the \nwitnesses who are here to participate today, and I will call \nthe first panel right now. I will introduce both now so that \nthey can move from the testimony of one to the testimony of the \nnext.\n    We will begin with Jenny Durkan. Ms. Durkan is the United \nStates Attorney for the Western District of Washington. She is \non the Attorney General's Advisory Committee of United States \nAttorneys, and she is the chair of the AGAC's Subcommittee on \nCyber Crime and Intellectual Property Enforcement. Prior to \nbeginning her service as U.S. Attorney in 2009, Ms. Durkan was \nin private practice representing a variety of clients in civil \nand criminal litigation. She is a graduate of the University of \nNotre Dame and received her law degree from the University of \nWashington.\n    With her today is Joseph Demarest. Mr. Demarest is the \nAssistant Director of the Cyber Division at the Federal Bureau \nof Investigation. 
In that role he manages over 600 employees \ndedicated to the investigation of both national security and \ncriminal computer intrusions. He joined the FBI as a special \nagent in 1988 and has served in a number of roles within the \nBureau, including as a SWAT team leader in the New York \nDivision, as shift commander for the PENTTBOM investigation, \nand as Assistant Director of the International Operations \nDivision.\n    I welcome both of the witnesses here, and before we ask you \nto begin your testimony, I will also welcome my wonderful \nRanking Member, who has demonstrated intense interest and \ncommitment to this issue, and invite him, if he wishes, to make \nany opening remarks he might care to.\n\n           OPENING STATEMENT OF HON. LINDSEY GRAHAM,\n        A U.S. SENATOR FROM THE STATE OF SOUTH CAROLINA\n\n    Senator Graham. Well, most of what I know about the \ncybersecurity threat comes from Senator Whitehouse--which is a \ndamning indictment to him.\n    [Laughter.]\n    Senator Graham. But, no, I have really enjoyed working with \nour Chairman here, who I think understands the threat as well \nas anyone in the Congress and, when it comes to the private \nsector, has the most practical solution of trying to get the \nprivate sector to harden their critical infrastructure through \nvoluntary standards, best business practices, with liability \nprotection as the reward. So I am looking forward to the \nhearing.\n    Chairman Whitehouse. Ms. Durkan, why don't you proceed with \nyour testimony? We obviously will put your entire very \ncomprehensive statement into the record of this proceeding, but \nif you could keep your oral statement to about 5 minutes, that \nwould be helpful so that we can engage in some conversation \nafterwards and leave time for the next panel.\n    Ms. Durkan.\n\n        STATEMENT OF HON. JENNY A. DURKAN, UNITED STATES\n ATTORNEY, WESTERN DISTRICT OF WASHINGTON, SEATTLE, WASHINGTON\n\n    Ms. Durkan. Thank you. 
Good morning, Mr. Chairman, Ranking \nMember Graham. Thank you for the opportunity to testify on \nbehalf of the Department of Justice regarding the investigation \nand prosecution of cyber threats and the resources required to \ndo so. I thank each of you for your leadership in this area. \nThe articles you have written show your great grasp of the \narray of threats that we face.\n    As United States Attorney, I see the full range of threats \nthat our communities and our Nation face. Few things are as \nsobering as the daily cyber threat briefing that I receive. \nTechnology is changing our lives. We have witnessed the rapid \ngrowth of important businesses, life-saving technologies, and \nnew ways to connect our society. Unfortunately, the ``good \nguys'' are not the only innovators. We have also seen a \nsignificant growth in the number and the sophistication of bad \nactors exploiting the new technology.\n    Seeking profit, international rings have stolen large \nquantities of personal data. Criminal groups develop tools and \ntechniques to disrupt our computer systems. State actors and \norganized criminals have demonstrated the desire and the \ncapability to steal sensitive data, trade secrets, and \nintellectual property.\n    One particular area of concern is the computer crimes that \ninvade the privacy of every individual American. Every day \ncriminals hunt for our personal and financial data which they \nuse to commit other fraud or sell to criminals. As you will \nhear from the next panel, the potential victims range in the \ntens of millions.\n    The national security landscape has also undergone a \ndramatic evolution in recent years. 
Although we have not yet \nexperienced a devastating terrorist cyber attack, we have been \nthe victim to a range of malicious cyber activities that are \ntesting our defenses, targeting our valuable economic assets, \nand threatening our Nation's security.\n    There can be no doubt: Cyber threat actors pose significant \nrisks to our national security, our communities, and our \neconomic interests. Addressing these complex threats requires a \nunified approach that incorporates criminal investigative \ntools, civil and national security authorities, diplomatic \nefforts, public-private partnerships, and international \ncooperation. Criminal prosecutions, whether in the United \nStates or abroad, play a central and critical role in these \nefforts. We need to ensure that throughout the country the \nDepartment of Justice's investigators and prosecutors have the \nresources and forensic capabilities they need to meet this \nevolving threat, and we thank this Committee for its support in \nthose efforts.\n    The Department of Justice has organized itself to ensure we \nare in a position to aggressively meet this threat. The \nCriminal Division's Cyber Crime and Intellectual Property \nSection works with a nationwide network of over 300 Assistant \nUnited States Attorneys who are designated as ``Computer \nHacking and Intellectual Property'' prosecutors. Mr. Chairman, \nwe will address that question. They are doing the work in the \nfield. They lead our efforts to investigate and prosecute cyber \ncrime offenses.\n    The Department's National Security Division pursues \nnational cyber threats through a variety of means, including \ncounterespionage and counterterrorism investigations and \nprosecutions.\n    Recognizing the diversity of this threat, last year we did \nform what, Mr. Chairman, you have noted, the National Security \nCyber Specialists. 
This network brings together the \nDepartment's full range of expertise in this area, drawing on \nexperts from the National Security Division, the U.S. \nAttorney's Office, the Criminal Division, and other components. \nThere is a national security cyber specialist designated in \nevery United States Attorney's Office across the country. These \ncombined efforts have led to great successes. I hope to address \nsome of them later here today.\n    But, as said, despite these successes, the number of \nintrusions continues. Because of the very serious nature of the \ncyber threats and the pressing need to respond, the \nadministration is asking for enhancement of the budget to \ntarget this critical program. Most of this is addressed to the \nFBI so that we can do more ground research. An additional \nrequest of the $92.6 million is to the National Security \nDivision because we must address this increasing national \nsecurity threat and to the Criminal Division so that we have \nthe resources we need to deal with this internationally.\n    Mr. Chairman, Ranking Member Graham, thank you for the \nopportunity to testify here today. The country is at risk. \nThere is much work to be done. But we look forward to working \nwith your Committee.\n    Thank you.\n    [The prepared statement of Hon. Jenny A. Durkan appears as \na submission for the record.]\n    Chairman Whitehouse. Thank you very much, Ms. Durkan.\n    Assistant Director Demarest.\n\n          STATEMENT OF JOSEPH DEMAREST, JR., ASSISTANT\n          DIRECTOR, CYBER DIVISION, FEDERAL BUREAU OF\n                 INVESTIGATION, WASHINGTON, DC\n\n    Mr. Demarest. Thank you, Chairman. 
Chairman Whitehouse, \nSenator Graham, and distinguished Members of the Committee, I \nam pleased to appear before you today to discuss the cyber \nthreat, how the FBI has responded to it, and how we are \nmarshaling our resources currently and strengthening our \npartnerships to more effectively combat the increasingly \nsophisticated adversaries we face in cyberspace.\n    As the Subcommittee is well aware, the 21st century brings \nwith it new challenges, in which national security and criminal \nthreats strike from afar through computer networks, with \npotentially devastating consequences. These intrusions into our \ncorporate networks, personal computers, and Government systems \nare occurring every day. Such attacks pose an urgent threat to \nour Nation's security and economy. We face these significant \nchallenges in our efforts to address and investigate cyber \nthreats, and we are currently prioritizing our immediate and \nlong-term needs for strategic development in order to best \nposition ourselves for the future.\n    We have made great progress since the Cyber Division was \nfirst created in 2002. We have seen the value of its trusted \npartnerships and worked tirelessly to support and improve them. \nProviding the information that is needed to secure our networks \ndemands cooperation, and cyber vulnerabilities are magnified \nwhen you consider the ever-connected, interdependent ecosystem \nof the cyber world.\n    We follow a one-team approach in our partnerships with the \nU.S. intelligence community, law enforcement, private industry, \nand academia. We significantly increased the hiring of \ntechnically trained agents, analysts, and computer scientists. \nWe have placed cyber specialists in key global locations to \neffectively facilitate the investigation of cyber crimes \naffecting the U.S. 
And while we are pleased to report our \nprogress, we recognize that we must be proactive in order to \neffectively address the threats that we face.\n    Next Gen Cyber. The FBI's Next Gen Cyber Initiative has \nenhanced the FBI's ability to collect, analyze, and act on \ninformation related to cyber intrusion investigations at FBI \nheadquarters and throughout our 56 domestic field offices, 400 \nresident agencies, and with the intelligence community and law \nenforcement partners, both domestically and overseas. \nImplementation of the initiative is focused in four areas:\n    First, the NCIJTF, the National Cyber Investigative Joint \nTask Force, in Chantilly, Virginia. A key part of the \nintergovernmental effort is the FBI-led National Cyber \nInvestigative Joint Task Force. Since its formulation in 2008 \nby Presidential directive, the NCIJTF has made significant \nprogress in developing its capabilities and operational \ncoordination as well as expanding its interagency leadership to \nnow include increased personnel from 19 partner agencies and \nDeputy Directors from five key agencies.\n    A second key element on this initiative is the \nrestructuring and expansion of the FBI's network of field \noffice Cyber Task Forces, which emulate the successful Joint \nTerrorism Task Force model in our Counterterrorism Division. \nAnd just last year--just this past year, the FBI has formally \nestablished a Cyber Task Force in each of our 56 field offices, \nstaffed by cyber-specialized agents, analysts, and other agency \nparticipants. In the future, each CTF, or Cyber Task Force, \nwill continue to grow its capabilities, leveraging nationally \ndeveloped systems, investigative efforts, and expanding its \nmembership with a key focus to add additional State and local \nparticipants.\n    Third, the FBI is committed to advancing the capability of \nour cyber work force and the supporting enterprise \ninfrastructure. 
