[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]



 
                             CYBERSECURITY:
                      WHAT THE FEDERAL GOVERNMENT
                   CAN LEARN FROM THE PRIVATE SECTOR

=======================================================================

                             JOINT HEARING

                               BEFORE THE

               SUBCOMMITTEE ON RESEARCH AND TECHNOLOGY &
                       SUBCOMMITTEE ON OVERSIGHT

              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED FOURTEENTH CONGRESS

                             FIRST SESSION

                               __________

                            January 8, 2016

                               __________

                           Serial No. 114-56

                               __________

 Printed for the use of the Committee on Science, Space, and Technology
 
 
 
 
 
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] 

 


       Available via the World Wide Web: http://science.house.gov
       
       
       
       
                             ________

                U.S. GOVERNMENT PUBLISHING OFFICE
                   
 20-826PDF              WASHINGTON : 2017       
____________________________________________________________________
       
       

              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY

                   HON. LAMAR S. SMITH, Texas, Chair
FRANK D. LUCAS, Oklahoma             EDDIE BERNICE JOHNSON, Texas
F. JAMES SENSENBRENNER, JR.,         ZOE LOFGREN, California
    Wisconsin                        DANIEL LIPINSKI, Illinois
DANA ROHRABACHER, California         DONNA F. EDWARDS, Maryland
RANDY NEUGEBAUER, Texas              SUZANNE BONAMICI, Oregon
MICHAEL T. McCAUL, Texas             ERIC SWALWELL, California
MO BROOKS, Alabama                   ALAN GRAYSON, Florida
RANDY HULTGREN, Illinois             AMI BERA, California
BILL POSEY, Florida                  ELIZABETH H. ESTY, Connecticut
THOMAS MASSIE, Kentucky              MARC A. VEASEY, Texas
JIM BRIDENSTINE, Oklahoma            KATHERINE M. CLARK, Massachusetts
RANDY K. WEBER, Texas                DONALD S. BEYER, JR., Virginia
BILL JOHNSON, Ohio                   ED PERLMUTTER, Colorado
JOHN R. MOOLENAAR, Michigan          PAUL TONKO, New York
STEPHEN KNIGHT, California           MARK TAKANO, California
BRIAN BABIN, Texas                   BILL FOSTER, Illinois
BRUCE WESTERMAN, Arkansas
BARBARA COMSTOCK, Virginia
GARY PALMER, Alabama
BARRY LOUDERMILK, Georgia
RALPH LEE ABRAHAM, Louisiana
DARIN LAHOOD, Illinois
                                 ------                                

                Subcommittee on Research and Technology

                 HON. BARBARA COMSTOCK, Virginia, Chair
FRANK D. LUCAS, Oklahoma             DANIEL LIPINSKI, Illinois
MICHAEL T. MCCAUL, Texas             ELIZABETH H. ESTY, Connecticut
RANDY HULTGREN, Illinois             KATHERINE M. CLARK, Massachusetts
JOHN R. MOOLENAAR, Michigan          PAUL TONKO, New York
BRUCE WESTERMAN, Arkansas            SUZANNE BONAMICI, Oregon
GARY PALMER, Alabama                 ERIC SWALWELL, California
RALPH LEE ABRAHAM, Louisiana         EDDIE BERNICE JOHNSON, Texas
DARIN LAHOOD, Illinois
LAMAR S. SMITH, Texas
                                 ------                                

                       Subcommittee on Oversight

                 HON. BARRY LOUDERMILK, Georgia, Chair
F. JAMES SENSENBRENNER, JR.,         DON BEYER, Virginia
    Wisconsin                        ALAN GRAYSON, Florida
BILL POSEY, Florida                  ZOE LOFGREN, California
THOMAS MASSIE, Kentucky              EDDIE BERNICE JOHNSON, Texas
BILL JOHNSON, Ohio
DARIN LAHOOD, Illinois
LAMAR S. SMITH, Texas

                            C O N T E N T S

                            January 8, 2016

Witness List

Hearing Charter

                           Opening Statements

Statement by Representative Barbara Comstock, Chairwoman, 
  Subcommittee on Research and Technology, Committee on Science, 
  Space, and Technology, U.S. House of Representatives
    Written Statement

Statement by Representative Daniel Lipinski, Ranking Minority 
  Member, Subcommittee on Research and Technology, Committee on 
  Science, Space, and Technology, U.S. House of Representatives
    Written Statement

Statement by Representative Barry Loudermilk, Chairman, 
  Subcommittee on Oversight, Committee on Science, Space, and 
  Technology, U.S. House of Representatives
    Written Statement

Statement by Representative Donald S. Beyer, Jr., Ranking 
  Minority Member, Subcommittee on Oversight, Committee on 
  Science, Space, and Technology, U.S. House of Representatives
    Written Statement

Statement by Representative Lamar S. Smith, Chairman, Committee 
  on Science, Space, and Technology, U.S. House of 
  Representatives
    Written Statement

                               Witnesses:

Mr. John B. Wood, Chief Executive Officer and Chairman, Telos 
  Corporation
    Oral Statement
    Written Statement

Dr. Martin Casado, Senior Vice President and General Manager, 
  Networking and Security Business Unit, VMWare
    Oral Statement
    Written Statement

Mr. Ken Schneider, Vice President of Technology Strategy, 
  Symantec Corporation
    Oral Statement
    Written Statement

Mr. Larry Clinton, President and Chief Executive Officer, 
  Internet Security Alliance
    Oral Statement
    Written Statement

