[Senate Hearing 113-827]
[From the U.S. Government Publishing Office]

                                                        S. Hrg. 113-827

                     CYBER THREATS: LAW ENFORCEMENT
                      AND PRIVATE SECTOR RESPONSES

=======================================================================

                                HEARING

                               before the

                  SUBCOMMITTEE ON CRIME AND TERRORISM

                                 of the

                       COMMITTEE ON THE JUDICIARY
                          UNITED STATES SENATE

                    ONE HUNDRED THIRTEENTH CONGRESS

                             FIRST SESSION

                               __________

                              MAY 8, 2013

                               __________

                          Serial No. J-113-17

                               __________

         Printed for the use of the Committee on the Judiciary

    
    
    
                         U.S. GOVERNMENT PUBLISHING OFFICE 

98-755 PDF                     WASHINGTON : 2016 
    
                    COMMITTEE ON THE JUDICIARY

                  PATRICK J. LEAHY, Vermont, Chairman
DIANNE FEINSTEIN, California         CHUCK GRASSLEY, Iowa, Ranking 
CHUCK SCHUMER, New York                  Member
DICK DURBIN, Illinois                ORRIN G. HATCH, Utah
SHELDON WHITEHOUSE, Rhode Island     JEFF SESSIONS, Alabama
AMY KLOBUCHAR, Minnesota             LINDSEY GRAHAM, South Carolina
AL FRANKEN, Minnesota                JOHN CORNYN, Texas
CHRISTOPHER A. COONS, Delaware       MICHAEL S. LEE, Utah
RICHARD BLUMENTHAL, Connecticut      TED CRUZ, Texas
MAZIE HIRONO, Hawaii                 JEFF FLAKE, Arizona
            Bruce A. Cohen, Chief Counsel and Staff Director
        Kolan Davis, Republican Chief Counsel and Staff Director
                                 ------                                

                  Subcommittee on Crime and Terrorism

               SHELDON WHITEHOUSE, Rhode Island, Chairman
DIANNE FEINSTEIN, California         LINDSEY GRAHAM, South Carolina, 
CHUCK SCHUMER, New York                  Ranking Member
DICK DURBIN, Illinois                TED CRUZ, Texas
AMY KLOBUCHAR, Minnesota             JEFF SESSIONS, Alabama
                                     MICHAEL S. LEE, Utah
                Stephen Lilley, Democratic Chief Counsel
                Sergio Sarkany, Republican Chief Counsel
                
                            C O N T E N T S

                              ----------                              

                         MAY 8, 2013, 9:05 A.M.

                    STATEMENTS OF COMMITTEE MEMBERS

Graham, Hon. Lindsey, a U.S. Senator from the State of South 
  Carolina
Whitehouse, Hon. Sheldon, a U.S. Senator from the State of Rhode 
  Island

                               WITNESSES

Witness List
Baker, Stewart A., Partner, Steptoe and Johnson LLP, Washington, 
  DC
    prepared statement
Demarest, Jr., Joseph M., Assistant Director, Cyber Division, 
  Federal Bureau of Investigation, Washington, DC
    prepared statement
Durkan, Hon. Jenny A., United States Attorney, U.S. Department of 
  Justice, Western District of Washington, Seattle, Washington
    prepared statement
Mandia, Kevin, Chief Executive Officer, Mandiant Corporation, 
  Alexandria, Virginia
    prepared statement
McGuire, Cheri F., Vice President, Global Government Affairs and 
  Cybersecurity Policy, Symantec Corporation, Washington, DC
    prepared statement

                MISCELLANEOUS SUBMISSIONS FOR THE RECORD

Graham, Hon. Lindsey, a U.S. Senator from the State of South 
  Carolina, and Hon. Sheldon Whitehouse, a U.S. Senator from the 
  State of Rhode Island, Providence Journal eEdition, 
  ``Protecting against cyber-attacks,'' April 9, 2013, Op-Ed 
  article
United States Department of Defense, Annual Report to Congress, 
  Military and Security Developments Involving the People's 
  Republic of China 2013, annual report excerpt
 
                     CYBER THREATS: LAW ENFORCEMENT
                      AND PRIVATE SECTOR RESPONSES

                              ----------                              


                         WEDNESDAY, MAY 8, 2013

                      United States Senate,
               Subcommittee on Crime and Terrorism,
                                Committee on the Judiciary,
                                                    Washington, DC.
    The Subcommittee met, pursuant to notice, at 9:05 a.m., in
Room SD-226, Dirksen Senate Office Building, Hon. Sheldon 
Whitehouse, Chairman of the Subcommittee, presiding.
    Present: Senators Whitehouse, Klobuchar, and Graham.
    Also present: Senator Coons.

         OPENING STATEMENT OF HON. SHELDON WHITEHOUSE,
         A U.S. SENATOR FROM THE STATE OF RHODE ISLAND

    Chairman Whitehouse. Good morning. I will call this hearing 
to order. I believe that Senator Graham will be joining us, but 
in the interest of getting underway on time, we have been 
cleared to proceed and await his arrival during the course of 
the hearing.
    I would like to note today's hearing will consider Cyber 
Threats: Law Enforcement and Private Sector Responses. This, as 
press reports indicate every day, is an extremely important and 
timely topic. Indeed, I would like to add, without objection, 
to the record of this proceeding two pages from the Department 
of Defense Annual Report to Congress that just came out saying, 
among other things, China is using its computer network 
exploitation capability to support intelligence collection 
against the U.S. diplomatic, economic, and defense industrial 
base sectors that support U.S. national defense programs. 
Obviously, there is a lot more to this issue than just that, 
but it is an indication of the timeliness and importance of our 
concern here.
    [The information referred to appears as a submission for 
the record.]
    Chairman Whitehouse. Technology continues to expand into 
every area of modern life. Our power stations, our dams, and, 
as the Defense report said, our defense industrial base are all 
online. And even everyday items like our cars, our home alarm 
systems, even our refrigerators, are increasingly connected to 
the Internet.
    Unfortunately, these innovations have been accompanied by 
new threats to our prosperity, to our privacy, to our 
intellectual property, to our very national security.
    This Subcommittee has heard previously about hackers who 
have taken over the web cams of unsuspecting Americans' 
computers. We have heard about hacktivists like Anonymous using 
distributed denial-of-service attacks against financial 
institutions. We have heard about criminal rings that use 
botnets to send spam, to send spear phishing emails, to capture 
and sell Americans' credit card information, or to engage in 
click fraud, scareware, or ransomware schemes.
    And, finally, we have heard about the advanced persistent 
threats that have allowed foreign entities to steal enormous 
quantities of American intellectual property and to worm their 
way into our American critical infrastructure.
    This hearing will consider our Nation's law enforcement 
response to these threats. Our first panel will include 
witnesses from the Department of Justice and the Federal Bureau 
of Investigation. It will consider their strategies to combat 
the broad array of cyber threats and the resources that they 
have brought to bear to execute those strategies.
    The second panel will discuss the private sector's role in 
responding to these threats. It will consider a recent 
investigatory report based solely on public information that 
indicates that members of the Chinese military have sponsored 
or engaged in sophisticated and extensive cyber espionage, 
including industrial espionage. And it will evaluate the role 
of the private sector in investigating, preventing, and 
responding to such crimes and intrusions.
    I would start this discussion by noting that the Justice 
Department and the FBI both already have done some important 
work to address the cyber threats facing our Nation. In March 
2012, for example, charges were unsealed against the former 
head of the hacktivist groups Anonymous and LulzSec and against 
four other members of Anonymous or LulzSec and a member of 
AntiSec, another hacking group.
    Earlier this year, the Justice Department secured the 
conviction of a 25-year-old Russian who had operated and 
controlled the Mega-D botnet. And in April 2011, the FBI and 
the Justice Department engaged in a civil lawsuit to bring down 
the Coreflood botnet.
    The Justice Department and the FBI also have developed the 
FBI's National Cyber Investigative Joint Task Force and the 
Justice Department's National Security Cyber Specialists' 
Network. I am glad that the Department and the FBI have taken 
each of these important steps, but much more, as the Department 
concedes, needs to be done.
    I was disappointed to learn, for example, that the team 
that took down the Coreflood botnet was not kept together for 
the purpose of taking down other comparable botnets. The four-
star general heading our military's Cyber Command has said that 
our country is on the losing end of the greatest transfer of 
wealth by illicit means in history. It is all well and good to 
complain about such thefts through diplomatic channels, but at 
some point you need to stop complaining and start indicting. 
The Justice Department has not indicted, to my knowledge, a 
single person for purely cyber-based trade secret theft.
    I am sympathetic that the Justice Department and the FBI 
lack adequate resources to respond to the severe cyber threat. 
As the witnesses will testify shortly, these are immensely 
complex and challenging cases to put together. The 
administration, of course, agrees, and its 2014 budget includes 
a request for 60 new cyber agents at the FBI, 16 new cyber 
attorneys in the National Security Division, and 9 new cyber 
attorneys in the Criminal Division.
    As welcome as this request is to many of us, we must also 
ensure, however, that the resources are deployed wisely. 
Accordingly, I will be inquiring today if appropriate 
structures, whether task forces or centers of excellence, are 
being employed; whether attorneys and agents are properly 
dedicated to cyber work, not just carrying the badge of a cyber 
attorney and listening to the conference call on mute while 
they do their other work; whether they are tasked with goals of 
achievable scope; and whether the attorneys and agents are 
properly evaluated and recognized for that work.
    I will close my opening remarks by adding that a law 
enforcement frustration and a frustration that has affected 
this very hearing is the unwillingness of many corporations to 
cooperate for fear of offending the Chinese Government and 
suffering economic retaliation. The shadow of China's heavy 
hand darkens the corporate world and has even shadowed this 
hearing.
    I look forward to an important discussion on our Nation's 
response to the cyber threats that we face. I thank all the 
witnesses who are here to participate today, and I will call 
the first panel right now. I will introduce both now so that 
they can move from the testimony of one to the testimony of the 
next.
    We will begin with Jenny Durkan. Ms. Durkan is the United 
States Attorney for the Western District of Washington. She is 
on the Attorney General's Advisory Committee of United States 
Attorneys, and she is the chair of the AGAC's Subcommittee on 
Cyber Crime and Intellectual Property Enforcement. Prior to 
beginning her service as U.S. Attorney in 2009, Ms. Durkan was 
in private practice representing a variety of clients in civil 
and criminal litigation. She is a graduate of the University of 
Notre Dame and received her law degree from the University of 
Washington.
    With her today is Joseph Demarest. Mr. Demarest is the 
Assistant Director of the Cyber Division at the Federal Bureau 
of Investigation. In that role he manages over 600 employees 
dedicated to the investigation of both national security and 
criminal computer intrusions. He joined the FBI as a special 
agent in 1988 and has served in a number of roles within the 
Bureau, including as a SWAT team leader in the New York 
Division, as shift commander for the PENTTBOM investigation, 
and as Assistant Director of the International Operations 
Division.
    I welcome both of the witnesses here, and before we ask you 
to begin your testimony, I will also welcome my wonderful 
Ranking Member, who has demonstrated intense interest and 
commitment to this issue, and invite him, if he wishes, to make 
any opening remarks he might care to.