We established our High-Technology Environment \nTraining--HiTET--initiative to enhance the technical \nproficiency of special agents, intelligence analysts, \nprofessional staff, and task force officers through online \ntraining. The current results of this effort are increased \nefficiencies and improved information analysis.\n    Since the rollout of Next Gen Cyber, the FBI has expanded \nvisibility into the source of cyber threat activities and \ndramatically increased its cyber intelligence reporting.\n    Last but not least, the FBI is working to strengthen both \nlocal and national information sharing and collaboration to \nsupport success in investigation, intelligence operations, and \ndisruption operations. To support this, we adopted an incident-\nreporting and collaboration system called ``eGuardian,'' used \nsuccessfully by our Counterterrorism Division and tailored it \nfor cyber reporting.\n    Further, we are deploying a platform called ``iGuardian'' \nto enable trusted private industry partners to also report \ncyber incidents in a secure and efficient manner to the FBI, \nand we are leveraging intelligence from the NCIJTF to \neffectively identify and notify cyber victims.\n    As the Committee knows, we face significant challenges in \nour efforts to combat cyber crime. We are optimistic that by \nidentifying and prioritizing strategic areas for change, the \nFBI will position itself to neutralize national security and \ncriminal threats of the future. We look forward to working with \nthe Committee and Congress, sir, as a whole to determine a \ncourse forward to ensure our success in addressing cyber \nthreats.\n    Thank you once again, Chairman, for the invitation to \nappear before you today. I would be more than happy to take any \nquestions you may have.\n    [The prepared statement of Joseph M. Demarest, Jr., appears \nas a submission for the record.]\n    Chairman Whitehouse. Terrific. 
Well, first of all, let me \nthank you both very much. I immensely appreciate the work you \nare doing. Ms. Durkan, I know it is a considerable honor to be \nselected and confirmed as United States Attorney. It is an even \ngreater honor when you are in the ranks to be selected to serve \non the Attorney General's Advisory Committee, and your work to \nfocus on cyber crime and cyber terror as the Chair of that \nSubcommittee I think is something that we should all be very \nproud of. And, Agent Demarest, you have been working this beat \nfor a while. Nobody has more passion for it than you, so I am a \nlittle bit preaching to the choir, but I do want to try to give \nboth of your organizations a bit of a shove through this \nhearing to be a little bit more forward on this issue.\n    One of the ways you measure legal outcomes is results. Your \ntestimony, Ms. Durkan, talked about the importance of \nprosecution both as a deterrent and as a punishment. And yet \nthe level of actual legal activity does not seem to be all that \ngreat. The Coreflood botnet was taken down I think well over a \nyear ago. I think we are actually through the stage where the \nparticipants have had their Attorney General awards, and I am \nglad that they were recognized for that very important piece of \nwork. But as I understand it, this was a group that was sort of \ncobbled together from a variety of different offices, and at \nthe conclusion of that effort, it was basically allowed to just \ndisappear back to those original offices rather than continue \nthe process of cleaning up and attacking botnets.\n    As you know, Microsoft has done at least four that I can \nthink of, civil cases to go to court and get an order to clear \nbotnets out of the system. 
So it is not impossible for the \nJustice Department to have done more than one.\n    On the side of our intellectual property theft, we have, I \nthink, primarily the Chinese attacking exceedingly vigorously \nnot only our national defense infrastructure in order to try to \nhack into things like how our jets work, how our guidance \nsystems work, so that they can imperil our military in the \nevent that we were to end up in a military conflict with them, \nbut they are also just plain trying to steal stuff so they can \ngive it to their companies so they can build it without either \ninventing it or paying us for the intellectual property rights. \nAnd that has been described as the biggest transfer of wealth \nin the history of humankind. And to my knowledge, the \nDepartment has done exactly zero cases involving a pure cyber \nintrusion to steal intellectual property and back out. They \nhave done some intellectual property theft cases where somebody \nleft with a CD in their pocket, kind of the old-school version, \nbut they have not done any cases left yet. So the results are a \nlittle bit--do not send the signal yet that we are where we \nneed to be.\n    When you try to look at the structure, it is not clear that \nthe structure is firmly in place for this. This has been a \nconsiderable issue for some time, and yet it is, I think, last \nyear that the expert corps began at the Department of Justice. \nYour testimony, Ms. Durkan, is that the Department is \ndeveloping ``threat focus'' cells. The NCIJTF is a wonderful \neffort. I have been out there, and I think the people who are \nthere are doing great work. 
But my impression of it was that \nthey are working so hard out there just to try to figure out \nwho is coming through the windows and trying to keep track of \nthem and trying to warn businesses that somebody is now in \ntheir system that there really has not been the capability to \nsit down and take that information and turn it into a \nprosecution package and put it into play in a U.S. Attorney's \nOffice and go and put somebody on the business end of an \nindictment. I am not even aware of any grand juries that are \nactive in this area at this point.\n    So I think that I want to applaud--and I am sure it is \nthanks to both of your leadership that both the U.S. Attorney's \nOffices, the Department of Justice, and the FBI are rethinking \nthe structure that needs to deploy this effectively. If this \nreally is a national security threat of the type that every \nmajor administration figure says, if this really is the biggest \ntransfer of wealth in the history of humankind through illicit \nmeans, we are still pretty underresourced for it when you put \nit up against--we have got a DEA just to deal with narcotics. \nWe have got ATF just for alcohol, tobacco, firearms, and bombs. \nWhere are we in terms of what are we doing about this new \nthreat?\n    So I want to applaud you for your own personal commitment \nin this issue, but I really do want to continue to push both \nthe Department and the Bureau to resource this up. We will do \neverything we can to support your efforts to enhance the \nresources in the way that the budget requests--at least I will \nfirm up this structure so it is clear that the people who are \non the list as doing cyber work are, in fact, doing cyber work \nand not just--I have been a U.S. Attorney, I know the drill. \nSomebody has to get on the phone, somebody who is the cyber \nperson, out goes the conference call, and so there is an AUSA \nin the offices across the country sitting there listening with \nthe call on mute. 
That is not the way to fight this battle, and \nwe should not really be counting those--it is a valuable \nfunction, but we should not be counting them as full-time cyber \nfolks if that is the sum of what they are doing.\n    I like this notion of the threat focus cells that are being \ndeveloped. Could you tell me, both of you, a little bit more \nabout the new steps, the new structure that you are looking at \nfor implementing the cyber and where on the curve between \nbehind the curve and way behind the curve that we are in terms \nof the resources necessary to do this? Ms. Durkan, why don't \nyou go ahead first?\n    Ms. Durkan. Thank you, Senator. Let me unpack that a little \nbit.\n    First, let me say that I want to talk a bit about results, \nstructure, and grand juries. You know, in the last 3 years I \nhave been United States Attorney and served in this role as a \ncyber crime task force, the threat has evolved enormously. But \nI will say also so has the Department's response and our \nforward-looking nature. There is no one solution to this cyber \nthreat, and no one part of Government can fix it alone.\n    As Mr. Demarest said, we have to have a one-team approach \nso every aspect of Government is working together, and we have \nto work with the private sector.\n    For example, in my district we have a very strong outreach \nto private enterprise to see what they are doing, see what the \nthreats they are seeing to see what we can address. If we can \nprosecute someone, believe me, we will do it, and we have done \nit.\n    I want to report that results actually have been very good, \nand I will use my own district as an example. Even in the areas \nof botnets, our district was the center of a botnet \ninvestigation. Some people know it as the Conficker botnet. It \nwas one of the largest--I think even larger than Coreflood, but \nthat is my district. It was, as you know, a very resource-\nintensive investigation. 
It required multiple agents and \nmultiple districts in multiple countries. But we were able to \nwork with our international partners across law enforcement, \nSecret Service, FBI. We took down the entire botnet at the same \ntime in America and in several European countries. People were \narrested in several European countries, and we were able to \nextradite one of those actors to my district, prosecute them, \nand put them in jail.\n    So we have had successes, and we will continue to have \nthose successes. But we also understand to meet this threat, we \nwill not be able to prosecute our way out of it. We have to \nhave technology answers. We have to have efforts from the \nDepartment of Defense, the Department of State, and all across \nGovernment from the top down, I think every agency is committed \nto addressing this threat.\n    It is a big threat, but I think we have great successes to \nreport, and I am proud that we do.\n    Chairman Whitehouse. Let me ask Senator Graham to jump in \nbecause he has to step out for a moment and make a phone call \nand then return to the hearing. But let me ask him to jump in.\n    Senator Graham. Well, thank you, and you can continue to \nanswer his question, which I thought were great questions.\n    From a lay person's point of view, we have a pretty robust \nsystem to deal with bank robbers. Is that right, Mr. Demarest?\n    Mr. Demarest. Yes, sir.\n    Senator Graham. And do you have any idea how many bank \nrobberies there were last year that the FBI was involved in?\n    Mr. Demarest. No, sir.\n    Senator Graham. Probably hundreds?\n    Mr. Demarest. Hundreds.\n    Senator Graham. How many cyber thefts are there in the \nUnited States?\n    Mr. Demarest. Hundreds per days, weeks.\n    Senator Graham. Okay, so thousands, if not hundreds of \nthousands a year?\n    Mr. Demarest. Yes, Senator.\n    Senator Graham. So there are two ways you can have money \ntaken, stolen from you. 
A guy can come in with a gun and say, \n``Give me your money.'' Or somebody can hack into the bank and \nsteal your money. How many people have been prosecuted for \nhacking into the bank and stealing the money?\n    Ms. Durkan. Can I answer that, Senator?\n    Senator Graham. Please.\n    Ms. Durkan. Actually, very many. Let me use an example from \nour district. One of the things we saw was a spike in not just \nhacking but ATM skimming where people would put devices, \npinhole cameras, and were able to take millions of dollars from \nmany, many customers. We put together a task force and were \nable to break down a Romanian ring, and we prosecuted those \npeople. We had great success. In fact, for a period of time in \nmy district, we drove down the incidence of skimming to almost \nvirtually zero. But we did it not just through the prosecutions \nbut by working with the banking industry, educating the public, \nand the others.\n    Senator Graham. How many people were prosecuted?\n    Ms. Durkan. There were, I think--I will have to get you the \nexact number, but it was the entire ring responsible for this \ngroup of thefts. And so it was more than a dozen.\n    Senator Graham. Okay. Well, get back with me.\n    Senator Graham. The point I am trying to make is I know you \nall are doing a good job of trying to up our game, but the \nresources we have provided over time to deal with bank \nrobberies, compare that to the resources we have provided over \ntime to deal with cyber theft, how would you equate the two?\n    Mr. Demarest. Well, the threat is certainly changing, so \nthe FBI has a reallocated resource which we had in other \nprograms internally to cyber. So we significantly--and we will \ntalk about structure, the Chairman's question, and what we have \ndone to actually develop the teams both at headquarters and \nnational platforms and also in our local field offices' Cyber \nTask Forces.\n    Senator Graham. 