Discussion

             Appendix I: Answers to Post-Hearing Questions

Mr. John B. Wood, Chief Executive Officer and Chairman, Telos 
  Corporation

Dr. Martin Casado, Senior Vice President and General Manager, 
  Networking and Security Business Unit, VMWare

Mr. Ken Schneider, Vice President of Technology Strategy, 
  Symantec Corporation

Mr. Larry Clinton, President and Chief Executive Officer, 
  Internet Security Alliance

            Appendix II: Additional Material for the Record

Statement by Representative Eddie Bernice Johnson, Ranking 
  Member, Committee on Science, Space, and Technology, U.S. House 
  of Representatives


                             CYBERSECURITY:



                      WHAT THE FEDERAL GOVERNMENT



                   CAN LEARN FROM THE PRIVATE SECTOR

                              ----------                              


                        FRIDAY, JANUARY 8, 2016

                  House of Representatives,
  Subcommittee on Research and Technology &
                         Subcommittee on Oversight,
               Committee on Science, Space, and Technology,
                                                   Washington, D.C.

    The Subcommittees met, pursuant to call, at 9:04 a.m., in 
Room 2318 of the Rayburn House Office Building, Hon. Barbara 
Comstock [Chairwoman of the Subcommittee on Research and 
Technology] presiding.

 [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]




    Chairwoman Comstock. The Subcommittees on Research and 
Technology and Oversight will come to order.
    Without objection, the Chair is authorized to declare 
recesses of the Subcommittee at any time.
    Good morning. Welcome to today's hearing titled 
``Cybersecurity: What the Federal Government Can Learn from the 
Private Sector.''
    In front of you are packets containing the written 
testimony, biographies, and Truth in Testimony disclosures for 
today's witnesses.
    I now recognize myself for five minutes for an opening 
statement.
    Today's hearing continues this Committee's commitment to 
find solutions for one of the great challenges of the 21st 
Century: cybersecurity. This is the second hearing we have held 
on cybersecurity since the news over the summer that the Office 
of Personnel Management was the target of two massive data 
breaches, exposing the sensitive information of over 21.5 
million Americans, including many of my constituents. The OPM 
breach highlighted the growing challenge of preventing and 
responding to cyber threats for both the public and private 
sectors.
    In 2014 and 2015, cyber-attacks on Target, eBay, Home 
Depot, and Anthem Health Insurance were only a few of the many 
publicly disclosed breaches. The data breach of Anthem alone 
exposed the Social Security numbers of 80 million Americans.
    The time has come for every manager and every employee in 
both government and private organizations to make cybersecurity 
a top priority in their daily work, and for leaders to be held 
accountable for negligent failures to protect information. The 
American public and shareholders are demanding it.
    When criminal hackers gained access to some 40 million 
Target customer credit cards, the CEO and the CIO were fired, 
in the private sector. Although the OPM Director resigned in 
the wake of the OPM breaches, I am still not satisfied that the 
responsible parties have been held accountable for the failure 
of the agency to address known security vulnerabilities.
    The most recent IG audit found that OPM still has 23 
systems that have not been subject to a thorough security 
controls assessment. OPM does not even have a complete 
inventory of servers, databases and network devices in their 
system.
    Just this week I met with newly appointed Senior Cyber and 
Information Technology Advisor Clifton Triplett and the OMB 
Senior Advisor on Cyber and National Security.
    I look forward to working with my colleagues and all 
federal agencies to ensure we are protecting the identities of 
our employees, applicants, and their families.
    The cyber criminals, hacktivists, and state-sponsored cyber 
terrorists are getting more creative and bolder in their 
attacks. The private sector has been at the forefront of 
dealing with these threats for some time, as both the target of 
many of these attacks and as the leaders in developing the 
technology and workforce necessary to counter cyber threats.
    Visa, which is in my district, is preparing to open a new 
Cyber Fusion Center in my district just this week. This state-
of-the-art cyber facility brings together nearly 100 highly 
trained security professionals into one high-tech campus, and 
provides for collaboration both internally and with payments 
and with partners enabling information sharing, rapid response, 
et cetera. I am privileged to have a number of companies who 
are very much on the forefront in this area in my district, and 
we have a number of those witnesses here today, and I look 
forward to hearing from our witnesses, who are all innovative 
thinkers from the private sector.
    I hope we can take the lessons we learn from you today, and 
help apply them towards protecting our federal information 
systems and the sensitive and valuable information they 
contain. We clearly must work together and be able to be more 
agile and adaptive to the ongoing threats that we know with the 
multiplication of information in all of our systems, which 
is just going to exponentially increase over the coming years. 
This will be a permanent employment area for all of you, I'm 
sure.
    [The prepared statement of Chairwoman Comstock follows:]
    
    
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    
    
  
    