           OPENING STATEMENT OF HON. LINDSEY GRAHAM,
        A U.S. SENATOR FROM THE STATE OF SOUTH CAROLINA

    Senator Graham. Well, most of what I know about the 
cybersecurity threat comes from Senator Whitehouse--which is a 
damning indictment to him.
    [Laughter.]
    Senator Graham. But, no, I have really enjoyed working with 
our Chairman here, who I think understands the threat as well 
as anyone in the Congress and, when it comes to the private 
sector, has the most practical solution of trying to get the 
private sector to harden their critical infrastructure through 
voluntary standards, best business practices, with liability 
protection as the reward. So I am looking forward to the 
hearing.
    Chairman Whitehouse. Ms. Durkan, why don't you proceed with 
your testimony? We obviously will put your entire very 
comprehensive statement into the record of this proceeding, but 
if you could keep your oral statement to about 5 minutes, that 
would be helpful so that we can engage in some conversation 
afterwards and leave time for the next panel.
    Ms. Durkan.

        STATEMENT OF HON. JENNY A. DURKAN, UNITED STATES
 ATTORNEY, WESTERN DISTRICT OF WASHINGTON, SEATTLE, WASHINGTON

    Ms. Durkan. Thank you. Good morning, Mr. Chairman, Ranking 
Member Graham. Thank you for the opportunity to testify on 
behalf of the Department of Justice regarding the investigation 
and prosecution of cyber threats and the resources required to 
do so. I thank each of you for your leadership in this area. 
The articles you have written show your great grasp of the 
array of threats that we face.
    As United States Attorney, I see the full range of threats 
that our communities and our Nation face. Few things are as 
sobering as the daily cyber threat briefing that I receive. 
Technology is changing our lives. We have witnessed the rapid 
growth of important businesses, life-saving technologies, and 
new ways to connect our society. Unfortunately, the ``good 
guys'' are not the only innovators. We have also seen a 
significant growth in the number and the sophistication of bad 
actors exploiting the new technology.
    Seeking profit, international rings have stolen large 
quantities of personal data. Criminal groups develop tools and 
techniques to disrupt our computer systems. State actors and 
organized criminals have demonstrated the desire and the 
capability to steal sensitive data, trade secrets, and 
intellectual property.
    One particular area of concern is the computer crimes that 
invade the privacy of every individual American. Every day 
criminals hunt for our personal and financial data which they 
use to commit other fraud or sell to criminals. As you will 
hear from the next panel, the potential victims range in the 
tens of millions.
    The national security landscape has also undergone a 
dramatic evolution in recent years. Although we have not yet 
experienced a devastating terrorist cyber attack, we have been 
the victim to a range of malicious cyber activities that are 
testing our defenses, targeting our valuable economic assets, 
and threatening our Nation's security.
    There can be no doubt: Cyber threat actors pose significant 
risks to our national security, our communities, and our 
economic interests. Addressing these complex threats requires a 
unified approach that incorporates criminal investigative 
tools, civil and national security authorities, diplomatic 
efforts, public-private partnerships, and international 
cooperation. Criminal prosecutions, whether in the United 
States or abroad, play a central and critical role in these 
efforts. We need to ensure that throughout the country the 
Department of Justice's investigators and prosecutors have the 
resources and forensic capabilities they need to meet this 
evolving threat, and we thank this Committee for its support in 
those efforts.
    The Department of Justice has organized itself to ensure we 
are in a position to aggressively meet this threat. The 
Criminal Division's Cyber Crime and Intellectual Property 
Section works with a nationwide network of over 300 Assistant 
United States Attorneys who are designated as ``Computer 
Hacking and Intellectual Property'' prosecutors. Mr. Chairman, 
we will address that question. They are doing the work in the 
field. They lead our efforts to investigate and prosecute cyber 
crime offenses.
    The Department's National Security Division pursues 
national cyber threats through a variety of means, including 
counterespionage and counterterrorism investigations and 
prosecutions.
    Recognizing the diversity of this threat, last year we did 
form what, Mr. Chairman, you have noted, the National Security 
Cyber Specialists. This network brings together the 
Department's full range of expertise in this area, drawing on 
experts from the National Security Division, the U.S. 
Attorney's Office, the Criminal Division, and other components. 
There is a national security cyber specialist designated in 
every United States Attorney's Office across the country. These 
combined efforts have led to great successes. I hope to address 
some of them later here today.
    But, as said, despite these successes, the number of 
intrusions continues. Because of the very serious nature of the 
cyber threats and the pressing need to respond, the 
administration is asking for enhancement of the budget to 
target this critical program. Most of this is addressed to the 
FBI so that we can do more ground research. An additional 
request of the $92.6 million is to the National Security 
Division because we must address this increasing national 
security threat and to the Criminal Division so that we have 
the resources we need to deal with this internationally.
    Mr. Chairman, Ranking Member Graham, thank you for the 
opportunity to testify here today. The country is at risk. 
There is much work to be done. But we look forward to working 
with your Committee.
    Thank you.
    [The prepared statement of Hon. Jenny A. Durkan appears as 
a submission for the record.]
    Chairman Whitehouse. Thank you very much, Ms. Durkan.
    Assistant Director Demarest.

          STATEMENT OF JOSEPH DEMAREST, JR., ASSISTANT
          DIRECTOR, CYBER DIVISION, FEDERAL BUREAU OF
                 INVESTIGATION, WASHINGTON, DC