Do you have the resources necessary to deal \nwith this, what appears to be a rampant theft problem?\n    Mr. Demarest. Well, we are making do on what we have today.\n    Senator Graham. And I think what we are telling you is let \nus not make do, let us treat this sort of like Bonnie and \nClyde. Remember the Bonnie and Clyde, you know, the national \nbank robberies during the Depression, that really started the \nFBI. It was sort of its reason for being in existence. And that \nkind of focus of dealing with, you know, crime in the 1920s and \n1930s, do you think we have that kind of focus now, Ms. Durkan?\n    Ms. Durkan. I think, sir, I would like to--I describe it as \nthe ``buggy whip moment.'' It has changed so much to where \ncrime that used to happen on the street is now moving online, \nincluding violent crime. We have more and more violent crime \nthat is being set online. Victims are being targeted online. \nAnd we are addressing that threat, but we still have a great \nbrick-and-mortar threat we have to address on the streets, \nwhich we are doing. But it is a time when we have to allocate \nand realign ourselves. We have done it. We need to do more. And \nwith the help of this Committee and Congress and----\n    Senator Graham. Do you need changes in our laws to make you \nmore effective?\n    Ms. Durkan. Yes, and I think that we have proposed some \nchanges. I think there are other changes that Senators have \nproposed, and Congressmen, that we are working with them and \nyour staffs to see what--to make sure we address those threats.\n    Senator Graham. During the 1920s and 1930s, we \nfundamentally changed the role of the Federal Government's \ninvolvement in crimes that were committed across State lines \nand really created Eliot Ness-type groups. 
And I would--that is \nmaybe not a good analogy, but to me we seem to be having a new \nemerging crime wave here, and when it comes to resources and \nlegal infrastructure, would you say on an A-to-F rating, A \nbeing we are exceptionally prepared, F we are failing--where \nwould you put us in terms of legal infrastructure and resources \nto deal with this new kind of crime?\n    Ms. Durkan. I think we are much better off than we were 3 \nyears ago. I think we have aligned ourselves to address it and \nhave had successes, but I think we have to keep working, and we \nhave to make sure that we are aligned also with private \nindustry.\n    Senator Graham. Give the Congress an A-to-F grade and give \nlaw enforcement----\n    Ms. Durkan. I give Congress always an A grade.\n    [Laughter.]\n    Senator Graham. Well, you would be the only one.\n    Chairman Whitehouse. She is the one person in the country.\n    [Laughter.]\n    Senator Graham. I wish you were my teacher. How would you \nsay our infrastructure----\n    Mr. Demarest. I think today we are still facing the same \nthreats we faced 10 and 20 years ago, but now we have this \nparallel threat, if not emerging new threat, in addition to the \nold crimes----\n    Senator Graham. Well, that is what I am saying.\n    Mr. Demarest [continuing]. Responsible for it.\n    Senator Graham. How far behind the curve, to use Senator \nWhitehouse's analogy, are we?\n    Mr. Demarest. As far as the community, we are much evolved, \neven from the time the Cyber Division was created in 2002 to \nwhere we are today, and even over the past, I would say, 6 \nmonths or a year, sir.\n    Senator Graham. Well, I think both of us want us to kick in \ngear and get there quicker.\n    Mr. Demarest. Yes, sir.\n    Senator Graham. 
And wherever the Congress is failing, we \nare willing to try to inform our colleagues we need to up our \ngame, because if you have hundreds of bank robberies using \nforce and you have maybe millions of thefts using cyber \ntechnology, it seems to me we are probably not where we should \nbe.\n    Chairman Whitehouse. I know Senator Graham has to jump out \nfor a moment, and I would like to continue this.\n    One thing I am going to do, without objection, is to put in \nthe op-ed piece that Senator Graham and I wrote together into \nthe record of this proceeding.\n    [The op-ed appears as a submission for the record.]\n    Chairman Whitehouse. I want you guys to know, we have just \nconfirmed a new OMB Director. We have got a new Deputy Director \nin the process of confirmation. I have spoken to both of them \nabout this problem and about the concern that I have that you \nguys are good scouts and do not go beyond the envelope that OMB \nand the White House allow you in the budget. But we have to \nhave a serious discussion and sit down and figure out what the \nplan is for dealing with this and have we really resourced it \nenough. And I have been trying for some time to get OMB and the \nDepartment in the room together so that we can have this \ndiscussion without you guys being accused of talking out of \nschool without OMB there and vice versa. So I hope to do that.\n    Senator Graham and I came very close to having a bipartisan \nagreement on a cyber bill. It fell apart, unfortunately, at the \nlast minute for reasons beyond both of our controls. And the \nExecutive order emerged, and now that the Executive order is \nout and the landscape has been changed by that Executive order, \nwe are re-engaged on trying to do what needs to be done \nlegislatively.\n    So please work with us on this. 
We will provide whatever \ncover you need to bring OMB in so we can have a grown-up \ndiscussion in which you do not have to be flinching from saying \nwhat your real needs are. But it is very clear to me that when \nyou put the privacy and the criminal loss of all of our \nindividual credit card and personal information that is being \nhoovered up out of the Internet and actually marketed on \ncrooked websites where crooks can actually go and buy personal \ninformation so that they can run crooked schemes off that info, \nyou stack that on top of the attacks on the banks that Senator \nGraham was referring to, you stack that on top of the theft of \nso many companies' secret, special, confidential information \nthat they use to protect themselves and build their product and \nthat is their own intellectual property and that is stolen by \nindustrial espionage, you throw on top of that what is being \ndone to our defense industrial base, which has both private \ntheft and national security connotations, and you throw on top \nof that the viruses and worms and programs that have been \ninserted into our critical infrastructure so that the grid \ncould be taken down, bank records could be compromised, dams \ncould be opened, gates and pipelines could be opened, all those \nsorts of things could take place--you stack all that up, that \nis a big problem set.\n    I know I do not want to get you in trouble for saying any \nmore than you are authorized to, but you have at least the two \nof us who strongly believe that we need to have our Eliot Ness \nmoment on this and get ready to put the resources into this \nproblem set. And one measure of that will be when we see some \nsignificant indictments on this industrial espionage piece \nrelated to what the Defense Department has said is being done, \nrelated to what the Mandiant company has said is being done, \nand all of that.\n    I will give you a chance to respond to those thoughts. 
We \nare kind of having a bit of a back-and-forth here, but I really \nwant to push you on this because I think as wonderful as the \nwork is that you have done, we are not there yet, and we need \nto make sure we get there, because we cannot for long remain on \nthe losing end of the biggest transfer of wealth in human \nhistory through illicit means.\n    I see that Senator Coons has arrived, so rather than \ncontinue my peroration here, go ahead. Thank you for being \nhere, Senator Coons. Senator Coons has taken a very sincere and \nstrong interest in this issue and worked very hard with me and \nothers to try to get that bill to the finish line before it \nfell apart and before the Executive order came out, and so \nthank you very much.\n    Senator Coons. Thank you, Senator Whitehouse. Thank you for \nyour invitation. And to you and to Senator Graham and so many \nothers who have dedicated time and effort and leadership to \ntrying to make sure that we in the Congress are doing our part, \nwe will give ourselves a low grade for how we have done in \nterms of being able to bridge the differences between our \nparties and our chambers in terms of coming up with some \nfunctional structure for dealing with the cyber threat to our \nNation. And I am grateful to Senator Whitehouse for his \npersistent leadership in this very complex issue that crosses a \nnumber of committees of jurisdiction. My own home State--\nSenator Carper obviously chairs Homeland Security, but this \nalso has implications in addition to Judiciary, for \nintelligence, for defense, for many others.\n    Let me just, if I could at the outset, ask a few questions. 
\nI have a piece of legislation I want to talk about, but if you \nwould, help me understand in the run-up to some of this \nlegislative work last year, a great deal was made about our \nmilitary's unique capabilities to defend the United States in \ncyberspace and their advantages over other agencies in \nGovernment, civilian agencies, in terms of their capabilities \nand capacities.\n    What unique advantages do civilian agencies or the \ncompanies that the next panel will represent have in the realm \nof cybersecurity?\n    Ms. Durkan. One unique ability we have is to put them in \njail, and we are trying to do that more. But, again, I think \nthat our ability to investigate and prosecute in these arenas I \nthink forms a couple of important things.\n    Number one, we deter further activity, and believe me, when \nwe are able to extradite someone who is a foreign national \nvacationing in a different jurisdiction and we arrest them and \nbring them to Seattle and put them in jail, it sends a message.\n    Two, we try to disrupt because we do not have the \ncapability to put all the bad actors in jail. So part of our \nstrategy has to be to disrupt this activity anywhere we can do \nit.\n    And the third is we have to hold people accountable, which \nwe are trying to do more and more. So I think that some of the \nunique capabilities we have is in our system we have the \nability through the grand jury process, subpoena process, and \ninvestigative tools to get information that others do not have. \nAnd so--but, again, looking at the Department of Defense, we \nhave to use a whole Government approach. Senator Whitehouse is \nexactly right that the nature of this threat frankly cannot be \noverstated. But it cannot be answered by any one part of \nGovernment or Government alone. It has to be private-public \nsector partnerships; it has to be Department of Defense, \ndiplomatic efforts, and our civilian efforts to prosecute \npeople.\n    Mr. Demarest. 
Senator Coons, the FBI is uniquely positioned \nbased on statutory authorities, and cyber you know is cross-\ncutting, so it is a program that we have within the FBI that \nlooks across criminal, counterintelligence, and also \ncounterterrorism. So we are able to incorporate the subject \nmatter expertise from each of those divisions and looking at \nthe various threats. It is not just one area in \ncounterintelligence, but it is a broad array.\n    And, again, getting back to Ms. Durkan's statements, too, \nDOD plays a key role along with NSA, the intelligence community \nwrit large, and our other partners at home here--law \nenforcement along with Homeland Security.\n    Senator Coons. Thank you. Thank you for those answers, and \nI agree with you that in particular in a democracy and facing \nwhat is a broadly distributed threat, its origins not \ncompletely clear--it is not always attacks from nation states; \nit is not always attributable to specific foreign actors. Cyber \ncrime and cyber threats come from a very wide range of sources, \nand they manifest in our country in a very wide range of \nimpacts. And so the ability to complement the defense \ncapabilities with agencies that have broad jurisdiction and \nwith the capabilities to investigate, to deter, to imprison, to \nseek compensation for victims is a different response than one \ngets from the Defense Department.\n    I just wanted to comment, if I could, in my remaining \nminutes that when it comes to doing comparably broad things \nthat deal with both domestic disorder, natural disaster, or \nwith confronting foreign threats, the National Guard has also a \nbroad range of capabilities. It crosses in its legal \nauthorization, in its actual tactical capabilities, and in its \nstrategic role a fairly broad range of capabilities. 