    Chairwoman Comstock. I now recognize the Ranking Member of 
the Research and Technology Subcommittee, the gentleman from 
Illinois, Mr. Lipinski, for his opening statement.
    Mr. Lipinski. Thank you, Chairwoman Comstock and Chairman 
Loudermilk, for holding this hearing. I want to thank all the 
witnesses for being here today, and I look forward to hearing 
your testimony.
    Chairwoman Comstock had mentioned in her opening statement 
the real need to make sure we do more in this area. We need to 
make sure that, both in the public and private sector, people 
are held responsible for the hacks that do occur. We 
need to make sure that we have in place what we can do here, 
that Congress does what it can do to make sure that there is an 
incentive both in the public and private sector to try to avoid 
these hacks, this loss of information, so I'm very interested 
to hear more from our witnesses on this.
    I am certainly pleased that we're holding our first hearing 
on cybersecurity, which is certainly an increasingly urgent 
challenge for our national security and the personal security 
of every American. It's important that we continue to hear from 
experts in government and the private sector about the latest 
developments with respect to both the risks that confront 
security in cyberspace, and the technologies and policies to 
combat those threats.
    Our Committee plays an important role in both the 
technology side and the policy side, and this is an area in 
which Members have successfully collaborated across the aisle. 
In December 2014, Congress enacted the Cybersecurity 
Enhancement Act, a bipartisan research, education, and 
standards bill that I worked on with Mr. McCaul over several 
years. Over the last month, Congress enacted a cybersecurity 
law to promote information sharing and strengthen coordination 
between the private and public sectors. As a Committee and as 
Congress, we need to continue to confront these serious cyber 
threats.
    Unfortunately, we continue to see an increase in major 
cyber-attacks in both the public and private sectors. In a 
hearing we held here in July, we heard about the significant 
breach at the Office of Personnel Management, in which the 
personal information of millions of current and former federal 
employees and job applicants was compromised, including some of 
us here. Highly sensitive security-clearance files were also 
compromised, making it not just a problem for all those 
individuals but a national security issue as well.
    We have laws in place to address the security of federal 
information systems. The Federal Information Security 
Management Act, or FISMA, and subsequent amendments establish 
the necessary policies and procedures for the development of 
standards and protocols. NIST has an important role in this. 
But it is clear that federal agencies need to do a better job 
implementing NIST's standards and protocols, and that Congress 
needs to give them adequate resources to do so.
    The private sector is also under constant threat from 
cyberattacks. In the case of large-size companies, a recent 
study conducted by the Ponemon Institute found that there was a 
19 percent increase in cybercrimes between 2014 and 2015. The 
study also found that cybercrimes cause significant economic 
damage. For 2015, cyber attacks resulted in a total average 
cost of $15 million. While the threats continue to grow, many 
in the private sector are increasingly taking steps to protect 
their information systems and the personal information of 
Americans that they gather in their routine business.
    To reduce our risk and improve the security of cyberspace, 
it will take the combined effort of the Federal government, the 
private sector, our researchers and engineers, and the general 
public. Although cyber attacks are becoming more sophisticated, 
often cyber attacks are successful because of human error, such 
as unknowingly opening a malicious email or allowing one's 
credentials to be compromised. Part of our effort must be to 
educate the public. Another part must be to better understand 
human behavior in order to make new tools and technologies more 
effective, such as the work being done at NIST and elsewhere to 
move beyond passwords.
    I look forward to hearing from our witnesses today about 
industry cybersecurity best practices as well as opportunities 
for public-private partnerships that could help address our 
shared cybersecurity challenges. I'm also interested in hearing 
to what extent private businesses and organizations voluntarily 
implement FISMA standards developed by NIST, and how you may be 
participating in or benefiting from other efforts at NIST, 
including the Cybersecurity Center for Excellence and the 
Framework for Critical Infrastructure.
    Thank you, and I yield back the balance of my time.
    [The prepared statement of Mr. Lipinski follows:]
    
    
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]   
    
    
    
    Chairwoman Comstock. Thank you, Mr. Lipinski.
    I now recognize the Chair of the Oversight Subcommittee, 
the gentleman from Georgia, Mr. Loudermilk, for his opening 
statement.
    Mr. Loudermilk. Well, thank you, Chairwoman Comstock, 
especially for continuing this important discussion on the 
security of our federal information systems.
    I would also like to thank our witnesses for being here 
today to help us understand industry's best practices when it 
comes to cybersecurity. I look forward to hearing about lessons 
learned and how to apply those lessons to our federal systems 
to help prevent future cyber-attacks.
    It is clear that our federal systems are not adequately 
protected. In fact, just this past summer, a witness from the 
Government Accountability Office before this Committee stated, 
``It is incumbent upon federal agencies to implement the 
appropriate security controls to mitigate those risks at a 
cost-effective and acceptable level, and we found out that 
agencies have not consistently implemented agency-wide 
information security programs to mitigate that risk 
effectively.'' When I asked that same witness to grade our 
federal cybersecurity, he gave it a D. A rating of D is not an 
acceptable grade.
    This Administration owes it to the American people to 
significantly improve this deplorable standing in order to 
sufficiently protect government information and thereby our 
national security. This Administration also needs to explain 
how it is protecting the American people's personal 
information. As I stated at the hearing this summer, the breach 
of data from the Office of Personnel Management is exactly why 
the Oversight Subcommittee that I chair continues to look into 
the collection of Americans' personal data through the website 
HealthCare.gov. In fact, I am still waiting for complete 
answers from the Administration to questions I posed in letters 
to the Office of Science and Technology Policy and the Centers 
for Medicare and Medicaid Services back in June. This 
Administration has not sufficiently explained why it was ever 
necessary to indefinitely store Americans' personnel--personal 
data they submitted when logging into the HealthCare.gov 
website, particularly those who did not end up enrolling. One 
would think that President Obama would agree that such a 
practice is unnecessary as he identified cybersecurity as one 
of the most serious economic and national security challenges 
we face as a nation, but one that we as a government or as a 
country are not adequately prepared to counter. If 
cybersecurity is one of the most serious challenges that this 
government faces, why on earth would the government ever 
consider storing all of this personal information indefinitely 
in data warehouses? As the Chairman of the Oversight 
Subcommittee, I will continue to ask questions and demand 
answers until we are satisfied that federal departments and 
agencies are making decisions in the best interest of 
protecting the personal information of all Americans. The 
safety and security of Americans and this Nation must be our 
number one priority.
    Having continuously subpar security of our federal systems 
is embarrassing and must be rectified immediately. The delays 
must stop. It's time to finally do something about federal 
cybersecurity.
    I look forward to the witnesses' testimony at today's 
hearing. I hope to learn more about the various industry best 
practices and lessons learned in hopes that it will shed light 
on what the government could and should be doing to protect our 
citizens from constantly evolving cyber threats.
    Madam Chairwoman, I yield back the balance of my time.
    [The prepared statement of Mr. Loudermilk follows:]
    