    Mr. Demarest. Thank you, Chairman. Chairman Whitehouse, 
Senator Graham, and distinguished Members of the Committee, I 
am pleased to appear before you today to discuss the cyber 
threat, how the FBI has responded to it, and how we are 
marshaling our resources currently and strengthening our 
partnerships to more effectively combat the increasingly 
sophisticated adversaries we face in cyberspace.
    As the Subcommittee is well aware, the 21st century brings 
with it new challenges, in which national security and criminal 
threats strike from afar through computer networks, with 
potentially devastating consequences. These intrusions into our 
corporate networks, personal computers, and Government systems 
are occurring every day. Such attacks pose an urgent threat to 
our Nation's security and economy. We face these significant 
challenges in our efforts to address and investigate cyber 
threats, and we are currently prioritizing our immediate and 
long-term needs for strategic development in order to best 
position ourselves for the future.
    We have made great progress since the Cyber Division was 
first created in 2002. We have seen the value of its trusted 
partnerships and worked tirelessly to support and improve them. 
Providing the information that is needed to secure our networks 
demands cooperation, and cyber vulnerabilities are magnified 
when you consider the ever-connected, interdependent ecosystem 
of the cyber world.
    We follow a one-team approach in our partnerships with the 
U.S. intelligence community, law enforcement, private industry, 
and academia. We significantly increased the hiring of 
technically trained agents, analysts, and computer scientists. 
We have placed cyber specialists in key global locations to 
effectively facilitate the investigation of cyber crimes 
affecting the U.S. And while we are pleased to report our 
progress, we recognize that we must be proactive in order to 
effectively address the threats that we face.
    Next Gen Cyber. The FBI's Next Gen Cyber Initiative has 
enhanced the FBI's ability to collect, analyze, and act on 
information related to cyber intrusion investigations at FBI 
headquarters and throughout our 56 domestic field offices, 400 
resident agencies, and with the intelligence community and law 
enforcement partners, both domestically and overseas. 
Implementation of the initiative is focused in four areas:
    First, the NCIJTF, the National Cyber Investigative Joint 
Task Force, in Chantilly, Virginia. A key part of the 
intergovernmental effort is the FBI-led National Cyber 
Investigative Joint Task Force. Since its formulation in 2008 
by Presidential directive, the NCIJTF has made significant 
progress in developing its capabilities and operational 
coordination as well as expanding its interagency leadership to 
now include increased personnel from 19 partner agencies and 
Deputy Directors from five key agencies.
    A second key element on this initiative is the 
restructuring and expansion of the FBI's network of field 
office Cyber Task Forces, which emulate the successful Joint 
Terrorism Task Force model in our Counterterrorism Division. 
And just last year--just this past year, the FBI has formally 
established a Cyber Task Force in each of our 56 field offices, 
staffed by cyber-specialized agents, analysts, and other agency 
participants. In the future, each CTF, or Cyber Task Force, 
will continue to grow its capabilities, leveraging nationally 
developed systems, investigative efforts, and expanding its 
membership with a key focus to add additional State and local 
participants.
    Third, the FBI is committed to advancing the capability of 
our cyber work force and the supporting enterprise 
infrastructure. We established our High-Technology Environment 
Training--HiTET--initiative to enhance the technical 
proficiency of special agents, intelligence analysts, 
professional staff, and task force officers through online 
training. The current results of this effort are increased 
efficiencies and improved information analysis.
    Since the rollout of Next Gen Cyber, the FBI has expanded 
visibility into the source of cyber threat activities and 
dramatically increased its cyber intelligence reporting.
    Last but not least, the FBI is working to strengthen both 
local and national information sharing and collaboration to 
support success in investigation, intelligence operations, and 
disruption operations. To support this, we adopted an incident-
reporting and collaboration system called ``eGuardian,'' used 
successfully by our Counterterrorism Division and tailored it 
for cyber reporting.
    Further, we are deploying a platform called ``iGuardian'' 
to enable trusted private industry partners to also report 
cyber incidents in a secure and efficient manner to the FBI, 
and we are leveraging intelligence from the NCIJTF to 
effectively identify and notify cyber victims.
    As the Committee knows, we face significant challenges in 
our efforts to combat cyber crime. We are optimistic that by 
identifying and prioritizing strategic areas for change, the 
FBI will position itself to neutralize national security and 
criminal threats of the future. We look forward to working with 
the Committee and Congress, sir, as a whole to determine a 
course forward to ensure our success in addressing cyber 
threats.
    Thank you once again, Chairman, for the invitation to 
appear before you today. I would be more than happy to take any 
questions you may have.
    [The prepared statement of Joseph M. Demarest, Jr., appears 
as a submission for the record.]
    Chairman Whitehouse. Terrific. Well, first of all, let me 
thank you both very much. I immensely appreciate the work you 
are doing. Ms. Durkan, I know it is a considerable honor to be 
selected and confirmed as United States Attorney. It is an even 
greater honor when you are in the ranks to be selected to serve 
on the Attorney General's Advisory Committee, and your work to 
focus on cyber crime and cyber terror as the Chair of that 
Subcommittee I think is something that we should all be very 
proud of. And, Agent Demarest, you have been working this beat 
for a while. Nobody has more passion for it than you, so I am a 
little bit preaching to the choir, but I do want to try to give 
both of your organizations a bit of a shove through this 
hearing to be a little bit more forward on this issue.
    One of the ways you measure legal outcomes is results. Your 
testimony, Ms. Durkan, talked about the importance of 
prosecution both as a deterrent and as a punishment. And yet 
the level of actual legal activity does not seem to be all that 
great. The Coreflood botnet was taken down I think well over a 
year ago. I think we are actually through the stage where the 
participants have had their Attorney General awards, and I am 
glad that they were recognized for that very important piece of 
work. But as I understand it, this was a group that was sort of 
cobbled together from a variety of different offices, and at 
the conclusion of that effort, it was basically allowed to just 
disappear back to those original offices rather than continue 
the process of cleaning up and attacking botnets.
    As you know, Microsoft has done at least four that I can 
think of, civil cases to go to court and get an order to clear 
botnets out of the system. So it is not impossible for the 
Justice Department to have done more than one.
    On the side of our intellectual property theft, we have, I 
think, primarily the Chinese attacking exceedingly vigorously 
not only our national defense infrastructure in order to try to 
hack into things like how our jets work, how our guidance 
systems work, so that they can imperil our military in the 
event that we were to end up in a military conflict with them, 
but they are also just plain trying to steal stuff so they can 
give it to their companies so they can build it without either 
inventing it or paying us for the intellectual property rights. 
And that has been described as the biggest transfer of wealth 
in the history of humankind. And to my knowledge, the 
Department has done exactly zero cases involving a pure cyber 
intrusion to steal intellectual property and back out. They 
have done some intellectual property theft cases where somebody 
left with a CD in their pocket, kind of the old-school version, 
but they have not done any cases left yet. So the results are a 
little bit--do not send the signal yet that we are where we 
need to be.
    When you try to look at the structure, it is not clear that 
the structure is firmly in place for this. This has been a 
considerable issue for some time, and yet it is, I think, last 
year that the expert corps began at the Department of Justice. 
Your testimony, Ms. Durkan, is that the Department is 
developing ``threat focus'' cells. The NCIJTF is a wonderful 
effort. I have been out there, and I think the people who are 
there are doing great work. But my impression of it was that 
they are working so hard out there just to try to figure out 
who is coming through the windows and trying to keep track of 
them and trying to warn businesses that somebody is now in 
their system that there really has not been the capability to 
sit down and take that information and turn it into a 
prosecution package and put it into play in a U.S. Attorney's 
Office and go and put somebody on the business end of an 
indictment. I am not even aware of any grand juries that are 
active in this area at this point.
    So I think that I want to applaud--and I am sure it is 
thanks to both of your leadership that both the U.S. Attorney's 
Offices, the Department of Justice, and the FBI are rethinking 
the structure that needs to deploy this effectively. If this 
really is a national security threat of the type that every 
major administration figure says, if this really is the biggest 
transfer of wealth in the history of humankind through illicit 
means, we are still pretty underresourced for it when you put 
it up against--we have got a DEA just to deal with narcotics. 
We have got ATF just for alcohol, tobacco, firearms, and bombs. 
Where are we in terms of what are we doing about this new 
threat?
    So I want to applaud you for your own personal commitment 
in this issue, but I really do want to continue to push both 
the Department and the Bureau to resource this up. We will do 
everything we can to support your efforts to enhance the 
resources in the way that the budget requests--at least I will 
firm up this structure so it is clear that the people who are 
on the list as doing cyber work are, in fact, doing cyber work 
and not just--I have been a U.S. Attorney, I know the drill. 
Somebody has to get on the phone, somebody who is the cyber 
person, out goes the conference call, and so there is an AUSA 
in the offices across the country sitting there listening with 
the call on mute. That is not the way to fight this battle, and 
we should not really be counting those--it is a valuable 
function, but we should not be counting them as full-time cyber 
folks if that is the sum of what they are doing.
    I like this notion of the threat focus cells that are being 
developed. Could you tell me, both of you, a little bit more 
about the new steps, the new structure that you are looking at 
for implementing the cyber and where on the curve between 
behind the curve and way behind the curve that we are in terms 
of the resources necessary to do this? Ms. Durkan, why don't 
you go ahead first?
    Ms. Durkan. Thank you, Senator. Let me unpack that a little 
bit.
    First, let me say that I want to talk a bit about results, 
structure, and grand juries. You know, in the last 3 years I 
have been United States Attorney and served in this role as a 
cyber crime task force, the threat has evolved enormously. But 
I will say also so has the Department's response and our 
forward-looking nature. There is no one solution to this cyber 
threat, and no one part of Government can fix it alone.
    As Mr. Demarest said, we have to have a one-team approach 
so every aspect of Government is working together, and we have 
to work with the private sector.
    For example, in my district we have a very strong outreach 
to private enterprise to see what they are doing, see what the 
threats they are seeing to see what we can address. If we can 
prosecute someone, believe me, we will do it, and we have done 
it.
    I want to report that results actually have been very good, 
and I will use my own district as an example. Even in the areas 
of botnets, our district was the center of a botnet 
investigation. Some people know it as the Conficker botnet. It 
was one of the largest--I think even larger than Coreflood, but 
that is my district. It was, as you know, a very resource-
intensive investigation. It required multiple agents and 
multiple districts in multiple countries. But we were able to 
work with our international partners across law enforcement, 
Secret Service, FBI. We took down the entire botnet at the same 
time in America and in several European countries. People were 
arrested in several European countries, and we were able to 
extradite one of those actors to my district, prosecute them, 
and put them in jail.
    So we have had successes, and we will continue to have 
those successes. But we also understand to meet this threat, we 
will not be able to prosecute our way out of it. We have to 
have technology answers. We have to have efforts from the 
Department of Defense, the Department of State, and all across 
Government from the top down, I think every agency is committed 
to addressing this threat.
    It is a big threat, but I think we have great successes to 
report, and I am proud that we do.
    Chairman Whitehouse. Let me ask Senator Graham to jump in 
because he has to step out for a moment and make a phone call 
and then return to the hearing. But let me ask him to jump in.
    Senator Graham. Well, thank you, and you can continue to 
answer his question, which I thought were great questions.
    From a lay person's point of view, we have a pretty robust 
system to deal with bank robbers. Is that right, Mr. Demarest?
    Mr. Demarest. Yes, sir.
    Senator Graham. And do you have any idea how many bank 
robberies there were last year that the FBI was involved in?
    Mr. Demarest. No, sir.
    Senator Graham. Probably hundreds?
    Mr. Demarest. Hundreds.
    Senator Graham. How many cyber thefts are there in the 
United States?
    Mr. Demarest. Hundreds per days, weeks.
    Senator Graham. Okay, so thousands, if not hundreds of 
thousands a year?
    Mr. Demarest. Yes, Senator.
    Senator Graham. So there are two ways you can have money 
taken, stolen from you. A guy can come in with a gun and say, 
``Give me your money.'' Or somebody can hack into the bank and 
steal your money. How many people have been prosecuted for 
hacking into the bank and stealing the money?
    Ms. Durkan. Can I answer that, Senator?
    Senator Graham. Please.
    Ms. Durkan. Actually, very many. Let me use an example from 
our district. One of the things we saw was a spike in not just 
hacking but ATM skimming where people would put devices, 
pinhole cameras, and were able to take millions of dollars from 
many, many customers. We put together a task force and were 
able to break down a Romanian ring, and we prosecuted those 
people. We had great success. In fact, for a period of time in 
my district, we drove down the incidence of skimming to almost 
virtually zero. But we did it not just through the prosecutions 
but by working with the banking industry, educating the public, 
and the others.
    Senator Graham. How many people were prosecuted?
    Ms. Durkan. There were, I think--I will have to get you the 
exact number, but it was the entire ring responsible for this 
group of thefts. And so it was more than a dozen.
    Senator Graham. Okay. Well, get back with me.
    Senator Graham. The point I am trying to make is I know you 
all are doing a good job of trying to up our game, but the 
resources we have provided over time to deal with bank 
robberies, compare that to the resources we have provided over 
time to deal with cyber theft, how would you equate the two?
    Mr. Demarest. Well, the threat is certainly changing, so 
the FBI has a reallocated resource which we had in other 
programs internally to cyber. So we significantly--and we will 
talk about structure, the Chairman's question, and what we have 
done to actually develop the teams both at headquarters and 
national platforms and also in our local field offices' Cyber 
Task Forces.
    Senator Graham. Do you have the resources necessary to deal 
with this, what appears to be a rampant theft problem?
    Mr. Demarest. Well, we are making do on what we have today.
    Senator Graham. And I think what we are telling you is let 
us not make do, let us treat this sort of like Bonnie and 
Clyde. Remember the Bonnie and Clyde, you know, the national 
bank robberies during the Depression, that really started the 
FBI. It was sort of its reason for being in existence. And that 
kind of focus of dealing with, you know, crime in the 1920s and 
1930s, do you think we have that kind of focus now, Ms. Durkan?
    Ms. Durkan. I think, sir, I would like to--I describe it as 
the ``buggy whip moment.'' It has changed so much to where 
crime that used to happen on the street is now moving online, 
including violent crime. We have more and more violent crime 
that is being set online. Victims are being targeted online. 
And we are addressing that threat, but we still have a great 
brick-and-mortar threat we have to address on the streets, 
which we are doing. But it is a time when we have to allocate 
and realign ourselves. We have done it. We need to do more. And 
with the help of this Committee and Congress and----
    Senator Graham. Do you need changes in our laws to make you 
more effective?
    Ms. Durkan. Yes, and I think that we have proposed some 
changes. I think there are other changes that Senators have 
proposed, and Congressmen, that we are working with them and 
your staffs to see what--to make sure we address those threats.
    Senator Graham. During the 1920s and 1930s, we 
fundamentally changed the role of the Federal Government's 
involvement in crimes that were committed across State lines 
and really created Eliot Ness-type groups. And I would--that is 
maybe not a good analogy, but to me we seem to be having a new 
emerging crime wave here, and when it comes to resources and 
legal infrastructure, would you say on an A-to-F rating, A 
being we are exceptionally prepared, F we are failing--where 
would you put us in terms of legal infrastructure and resources 
to deal with this new kind of crime?
    Ms. Durkan. I think we are much better off than we were 3 
years ago. I think we have aligned ourselves to address it and 
have had successes, but I think we have to keep working, and we 
have to make sure that we are aligned also with private 
industry.
    Senator Graham. Give the Congress an A-to-F grade and give 
law enforcement----
    Ms. Durkan. I give Congress always an A grade.
    [Laughter.]
    Senator Graham. Well, you would be the only one.
    Chairman Whitehouse. She is the one person in the country.
    [Laughter.]
    Senator Graham. I wish you were my teacher. How would you 
say our infrastructure----
    Mr. Demarest. I think today we are still facing the same 
threats we faced 10 and 20 years ago, but now we have this 
parallel threat, if not emerging new threat, in addition to the 
old crimes----
    Senator Graham. Well, that is what I am saying.
    Mr. Demarest [continuing]. Responsible for it.
    Senator Graham. How far behind the curve, to use Senator 
Whitehouse's analogy, are we?
    Mr. Demarest. As far as the community, we are much evolved, 
even from the time the Cyber Division was created in 2002 to 
where we are today, and even over the past, I would say, 6 
months or a year, sir.
    Senator Graham. Well, I think both of us want us to kick in 
gear and get there quicker.
    Mr. Demarest. Yes, sir.
    Senator Graham. And wherever the Congress is failing, we 
are willing to try to inform our colleagues we need to up our 
game, because if you have hundreds of bank robberies using 
force and you have maybe millions of thefts using cyber 
technology, it seems to me we are probably not where we should 
be.
    Chairman Whitehouse. I know Senator Graham has to jump out 
for a moment, and I would like to continue this.
    One thing I am going to do, without objection, is to put in 
the op-ed piece that Senator Graham and I wrote together into 
the record of this proceeding.
    [The op-ed appears as a submission for the record.]
    Chairman Whitehouse. I want you guys to know, we have just 
confirmed a new OMB Director. We have got a new Deputy Director 
in the process of confirmation. I have spoken to both of them 
about this problem and about the concern that I have that you 
guys are good scouts and do not go beyond the envelope that OMB 
and the White House allow you in the budget. But we have to 
have a serious discussion and sit down and figure out what the 
plan is for dealing with this and have we really resourced it 
enough. And I have been trying for some time to get OMB and the 
Department in the room together so that we can have this 
discussion without you guys being accused of talking out of 
school without OMB there and vice versa. So I hope to do that.
    Senator Graham and I came very close to having a bipartisan 
agreement on a cyber bill. It fell apart, unfortunately, at the 
last minute for reasons beyond both of our controls. And the 
Executive order emerged, and now that the Executive order is 
out and the landscape has been changed by that Executive order, 
we are re-engaged on trying to do what needs to be done 
legislatively.
    So please work with us on this. We will provide whatever 
cover you need to bring OMB in so we can have a grown-up 
discussion in which you do not have to be flinching from saying 
what your real needs are. But it is very clear to me that when 
you put the privacy and the criminal loss of all of our 
individual credit card and personal information that is being 
hoovered up out of the Internet and actually marketed on 
crooked websites where crooks can actually go and buy personal 
information so that they can run crooked schemes off that info, 
you stack that on top of the attacks on the banks that Senator 
Graham was referring to, you stack that on top of the theft of 
so many companies' secret, special, confidential information 
that they use to protect themselves and build their product and 
that is their own intellectual property and that is stolen by 
industrial espionage, you throw on top of that what is being 
done to our defense industrial base, which has both private 
theft and national security connotations, and you throw on top 
of that the viruses and worms and programs that have been 
inserted into our critical infrastructure so that the grid 
could be taken down, bank records could be compromised, dams 