And so a \nnumber of us Senators--Gillibrand and Vitter, Blunt and I--have \nintroduced the Cyber Warrior Act, which, among other things, \nwould give Governors the capability to order cyber-capable \nguardsmen to support and train local law enforcement, to \nleverage the expertise they have from their military training \nand their civilian careers. My own home State happens to have a \nvery capable network warfare squadron which allows us to tap \ninto the skills and abilities of the fairly sophisticated data \ncenters operated by the advanced elements of the financial \nservices community that are headquartered in Delaware and have \nthem also in a dual-hatted way through the National Guard serve \nas adjuncts to the NSA and be helpful.\n    I think this sort of function in this particular \nlegislative authorization would be helpful for DOJ and FBI as \nwell, because it can help them have more capable, better \nprepared State and local partners. And I would certainly \nwelcome recommendations or comments from you or from the other \nwitnesses in the next panel. We will be holding a law \nenforcement caucus event on this particular idea in this bill \nin June, and I am grateful to Senator Whitehouse for the chance \nto contribute to this hearing this morning.\n    Thank you, Senator.\n    Chairman Whitehouse. Thank you, Senator Coons. We in Rhode \nIsland also have a cyber wing in the Rhode Island Guard, and I \nlook forward to working with you on your legislation. I think \nit is a very valuable thought. It is, I think, important for \nthe record of this proceeding to reflect that when you move \nfrom our local guard and reserve capabilities to our military, \nand from there to our active-duty military, and from there into \nour intelligence services, there are increasing restrictions \nand concerns about taking action within the continental United \nStates, particularly where it involves American companies, \nsystems, and individuals. 
And so that is, I think, a particular \nreason why our law enforcement role is so important when we \nlook at this domestically.\n    We are joined by Senator Klobuchar, a former prosecutor \nherself, and we are delighted to recognize her.\n    Senator Klobuchar. Thank you very much, Mr. Chairman. Thank \nyou to both our witnesses. And I was listening to Senator Coons \nand thinking about back to when I did my job for 8 years, \nrunning an office of about 400 people, but two levels of issues \nwith computer crime, cyber crime. One was officers who, despite \ntheir best efforts, just did not have the training, so we would \nhave cases where they would go into a room and turn on a \ncomputer and then erase everything on it because that is how it \nwas rigged, what it was rigged to do. And it happened a number \nof times. And the second thing was we are second per capita for \nFortune 500 companies, so we have huge companies like Target \nand Best Buy and companies like 3M and U.S. Bank. So I have \nfirsthand seen how challenging the situation is and how as a \nlocal prosecutor we simply did not have the resources or the \nknow-how to handle some of those cases when they would come our \nway or it would be handled by the U.S. Attorney's Office.\n    So my first question is on that, to you, Ms. Durkan--thank \nyou for your good work--just how you have coordinated with the \nlocal prosecutor's office, how do you think--what is the best \nmodel of how we go forward and how we get them trained?\n    Ms. Durkan. That is an excellent question, and, again, the \npartnership with local law enforcement is critical to our \nsuccesses. Working both with the Secret Service Electronic \nCrimes Task Force and the FBI's task force, we have great \nsuccesses in that field. 
Key to it is training, and we have \nworked to make sure that we have more not just task force \nofficers but forensic people who can handle this, and also \neducation of the public.\n    An example of a success where that has worked in my \ndistrict is we had a very small family restaurant that was \nhacked by someone who was in Maryland who attacked a number of \npoint-of-sale people. He stole many, many, many credit cards. \nHe sold them to someone who was in Romania, a citizen of \nanother country, who then posted them to a carding site. Then \nthey were purchased by a gang-affiliated group in Los Angeles.\n    Through our investigation we were able to arrest the person \nin Maryland, charge and extradite the person in Romania, and \nget the person in Los Angeles. So we got all three levels of \nthat. We did it, though, working with our local law \nenforcement, task force officers, the Secret Service, and the \nFBI all played a part in those and other investigations. So it \nis a critical part of it.\n    The training also, if we look at our training for lawyers, \nwe have worked to make sure that not just our CHIP lawyers are \ntrained in cyber activities but other lawyers have experience. \nWe have the National Advocacy Center in South Carolina, and one \nof the conferences, even in these difficult times, that we made \nsure went forward was our cyber conference, because we have to \nmake sure our prosecutors are trained, our local law \nenforcement is trained, and the public is educated.\n    Senator Klobuchar. Well, and I think that is part of it, \nespecially with small businesses, which you noted are not going \nto have the resources of a U.S. Bank in Minnesota. So I think \nmore outreach to them would be a good idea through chambers or \nanything, because I think they are starting to be victims as \nwell and they just do not have the resources.\n    Ms. Durkan. That is absolutely right. 
And if that small \nbusiness had not come forward in our case, we would not have \nhad that case. And so having that outreach also enables us to \ndo our job.\n    Senator Klobuchar. Okay. My next question is on the cloud \ncomputing area and the fact that our cases are becoming more \nand more sophisticated. As you know, digital evidence \nevaporates a lot quicker than a paper trail, making it very \ndifficult for law enforcement to investigate the crime. And \nanother challenge is if the evidence is incriminating \ninformation, it is stored in the cloud out of the jurisdiction \nof the United States. I had a bill on this that is sort of \nfloating out there like a cloud as we try to deal with some of \nthe cyber bills that I think are important.\n    Could you comment on the challenges of a lifetime of \nevidence in cybersecurity crimes and the real possibility that \nthe evidence could be outside the jurisdiction of the United \nStates?\n    Mr. Demarest. There is a very good likelihood that it will \nbe outside the jurisdiction of the United States. As you \npointed out, Madam Senator, it presents many challenges, and \ndepending on which country that the evidence may lie, our \nrelationship with that country, with the investigative agencies \nof that country as well. So it does present several challenges \non that front.\n    Senator Klobuchar. And what would be the best way to try to \nget at it? Would it be agreements with other countries? Is \nthere something we could put in law that would create a \nstructure for those agreements?\n    Mr. Demarest. Well, I think the agreements, and then I will \ndefer to Ms. Durkan as far as what law or what other changes \nthat we could possibly put in place to better the circumstances \nin working with our foreign partners.\n    Ms. Durkan. I think it is all of the above, Senator, that \nyou have mentioned. You will notice that one of the budget \nincreases we have asked for is to have additional prosecutors \noverseas. 
We have seen more and more of these cases arrive on \ninternational soil. Our partnerships with foreign nations in \nEurope particularly have increased, but we need more people \nthere.\n    We also have the Budapest Convention, which is gaining more \nand more international partners to make sure we can get the \nevidence abroad that we need to prosecute people here. But they \ncannot get the evidence from our country that they need there. \nSo we have to do all of those things.\n    Mr. Demarest. Madam Senator, we have increased our \nfootprint overseas from just three offices to it will be just \nshort of a dozen this coming year in key locations throughout \nthe globe.\n    Senator Klobuchar. Thank you. I appreciate it.\n    Chairman Whitehouse. Senator Graham had his time \ninterrupted both by me and the call he had to take, so let me \nturn to him and give him a fresh start.\n    Senator Graham. Just very quickly, we are facing a law \nenforcement threat, people stealing our property, our \nintellectual property, stealing our money, and anything else of \nvalue through cyber crime. But on the Nation state, national \nsecurity, counterterrorism, after 9/11 the FBI has two missions \nnow, counterterrorism--right?\n    Mr. Demarest. Yes, sir.\n    Senator Graham. As well as traditional law enforcement. Are \nthere clear rules of engagement that exist today that would \nallow the FBI, the CIA, the Department of Defense to engage a \nnation state who has committed a cyber attack under the laws of \nwar?\n    Mr. Demarest. There has been a lot of discussion and a lot \nof coordination. We mentioned----\n    Senator Graham. Well, that means no.\n    Mr. Demarest. No, well--I am sorry. The question again, \nSenator?\n    Senator Graham. Are there any rules of engagement--I mean, \nhas anybody sat down and said this event would be considered a \nnation state cyber attack allowing us to respond outside the \nlaw enforcement model? 
Our Chinese friends seem to be hell bent \non stealing anything they can get their hands on here in \nAmerica rather than developing it in their own time and \neconomy. But I am more worried about what they could, or other \nnation states, not just China, or terrorist organizations could \ndo to our ability to defend ourselves. Do you worry about a \ncyber 9/11?\n    Mr. Demarest. Well, again, depending on--it is an extremely \ncomplex issue, and what actor set you may be referring to or \nlooking at, different motivations by many----\n    Senator Graham. Is that possible? Is it possible that \nthrough cyber technology you could create a 9/11-type event on \nAmerica?\n    Mr. Demarest. It is possible that they could cause \nsignificant damage and destruction through cyber. It is \npossible.\n    Senator Graham. What kind of things would be possible?\n    Mr. Demarest. If you look at access to ICS or SCADA \nsystems, if they do get access to, say, oil and energy and the \nsystems that actually control key networks or critical \nnetworks, that could cause significant damage, and whether it \nbe long-lasting or short-term, it could be both.\n    Senator Graham. Could they disrupt military operations?\n    Mr. Demarest. I am not sure, sir.\n    Senator Graham. Well, maybe this--would you like to take a \ncrack at that?\n    Ms. Durkan. I think, Senator Graham, that if you look at \nthe range of threats----\n    Senator Graham. Maybe this is better for Senator----\n    Ms. Durkan [continuing]. It is what keeps me up at night----\n    Senator Graham. Or General Alexander, I guess.\n    Ms. Durkan. I think part of these questions have to go to \nGeneral Alexander. But I do think if you look at the range of \nthreats, anything with intelligence can be hacked--everything \nfrom one rogue actor to state actors to criminal \norganizations--and there are people who work to get that done. 
\nThat is why the Department of Justice is part of the solution, \nbut it is not the whole solution. And, again, private \nenterprise is developing better security mechanisms and better \ntechnology.\n    Going back to robbing banks, when banks were set up, they \ndid not all have bars, they did not have cameras, they did not \nhave a lot of defenses. And private companies are now \ndetermining technology they have to develop to also provide \npart of that solution.\n    Senator Graham. Well, both of you focused about the law \nenforcement model here and how we can go after bad actors. Are \nyou familiar with the counterterrorism threats? Are you \nfamiliar, both of you?\n    Ms. Durkan. Yes, sir.\n    Mr. Demarest. Yes, sir.\n    Senator Graham. Okay. How would you rate our infrastructure \non the counterterrorism side, the national security side, to \nprotect us against people who just do not want to steal money \nbut want to do more damage?\n    Mr. Demarest. Well, I think based on the tragic losses of \n9/11, part of the response to that in New York and also here at \nheadquarters, I think it is a much more developed model that I \nthink the community has in addressing counterterrorism issues.\n    Senator Graham. So we are further down the road?\n    Mr. Demarest. Well, I think we are further down the road, \nand for good reason.\n    Senator Graham. Do you agree with that?\n    Ms. Durkan. Absolutely.\n    Mr. Demarest. And I think we will get there, Senator, with \ncyber as well.\n    Ms. Durkan. And if I could just use one example, the \nNational Security Cyber Specialist, while it just sounds like \nanother Government alphabet soup, one thing we realized in the \nnational security setting, if there is a cyber event or we get \nintelligence that there is going to be, who do we call? Do we \ncall the cyber lawyer who may not have the security clearances? \nDo we call the antiterrorism lawyers who may not have the cyber \nexperience? 