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    
    
   
    Chairwoman Comstock. Thank you, Chairman Loudermilk.
    And I now recognize the Ranking Member of the Subcommittee 
on Oversight for his opening statement.
    Mr. Beyer. Thank you, Chairwoman Comstock and Chairman 
Loudermilk, for holding today's hearing. Thank you, witnesses, 
for spending Friday morning with us.
    As we keep relearning after each new attack, cybersecurity 
is obviously a critical and daunting challenge. Today the data 
we create, store, access, and often share online contains 
information about almost every aspect of our lives. Our 
collective digital universe is composed of banking records, 
birth records, personal health files, government records, tax 
filings, on and on.
    Last week, I was going on realage.com to see how long I was 
going to live, and now the cybersecurity attackers are going to 
know my cholesterol, my weight, the name of my dog, and the 
last year I had a cigarette. I took an Alzheimer's test last 
night online, which results I hope don't show up in my next 
campaign.
    We electronically communicate with our kids' teachers about 
their academic achievements. I find that none of my kids will 
return my phone calls but they will text me right back. News 
flash: None of this information is secure, and immediate access 
to these digital connections provides tremendous advantages for 
businesses and consumers. In our family business, we're highly 
dependent on all the information we've gathered on our 
customers, the next time Congresswoman Bonamici needs an oil 
change on her Subaru, for example. It also offers abundant 
nefarious opportunities for cyber criminals, foreign 
governments intent on cyber espionage, and perhaps even more 
dangerous actors.
    Protecting against known and emerging cyber threats is an 
ongoing enterprise that requires consistent vigilance and 
continuing adoption. Last year's OPM attack was a huge concern 
for all the federal workers that live in our districts across 
the country, and there were management and procedural failures 
at OPM that are now being addressed.
    But nobody is immune to cyber attacks, not in the 
government and not in the private sector. According to Privacy 
Rights Clearinghouse, a nonprofit, nonpartisan, organization 
that tracks cyberattacks, in 2015 there were 17 reported 
breaches against .gov or .mil addresses that resulted in access 
to 27.8 million records. The big one there obviously was OPM. 
During the same time period, the private sector experienced 184 
confirmed breaches that resulted in exposure of 131.5 million 
records. It's a huge problem for both sides.
    I believe that sharing best practices to reduce IT 
vulnerabilities, educate federal workers is very important. I 
really look forward to today's hearing. I'm sure there are many 
lessons that we will learn from you today. I also look forward 
to the equal certainty that there is much that the private 
sector can learn from the government, especially the Department 
of Defense and our intelligence community.
    So I look forward to today's discussion, and thank you so 
much for being with us.
    Mr. Chair--Madam Chair, I yield back.
    [The prepared statement of Mr. Beyer follows:]
    
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    
    
  
    
    Chairwoman Comstock. Thank you, and I now recognize the 
distinguished Chairman of the full Committee, Mr. Smith.
    Chairman Smith. Thank you, Madam Chair.
    Last year, more than 178 million records of Americans were 
exposed in cyber-attacks. The breach of the Office of Personnel 
Management alone compromised the personal information of more 
than 20 million people, which included Members and staff of 
this Committee.
    The United States is a top target for foreign countries. 
Cyber criminals and hacktivists exploit vulnerabilities in our 
networks and cyber systems to obtain valuable information. The 
number of cybersecurity incidents reported by federal agencies 
has increased over 1,000 percent in the last eight years. In 
2014, more than 67,000 cyber-attacks were reported, and many 
others, of course, were not.
    A number of federal agencies guard America's cybersecurity 
interests. Several are under the jurisdiction of the Science 
Committee. These include the National Science Foundation, the 
National Institute of Standards and Technology, the Department 
of Homeland Security's Science and Technology Directorate, and 
the Department of Energy. All of these agencies support 
critical research and development to promote cybersecurity and 
set federal standards.
    However, it is clear that too many federal agencies, like 
OPM, fail to meet the basic standards of information security. 
More must be done to ensure agencies make cybersecurity a top 
priority.
    Last year, audits revealed that 19 of 24 major federal 
agencies failed to meet the basic cybersecurity standards 
mandated by law yet the Administration has allowed deficient 
systems to stay online.
    What are the consequences when a federal agency fails to 
meet its basic duties to protect sensitive information? What 
does it say to federal employees, not to mention our 
adversaries, when cabinet secretaries don't take cybersecurity 
seriously and fail to follow the most basic email security 
practices involving our country's classified information?
    In the private sector, those who neglect their duty to keep 
the information of their customers secure are usually fired. In 
the federal government, it seems the only people penalized are 
the millions of innocent Americans who have their personal 
information exposed.
    During the last Congress, the Science Committee approved 
the Cybersecurity Enhancement Act, which was signed into law. 
This law improves America's cybersecurity abilities and 
strengthens strategic planning for federal cybersecurity 
research and development. It supports NSF scholarships to 
improve the quality of our cybersecurity workforce. It also 
improves cybersecurity research, development, and public 
outreach organized by NIST.
    Last month, a similar bill, the Cybersecurity Act of 2015, 
was signed into law. Very importantly, this bill encourages 
private companies to voluntarily share information about 
imminent cyber threats with each other as well as with the 
federal government.
    The Science Committee will continue its efforts to support 
research and development to strengthen America's cyber 
defenses. I look forward to hearing from our witnesses today 
about what more we can do to support innovation and help set 
national standards and guidelines that will enhance our 
country's cybersecurity.
    Thank you again, Madam Chair, and I yield back.
    [The prepared statement of Chairman Smith follows:]
    