could be opened, gates and pipelines could be opened, all those 
sorts of things could take place--you stack all that up, that 
is a big problem set.
    I know I do not want to get you in trouble for saying any 
more than you are authorized to, but you have at least the two 
of us who strongly believe that we need to have our Eliot Ness 
moment on this and get ready to put the resources into this 
problem set. And one measure of that will be when we see some 
significant indictments on this industrial espionage piece 
related to what the Defense Department has said is being done, 
related to what the Mandiant company has said is being done, 
and all of that.
    I will give you a chance to respond to those thoughts. We 
are kind of having a bit of a back-and-forth here, but I really 
want to push you on this because I think as wonderful as the 
work is that you have done, we are not there yet, and we need 
to make sure we get there, because we cannot for long remain on 
the losing end of the biggest transfer of wealth in human 
history through illicit means.
    I see that Senator Coons has arrived, so rather than 
continue my peroration here, go ahead. Thank you for being 
here, Senator Coons. Senator Coons has taken a very sincere and 
strong interest in this issue and worked very hard with me and 
others to try to get that bill to the finish line before it 
fell apart and before the Executive order came out, and so 
thank you very much.
    Senator Coons. Thank you, Senator Whitehouse. Thank you for 
your invitation. And to you and to Senator Graham and so many 
others who have dedicated time and effort and leadership to 
trying to make sure that we in the Congress are doing our part, 
we will give ourselves a low grade for how we have done in 
terms of being able to bridge the differences between our 
parties and our chambers in terms of coming up with some 
functional structure for dealing with the cyber threat to our 
Nation. And I am grateful to Senator Whitehouse for his 
persistent leadership in this very complex issue that crosses a 
number of committees of jurisdiction. My own home State--
Senator Carper obviously chairs Homeland Security, but this 
also has implications in addition to Judiciary, for 
intelligence, for defense, for many others.
    Let me just, if I could at the outset, ask a few questions. 
I have a piece of legislation I want to talk about, but if you 
would, help me understand in the run-up to some of this 
legislative work last year, a great deal was made about our 
military's unique capabilities to defend the United States in 
cyberspace and their advantages over other agencies in 
Government, civilian agencies, in terms of their capabilities 
and capacities.
    What unique advantages do civilian agencies or the 
companies that the next panel will represent have in the realm 
of cybersecurity?
    Ms. Durkan. One unique ability we have is to put them in 
jail, and we are trying to do that more. But, again, I think 
that our ability to investigate and prosecute in these arenas I 
think forms a couple of important things.
    Number one, we deter further activity, and believe me, when 
we are able to extradite someone who is a foreign national 
vacationing in a different jurisdiction and we arrest them and 
bring them to Seattle and put them in jail, it sends a message.
    Two, we try to disrupt because we do not have the 
capability to put all the bad actors in jail. So part of our 
strategy has to be to disrupt this activity anywhere we can do 
it.
    And the third is we have to hold people accountable, which 
we are trying to do more and more. So I think that some of the 
unique capabilities we have is in our system we have the 
ability through the grand jury process, subpoena process, and 
investigative tools to get information that others do not have. 
And so--but, again, looking at the Department of Defense, we 
have to use a whole Government approach. Senator Whitehouse is 
exactly right that the nature of this threat frankly cannot be 
overstated. But it cannot be answered by any one part of 
Government or Government alone. It has to be private-public 
sector partnerships; it has to be Department of Defense, 
diplomatic efforts, and our civilian efforts to prosecute 
people.
    Mr. Demarest. Senator Coons, the FBI is uniquely positioned 
based on statutory authorities, and cyber you know is cross-
cutting, so it is a program that we have within the FBI that 
looks across criminal, counterintelligence, and also 
counterterrorism. So we are able to incorporate the subject 
matter expertise from each of those divisions and looking at 
the various threats. It is not just one area in 
counterintelligence, but it is a broad array.
    And, again, getting back to Ms. Durkan's statements, too, 
DOD plays a key role along with NSA, the intelligence community 
writ large, and our other partners at home here--law 
enforcement along with Homeland Security.
    Senator Coons. Thank you. Thank you for those answers, and 
I agree with you that in particular in a democracy and facing 
what is a broadly distributed threat, its origins not 
completely clear--it is not always attacks from nation states; 
it is not always attributable to specific foreign actors. Cyber 
crime and cyber threats come from a very wide range of sources, 
and they manifest in our country in a very wide range of 
impacts. And so the ability to complement the defense 
capabilities with agencies that have broad jurisdiction and 
with the capabilities to investigate, to deter, to imprison, to 
seek compensation for victims is a different response than one 
gets from the Defense Department.
    I just wanted to comment, if I could, in my remaining 
minutes that when it comes to doing comparably broad things 
that deal with both domestic disorder, natural disaster, or 
with confronting foreign threats, the National Guard has also a 
broad range of capabilities. It crosses in its legal 
authorization, in its actual tactical capabilities, and in its 
strategic role a fairly broad range of capabilities. And so a 
number of us Senators--Gillibrand and Vitter, Blunt and I--have 
introduced the Cyber Warrior Act, which, among other things, 
would give Governors the capability to order cyber-capable 
guardsmen to support and train local law enforcement, to 
leverage the expertise they have from their military training 
and their civilian careers. My own home State happens to have a 
very capable network warfare squadron which allows us to tap 
into the skills and abilities of the fairly sophisticated data 
centers operated by the advanced elements of the financial 
services community that are headquartered in Delaware and have 
them also in a dual-hatted way through the National Guard serve 
as adjuncts to the NSA and be helpful.
    I think this sort of function in this particular 
legislative authorization would be helpful for DOJ and FBI as 
well, because it can help them have more capable, better 
prepared State and local partners. And I would certainly 
welcome recommendations or comments from you or from the other 
witnesses in the next panel. We will be holding a law 
enforcement caucus event on this particular idea in this bill 
in June, and I am grateful to Senator Whitehouse for the chance 
to contribute to this hearing this morning.
    Thank you, Senator.
    Chairman Whitehouse. Thank you, Senator Coons. We in Rhode 
Island also have a cyber wing in the Rhode Island Guard, and I 
look forward to working with you on your legislation. I think 
it is a very valuable thought. It is, I think, important for 
the record of this proceeding to reflect that when you move 
from our local guard and reserve capabilities to our military, 
and from there to our active-duty military, and from there into 
our intelligence services, there are increasing restrictions 
and concerns about taking action within the continental United 
States, particularly where it involves American companies, 
systems, and individuals. And so that is, I think, a particular 
reason why our law enforcement role is so important when we 
look at this domestically.
    We are joined by Senator Klobuchar, a former prosecutor 
herself, and we are delighted to recognize her.
    Senator Klobuchar. Thank you very much, Mr. Chairman. Thank 
you to both our witnesses. And I was listening to Senator Coons 
and thinking about back to when I did my job for 8 years, 
running an office of about 400 people, but two levels of issues 
with computer crime, cyber crime. One was officers who, despite 
their best efforts, just did not have the training, so we would 
have cases where they would go into a room and turn on a 
computer and then erase everything on it because that is how it 
was rigged, what it was rigged to do. And it happened a number 
of times. And the second thing was we are second per capita for 
Fortune 500 companies, so we have huge companies like Target 
and Best Buy and companies like 3M and U.S. Bank. So I have 
firsthand seen how challenging the situation is and how as a 
local prosecutor we simply did not have the resources or the 
know-how to handle some of those cases when they would come our 
way or it would be handled by the U.S. Attorney's Office.
    So my first question is on that, to you, Ms. Durkan--thank 
you for your good work--just how you have coordinated with the 
local prosecutor's office, how do you think--what is the best 
model of how we go forward and how we get them trained?
    Ms. Durkan. That is an excellent question, and, again, the 
partnership with local law enforcement is critical to our 
successes. Working both with the Secret Service Electronic 
Crimes Task Force and the FBI's task force, we have great 
successes in that field. Key to it is training, and we have 
worked to make sure that we have more not just task force 
officers but forensic people who can handle this, and also 
education of the public.
    An example of a success where that has worked in my 
district is we had a very small family restaurant that was 
hacked by someone who was in Maryland who attacked a number of 
point-of-sale people. He stole many, many, many credit cards. 
He sold them to someone who was in Romania, a citizen of 
another country, who then posted them to a carding site. Then 
they were purchased by a gang-affiliated group in Los Angeles.
    Through our investigation we were able to arrest the person 
in Maryland, charge and extradite the person in Romania, and 
get the person in Los Angeles. So we got all three levels of 
that. We did it, though, working with our local law 
enforcement, task force officers, the Secret Service, and the 
FBI all played a part in those and other investigations. So it 
is a critical part of it.
    The training also, if we look at our training for lawyers, 
we have worked to make sure that not just our CHIP lawyers are 
trained in cyber activities but other lawyers have experience. 
We have the National Advocacy Center in South Carolina, and one 
of the conferences, even in these difficult times, that we made 
sure went forward was our cyber conference, because we have to 
make sure our prosecutors are trained, our local law 
enforcement is trained, and the public is educated.
    Senator Klobuchar. Well, and I think that is part of it, 
especially with small businesses, which you noted are not going 
to have the resources of a U.S. Bank in Minnesota. So I think 
more outreach to them would be a good idea through chambers or 
anything, because I think they are starting to be victims as 
well and they just do not have the resources.
    Ms. Durkan. That is absolutely right. And if that small 
business had not come forward in our case, we would not have 
had that case. And so having that outreach also enables us to 
do our job.
    Senator Klobuchar. Okay. My next question is on the cloud 
computing area and the fact that our cases are becoming more 
and more sophisticated. As you know, digital evidence 
evaporates a lot quicker than a paper trail, making it very 
difficult for law enforcement to investigate the crime. And 
another challenge is if the evidence is incriminating 
information, it is stored in the cloud out of the jurisdiction 
of the United States. I had a bill on this that is sort of 
floating out there like a cloud as we try to deal with some of 
the cyber bills that I think are important.
    Could you comment on the challenges of a lifetime of 
evidence in cybersecurity crimes and the real possibility that 
the evidence could be outside the jurisdiction of the United 
States?
    Mr. Demarest. There is a very good likelihood that it will 
be outside the jurisdiction of the United States. As you 
pointed out, Madam Senator, it presents many challenges, and 
depending on which country that the evidence may lie, our 
relationship with that country, with the investigative agencies 
of that country as well. So it does present several challenges 
on that front.
    Senator Klobuchar. And what would be the best way to try to 
get at it? Would it be agreements with other countries? Is 
there something we could put in law that would create a 
structure for those agreements?
    Mr. Demarest. Well, I think the agreements, and then I will 
defer to Ms. Durkan as far as what law or what other changes 
that we could possibly put in place to better the circumstances 
in working with our foreign partners.
    Ms. Durkan. I think it is all of the above, Senator, that 
you have mentioned. You will notice that one of the budget 
increases we have asked for is to have additional prosecutors 
overseas. We have seen more and more of these cases arrive on 
international soil. Our partnerships with foreign nations in 
Europe particularly have increased, but we need more people 
there.
    We also have the Budapest Convention, which is gaining more 
and more international partners to make sure we can get the 
evidence abroad that we need to prosecute people here. But they 
cannot get the evidence from our country that they need there. 
So we have to do all of those things.
    Mr. Demarest. Madam Senator, we have increased our 
footprint overseas from just three offices to it will be just 
short of a dozen this coming year in key locations throughout 
the globe.
    Senator Klobuchar. Thank you. I appreciate it.
    Chairman Whitehouse. Senator Graham had his time 
interrupted both by me and the call he had to take, so let me 
turn to him and give him a fresh start.
    Senator Graham. Just very quickly, we are facing a law 
enforcement threat, people stealing our property, our 
intellectual property, stealing our money, and anything else of 
value through cyber crime. But on the Nation state, national 
security, counterterrorism, after 9/11 the FBI has two missions 
now, counterterrorism--right?
    Mr. Demarest. Yes, sir.
    Senator Graham. As well as traditional law enforcement. Are 
there clear rules of engagement that exist today that would 
allow the FBI, the CIA, the Department of Defense to engage a 
nation state who has committed a cyber attack under the laws of 
war?
    Mr. Demarest. There has been a lot of discussion and a lot 
of coordination. We mentioned----
    Senator Graham. Well, that means no.
    Mr. Demarest. No, well--I am sorry. The question again, 
Senator?
    Senator Graham. Are there any rules of engagement--I mean, 
has anybody sat down and said this event would be considered a 
nation state cyber attack allowing us to respond outside the 
law enforcement model? Our Chinese friends seem to be hell bent 
on stealing anything they can get their hands on here in 
America rather than developing it in their own time and 
economy. But I am more worried about what they could, or other 
nation states, not just China, or terrorist organizations could 
do to our ability to defend ourselves. Do you worry about a 
cyber 9/11?
    Mr. Demarest. Well, again, depending on--it is an extremely 
complex issue, and what actor set you may be referring to or 
looking at, different motivations by many----
    Senator Graham. Is that possible? Is it possible that 
through cyber technology you could create a 9/11-type event on 
America?
    Mr. Demarest. It is possible that they could cause 
significant damage and destruction through cyber. It is 
possible.
    Senator Graham. What kind of things would be possible?
    Mr. Demarest. If you look at access to ICS or SCADA 
systems, if they do get access to, say, oil and energy and the 
systems that actually control key networks or critical 
networks, that could cause significant damage, and whether it 
be long-lasting or short-term, it could be both.
    Senator Graham. Could they disrupt military operations?
    Mr. Demarest. I am not sure, sir.
    Senator Graham. Well, maybe this--would you like to take a 
crack at that?
    Ms. Durkan. I think, Senator Graham, that if you look at 
the range of threats----
    Senator Graham. Maybe this is better for Senator----
    Ms. Durkan [continuing]. It is what keeps me up at night----
    Senator Graham. Or General Alexander, I guess.
    Ms. Durkan. I think part of these questions have to go to 
General Alexander. But I do think if you look at the range of 
threats, anything with intelligence can be hacked--everything 
from one rogue actor to state actors to criminal 
organizations--and there are people who work to get that done. 
That is why the Department of Justice is part of the solution, 
but it is not the whole solution. And, again, private 
enterprise is developing better security mechanisms and better 
technology.
    Going back to robbing banks, when banks were set up, they 
did not all have bars, they did not have cameras, they did not 
have a lot of defenses. And private companies are now 
determining technology they have to develop to also provide 
part of that solution.
    Senator Graham. Well, both of you focused about the law 
enforcement model here and how we can go after bad actors. Are 
you familiar with the counterterrorism threats? Are you 
familiar, both of you?
    Ms. Durkan. Yes, sir.
    Mr. Demarest. Yes, sir.
    Senator Graham. Okay. How would you rate our infrastructure 
on the counterterrorism side, the national security side, to 
protect us against people who just do not want to steal money 
but want to do more damage?
    Mr. Demarest. Well, I think based on the tragic losses of 
9/11, part of the response to that in New York and also here at 
headquarters, I think it is a much more developed model that I 
think the community has in addressing counterterrorism issues.
    Senator Graham. So we are further down the road?
    Mr. Demarest. Well, I think we are further down the road, 
and for good reason.
    Senator Graham. Do you agree with that?
    Ms. Durkan. Absolutely.
    Mr. Demarest. And I think we will get there, Senator, with 
cyber as well.
    Ms. Durkan. And if I could just use one example, the 
National Security Cyber Specialist, while it just sounds like 
another Government alphabet soup, one thing we realized in the 
national security setting, if there is a cyber event or we get 
intelligence that there is going to be, who do we call? Do we 
call the cyber lawyer who may not have the security clearances? 
Do we call the antiterrorism lawyers who may not have the cyber 
experience? We knew we had to marry those two things up, so 
that is what we are trying to do, is to make sure that we have 
the right, appropriate people in every office and the best 
expertise we can have in here to get to the field.
    Chairman Whitehouse. Let me, before I release you guys and 
call up the next panel, ask you two things. One is, Could you 
in a supplemental fashion to the testimony that you have 
provided make a little bit more of a detailed case as to the 
conclusion you describe in both of your testimonies about how 
complicated, complex, resource-intensive, et cetera--as much as 
you can without revealing things that should not be revealed, 
try to put some tangible facts and real teeth into that 
discussion, because it will help both Senator Graham and myself 
in arguing with our colleagues for this if we have more than 
the conclusory statement that these are complex, difficult, 
require forensic capabilities or unusual--and really lay out a 
case study or an example of something that makes that case a 
little bit further. That would be very helpful to us as we try 
to proceed.
    The second thing is we have had this discussion about 
resources and structure and budgets, and I look forward to 
continuing that discussion with the new OMB Director and with 
your Department and your Bureau. But separate from that, I 
think we can make some progress on your capabilities and 
authorities and safeguards in taking out these botnets. And I 
would ask you for your commitment to work with us in drafting 
appropriate legislation that will allow you to have more 
authority and proper safeguards as you go after future 
Corefloods and future Confickers. Would you do that?
    Ms. Durkan. Absolutely, Senator.
    Mr. Demarest. Yes, sir.
    Chairman Whitehouse. Terrific.
    Ms. Durkan. Thank you.
    Chairman Whitehouse. Again, let me close by thanking both 
of you for your service and for your passion in this area. I am 
really pleased that people like you are in our Government 
service. And if you detect a note of impatience from myself and 
from Senator Graham, it comes with the recognition that you are 
parts of very, very large bureaucracies that do not always move 
with great alacrity, and it is sometimes our job to give them a 
little bit of a shove. But it reflects not at all on either of 
you or on the folks who are working this problem set. It is 
being done very impressively.
    Thank you very much.
    Ms. Durkan. Thank you, Senator.
    Mr. Demarest. Thank you.
    Chairman Whitehouse. We will take a minute to call up the 
new panel.
    [Pause.]
    Chairman Whitehouse. Let me thank our private sector 
representatives for being here.
    Kevin Mandia is the CEO of Mandiant Corporation, which he 
founded in 2004 to help private organizations detect and 
respond to and contain computer intrusions. When you find out 
you have been hacked, ``Who are you going to call? 
Ghostbusters.'' That is kind of what Mandiant does. He began 
his career in the U.S. Air Force, in which he served as--
Senator Graham is also in the Air Force--a computer security 
officer and as a cyber crime investigator. He has degrees from 
Lafayette College and the George Washington University. He has 
also taught at both George Washington and Carnegie Mellon 
Universities.
    Let me just stop there, and I will call on Kevin. But let 
me also--back in our earlier legislative process, Senator 
Graham and I and Senator Mikulski and others organized a series 
of classified briefings for Senators to try to bring them more 
into awareness of what was going on in this field, and you were 
gracious enough to come and make one of those presentations, 
and it was a very effective one, and I want to thank you for 
that.
    Let me ask you to proceed with your testimony, and then I 
will introduce the other witnesses as they are called up.
    Mr. Mandia.