We knew we had to marry those two things up, so \nthat is what we are trying to do, is to make sure that we have \nthe right, appropriate people in every office and the best \nexpertise we can have in here to get to the field.\n    Chairman Whitehouse. Let me, before I release you guys and \ncall up the next panel, ask you two things. One is, Could you \nin a supplemental fashion to the testimony that you have \nprovided make a little bit more of a detailed case as to the \nconclusion you describe in both of your testimonies about how \ncomplicated, complex, resource-intensive, et cetera--as much as \nyou can without revealing things that should not be revealed, \ntry to put some tangible facts and real teeth into that \ndiscussion, because it will help both Senator Graham and myself \nin arguing with our colleagues for this if we have more than \nthe conclusory statement that these are complex, difficult, \nrequire forensic capabilities or unusual--and really lay out a \ncase study or an example of something that makes that case a \nlittle bit further. That would be very helpful to us as we try \nto proceed.\n    The second thing is we have had this discussion about \nresources and structure and budgets, and I look forward to \ncontinuing that discussion with the new OMB Director and with \nyour Department and your Bureau. But separate from that, I \nthink we can make some progress on your capabilities and \nauthorities and safeguards in taking out these botnets. And I \nwould ask you for your commitment to work with us in drafting \nappropriate legislation that will allow you to have more \nauthority and proper safeguards as you go after future \nCorefloods and future Confickers. Would you do that?\n    Ms. Durkan. Absolutely, Senator.\n    Mr. Demarest. Yes, sir.\n    Chairman Whitehouse. Terrific.\n    Ms. Durkan. Thank you.\n    Chairman Whitehouse. Again, let me close by thanking both \nof you for your service and for your passion in this area. 
I am \nreally pleased that people like you are in our Government \nservice. And if you detect a note of impatience from myself and \nfrom Senator Graham, it comes with the recognition that you are \nparts of very, very large bureaucracies that do not always move \nwith great alacrity, and it is sometimes our job to give them a \nlittle bit of a shove. But it reflects not at all on either of \nyou or on the folks who are working this problem set. It is \nbeing done very impressively.\n    Thank you very much.\n    Ms. Durkan. Thank you, Senator.\n    Mr. Demarest. Thank you.\n    Chairman Whitehouse. We will take a minute to call up the \nnew panel.\n    [Pause.]\n    Chairman Whitehouse. Let me thank our private sector \nrepresentatives for being here.\n    Kevin Mandia is the CEO of Mandiant Corporation, which he \nfounded in 2004 to help private organizations detect and \nrespond to and contain computer intrusions. When you find out \nyou have been hacked, ``Who are you going to call? \nGhostbusters.'' That is kind of what Mandiant does. He began \nhis career in the U.S. Air Force, in which he served as--\nSenator Graham is also in the Air Force--a computer security \nofficer and as a cyber crime investigator. He has degrees from \nLafayette College and the George Washington University. He has \nalso taught at both George Washington and Carnegie Mellon \nUniversities.\n    Let me just stop there, and I will call on Kevin. But let \nme also--back in our earlier legislative process, Senator \nGraham and I and Senator Mikulski and others organized a series \nof classified briefings for Senators to try to bring them more \ninto awareness of what was going on in this field, and you were \ngracious enough to come and make one of those presentations, \nand it was a very effective one, and I want to thank you for \nthat.\n    Let me ask you to proceed with your testimony, and then I \nwill introduce the other witnesses as they are called up.\n    Mr. 
Mandia.\n\n STATEMENT OF KEVIN MANDIA, CHIEF EXECUTIVE OFFICER, MANDIANT \n               CORPORATION, ALEXANDRIA, VIRGINIA\n\n    Mr. Mandia. Thank you, Mr. Chairman and Ranking Member \nGraham.\n    Today, and into the foreseeable future, American companies \nare going to be under siege by many different types of \nattacks--criminal attacks, economic espionage, more than \nnuisance-based attacks. Today what I am going to talk about is \nthe sophisticated economic espionage attacks. And while many \norganizations are actively trying to counter these threats, at \nthe end of the day there is a security gap that we need to \nclose. So today what I would like to talk about is three \nthings: why the security gap exists; what the private sector is \ndoing about it; and then how law enforcement can help in \nregards to that security gap.\n    First, the reason the security gap exists is that there are \nGovernment resources hacking our private sector. It is simply \nan unfair and imbalanced fight. If our Government was chartered \nto hack the private sector in other countries, we would be very \nsuccessful at that. So I always likened it to an ultimate \nfighting champion mugging my grandmother. It is simply an \nimbalanced battlefield.\n    Mandiant pointed that out when we did an APT1 report. In \nFebruary of this year, we released a report to the public that \nclearly shows that there are members of the PLA targeting the \nprivate sector here in the United States.\n    The second reason there is a gap in our cybersecurity is \nthat--for the first time in history that I am aware of--it used \nto be when systems were targeted, nobody knew who used that \nsystem. 
But today the cybersecurity attacks, there are human \ntargets, and we also showed that in our APT1 report in that the \nPLA is recruiting English-speaking people so that they can send \nthose innocuous-looking emails, but, in fact, those innocuous \nemails that have fake information in them and purport to be \nfrom someone they are not and are compromising systems. So we \nhave human targets, and we have not figured out technically how \nto patch the human trust.\n    The third reason is that the government entities that we \nsee compromising the U.S. private sector are actually \ncompromising a lot of the supply chain. So we have the big \ncompanies that have a rather mature security program, so if \nthat security program is bolstered and it starts rejecting some \nof these attacks, what the attackers do is go down the supply \nchain, hit smaller organizations that only have hundreds of \nfolks, and potentially no cybersecurity posture, and that is a \ntough one to defend.\n    The fourth reason we have a security gap is because there \nis simply an imbalance. It only takes one attacker, and that \none attacker can create work for thousands, if not hundreds of \nthousands, of defenders. It is just an imbalance in the \nexpertise that is required.\n    Another reason, there is simply no risk of repercussions to \nhacking the U.S. infrastructure if you do it from certain safe \nharbors or safe havens, such as apparently China, potentially \nRussia, North Korea, Iran. These are countries that could hack \nour resources with impunity and not really fear any \nrepercussions.\n    We also have a lack of resources, and I can go on. But, in \nshort, technology and our adoption of it vastly outpaces our \nability and willingness to secure it.\n    So what are companies doing about it? Essentially, I have \nnoticed two things. 
There are companies that are aware they are \ncompromised, and they are doing some--really they are adopting \ntechnologies and hiring the expertise to defend. And, Senator, \nyou had mentioned we are unwilling to oppose China. I would say \nin my experience most of the private sector takes it very \nseriously when they have had a breach from China to do \neverything they can on the technical front to bolster their \nsafeguards. And I think that the fear and unwillingness is more \na public admission as to what happens based on the fear of \nshareholder value repercussions, and at the same timeframe, \nbecause simply the economic gains could be so great in China. \nSo it is a very tough issue. But make no mistake, on the \ncybersecurity side, folks are doing a lot in the private sector \nwhen they are aware of the breach and have the resources to do \nsomething about it.\n    Then there are a lot of companies that are pre-aware that \nthey have had a security breach, and they could be making very \nimportant intellectual property for our country, but they \nsimply do not have the defenses to safeguard it. Those \ncompanies are beholden to standards legislation or regulations \nto create some kind of security posture, and it has been my \nexperience that if your sole driver for security is some kind \nof compliance, that compliance usually does not prevent the \nattacks we see.\n    So what can we do about it? What can the FBI or law \nenforcement do to help?\n    The FBI already conducts outreach to American companies \nthat have been compromised by advanced threat groups. Indeed, \nabout two-thirds of the breaches Mandiant responds to are first \ndetected by a third party. So if we do what we can to have--and \nthe detection could be the DOD, it could be the intel \ncommunity, but I have seen the communication come from the FBI. 
\nIf the FBI narrows that gap and notifies quicker, we can \neliminate the impacts and consequences of breaches.\n    And while private industry will not always win the battles \nbeing fought in cyberspace, if we share that information in a \ntimely and codified manner, what you will see is we can limit \nthe impact of the breaches, limit the consequences, and we just \nneed to be able to share that information, and I think law \nenforcement is the arm that can do that.\n    By establishing a system where law enforcement and the \nprivate sector share proactively and use this threat \ninformation, America will build a cyber defense that is \nactually dynamic. No one is getting any smarter from these \nbreaches today.\n    So with that, I would like to thank you very much for this \nopportunity to share with you.\n    [The prepared statement of Kevin Mandia appears as a \nsubmission for the record.]\n    Chairman Whitehouse. Thanks, Mr. Mandia.\n    Our next witness is Stewart Baker. He is a partner at \nSteptoe and Johnson here in Washington. From 2005 to 2009, he \nwas the first Assistant Secretary for Policy at then the early \nstages of the Department of Homeland Security. As an \nintelligence lawyer, Mr. Baker has also been general counsel to \nthe National Security Agency and general counsel to the \ncommission that investigated weapons of mass destruction \nintelligence failures that took place prior to the Iraq war.\n    Mr. Baker, welcome. Thank you.\n\n              STATEMENT OF STEWART BAKER, PARTNER,\n            STEPTOE AND JOHNSON, LLC, WASHINGTON, DC\n\n    Mr. Baker. Thank you, Mr. Chairman, Senator Graham. I am \ngoing to sound some of the themes that Kevin sounded and then \nturn to the question of what the role of the FBI and the \nJustice Department could be, should be. I will not spend too \nmuch time. As Kevin demonstrated, we are not likely to defend \nour way out of this problem. Defenses play an important role. 
I \nhave been very supportive of the legislation and the Executive \norder, but it is not enough. It is as though we were trying to \nsolve the street crime problem by telling pedestrians to buy \nbetter body armor every year. That is not a complete solution. \nWe have to find the criminals, and we have to deter them. I do \nnot have to preach to either of you about the importance of \nthat.\n    But in thinking about that, the real question is how can we \nbest reach the threats that are most troubling to Americans \ntoday, which is the government-protected attackers. And there \nit seems to me that both the Justice Department and the FBI \nsuffer from a lack of imagination about authorities and a lack \nof imagination about resources.\n    With respect to their authorities, prosecuting the people \nwho are attacking us who are protected by nation states is \ndeeply unlikely, and we need to find additional mechanisms for \ndeterring that activity. The administration is doing some \nnaming and shaming. That is a good thing. But we should be \nusing our visa authorities to say if you participate--if you \ntrain hackers in a country, if you hire hackers after they \nfinish their tour of duty as hackers in the government, you are \ngoing to have to cooperate in investigations, or you are not \ngoing to get visas to come to the United States.\n    The same thing is true for the Treasury Department which \ndesignates nationals with whom we will not do business. We will \nnot do business with people who are bad for human rights in \nRussia or in Belarus. We will not do business with people who \nare engaged in conflict diamond transactions. I think we should \ntake at least as much care to protect against people who are \nabusing human rights right here by breaking into the computers \nof dissidents and ordinary citizens. 