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    
    
  
    
    Chairwoman Comstock. Thank you, Mr. Chairman.
    At this time I would now like to introduce our witnesses.
    John Wood is Chief Executive Officer and Chairman of the 
Board for Telos Corporation, a leading technology company that 
addresses cybersecurity, secure mobility, and identity 
management for corporations and governments worldwide. Mr. Wood 
serves on the Boards of the Northern Virginia Technology 
Council, the Wolf Trap Foundation for the Performing Arts, home 
of the nationally acclaimed Wolf Trap Institute for Early 
Learning through the Arts and its Early STEM Arts Program. He 
is also the founding chairman of the Loudoun County CEO Cabinet 
and served for five years as Chairman of Loudoun County's 
Economic Development Commission. Prior to joining Telos in 
1992, Mr. Wood worked on Wall Street after earning his degree 
in finance and computer science at Georgetown University. I 
know he also is very active in STEM education throughout 
Loudoun County in our district in getting young people engaged 
and involving them personally, I know both with your company 
and with our school system. We appreciate all you do in that 
area.
    Dr. Martin Casado is a VMWare Fellow and Senior Vice 
President and General Manager for the Networking and Security 
Business Unit. Dr. Casado joined VMWare in 2012 when the 
company acquired Nicira, of which he was Co-Founder and Chief 
Technology Officer. Dr. Casado has previously held a research 
position at Lawrence Livermore National Laboratory, where he 
worked on network security in the information operations 
assurance center. Dr. Casado has been recognized as one of the 
industry's leading innovators and has been featured as one of 
Business Insider's 50 Most Powerful People in Enterprise Tech, 
Forbes Next Generation Innovators, and Dr. Casado received his 
master's and Ph.D. from Stanford.
    Mr. Ken Schneider serves as Vice President of Technology 
Strategy at Symantec, where his focus is on driving an overall 
technology strategy across the company. He was previously Chief 
Technology Officer of the Enterprise Security and Security and 
Data Management Groups. Prior to joining Symantec, Mr. 
Schneider served as CTO and VP of operations for Brightmail, 
the leading anti-spam software company that was acquired by 
Symantec. Before Brightmail, Mr. Schneider South Beach 
Software, a software consulting company that developed products 
for the professional video market. He also received a master of 
science in mechanical engineering from University of California 
Berkeley and a bachelor of science in engineering from 
Swarthmore.
    Mr. Clinton is the President and Chief Executive Officer of 
the Internet Security Alliance, a multisector trade association 
focused on cyber thought leadership, policy advocacy, and 
promoting sound security practices for corporations. Mr. 
Clinton has widely published on cybersecurity and is the 
principal author of the Cyber Risk Handbook for corporate 
boards published by the National Association of Corporate 
Directors in 2014 and endorsed by the Department of Homeland 
Security in 2015. The NACD also named Mr. Clinton as one of the 
100 most influential individuals in the field of corporate 
governance last year. Mr. Clinton is in demand internationally, 
having spoken in Europe, Asia, and Latin America, and we are 
glad to have him here today.
    In order to allow time for your discussion, please limit 
your testimony to five minutes. Your entire written 
statements, which I know are more extensive and have lots of 
good information, will be in our public record, and since 
we're on C-SPAN today, I would encourage the public to also 
look at those full statements to get more information there. 
With that, I will recognize Mr. Wood for five minutes to 
present his testimony.