 STATEMENT OF KEVIN MANDIA, CHIEF EXECUTIVE OFFICER, MANDIANT 
               CORPORATION, ALEXANDRIA, VIRGINIA

    Mr. Mandia. Thank you, Mr. Chairman and Ranking Member 
Graham.
    Today, and into the foreseeable future, American companies 
are going to be under siege by many different types of 
attacks--criminal attacks, economic espionage, more than 
nuisance-based attacks. Today what I am going to talk about is 
the sophisticated economic espionage attacks. And while many 
organizations are actively trying to counter these threats, at 
the end of the day there is a security gap that we need to 
close. So today what I would like to talk about is three 
things: why the security gap exists; what the private sector is 
doing about it; and then how law enforcement can help in 
regards to that security gap.
    First, the reason the security gap exists is that there are 
Government resources hacking our private sector. It is simply 
an unfair and imbalanced fight. If our Government was chartered 
to hack the private sector in other countries, we would be very 
successful at that. So I always likened it to an ultimate 
fighting champion mugging my grandmother. It is simply an 
imbalanced battlefield.
    Mandiant pointed that out when we did an APT1 report. In 
February of this year, we released a report to the public that 
clearly shows that there are members of the PLA targeting the 
private sector here in the United States.
    The second reason there is a gap in our cybersecurity is 
that--for the first time in history that I am aware of--it used 
to be when systems were targeted, nobody knew who used that 
system. But today the cybersecurity attacks, there are human 
targets, and we also showed that in our APT1 report in that the 
PLA is recruiting English-speaking people so that they can send 
those innocuous-looking emails, but, in fact, those innocuous 
emails that have fake information in them and purport to be 
from someone they are not and are compromising systems. So we 
have human targets, and we have not figured out technically how 
to patch the human trust.
    The third reason is that the government entities that we 
see compromising the U.S. private sector are actually 
compromising a lot of the supply chain. So we have the big 
companies that have a rather mature security program, so if 
that security program is bolstered and it starts rejecting some 
of these attacks, what the attackers do is go down the supply 
chain, hit smaller organizations that only have hundreds of 
folks, and potentially no cybersecurity posture, and that is a 
tough one to defend.
    The fourth reason we have a security gap is because there 
is simply an imbalance. It only takes one attacker, and that 
one attacker can create work for thousands, if not hundreds of 
thousands, of defenders. It is just an imbalance in the 
expertise that is required.
    Another reason, there is simply no risk of repercussions to 
hacking the U.S. infrastructure if you do it from certain safe 
harbors or safe havens, such as apparently China, potentially 
Russia, North Korea, Iran. These are countries that could hack 
our resources with impunity and not really fear any 
repercussions.
    We also have a lack of resources, and I can go on. But, in 
short, technology and our adoption of it vastly outpaces our 
ability and willingness to secure it.
    So what are companies doing about it? Essentially, I have 
noticed two things. There are companies that are aware they are 
compromised, and they are doing some--really they are adopting 
technologies and hiring the expertise to defend. And, Senator, 
you had mentioned we are unwilling to oppose China. I would say 
in my experience most of the private sector takes it very 
seriously when they have had a breach from China to do 
everything they can on the technical front to bolster their 
safeguards. And I think that the fear and unwillingness is more 
a public admission as to what happens based on the fear of 
shareholder value repercussions, and at the same timeframe, 
because simply the economic gains could be so great in China. 
So it is a very tough issue. But make no mistake, on the 
cybersecurity side, folks are doing a lot in the private sector 
when they are aware of the breach and have the resources to do 
something about it.
    Then there are a lot of companies that are pre-aware that 
they have had a security breach, and they could be making very 
important intellectual property for our country, but they 
simply do not have the defenses to safeguard it. Those 
companies are beholden to standards legislation or regulations 
to create some kind of security posture, and it has been my 
experience that if your sole driver for security is some kind 
of compliance, that compliance usually does not prevent the 
attacks we see.
    So what can we do about it? What can the FBI or law 
enforcement do to help?
    The FBI already conducts outreach to American companies 
that have been compromised by advanced threat groups. Indeed, 
about two-thirds of the breaches Mandiant responds to are first 
detected by a third party. So if we do what we can to have--and 
the detection could be the DOD, it could be the intel 
community, but I have seen the communication come from the FBI. 
If the FBI narrows that gap and notifies quicker, we can 
eliminate the impacts and consequences of breaches.
    And while private industry will not always win the battles 
being fought in cyberspace, if we share that information in a 
timely and codified manner, what you will see is we can limit 
the impact of the breaches, limit the consequences, and we just 
need to be able to share that information, and I think law 
enforcement is the arm that can do that.
    By establishing a system where law enforcement and the 
private sector share proactively and use this threat 
information, America will build a cyber defense that is 
actually dynamic. No one is getting any smarter from these 
breaches today.
    So with that, I would like to thank you very much for this 
opportunity to share with you.
    [The prepared statement of Kevin Mandia appears as a 
submission for the record.]
    Chairman Whitehouse. Thanks, Mr. Mandia.
    Our next witness is Stewart Baker. He is a partner at 
Steptoe and Johnson here in Washington. From 2005 to 2009, he 
was the first Assistant Secretary for Policy at then the early 
stages of the Department of Homeland Security. As an 
intelligence lawyer, Mr. Baker has also been general counsel to 
the National Security Agency and general counsel to the 
commission that investigated weapons of mass destruction 
intelligence failures that took place prior to the Iraq war.
    Mr. Baker, welcome. Thank you.