So we should be using \nthose tools as well.\n    I see that Senator McCain, Senator Levin, Senator Coburn, \nand Senator Rockefeller have just introduced a bill that goes \ndown this road, looking for tools to deter government-sponsored \nattacks. Just the names of the cosponsors gives me a lot of \nhope, and I think that the approach of looking for ways to \ndeter the beneficiaries of this espionage is really worth \npursuing.\n    Let me turn now to the question of resources, which is \nprofound and probably not solvable in our current budget \nsituation. Chairman Whitehouse talked about the JTF that \nnotifies people about attacks on their networks. This is \nenormously effective because many people do not know they have \nbeen exploited for months. But at the end of the day--and I \nhave worked with clients who have had this experience--the \nFBI's role basically is to figure out that somebody has been \ncompromised and to tell them. And maybe they can give them a \nlittle bit of advice, but, frankly, after that it is a little \nlike having somebody tell you your bicycle has been stolen. You \nare not going to get a lot of help from the police tracking \nthat bicycle down because they do not have enough cops to do \nit. And the FBI will not be able to help all the companies that \nthey are notifying. In fact, after they have put a few person-\ndays into the investigation and made the notice, the company is \nlargely on its own, and the company goes out and hires somebody \nlike Kevin Mandia or like Symantec, and it begins a process of \nspending hundreds of thousands of dollars, sometimes millions \nof dollars, to get the attackers out of its network and to \nfigure out who is attacking it.\n    We know from the report that Mandiant has done that they \ngather enormous volumes of information about who is actually \nattacking their clients. 
We should be working much more \neffectively to utilize that information to build it into \nmechanisms that will deter the attackers by outing them.\n    The biggest problem that I think we face is that even \nthough private sector resources are enormous and they are well \nfocused on particular attacks, we do not let the individuals \nwho are under attack or the experts whom they have hired go \nbeyond gathering evidence in their network and perhaps a few \nnetworks that will cooperate with them voluntarily inside the \nUnited States.\n    I am not calling for vigilantism. I am not calling for \nlynch mobs. But we need to find a way to give the firms that \nare doing these investigations authority to look beyond their \nown network, perhaps under guidance from the Justice \nDepartment, and certainly without doing harm to the networks \nthat they are investigating. They need to enter the networks \nwhere the hackers are storing all of their stolen data, to \nretrieve the stolen data, and to gather enough evidence to \nactually prosecute the attackers.\n    My deepest disappointment here, and the reason I think that \njust pouring more money into the Justice Department at this \npoint is a dubious proposition, is the Justice Department's \nreaction to that idea has been to pour as much cold water on it \nas they can, to say, ``We think that is a bad policy idea, and \nprobably illegal.'' Justice is deterring companies that want to \ninvestigate the people who are attacking them and provide that \ninformation back to the Government. 
Justice is saying, ``Well, \nyou can give the evidence to us, but we might indict you \ninstead of the hacker.'' That is just the wrong answer.\n    And so my suggestion would be that we find mechanisms to \nprovide the kind of oversight that is necessary so that we are \nnot just authorizing victims to shoot in the dark, but we are \nauthorizing people who know what they are doing to carry out \ninvestigations and pursue attackers back to what they currently \nthink is their safe haven in another country. If we do not do \nthat, we will never get to the bottom of most of these attacks.\n    Thank you.\n    [The prepared statement of Stewart A. Baker appears as a \nsubmission for the record.]\n    Chairman Whitehouse. Thank you.\n    Finally, Ms. McGuire from Symantec. Thank you for being \nhere, and thank you for so much that Symantec has done to be \nhelpful in our process of trying to get to legislation.\n\n         STATEMENT OF CHERI F. MCGUIRE, VICE PRESIDENT,\n          GLOBAL GOVERNMENT AFFAIRS AND CYBERSECURITY\n          POLICY, SYMANTEC CORPORATION, WASHINGTON, DC\n\n    Ms. McGuire. Thank you. Chairman Whitehouse----\n    Chairman Whitehouse. I think your microphone may need to be \nturned on.\n    Ms. McGuire. Thank you. Chairman Whitehouse, Ranking Member \nGraham, it is my pleasure to testify here before you today.\n    My name is Cheri McGuire, and I am the Vice President for \nGlobal Government Affairs and Cybersecurity----\n    Chairman Whitehouse. I should have done a more complete \nintroduction. Ms. McGuire served in various capacities at the \nDepartment of Homeland Security, including Acting Director and \nDeputy Director of the National Cybersecurity Division and the \nUS-CERT. So she comes not only with her experience at Symantec \nbut with considerable Government experience, and I am sorry I \nomitted that.\n    Please proceed.\n    Ms. McGuire. Thank you very much. 
So Symantec is the global \nleader in developing security software, and we have over 31 \nyears of experience in developing Internet security and \ninformation management technology. Today we have employees in \nmore than 50 countries and more than 21,000 employees with us.\n    In particular, I would like to mention our Global \nIntelligence Network, or what we call the GIN, which is \ncomprised of more than 69 million attack sensors in more than \n200 countries, where we record thousands of Internet events per \nsecond, which gives us incredible insight into the worldwide \nthreat landscape. In addition, every day we process more than 3 \nbillion email messages and more than 1.4 billion Web requests \nat our 14 global data centers.\n    As I said, these resources allow us to capture worldwide \nsecurity intelligence data that gives our analysts a view of \nthe entire Internet threat landscape.\n    A few key findings from our latest Internet Security Threat \nReport that I would like to share with you include a 42-percent \nrise in targeted attacks in 2012 and 93 million identities \nexposed through hacking, theft, and simple error.\n    In addition, we estimate that there were 3.4 million bot or \nzombie computers worldwide, and one in seven, or 15 percent of \nthese, were actually located in the United States. We also saw \na 52-percent rise in the threats to mobile devices.\n    Another disturbing trend was the expansion of what we refer \nto as ``watering hole attacks.'' These are efforts by attackers \nto compromise legitimate Web sites so that every visitor runs \nthe risk of infection. 
Criminals often use these sites to \ndistribute ransomware, which is a type of malware or type of \nmalicious software that locks a user's computer, displays a \nfake FBI warning, and attempts to extort money from the user in \nreturn for unlocking the computer, which, oh, by the way, \nusually does not get unlocked even after the user pays the \nextortion.\n    Now, Symantec participates in numerous industry \norganizations as part of our global commitment to fighting \ncyber crime as well as numerous public-private partnerships in \nthe U.S. and abroad to address these and other cyber threats. \nJust a few of these successful partnerships include the Norton \nCybersecurity Institute, the National Cyber Forensics and \nTraining Alliance, the FBI's InfraGard, the U.S. Secret \nService Electronic Crimes Task Force, and Interpol. I have \nprovided more information about each of these in my written \ntestimony, but I do want to highlight a few.\n    For example, 2 years ago, we established the Norton \nCybersecurity Institute to help address the critical shortage \nof investigators, prosecutors, and judges who are adequately \ntrained to handle complex cyber crime cases. Through the \nInstitute, we coordinate and sponsor technical training for law \nenforcement globally. 
We also publish the annual Norton Cyber \nCrime Report, which is one of the largest global cyber crime \nstudies that interviews more than 20,000 users globally across \n24 countries.\n    Another example that I would like to highlight is the \nNational Cyber Forensics and Training Alliance, which includes \nmore than 80 industry partners and provides members with real-\ntime cyber threat intelligence to help identify threats and \ntheir actors and which has been a key player in the fight \nagainst some of the financial sector intrusions that have \noccurred recently.\n    These partnerships have led to some notable successes, and \none example is the takedown earlier this year of the Bamital \nbotnet, which compromised millions of computers being used for \ncriminal activities such as identity theft and click fraud. \nThis takedown was the culmination of a multi-year \ninvestigation--many would say that it takes far too long to \ncomplete these investigations--and demonstrates what can be \ndone when private industry and law enforcement join forces to \ngo after cyber crime networks. I have also detailed in my \nwritten testimony similar successes in Operation Ghost Click as \nwell as Coreflood, which have been mentioned earlier in other \ntestimony today.\n    Unfortunately, these examples highlight just how much still \nneeds to be done. For a while we have seen some successful \nprosecutions and takedowns, as, Chairman Whitehouse, you \ndescribed in your opening statement, there are undoubtedly more \nand larger criminal rings that are operating today, and the \nrelative dearth of cases like these is not because the \nGovernment does not want to pursue them or because the \ncriminals are not out there. In fact, the investigators and \nprosecutors, at least we have found, are quite willing and many \nin the private sector are even eager to help. 
But, \nunfortunately, prosecuting cyber crime cases requires a highly \ntechnical understanding of how computers and networks operate \nas well as a deep knowledge of multijurisdictional legal \nissues.\n    There are simply not enough investigators, prosecutors, or \njudges with this technical training to keep up with the cyber \ncriminals. Thus, as you have already heard today, there is a \nlow bar for deterrence.\n    At Symantec, we are committed to improving online security \nand securing our most critical infrastructure as well as their \ndata across the globe, and we will continue to work \ncollaboratively with governments and industry on ways to do so.\n    Thank you again for the opportunity to testify, and I am \nhappy to answer any questions.\n    [The prepared statement of Cheri F. McGuire appears as a \nsubmission for the record.]\n    Chairman Whitehouse. Thank you. Let me thank all the \nwitnesses for their very helpful testimony.\n    I am going to turn immediately to Senator Graham, as his \nschedule is starting to tug at him, and I am going to be here \nuntil the end of the hearing. So, Senator Graham, let me thank \nyou very much again for being the Ranking Member on this and \nfor the intensity of your effort at protecting our Nation in a \nvariety of areas, but particularly in this new cyber area.\n    Senator Graham. Thank you, Mr. Chairman. Enjoy the easy \nquestion period you are about to embark upon, because he will \nbe back.\n    I really have learned a lot from Senator Whitehouse and the \nwitnesses today, but just to keep this sort of at a 30,000-foot \nlevel, Mr. Baker and Kevin, do you both agree that China as a \nnation state is actively involved in hacking into U.S. \ndatabases, banks, stealing intellectual property? Is that a \nfair statement?\n    Mr. Baker. Yes.\n    Mr. Mandia. I would agree that is the case.\n    Senator Graham. Could you give me, both of you, two pages \nof why you say yes? 