                 TESTIMONY OF MR. JOHN B. WOOD,

             CHIEF EXECUTIVE OFFICER AND CHAIRMAN,

                       TELOS CORPORATION

    Mr. Wood. Thank you. I'd like to thank Chairwoman Comstock 
and the other Chairs and Ranking Members for the invitation to 
share some thoughts on behalf of Telos Corporation on industry 
best practices for cybersecurity and risk management.
    As I noted in my written testimony, Telos protects the 
world's most security-conscious enterprises, providing our 
customers with solutions and services for cybersecurity, secure 
mobility, and identity management.
    The first point I'd like to highlight is that all 
enterprises, public and private, need to emphasize cyber 
hygiene in their day-to-day operational practices and employee 
training.
    Why do I make this first point? Because the 2015 Verizon 
data breach investigations report found that the overwhelming 
common denominator in security incidents is people. Nearly all 
of the security incidents Verizon cataloged might have been 
avoided if organizations had taken basic steps to help their 
employees follow simple cybersecurity precautions.
    Here are five basic steps that organizations should take to 
help better protect themselves from attacks. First, establish 
and enforce cybersecurity policies and procedures. Second, 
include effective password management practices. Third, require 
regular security awareness training. Fourth, implement timely 
updates and patches to manage vulnerabilities. And fifth, to 
use up-to-date endpoint security solutions. These five basic 
steps serve as the foundation for a strong cybersecurity 
program. Every IT security professional knows them, and yet the 
importance of following through with them cannot be overstated.
    Further, these practices must be embraced in the boardroom, 
and by management, so that a culture of cybersecurity is 
created throughout the organization from the top down.
    That being said, every organization with high-value digital 
assets needs to assume it has already been breached or will be. 
This leads to my second point, and that is that incident 
response and remediation are just as important to organizations 
as cyber defense-in-depth strategies.
    Telos has developed a rigorous framework for incident 
response with essential steps like preparation, containment, 
eradication and recovery, which we use ourselves and implement 
for our customers.
    Further, it isn't realistic to expect every organization to 
have the time or financial and human resources needed to 
successfully defend everything. That's why risk management is 
so critical to effective cybersecurity. Risk management 
involves identifying, evaluating, and either accepting or 
mitigating uncertainty in decision making.
    Private and public sector organizations need to make cost-
benefit choices about which systems to defend and how to defend 
them based on the likelihood of an asset being attacked, the 
value of the asset being attacked, the cost of defending the 
asset, and the cost of losing the asset. That approach is 
reflected in the Continuous Diagnostics and Mitigation program 
established by Congress ``to provide adequate risk-based and 
cost-effective cybersecurity and more efficiently allocate 
cybersecurity resources.'' This Continuous Diagnostics and 
Mitigation program, or CDM program, extends continuous 
monitoring into the areas of diagnostics and mitigation while 
acknowledging that risk management is called for when you have 
to meet nearly infinite needs with finite resources.
    That's also the value of initiatives like the NIST risk 
management framework and the NIST cybersecurity framework. They 
put cybersecurity solutions and best practices in the context 
of risk management and compliance, which brings me to my third 
point. The standards in the NIST cybersecurity framework are 
very good but they cannot succeed unless companies follow them. 
We should be looking for ways that market forces can 
incentivize companies to voluntarily take the strongest 
possible actions to protect themselves, which includes 
following the NIST standards and best practices.
    The various critical infrastructure sectors are just that: 
critical. They're so important to our national defense, our 
economy, and our way of life that it's imperative government 
and private sectors encourage organizations in these sectors to 
use best security practices.
    One promising area of incentivizing companies is tied to 
the growth of the cyber insurance market. The Commerce 
Department has described cyber insurance as ``an effective 
market-driven way of increasing cybersecurity.'' The Treasury 
Department has also suggested that the increasing demand for 
cyber insurance may help drive private sector policyholders to 
adopt the NIST cybersecurity framework. As insurance companies 
get their arms around the cybersecurity actuarial data they 
accumulate with each new breach, they'll want to have insights 
into what their clients are doing to protect themselves. Are 
they applying sufficient ongoing protection for their systems 
and data? Are they using the NIST framework or an equivalent 
standard? In fact, insurance companies may well require their 
clients to adopt the NIST framework in order to demonstrate 
insurability and reduce their premiums. When that happens, we 
could see greater market-based pressure brought to bear that 
will effectively require companies to do the same. So market 
forces and the fear of legal liability may make NIST voluntary 
guidelines the de facto standards for companies to demonstrate 
to insurers or in court that they've exercised all due care to 
protect their customers and their assets.
    One additional point: Cybersecurity is just too important 
to do on the cheap. Overreliance on ``lowest price technically 
acceptable'' contracts can be very risky in a field that has so 
little room for error.
    Similarly, our fifth war-fighting domain, cyberspace, must 
be appropriately funded. U.S. Cyber Command has been funded at 
a level this year that represents a mere 1/1000th of the 
overall DOD budget. By contrast, just four banks--JP Morgan 
Chase, Bank of America, Citibank and Wells Fargo--are spending 
three times the amount on cybersecurity. JP Morgan, after they 
got hacked, decided to double their IT security spend from $250 
million a year to $500 million a year, more than all of Cyber 
Command. The financial sector is an example of the private 
sector taking its cybersecurity risk management 
responsibilities very seriously and devoting the resources 
necessary to protect themselves.
    Again, I appreciate the opportunity to share with you 
Telos's perspective, and I'd be glad to answer any questions. 
Thank you.
    [The prepared statement of Mr. Wood follows:]
    
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    
    
    
    
    Chairwoman Comstock. Thank you.
    And now we'll hear from Dr. Casado.