              STATEMENT OF STEWART BAKER, PARTNER,
            STEPTOE AND JOHNSON, LLC, WASHINGTON, DC

    Mr. Baker. Thank you, Mr. Chairman, Senator Graham. I am 
going to sound some of the themes that Kevin sounded and then 
turn to the question of what the role of the FBI and the 
Justice Department could be, should be. I will not spend too 
much time. As Kevin demonstrated, we are not likely to defend 
our way out of this problem. Defenses play an important role. I 
have been very supportive of the legislation and the Executive 
order, but it is not enough. It is as though we were trying to 
solve the street crime problem by telling pedestrians to buy 
better body armor every year. That is not a complete solution. 
We have to find the criminals, and we have to deter them. I do 
not have to preach to either of you about the importance of 
that.
    But in thinking about that, the real question is how can we 
best reach the threats that are most troubling to Americans 
today, which is the government-protected attackers. And there 
it seems to me that both the Justice Department and the FBI 
suffer from a lack of imagination about authorities and a lack 
of imagination about resources.
    With respect to their authorities, prosecuting the people 
who are attacking us who are protected by nation states is 
deeply unlikely, and we need to find additional mechanisms for 
deterring that activity. The administration is doing some 
naming and shaming. That is a good thing. But we should be 
using our visa authorities to say if you participate--if you 
train hackers in a country, if you hire hackers after they 
finish their tour of duty as hackers in the government, you are 
going to have to cooperate in investigations, or you are not 
going to get visas to come to the United States.
    The same thing is true for the Treasury Department which 
designates nationals with whom we will not do business. We will 
not do business with people who are bad for human rights in 
Russia or in Belarus. We will not do business with people who 
are engaged in conflict diamond transactions. I think we should 
take at least as much care to protect against people who are 
abusing human rights right here by breaking into the computers 
of dissidents and ordinary citizens. So we should be using 
those tools as well.
    I see that Senator McCain, Senator Levin, Senator Coburn, 
and Senator Rockefeller have just introduced a bill that goes 
down this road, looking for tools to deter government-sponsored 
attacks. Just the names of the cosponsors gives me a lot of 
hope, and I think that the approach of looking for ways to 
deter the beneficiaries of this espionage is really worth 
pursuing.
    Let me turn now to the question of resources, which is 
profound and probably not solvable in our current budget 
situation. Chairman Whitehouse talked about the JTF that 
notifies people about attacks on their networks. This is 
enormously effective because many people do not know they have 
been exploited for months. But at the end of the day--and I 
have worked with clients who have had this experience--the 
FBI's role basically is to figure out that somebody has been 
compromised and to tell them. And maybe they can give them a 
little bit of advice, but, frankly, after that it is a little 
like having somebody tell you your bicycle has been stolen. You 
are not going to get a lot of help from the police tracking 
that bicycle down because they do not have enough cops to do 
it. And the FBI will not be able to help all the companies that 
they are notifying. In fact, after they have put a few person-
days into the investigation and made the notice, the company is 
largely on its own, and the company goes out and hires somebody 
like Kevin Mandia or like Symantec, and it begins a process of 
spending hundreds of thousands of dollars, sometimes millions 
of dollars, to get the attackers out of its network and to 
figure out who is attacking it.
    We know from the report that Mandiant has done that they 
gather enormous volumes of information about who is actually 
attacking their clients. We should be working much more 
effectively to utilize that information to build it into 
mechanisms that will deter the attackers by outing them.
    The biggest problem that I think we face is that even 
though private sector resources are enormous and they are well 
focused on particular attacks, we do not let the individuals 
who are under attack or the experts whom they have hired go 
beyond gathering evidence in their network and perhaps a few 
networks that will cooperate with them voluntarily inside the 
United States.
    I am not calling for vigilantism. I am not calling for 
lynch mobs. But we need to find a way to give the firms that 
are doing these investigations authority to look beyond their 
own network, perhaps under guidance from the Justice 
Department, and certainly without doing harm to the networks 
that they are investigating. They need to enter the networks 
where the hackers are storing all of their stolen data, to 
retrieve the stolen data, and to gather enough evidence to 
actually prosecute the attackers.
    My deepest disappointment here, and the reason I think that 
just pouring more money into the Justice Department at this 
point is a dubious proposition, is the Justice Department's 
reaction to that idea has been to pour as much cold water on it 
as they can, to say, ``We think that is a bad policy idea, and 
probably illegal.'' Justice is deterring companies that want to 
investigate the people who are attacking them and provide that 
information back to the Government. Justice is saying, ``Well, 
you can give the evidence to us, but we might indict you 
instead of the hacker.'' That is just the wrong answer.
    And so my suggestion would be that we find mechanisms to 
provide the kind of oversight that is necessary so that we are 
not just authorizing victims to shoot in the dark, but we are 
authorizing people who know what they are doing to carry out 
investigations and pursue attackers back to what they currently 
think is their safe haven in another country. If we do not do 
that, we will never get to the bottom of most of these attacks.
    Thank you.
    [The prepared statement of Stewart A. Baker appears as a 
submission for the record.]
    Chairman Whitehouse. Thank you.
    Finally, Ms. McGuire from Symantec. Thank you for being 
here, and thank you for so much that Symantec has done to be 
helpful in our process of trying to get to legislation.

         STATEMENT OF CHERI F. MCGUIRE, VICE PRESIDENT,
          GLOBAL GOVERNMENT AFFAIRS AND CYBERSECURITY
          POLICY, SYMANTEC CORPORATION, WASHINGTON, DC