And I am going to take it to the Chinese \nAmbassador and ask him to give me a response.\n    Mr. Mandia. I will give you about a hundred pages, sir.\n    Senator Graham. Yes, which will be consolidated to two.\n    [Laughter.]\n    Mr. Baker. Yes, absolutely. Kevin's company has done the \nmost----\n    Senator Graham. Using very big words.\n    Mr. Baker. But other research----\n    Senator Graham. Russia?\n    Mr. Baker. Russia is harder to identify as a country \nbecause they are more stealthy.\n    Senator Graham. Well, let us rank the bad actors here. \nWould you say China is number one?\n    Mr. Mandia. China is the number one reason my company \ngrows. It doubles in size every year. So, yes, they are number \none.\n    Senator Graham. Good news/bad news, I guess.\n    Mr. Mandia. Yes.\n    Mr. Baker. China by far in terms of volume is the most \naggressive and is doing the most----\n    Senator Graham. Who would be second?\n    Mr. Mandia. There is a battle for second.\n    Senator Graham. Could you give me the top five?\n    Mr. Mandia. I think it aligns with safe harbors, so you are \ngoing to see Middle Eastern organizations emerging. It goes \nChina first, probably Russia second, but it has been my opinion \nthat the rules of engagement between Russia and America, it is \nalmost like we have worked it out. If we see the Russians--\ngenerally their government only hacks our Government. If we see \nthem, they tend to go away. The Chinese are like a tank through \na cornfield. They just keep mowing through it. And I think \nthere is an enormous gap between China first, Russia second. \nBut I think second is there is competition there. I think we \nare starting to see attacks coming out of the Middle East more \nat this point.\n    Senator Graham. Okay. Give me the top five, because I am \ngoing to get with Senator Whitehouse, and we are going to try \nto do something about this. 
We are going to try to put nation \nstates on notice that if you continue to do this, you are going \nto pay a price. And visa programs are all kinds of tools \navailable to us as politicians up here to put the bad actors on \nnotice, and maybe the immigration bill would be a good \nopportunity to do that. We have got to think outside the box.\n    Now, when it comes to cyber 9/11s--and I have got 2 minutes \nand 20 seconds--could you in 20 or 30 seconds describe what you \nthink a cyber 9/11 could look like? Mr. Baker, then----\n    Mr. Baker. Sure. Very briefly, if you can break into a \nnetwork, you can probably break it, and there are no networks \nin the United States, as far as I can tell, that have not been \nbroken into. So all of them can be attacked. And in many cases, \nyou can move to the equipment that runs on that and break that. \nWe demonstrated that when I was at DHS with a big generator. \nJust by sending code to it, we burned it up. And so the real \nrisk here is that an attacker that is determined could break \ninto our industrial control systems and wreck power systems, \npipelines, refineries, water, and sewage. You know, New York \nCity, without all of those things, is going to be a very \nunpleasant place, and if the crisis lasts for a week, it will \nfeel worse than 9/11.\n    Senator Graham. Do you have anything to add there?\n    Mr. Mandia. I think it is complex to determine what will \nhappen when somebody tries to bring down an electric grid. Even \nfrom the attacker's perspective, you may get unpredictable \nresults. I remember during the Super Bowl when the lights went \nout, everybody was, like, ``Was that cyber?'' But the results \nwould be very unpredictable. I would give you two things.\n    One, we should see and we might see shots across the bow \nbefore it happens. I do not think the first attack, if it is \ntruly remote, will be noticed. 
The catch is I think that if it \ndoes happen, it is going to come from a third grade classroom \nin Mississippi somewhere. It is going to come from an IP \naddress here in the States or from a human operator here in the \nStates, and then it will branch out from there.\n    The second thing is that hopefully we have the controls in \nplace--and this is what is most important--to know who did it, \nbecause I think the deterrence for that kind of act is outside \nof the cyber domain.\n    Senator Graham. Ms. McGuire, you mentioned about the law \nenforcement resources and model. How would you rate our legal \ninfrastructure in terms of providing the tools necessary to \nactively go out and attack cyber theft and create deterrence \nwithout all of us having to worry about more body armor? And \nfrom a resourcing point of view, how advanced are we? Give a \ngrade from A to F. Legal infrastructure and the resources \navailable to our Government to fight cyber crime.\n    Ms. McGuire. I think from a standpoint of our actual legal \ninfrastructure, we have a pretty strong legal infrastructure in \nthis country. But being equipped to address cyber crime, as I \nmentioned in my opening statement, is something that we need to \nplay catch-up with. There is quite a gap there because we just \ndo not have the number of investigators, prosecutors----\n    Senator Graham. Well, give us kind of a wish list of what \nyou think we would need to get to where we want to be.\n    Ms. McGuire. Well, I think that we clearly need more \ninvestigators, prosecutors, and judges who are equipped and \ntrained with the necessary skills to address these kinds of \nactions. That is a pretty big gap that we have today. The folks \nwho are out there are doing yeoman's effort. Probably most of \nthem would say they are overworked and they cannot keep up with \nthe volume that they are being presented with every day.\n    Senator Graham. 
I do not want to run over, but given the \nthreat and given the focus, is there a big gap there? He \nmentioned a security gap. Is there sort of a gap between the \nthreat we face as a Nation and the amount of resources we are \nsupplying to the threat, to meet the threat? How big is that \ngap?\n    Ms. McGuire. I do not know if I could actually quantify how \nlarge that gap is, but I think suffice it to say that there is \na gap. It is a significant gap. We are not putting enough \nresources against this today. What you mentioned earlier about \nthe way that we approach burglaries and robbers, we do not put \nthe same type of emphasis on cyber criminal and cyber crime \nactivity today in this country. We are making progress, but we \nhave got a really long way to go to catch up.\n    Senator Graham. Thank you, Mr. Chairman.\n    Chairman Whitehouse. Thank you, Senator Graham.\n    Let me do a couple of follow-ups. First of all, Mr. Mandia, \nwhen you mentioned that a big attack might very well come \nthrough a classroom in Mississippi or through somebody's \nindividual computer, you did not mean that it would be \noriginated there. You were referring to an attack starting \noverseas that would have come through a slaved computer there \nso that it would look as if that was the source. But clearly \nthat is the level of sophistication that our enemies are \noperating at, is that they could slave a Mississippi classroom \ncomputer to use that to vector attacks into our critical \ninfrastructure. Correct?\n    Mr. Mandia. That is absolutely the case. Almost every \nsingle attack that we currently respond to, there are hot \npoints in between, but they are all in the United States. These \nattacks are not coming straight out of China straight into the \nend victim. 
They are being routed through vulnerable sites, and \nthe real challenge that we have, sir, is that the protocols--\nnothing looks bad about the traffic going from a nation state \nto a third grade classroom in Mississippi. It is going to look \nlike normal access. It looks bad when it goes from a classroom \nto the real target. So it is going to be very complicated to \nprevent that.\n    Chairman Whitehouse. And if you are looking at--you \nmentioned China and Russia. If you are looking at what we would \ncall, for want of a better word--I do not think it is the best \nword, but it seems to be the word that has developed--\n``advanced persistent threats'' versus, say, botnets and big \ncriminal siphoning efforts, the Chinese effort is much more in \nthe direction of advanced persistent threats and of attacking \nour intellectual property and trying to insert potential \nsabotage, cyber sabotage, into our systems, and not so much \nengaged in botnets and that kind of activity; whereas, from the \nRussian side, there is both official and criminal network \nactivity, and that is much more involved in stealing and \nspamming and botnets. So they are a little bit two different \nproblem sets, depending on the source. Is that correct?\n    Mr. Mandia. That is correct, and at the highest level of \nabstraction, when you think botnet, I would think it is a \nconsumer problem, not necessarily an enterprise problem, but it \ndoes cross into companies having to deal with it, and it is a \ncriminal element using it. And then with the targeted attacks, \nthe criminal element uses them, but when you think economic \nespionage, most of those are targeted attacks, very \nsophisticated attacks.\n    Chairman Whitehouse. 
Now, if I heard you correctly in your \ntestimony, you said that two-thirds of the time when you \nrespond to a company that has said, ``We have been hacked,'' \nthey had no idea that they had been hacked until some \nGovernment agency warned them, often the FBI--usually the FBI, \nsometimes the Department of Homeland Security.\n    There was a time not too long ago--and I am just using my \nrecollection now--when my recollection is that both your \ncompany and the NCIJTF, the FBI operation, indicated that when \nthey went out, 90 percent of the time they were the bearers of \nbad news to companies that had no idea, a little bit like the \nU.S. Chamber of Commerce, which, while busily attacking our \nefforts to get legislation in this place, also had basically \nthe Chinese throughout all their systems right down to the \nfingernails for months and months and months and months, and \nhad no clue about that until the Government came and told them, \n``By the way, I think you have been hacked.''\n    Has it shifted from 90 percent to two-thirds? Is my memory \nfailing me or----\n    Mr. Mandia. No, no.\n    Chairman Whitehouse [continuing]. Something that has \nhappened where there is a little bit more awareness in the \nprivate sector now?\n    Mr. Mandia. I would not even equate it to awareness, sir. \nWe had a misleading figure. Quite frankly, when Mandiant \nreports that, it is based on the incidents that we respond to. \nI have been responding to Chinese intruders since 1996. Over \ntime, it is no longer the first time you are learning you have \nbeen compromised by these folks. So when you go through your \nsecond or third drill of being compromised from Chinese \nhackers, in general, your security posture gets to a point \nwhere you now detect it yourself.\n    So I think that is just a skew because last year we would \nhave told you over 90 percent, and I have been tracking this \nsince 1998. 
It has been over 90 percent third-party \nnotification since 1998 for the customers that I have serviced. \nAnd this is the first dip, and it is because we are responding \nfor the second or third or fourth time to organizations that \nhave detected it themselves because they have already lived \nthrough that first wake-up call from law enforcement.\n    Chairman Whitehouse. Now, would you describe some of the \ncompanies whom you provide services to as operating critical \ninfrastructure in America?\n    Mr. Mandia. Yes, I mean, the critical infrastructure \ndemarcation line is harder to find in some industries, but the \nanswer is yes.\n    Chairman Whitehouse. Do you see any difference among \ncompanies that operate critical infrastructure? Are they \ndemonstrably and noticeably better at this? Are they far away \nfrom the 90 percent, or are they more or less like any other \ncompany?\n    Mr. Mandia. It has been my experience that if there is a \nregulation or a standard imposed, aligned by your industry that \nyour security is, in fact, better in general than organizations \nthat maybe fall through the cracks of all the hodgepodge of \nstandards, legislation, and regulations out there. So if you \nare in a regulated industry, in general your security is \nbetter.\n    Chairman Whitehouse. So let us talk a little bit about what \nwe can do to increase security for critical infrastructure. Let \nme ask Ms. McGuire and Mr. Baker. You both have a background at \nthe Department of Homeland Security. It has been the Department \nof Homeland Security's task for some time to try to develop \nbetter defenses in the critical infrastructure sectors. We have \nalso heard I think from both of you that--the word ``dynamic'' \nkeeps popping up. This is a very dynamic threat. 