                TESTIMONY OF DR. MARTIN CASADO,

           SENIOR VICE PRESIDENT AND GENERAL MANAGER,

         NETWORKING AND SECURITY BUSINESS UNIT, VMWARE

    Dr. Casado. Chairwoman Comstock, Chairman Loudermilk, 
Ranking Member Lipinski, Ranking Member Beyer, and other 
Members of the Committee, thank you for the opportunity to 
testify today. I'm super thrilled to be here.
    I'm Martin Casado, Senior Vice President and General 
Manager of Networking and Security at VMware. VMware is the 
fourth largest software company in the world with 2014 revenues 
of over $6 billion and over 18,000 employees.
    The nature of security breach at the Office of Personnel 
Management was not particularly unique. Hackers were able to 
penetrate perimeter networks' security systems and gain access 
to OPM and Department of Interior systems where they were free 
to access and steal sensitive data over a period of several 
months. Hackers typically use this attack methodology because 
traditional perimeter-centric security systems are structurally 
designed to be doors to the network. These doors allow 
authorized users access to network systems and prevent 
unauthorized users from entering a network or data center.
    However, perimeter security is a single point of entry that 
must be breached or circumvented in order to enter the data 
center network. Once the intruder has passed the perimeter, 
there's no simple means to stop malicious activity from moving 
throughout the data center. In many cases, the response from 
companies, agencies, and network security vendors is to add 
more security technology to the perimeter, which ignores the 
structural issue, creating basically a Maginot line.
    VMware submits three salient points for consideration. One: 
Every recent agency breach has had one thing in common: the 
attacker, once inside the perimeter security, was able to move 
freely around the agency's network. Two: Perimeter-centric 
cyber security policies, mandates, and techniques are 
necessary, but insufficient and ineffective in protecting U.S. 
government cyber assets alone. Three: These cyber-attacks will 
continue, but we can greatly increase our ability to mitigate 
them and limit the damage and severity of the attacks when they 
do.
    So in today's legacy networks, there are a lot of 
perimeter-centric technologies that are designed to stop an 
attacker from getting inside a network. Clearly, this approach 
is not sufficient to combat today's cyber-attacks. Perimeter-
centric security solutions are analogous to a locked door that 
can only be accessed with a key. The primary function of the 
door is to deny initial unauthorized entry by anyone who does 
not have a key. However, once the door is forced open or 
breached, the unauthorized actor is free to move throughout 
unabated.
    In order to effectively prevent an attacker from moving 
freely around the network, agencies must compartmentalize their 
existing network perimeter security by adding zero trust or 
micro-segmented network environments within the data center. A 
zero trust environment prevents unauthorized lateral movement 
within the data center by establishing automated governance 
rules that manage the movement of users and data between 
business systems or applications within the data center 
network. When a user or system breaks the rules, the potential 
threat incident is compartmentalized and security staff can 
take any appropriate remediation actions. To build on the 
analogy above, compartmentalization is equivalent to securing 
each interior room with locks, limiting the intruder's ability 
to move around freely within the house significantly. This 
mitigates the magnitude of a perimeter security breach, or 
break-in. These new approaches are already the gold standard in 
commercial industry and need to become the gold standard across 
the federal government.
    VMware has seen many government agencies conclude that the 
most effective means of mitigating the potential for a breach 
is to build a new network or data center called a 
``greenfield'' environment with enhanced security protocols. 
Agencies reach this conclusion because existing data centers, 
or ``brownfield'' environments, are assumed to be compromised 
and unsalvageable. This is a legitimate strategy. However, it 
fails to address the persistent security threat to existing 
cyber infrastructure.
    There are two main issues with this approach. Existing 
networks or data centers continue to operate while the new 
environment is being provisioned, which leaves sensitive data 
vulnerable to continuing attack. It can take months or years to 
stand up a new greenfield environment. As we've seen, this is 
what happened with the attack at OPM. They were building a new, 
enhanced network but the attack occurred on the existing 
system. Without clear cyber security guidelines mandating new 
software based security strategies that go beyond perimeter-
centric security, the new environments are subject to attack as 
soon as they become operational.
    In an era of constrained resources and imminent threat, 
this approach is insufficient and untimely. Agencies have the 
ability today to upgrade the security posture of their existing 
cyber infrastructure and add zero trust software defined 
solutions that are inherently more cost-effective than new, 
expensive hardware-based solutions. By deploying these 
technologies within our nation's existing networks and data 
centers, agencies can avoid billions of dollars of additional 
investment in new greenfield infrastructure when the compelling 
driver for a greenfield investment is strictly security 
related.
    Thank you very much for the opportunity to testify today, 
and I look forward to answering the Committee's questions.
    [The prepared statement of Dr. Casado follows:]
    
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    
    
    
    
    Chairwoman Comstock. Thank you.
    And now we will hear from Mr. Schneider.