    Ms. McGuire. Thank you. Chairman Whitehouse----
    Chairman Whitehouse. I think your microphone may need to be 
turned on.
    Ms. McGuire. Thank you. Chairman Whitehouse, Ranking Member 
Graham, it is my pleasure to testify here before you today.
    My name is Cheri McGuire, and I am the Vice President for 
Global Government Affairs and Cybersecurity----
    Chairman Whitehouse. I should have done a more complete 
introduction. Ms. McGuire served in various capacities at the 
Department of Homeland Security, including Acting Director and 
Deputy Director of the National Cybersecurity Division and the 
US-CERT. So she comes not only with her experience at Symantec 
but with considerable Government experience, and I am sorry I 
omitted that.
    Please proceed.
    Ms. McGuire. Thank you very much. So Symantec is the global 
leader in developing security software, and we have over 31 
years of experience in developing Internet security and 
information management technology. Today we have employees in 
more than 50 countries and more than 21,000 employees with us.
    In particular, I would like to mention our Global 
Intelligence Network, or what we call the GIN, which is 
comprised of more than 69 million attack sensors in more than 
200 countries, where we record thousands of Internet events per 
second, which gives us incredible insight into the worldwide 
threat landscape. In addition, every day we process more than 3 
billion email messages and more than 1.4 billion Web requests 
at our 14 global data centers.
    As I said, these resources allow us to capture worldwide 
security intelligence data that gives our analysts a view of 
the entire Internet threat landscape.
    A few key findings from our latest Internet Security Threat 
Report that I would like to share with you include a 42-percent 
rise in targeted attacks in 2012 and 93 million identities 
exposed through hacking, theft, and simple error.
    In addition, we estimate that there were 3.4 million bot or 
zombie computers worldwide, and one in seven, or 15 percent of 
these, were actually located in the United States. We also saw 
a 52-percent rise in the threats to mobile devices.
    Another disturbing trend was the expansion of what we refer 
to as ``watering hole attacks.'' These are efforts by attackers 
to compromise legitimate Web sites so that every visitor runs 
the risk of infection. Criminals often use these sites to 
distribute ransomware, which is a type of malware or type of 
malicious software that locks a user's computer, displays a 
fake FBI warning, and attempts to extort money from the user in 
return for unlocking the computer, which, oh, by the way, 
usually does not get unlocked even after the user pays the 
extortion.
    Now, Symantec participates in numerous industry 
organizations as part of our global commitment to fighting 
cyber crime as well as numerous public-private partnerships in 
the U.S. and abroad to address these and other cyber threats. 
Just a few of these successful partnerships include the Norton 
Cybersecurity Institute, the National Cyber Forensics and 
Training Alliance, the FBI's InfraGard, the U.S. Secret 
Service Electronic Crimes Task Force, and Interpol. I have 
provided more information about each of these in my written 
testimony, but I do want to highlight a few.
    For example, 2 years ago, we established the Norton 
Cybersecurity Institute to help address the critical shortage 
of investigators, prosecutors, and judges who are adequately 
trained to handle complex cyber crime cases. Through the 
Institute, we coordinate and sponsor technical training for law 
enforcement globally. We also publish the annual Norton Cyber 
Crime Report, which is one of the largest global cyber crime 
studies that interviews more than 20,000 users globally across 
24 countries.
    Another example that I would like to highlight is the 
National Cyber Forensics and Training Alliance, which includes 
more than 80 industry partners and provides members with real-
time cyber threat intelligence to help identify threats and 
their actors and which has been a key player in the fight 
against some of the financial sector intrusions that have 
occurred recently.
    These partnerships have led to some notable successes, and 
one example is the takedown earlier this year of the Bamital 
botnet, which compromised millions of computers being used for 
criminal activities such as identity theft and click fraud. 
This takedown was the culmination of a multi-year 
investigation--many would say that it takes far too long to 
complete these investigations--and demonstrates what can be 
done when private industry and law enforcement join forces to 
go after cyber crime networks. I have also detailed in my 
written testimony similar successes in Operation Ghost Click as 
well as Coreflood, which have been mentioned earlier in other 
testimony today.
    Unfortunately, these examples highlight just how much still 
needs to be done. For while we have seen some successful 
prosecutions and takedowns, as, Chairman Whitehouse, you 
described in your opening statement, there are undoubtedly more 
and larger criminal rings that are operating today, and the 
relative dearth of cases like these is not because the 
Government does not want to pursue them or because the 
criminals are not out there. In fact, the investigators and 
prosecutors, at least we have found, are quite willing and many 
in the private sector are even eager to help. But, 
unfortunately, prosecuting cyber crime cases requires a highly 
technical understanding of how computers and networks operate 
as well as a deep knowledge of multijurisdictional legal 
issues.
    There are simply not enough investigators, prosecutors, or 
judges with this technical training to keep up with the cyber 
criminals. Thus, as you have already heard today, there is a 
low bar for deterrence.
    At Symantec, we are committed to improving online security 
and securing our most critical infrastructure as well as their 
data across the globe, and we will continue to work 
collaboratively with governments and industry on ways to do so.
    Thank you again for the opportunity to testify, and I am 
happy to answer any questions.
    [The prepared statement of Cheri F. McGuire appears as a 
submission for the record.]
    Chairman Whitehouse. Thank you. Let me thank all the 
witnesses for their very helpful testimony.
    I am going to turn immediately to Senator Graham, as his 
schedule is starting to tug at him, and I am going to be here 
until the end of the hearing. So, Senator Graham, let me thank 
you very much again for being the Ranking Member on this and 
for the intensity of your effort at protecting our Nation in a 
variety of areas, but particularly in this new cyber area.
    Senator Graham. Thank you, Mr. Chairman. Enjoy the easy 
question period you are about to embark upon, because he will 
be back.
    I really have learned a lot from Senator Whitehouse and the 
witnesses today, but just to keep this sort of at a 30,000-foot 
level, Mr. Baker and Kevin, do you both agree that China as a 
nation state is actively involved in hacking into U.S. 
databases, banks, stealing intellectual property? Is that a 
fair statement?
    Mr. Baker. Yes.
    Mr. Mandia. I would agree that is the case.
    Senator Graham. Could you give me, both of you, two pages 
of why you say yes? And I am going to take it to the Chinese 
Ambassador and ask him to give me a response.
    Mr. Mandia. I will give you about a hundred pages, sir.
    Senator Graham. Yes, which will be consolidated to two.
    [Laughter.]
    Mr. Baker. Yes, absolutely. Kevin's company has done the 
most----
    Senator Graham. Using very big words.
    Mr. Baker. But other research----
    Senator Graham. Russia?
    Mr. Baker. Russia is harder to identify as a country 
because they are more stealthy.
    Senator Graham. Well, let us rank the bad actors here. 
Would you say China is number one?
    Mr. Mandia. China is the number one reason my company 
grows. It doubles in size every year. So, yes, they are number 
one.
    Senator Graham. Good news/bad news, I guess.
    Mr. Mandia. Yes.
    Mr. Baker. China by far in terms of volume is the most 
aggressive and is doing the most----
    Senator Graham. Who would be second?
    Mr. Mandia. There is a battle for second.
    Senator Graham. Could you give me the top five?
    Mr. Mandia. I think it aligns with safe harbors, so you are 
going to see Middle Eastern organizations emerging. It goes 
China first, probably Russia second, but it has been my opinion 
that the rules of engagement between Russia and America, it is 
almost like we have worked it out. If we see the Russians--
generally their government only hacks our Government. If we see 
them, they tend to go away. The Chinese are like a tank through 
a cornfield. They just keep mowing through it. And I think 
there is an enormous gap between China first, Russia second. 
But I think second is there is competition there. I think we 
are starting to see attacks coming out of the Middle East more 
at this point.
    Senator Graham. Okay. Give me the top five, because I am 
going to get with Senator Whitehouse, and we are going to try 
to do something about this. We are going to try to put nation 
states on notice that if you continue to do this, you are going 
to pay a price. And visa programs are all kinds of tools 
available to us as politicians up here to put the bad actors on 
notice, and maybe the immigration bill would be a good 
opportunity to do that. We have got to think outside the box.
    Now, when it comes to cyber 9/11s--and I have got 2 minutes 
and 20 seconds--could you in 20 or 30 seconds describe what you 
think a cyber 9/11 could look like? Mr. Baker, then----
    Mr. Baker. Sure. Very briefly, if you can break into a 
network, you can probably break it, and there are no networks 
in the United States, as far as I can tell, that have not been 
broken into. So all of them can be attacked. And in many cases, 
you can move to the equipment that runs on that and break that. 
We demonstrated that when I was at DHS with a big generator. 
Just by sending code to it, we burned it up. And so the real 
risk here is that an attacker that is determined could break 
into our industrial control systems and wreck power systems, 
pipelines, refineries, water, and sewage. You know, New York 
City, without all of those things, is going to be a very 
unpleasant place, and if the crisis lasts for a week, it will 
feel worse than 9/11.
    Senator Graham. Do you have anything to add there?
    Mr. Mandia. I think it is complex to determine what will 
happen when somebody tries to bring down an electric grid. Even 
from the attacker's perspective, you may get unpredictable 
results. I remember during the Super Bowl when the lights went 
out, everybody was, like, ``Was that cyber?'' But the results 
would be very unpredictable. I would give you two things.
    One, we should see and we might see shots across the bow 
before it happens. I do not think the first attack, if it is 
truly remote, will be noticed. The catch is I think that if it 
does happen, it is going to come from a third grade classroom 
in Mississippi somewhere. It is going to come from an IP 
address here in the States or from a human operator here in the 
States, and then it will branch out from there.
    The second thing is that hopefully we have the controls in 
place--and this is what is most important--to know who did it, 
because I think the deterrence for that kind of act is outside 
of the cyber domain.
    Senator Graham. Ms. McGuire, you mentioned about the law 
enforcement resources and model. How would you rate our legal 
infrastructure in terms of providing the tools necessary to 
actively go out and attack cyber theft and create deterrence 
without all of us having to worry about more body armor? And 
from a resourcing point of view, how advanced are we? Give a 
grade from A to F. Legal infrastructure and the resources 
available to our Government to fight cyber crime.
    Ms. McGuire. I think from a standpoint of our actual legal 
infrastructure, we have a pretty strong legal infrastructure in 
this country. But being equipped to address cyber crime, as I 
mentioned in my opening statement, is something that we need to 
play catch-up with. There is quite a gap there because we just 
do not have the number of investigators, prosecutors----
    Senator Graham. Well, give us kind of a wish list of what 
you think we would need to get to where we want to be.
    Ms. McGuire. Well, I think that we clearly need more 
investigators, prosecutors, and judges who are equipped and 
trained with the necessary skills to address these kinds of 
actions. That is a pretty big gap that we have today. The folks 
who are out there are doing yeoman's effort. Probably most of 
them would say they are overworked and they cannot keep up with 
the volume that they are being presented with every day.
    Senator Graham. I do not want to run over, but given the 
threat and given the focus, is there a big gap there? He 
mentioned a security gap. Is there sort of a gap between the 
threat we face as a Nation and the amount of resources we are 
supplying to the threat, to meet the threat? How big is that 
gap?
    Ms. McGuire. I do not know if I could actually quantify how 
large that gap is, but I think suffice it to say that there is 
a gap. It is a significant gap. We are not putting enough 
resources against this today. What you mentioned earlier about 
the way that we approach burglaries and robbers, we do not put 
the same type of emphasis on cyber criminal and cyber crime 
activity today in this country. We are making progress, but we 
have got a really long way to go to catch up.
    Senator Graham. Thank you, Mr. Chairman.
    Chairman Whitehouse. Thank you, Senator Graham.
    Let me do a couple of follow-ups. First of all, Mr. Mandia, 
when you mentioned that a big attack might very well come 
through a classroom in Mississippi or through somebody's 
individual computer, you did not mean that it would be 
originated there. You were referring to an attack starting 
overseas that would have come through a slaved computer there 
so that it would look as if that was the source. But clearly 
that is the level of sophistication that our enemies are 
operating at, is that they could slave a Mississippi classroom 
computer to use that to vector attacks into our critical 
infrastructure. Correct?
    Mr. Mandia. That is absolutely the case. Almost every 
single attack that we currently respond to, there are hot 
points in between, but they are all in the United States. These 
attacks are not coming straight out of China straight into the 
end victim. They are being routed through vulnerable sites, and 
the real challenge that we have, sir, is that the protocols--
nothing looks bad about the traffic going from a nation state 
to a third grade classroom in Mississippi. It is going to look 
like normal access. It looks bad when it goes from a classroom 
to the real target. So it is going to be very complicated to 
prevent that.
    Chairman Whitehouse. And if you are looking at--you 
mentioned China and Russia. If you are looking at what we would 
call, for want of a better word--I do not think it is the best 
word, but it seems to be the word that has developed--
``advanced persistent threats'' versus, say, botnets and big 
criminal siphoning efforts, the Chinese effort is much more in 
the direction of advanced persistent threats and of attacking 
our intellectual property and trying to insert potential 
sabotage, cyber sabotage, into our systems, and not so much 
engaged in botnets and that kind of activity; whereas, from the 
Russian side, there is both official and criminal network 
activity, and that is much more involved in stealing and 
spamming and botnets. So they are a little bit two different 
problem sets, depending on the source. Is that correct?
    Mr. Mandia. That is correct, and at the highest level of 
abstraction, when you think botnet, I would think it is a 
consumer problem, not necessarily an enterprise problem, but it 
does cross into companies having to deal with it, and it is a 
criminal element using it. And then with the targeted attacks, 