And if we said \nXYZ strategy or XYZ technology is the mandated defense, then \nwithin a week or a month or a year that would be obsolete, and \nnow we would be holding companies back from doing what they \nneeded to do because we would be requiring them to stay with an \nobsolete technology. That is, if we set the regulatory \nrequirements up in a very stupid and static way.\n    So what is your recommendation as to how we might go about \naccomplishing what Mandiant has suggested, which is that \nstandards help and we need to have them and we particularly \nneed them for critical infrastructure, with the same time the \ndynamic capability that is necessary to meet this evolving \nthreat? Ms. McGuire, then Mr. Baker.\n    Ms. McGuire. I think the key point here is this is not a \nsimple technology solution issue. You cannot just fix this with \ntechnology. It has to be a multi-pronged approach--many of us \nwould use the term ``defense in breadth''--that goes across all \nareas of a business. And----\n    Chairman Whitehouse. But, to interrupt, you cannot tell \nwhen a company has it and when they do not. So the fact that it \nis not just a technological solution does not mean that there \nis not a best practice solution out there, correct?\n    Ms. McGuire. Absolutely. You have got to have--first and \nforemost, you have got to have the technology that is properly \ndeployed and up-to-date in order to be your first line of \ndefense. And in most cases, we will catch most of those attack \nvectors and threats. But to Mr. Mandia's point, we are not \ngoing to catch everything. In the face of a sophisticated \nattacker that is well resourced, that has very deep roots of \nsponsorship, we will not be able necessarily to address those \nkinds of APTs and other types of threats.\n    So what has to happen is really a mesh or a standard risk \nmanagement approach. 
You have got to address this through \ncommon risk management principles, and that includes the \ntechnology, it includes training of personnel, it includes \nawareness of critical infrastructure owners and operators that \nthis threat is real. I think they are starting to get that now \nthat we are having more high-profile conversations around this \nwith events like Stuxnet in the past as well as the recent \nSaudi Aramco issue with the bricking of more than 30,000 \ncomputer devices, associated with control system devices that \noperate major pipelines. They are starting to have this \nawareness about the urgency and the importance of it.\n    There are a couple of other areas that we also need to \naddress, and that is information sharing, and information \nsharing is a tool. It is not the be-all, end-all, but it \ncertainly can help with the warning and the preparedness of \nthose critical infrastructure owners and operators. And the \ncommon standards question always comes up, and I think again, \nas you mentioned, they need to be dynamic and flexible enough \nto allow for the most modern and up-to-date technologies to be \nimplemented. But having the common standards that, for example, \nare being worked on through the Administration's Executive \norder right now that hopefully will raise the bar across all \nindustries, I think that will go a long way. It still remains \nto be seen, but that is a positive step forward.\n    Chairman Whitehouse. Mr. Baker, same question.\n    Mr. Baker. Yes, so not only can we not solve this with \ntechnology, the regulation is not the greatest tool here \nbecause, as we have seen, the things you should be doing keep \nchanging faster than the regulators can identify the things \nthat need to be done and start imposing sanctions. 
So if people \nare not actually willing to pursue security themselves, a pure \nregulatory solution will not solve the problem.\n    The good news, I think, is there is a way to think about \nthis----\n    Chairman Whitehouse. Unless perhaps the regulatory solution \nmeasures the pursuit rather than the solution.\n    Mr. Baker. That is what I was getting at. You know, when \nthey paint the Golden Gate Bridge, they never stop. They get to \nthe other end, and they go back to where they started and begin \npainting over again. And that is the security approach that \nprobably is our best. I start with who is attacking me, or who \nis likely to attack me. What tactics are they using now and \nlikely to use? How do I stop those tactics? I implement that. \nAnd then I say, okay, now that I have implemented those \nmeasures, who still wants to attack me and what tools are they \ngoing to use now? And I find a solution to that and implement \nit, and you just--you know, lather, rinse, repeat. That process \nis probably the only thing you could say for sure we are going \nto have to require people to do. And measuring that----\n    Chairman Whitehouse. It strikes me that there is an array \nof responses among operators of critical infrastructure to this \nproblem. Some of them are very forward in the foxhole. They are \nthrowing everything they can at the problem. And the danger \nthat regulation creates is that you actually interfere with and \nhold back their efforts. And there is a price to be paid if \nthat is the effect.\n    At the same time, there are free riders and people who just \nfigure, well, you know, why should I spend the money this \nquarter when what are the chances if it is really happening \nnow, and, by the way, it is probably such a big catastrophe \nthat the Government is going to come in and save my rear end \nanyway, and so there are laggards and free riders and cheats on \nthe system, basically. 
And without a standard, they will \ncontinue to be laggards and free riders and cheats. And so \nthere is a significant cost to not having any standard as well.\n    Where I come down on that is that there needs to be a \nstandard, but it needs to be dynamic, and it needs to measure \npursuit rather than any static point.\n    Mr. Baker. The one area where I think there has already \nbeen a sort of distortion due to regulation and where we should \nbe trying to find a way to use the existing regulatory schemes \nare some of the data breach notification laws say you do not \nhave to notify if you had encryption. People are spending a lot \nof their security budget putting encryption on the hard drives \nof laptops so that if they get lost, they do not have to \ndisclose that they had a breach. That is probably not their \nbiggest threat, but it is the one that hurts the most. And so \nfinding a way to get the FTC and the State Attorneys General to \nfocus more on security as a whole rather than just this one \nthing is probably useful.\n    Chairman Whitehouse. Mr. Mandia, any thoughts on the \npursuit versus static regulatory problem? You deal with a lot \nof these companies as well.\n    Mr. Mandia. I think when you look at legislation, I think \nit is a very complicated matter, and I have had these \ndiscussions for 15 years on how do you legislate security \nbenchmarks. I think that is very complicated. I think that \naligns by industry, and I think the private sector for the most \npart is doing a lot of that themselves.\n    I think what I have heard here makes a lot of sense. 
If you \ncan push for an agile defense mechanism here in the United \nStates that our companies can take threat intelligence being \nshared with it and have the technology and the means processes \nto do something with it, I think that is a great next step to \ncover that security gap.\n    I think there is already a hodgepodge of standards, \nlegislation, and regulations that are covering the 80 percent \nof the problem out there, the white noise. But when we want to \ndeal with the nation state, 10 to 20 percent of the problem, I \nthink what needs to be pushed now is the means for the \nGovernment to be able to share intelligence with the private \nsector, the private sector to get it to the private sector \nwithout enormous liabilities in doing so, and just start that \ninformation sharing in a codified way where we can make it \nactionable quicker.\n    Chairman Whitehouse. But all three of you agree that among \nthe operators of critical infrastructure in this country, you \ncan find companies that are not doing what they should be doing \nin this area and that are either just not paying the attention \nthat it deserves or have made the economic decision not to \ninvest or are just basically playing the role of the laggard \nand the free rider and letting other people drive it forward. I \nsee--is that a yes, yes, and yes across the board?\n    Mr. Mandia. I have a slightly differing opinion. I can say \nmost of the organizations that we have responded to had \nbreaches that were probably unreasonable to prevent. So we \nrespond to over 30 of the Fortune 100. I do not think they had \nbad security. I think they were probably all getting a check in \nthe go box for compliance with pretty aggressive standards, yet \nthey were still breached. 
When it comes to the critical \ninfrastructure, as I sit here today thinking about it, the \nmajority of the organizations we have assisted had security \nprograms that were mature and above compliance, yet they were \nstill breached. But I am giving you an unfair frame of \nreference because we are responding to the highest end, that 10 \nto 20 percent of the breaches that are hard to prevent.\n    Chairman Whitehouse. There are really two problems. One is \nthat even the high performers remain vulnerable to breach by \nvery highly qualified and persistent attackers. And at the same \ntime, there is a considerable set of critical infrastructure \noperators who make it easy by simply not being up to basic \nstandards.\n    Mr. Mandia. Sir, I would just describe in 10 seconds, as if \nyou are a B in security or an F in security, the attackers that \nMandiant responds to have the exact same chance of getting in. \nThe only thing that separates the A's in security from the B's \nis the A's will detect the successful attack themselves, the \nB's will not. And we are responding to some A's and some B's \nright now.\n    Chairman Whitehouse. Back to the point that I have heard \nmany people articulate in this area, and that is that if you \nare looking at a company, it is in one of two categories: It \neither has been hacked and knows it, or it has been hacked and \ndoes not know it. But that any company of significance has all \nbeen hacked, and I think it was also important--Senator \nKlobuchar and Senator Coons both mentioned the interest in \nsmall business. 
As the attack broadens, small businesses, \nparticularly those that have a specialized process or product \nor skill that is susceptible of being stolen and then \nreplicated without having to pay license fees and without \nhaving to invent it on your own, are becoming more and more the \ntarget, particularly if they are in the supply chain to the \ndefense industrial base.\n    So we get to a point where, if you are a small shop in \nRhode Island that is the best place in the world at \nmanufacturing a very specific kind of metals technology, that \nis what we want you to be doing. We do not want you to have to \nstop everything and try to bring in best of class cybersecurity \nin the same way that a Raytheon or a McDonnell-Douglas or some \nreally major contractor would, and yet they are just as much at \nrisk. I think we all agree.\n    Well, let me thank all of you. I know you work hard in this \narea every day and you think in very dynamic ways about this \nproblem, and I look forward to working with all of you as we go \nforward. I will accept Senator Graham's invitation or \nsuggestion that we try to come up with something on visas, \nperhaps in the framework of the immigration bill that is now \npending. But as I said to the first panel, we are also re-\nengaging and trying to basically do cyber legislation 2.0 now \nthat the Executive order is in place, and we look forward to \ntalking with all of you about the substance of that legislation \nand also to having you help us in communicating with our \ncolleagues both the nature and the importance of this problem. \nSo this has been very helpful. I am very grateful to all of \nyou.\n    The hearing will stay open for a week if anybody wishes to \nadd anything to the record of the hearing. 
If I have not done \nit already, then by consent I will add the piece that Lindsey \nGraham and I wrote into the record of the hearing, and with \nthat, we will stand adjourned.\n    [Whereupon, at 10:54 a.m., the Subcommittee was adjourned.]\n    [Additional material submitted for the record follows.]\n\n                            A P P E N D I X\n\n              Additional Material Submitted for the Record\n\n                                 [all]\n</pre></body></html>\n"