the criminal element uses them, but when you think economic 
espionage, most of those are targeted attacks, very 
sophisticated attacks.
    Chairman Whitehouse. Now, if I heard you correctly in your 
testimony, you said that two-thirds of the time when you 
respond to a company that has said, ``We have been hacked,'' 
they had no idea that they had been hacked until some 
Government agency warned them, often the FBI--usually the FBI, 
sometimes the Department of Homeland Security.
    There was a time not too long ago--and I am just using my 
recollection now--when my recollection is that both your 
company and the NCIJTF, the FBI operation, indicated that when 
they went out, 90 percent of the time they were the bearers of 
bad news to companies that had no idea, a little bit like the 
U.S. Chamber of Commerce, which, while busily attacking our 
efforts to get legislation in this place, also had basically 
the Chinese throughout all their systems right down to the 
fingernails for months and months and months and months, and 
had no clue about that until the Government came and told them, 
``By the way, I think you have been hacked.''
    Has it shifted from 90 percent to two-thirds? Is my memory 
failing me or----
    Mr. Mandia. No, no.
    Chairman Whitehouse [continuing]. Something that has 
happened where there is a little bit more awareness in the 
private sector now?
    Mr. Mandia. I would not even equate it to awareness, sir. 
We had a misleading figure. Quite frankly, when Mandiant 
reports that, it is based on the incidents that we respond to. 
I have been responding to Chinese intruders since 1996. Over 
time, it is no longer the first time you are learning you have 
been compromised by these folks. So when you go through your 
second or third drill of being compromised from Chinese 
hackers, in general, your security posture gets to a point 
where you now detect it yourself.
    So I think that is just a skew because last year we would 
have told you over 90 percent, and I have been tracking this 
since 1998. It has been over 90 percent third-party 
notification since 1998 for the customers that I have serviced. 
And this is the first dip, and it is because we are responding 
for the second or third or fourth time to organizations that 
have detected it themselves because they have already lived 
through that first wake-up call from law enforcement.
    Chairman Whitehouse. Now, would you describe some of the 
companies whom you provide services to as operating critical 
infrastructure in America?
    Mr. Mandia. Yes, I mean, the critical infrastructure 
demarcation line is harder to find in some industries, but the 
answer is yes.
    Chairman Whitehouse. Do you see any difference among 
companies that operate critical infrastructure? Are they 
demonstrably and noticeably better at this? Are they far away 
from the 90 percent, or are they more or less like any other 
company?
    Mr. Mandia. It has been my experience that if there is a 
regulation or a standard imposed, aligned by your industry that 
your security is, in fact, better in general than organizations 
that maybe fall through the cracks of all the hodgepodge of 
standards, legislation, and regulations out there. So if you 
are in a regulated industry, in general your security is 
better.
    Chairman Whitehouse. So let us talk a little bit about what 
we can do to increase security for critical infrastructure. Let 
me ask Ms. McGuire and Mr. Baker. You both have a background at 
the Department of Homeland Security. It has been the Department 
of Homeland Security's task for some time to try to develop 
better defenses in the critical infrastructure sectors. We have 
also heard I think from both of you that--the word ``dynamic'' 
keeps popping up. This is a very dynamic threat. And if we said 
XYZ strategy or XYZ technology is the mandated defense, then 
within a week or a month or a year that would be obsolete, and 
now we would be holding companies back from doing what they 
needed to do because we would be requiring them to stay with an 
obsolete technology. That is, if we set the regulatory 
requirements up in a very stupid and static way.
    So what is your recommendation as to how we might go about 
accomplishing what Mandiant has suggested, which is that 
standards help and we need to have them and we particularly 
need them for critical infrastructure, with the same time the 
dynamic capability that is necessary to meet this evolving 
threat? Ms. McGuire, then Mr. Baker.
    Ms. McGuire. I think the key point here is this is not a 
simple technology solution issue. You cannot just fix this with 
technology. It has to be a multi-pronged approach--many of us 
would use the term ``defense in breadth''--that goes across all 
areas of a business. And----
    Chairman Whitehouse. But, to interrupt, you cannot tell 
when a company has it and when they do not. So the fact that it 
is not just a technological solution does not mean that there 
is not a best practice solution out there, correct?
    Ms. McGuire. Absolutely. You have got to have--first and 
foremost, you have got to have the technology that is properly 
deployed and up-to-date in order to be your first line of 
defense. And in most cases, we will catch most of those attack 
vectors and threats. But to Mr. Mandia's point, we are not 
going to catch everything. In the face of a sophisticated 
attacker that is well resourced, that has very deep roots of 
sponsorship, we will not be able necessarily to address those 
kinds of APTs and other types of threats.
    So what has to happen is really a mesh or a standard risk 
management approach. You have got to address this through 
common risk management principles, and that includes the 
technology, it includes training of personnel, it includes 
awareness of critical infrastructure owners and operators that 
this threat is real. I think they are starting to get that now 
that we are having more high-profile conversations around this 
with events like Stuxnet in the past as well as the recent 
Saudi Aramco issue with the bricking of more than 30,000 
computer devices, associated with control system devices that 
operate major pipelines. They are starting to have this 
awareness about the urgency and the importance of it.
    There are a couple of other areas that we also need to 
address, and that is information sharing, and information 
sharing is a tool. It is not the be-all, end-all, but it 
certainly can help with the warning and the preparedness of 
those critical infrastructure owners and operators. And the 
common standards question always comes up, and I think again, 
as you mentioned, they need to be dynamic and flexible enough 
to allow for the most modern and up-to-date technologies to be 
implemented. But having the common standards that, for example, 
are being worked on through the Administration's Executive 
order right now that hopefully will raise the bar across all 
industries, I think that will go a long way. It still remains 
to be seen, but that is a positive step forward.
    Chairman Whitehouse. Mr. Baker, same question.
    Mr. Baker. Yes, so not only can we not solve this with 
technology, the regulation is not the greatest tool here 
because, as we have seen, the things you should be doing keep 
changing faster than the regulators can identify the things 
that need to be done and start imposing sanctions. So if people 
are not actually willing to pursue security themselves, a pure 
regulatory solution will not solve the problem.
    The good news, I think, is there is a way to think about 
this----
    Chairman Whitehouse. Unless perhaps the regulatory solution 
measures the pursuit rather than the solution.
    Mr. Baker. That is what I was getting at. You know, when 
they paint the Golden Gate Bridge, they never stop. They get to 
the other end, and they go back to where they started and begin 
painting over again. And that is the security approach that 
probably is our best. I start with who is attacking me, or who 
is likely to attack me. What tactics are they using now and 
likely to use? How do I stop those tactics? I implement that. 
And then I say, okay, now that I have implemented those 
measures, who still wants to attack me and what tools are they 
going to use now? And I find a solution to that and implement 
it, and you just--you know, lather, rinse, repeat. That process 
is probably the only thing you could say for sure we are going 
to have to require people to do. And measuring that----
    Chairman Whitehouse. It strikes me that there is an array 
of responses among operators of critical infrastructure to this 
problem. Some of them are very forward in the foxhole. They are 
throwing everything they can at the problem. And the danger 
that regulation creates is that you actually interfere with and 
hold back their efforts. And there is a price to be paid if 
that is the effect.
    At the same time, there are free riders and people who just 
figure, well, you know, why should I spend the money this 
quarter when what are the chances if it is really happening 
now, and, by the way, it is probably such a big catastrophe 
that the Government is going to come in and save my rear end 
anyway, and so there are laggards and free riders and cheats on 
the system, basically. And without a standard, they will 
continue to be laggards and free riders and cheats. And so 
there is a significant cost to not having any standard as well.
    Where I come down on that is that there needs to be a 
standard, but it needs to be dynamic, and it needs to measure 
pursuit rather than any static point.
    Mr. Baker. The one area where I think there has already 
been a sort of distortion due to regulation and where we should 
be trying to find a way to use the existing regulatory schemes 
are some of the data breach notification laws say you do not 
have to notify if you had encryption. People are spending a lot 
of their security budget putting encryption on the hard drives 
of laptops so that if they get lost, they do not have to 
disclose that they had a breach. That is probably not their 
biggest threat, but it is the one that hurts the most. And so 
finding a way to get the FTC and the State Attorneys General to 
focus more on security as a whole rather than just this one 
thing is probably useful.
    Chairman Whitehouse. Mr. Mandia, any thoughts on the 
pursuit versus static regulatory problem? You deal with a lot 
of these companies as well.
    Mr. Mandia. I think when you look at legislation, I think 
it is a very complicated matter, and I have had these 
discussions for 15 years on how do you legislate security 
benchmarks. I think that is very complicated. I think that 
aligns by industry, and I think the private sector for the most 
part is doing a lot of that themselves.
    I think what I have heard here makes a lot of sense. If you 
can push for an agile defense mechanism here in the United 
States that our companies can take threat intelligence being 
shared with it and have the technology and the means processes 
to do something with it, I think that is a great next step to 
cover that security gap.
    I think there is already a hodgepodge of standards, 
legislation, and regulations that are covering the 80 percent 
of the problem out there, the white noise. But when we want to 
deal with the nation state, 10 to 20 percent of the problem, I 
think what needs to be pushed now is the means for the 
Government to be able to share intelligence with the private 
sector, the private sector to get it to the private sector 
without enormous liabilities in doing so, and just start that 
information sharing in a codified way where we can make it 
actionable quicker.
    Chairman Whitehouse. But all three of you agree that among 
the operators of critical infrastructure in this country, you 
can find companies that are not doing what they should be doing 
in this area and that are either just not paying the attention 
that it deserves or have made the economic decision not to 
invest or are just basically playing the role of the laggard 
and the free rider and letting other people drive it forward. I 
see--is that a yes, yes, and yes across the board?
    Mr. Mandia. I have a slightly differing opinion. I can say 
most of the organizations that we have responded to had 
breaches that were probably unreasonable to prevent. So we 
respond to over 30 of the Fortune 100. I do not think they had 
bad security. I think they were probably all getting a check in 
the go box for compliance with pretty aggressive standards, yet 
they were still breached. When it comes to the critical 
infrastructure, as I sit here today thinking about it, the 
majority of the organizations we have assisted had security 
programs that were mature and above compliance, yet they were 
still breached. But I am giving you an unfair frame of 
reference because we are responding to the highest end, that 10 
to 20 percent of the breaches that are hard to prevent.
    Chairman Whitehouse. There are really two problems. One is 
that even the high performers remain vulnerable to breach by 
very highly qualified and persistent attackers. And at the same 
time, there is a considerable set of critical infrastructure 
operators who make it easy by simply not being up to basic 
standards.
    Mr. Mandia. Sir, I would just describe in 10 seconds, as if 
you are a B in security or an F in security, the attackers that 
Mandiant responds to have the exact same chance of getting in. 
The only thing that separates the A's in security from the B's 
is the A's will detect the successful attack themselves, the 
B's will not. And we are responding to some A's and some B's 
right now.
    Chairman Whitehouse. Back to the point that I have heard 
many people articulate in this area, and that is that if you 
are looking at a company, it is in one of two categories: It 
either has been hacked and knows it, or it has been hacked and 
does not know it. But that any company of significance has all 
been hacked, and I think it was also important--Senator 
Klobuchar and Senator Coons both mentioned the interest in 
small business. As the attack broadens, small businesses, 
particularly those that have a specialized process or product 
or skill that is susceptible of being stolen and then 
replicated without having to pay license fees and without 
having to invent it on your own, are becoming more and more the 
target, particularly if they are in the supply chain to the 
defense industrial base.
    So we get to a point where, if you are a small shop in 
Rhode Island that is the best place in the world at 
manufacturing a very specific kind of metals technology, that 
is what we want you to be doing. We do not want you to have to 
stop everything and try to bring in best of class cybersecurity 
in the same way that a Raytheon or a McDonnell-Douglas or some 
really major contractor would, and yet they are just as much at 
risk. I think we all agree.
    Well, let me thank all of you. I know you work hard in this 
area every day and you think in very dynamic ways about this 
problem, and I look forward to working with all of you as we go 
forward. I will accept Senator Graham's invitation or 
suggestion that we try to come up with something on visas, 
perhaps in the framework of the immigration bill that is now 
pending. But as I said to the first panel, we are also 
re-engaging and trying to basically do cyber legislation 2.0 now 
that the Executive order is in place, and we look forward to 
talking with all of you about the substance of that legislation 
and also to having you help us in communicating with our 
colleagues both the nature and the importance of this problem. 
So this has been very helpful. I am very grateful to all of 
you.
    The hearing will stay open for a week if anybody wishes to 
add anything to the record of the hearing. If I have not done 
it already, then by consent I will add the piece that Lindsey 
Graham and I wrote into the record of the hearing, and with 
that, we will stand adjourned.
    [Whereupon, at 10:54 a.m., the Subcommittee was adjourned.]
    [Additional material submitted for the record follows.]

                            A P P E N D I X

              Additional Material Submitted for the Record