                TESTIMONY OF MR. KEN SCHNEIDER,

             VICE PRESIDENT OF TECHNOLOGY STRATEGY,

                      SYMANTEC CORPORATION

    Mr. Schneider. Chairwoman Comstock, Chairman Loudermilk, 
Chairman Smith, Ranking Members Lipinski and Beyer, thank you 
for the opportunity to testify today.
    The focus of today's hearing is right on point: 
Cybersecurity is a shared responsibility, and the public and 
private sectors must work together closely to counter ever-
evolving threats.
    Many of the recent headlines about cyber-attacks have 
focused on data breaches, both in government and across the 
spectrum of industries, but cyber-attacks do much more than 
that, and the incidents we see today range from basic 
confidence schemes to massive denial-of-service attacks to 
sophisticated and potentially destructive intrusions into 
critical infrastructure systems. The attackers run the gamut 
and include highly organized criminal enterprises, disgruntled 
employees, individual cyber criminals, so-called hacktivists, 
and state-sponsored groups. Attack methods vary, and the only 
constant is that the techniques are always evolving and 
improving. For instance, spearphishing, or customized targeted 
emails containing malware or malicious links, is still one of 
the common forms of attack. Social media is also an 
increasingly popular attack vector as people tend to trust 
links and postings that appear to come from a friend's social 
media feed.
    We've also seen the rapid growth of targeted web-based 
attacks known as ``watering hole attacks'' and trojanized 
updates where malware is cloaked in legitimate software 
updates. For example, last year, legitimate software developers 
were tricked into using compromised software to publish their 
apps. These apps were then pushed into Apple's App Store and 
downloaded by unsuspecting consumers.
    Further, the attack surface continues to expand as both the 
private and public sectors move to the cloud, and the internet 
of things and the billions of new devices coming online will 
bring with them a new generation of security challenges. For 
example, CCS Insight predicted the sale of 84 million wearables 
in 2015. Each of those 84 million users is transmitting 
sensitive data into cloud platforms that must be secure.
    Preventing these attacks requires layered security and an 
integrated approach. At Symantec, we refer to this as our 
unified security strategy. The National Institute of 
Standards and Technology's framework for improving critical 
infrastructure security reflects this holistic approach and its 
core five functions serve as a useful outline for discussing a 
unified approach to security.
    First is identify. Simply put, you can't protect what you 
can't see, but the task goes beyond just identifying hardware 
and software and includes a risk-based approach to ensure that 
the most critical assets are identified and protected.
    Next is protect, and it starts with people. An organization 
needs to ensure that its workforce practices good cyber hygiene 
and is alert for the latest scams and schemes. But of course, 
technology is important too. Modern endpoint security examines 
numerous characteristics of files to discover unknown or 
emerging threats that might otherwise be missed. It's critical 
to monitor the overall operation of a system to look for 
unusual, unexpected, or anomalous activity that could signal an 
infection. Information protection is equally important. This 
requires a data loss prevention system that indexes, tracks, 
and controls the access to and movement of data across an 
organization.
    The third function is detect. An organization needs to know 
what is going on inside of its systems as well as who is trying 
to access what and how they are trying to do so. Modern 
security analytics platforms ingest a whole volume of machine 
and user data and use advanced behavioral and reputational 
analytics to know whether a series of anomalies is an indicator 
of malicious activity. By doing so, these systems are able to 
detect threats that bypass other protections.
    Fourth is respond. Good planning is the foundation of an 
effective cybersecurity strategy. If and when an incident 
occurs, an organization must have a well-defined and practiced 
playbook to be able to respond quickly and effectively. 
Interviewing potential vendors and assigning roles and 
responsibilities is not a good use of time while an 
organization is hemorrhaging sensitive data.
    The last function is recover. This is twofold: getting the 
impacted systems back up and running, and improving security 
based on the lessons learned from the incident. Effective and 
efficient recovery requires preparation and planning. For 
example, poor preparation could leave an organization with 
incomplete or corrupted backups. But perhaps the most important 
part of fixing identified flaws in both systems and processes 
is to learn from the incident.
    Cooperation is key to improving cybersecurity, and Symantec 
participates in numerous industry consortia and public-private 
partnerships to combat cyber crime. These include National 
Cyber Forensics and Training Alliance, FBI, Europol, Interpol, 
NATO, and Ameripol. We've also been involved in several 
operations to take down criminal networks including several 
high-profile botnets such as the financial fraud botnet 
Gameover Zeus, the ransomware network Cryptolocker, and the 
Ramnit botnet.
    The only path to improving security for the Nation is 
through partnership and shared expertise, and the government 
can learn from the private sector's experience incorporating 
cutting-edge security tools into their security programs.
    We appreciate the Committee's interest in learning from 
Symantec's expertise and best practices, and I'll be happy to 
take any questions. Thank you.
    [The prepared statement of Mr. Schneider follows:]
    
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    
    
    
    
    Chairwoman Comstock. Thank you.
    And now we'll hear from Mr. Clinton.

                TESTIMONY OF MR. LARRY CLINTON,

             PRESIDENT AND CHIEF EXECUTIVE OFFICER,

                   INTERNET SECURITY ALLIANCE

    Mr. Clinton. Thank you, Madam Chair and Members of the 
Committee. It's an honor to be here. I appreciate the 
opportunity.
    I'd like to focus on five areas I think where the federal 
government can learn from the private sector. First, government 
needs to invest much more in cybersecurity. Private-sector 
spending on cybersecurity has nearly doubled in the last 
several years to $120 billion annually. The federal non-defense 
spending on cybersecurity this year will be between $6 and $7 
billion. Private-sector spending on cybersecurity will increase 
24 percent next year. Federal government spending is increasing 
about 11 percent. I know of two banks who have a combined 
cybersecurity budget of $1.25 billion for next year. DHS's 
entire budget for cybersecurity next year is about $900 
million, 75 percent of what two banks are spending by 
themselves. Cyber crime costs our nation a half trillion 
dollars a year, yet we are successfully prosecuting maybe one 
percent of cyber criminals. We simply need to spend more on 
cybersecurity.
    Two, government needs to act with greater urgency. It took 
Congress six years to pass a modest information-sharing bill. 
In 2009, major trade associations presented Congress and the 
Administration detailed recommendations on cybersecurity. In 
2011, the House GOP task force report on cybersecurity embraced 
these recommendations, as did President Obama's Executive 
Order, but four years after the House task force report, we 
still have not seen any substantial work on the top 
recommendation in that report or the Executive Orders. For 
example, the House GOP task force report and the Executive 
Order and the national infrastructure protection plan all call 
for the creation of a menu of incentives to promote the 
adoption of cybersecurity, yet aside from the information-
sharing bill, the President has not proposed, and Congress has 
not introduced, a single incentive strategy bill. Last month 
GAO reported that 12 
of 15 sector-specific agencies had not identified incentives to 
promote cybersecurity even though that's called for in the 
national infrastructure protection plan. The President's 
Executive Order called for the NIST cybersecurity framework to 
be both cost-effective and prioritized. Three years later, 
there has been no objective measurement of the framework's 
effect on improving security, adoption or its cost-
effectiveness.
    Three: The government needs to educate top leadership as 
the private sector is doing. In 2014, ISA and AIG created a 
handbook on cybersecurity for corporate boards, which was 
published by the National Association of Corporate Directors 
and is the heart of the training program that they are 
launching. PriceWaterhouseCoopers recently validated the 
success of this approach. They said boards appear to be 
listening to the NACD guidance. This year we saw a double-digit 
increase in board participation in cybersecurity leading to a 
24 percent boost in security spending. Other notable outcomes 
include the identification of key risks, fostering an 
organizational culture of security, and better alignment of 
security with overall risk management and business goals.
    We believe, Madam Chair, that the government needs a 
similar program to educate the government equivalents of 
corporate boards: Members of Congress, members of the Cabinet, 
agency Secretaries. Most senior government officials are not 
sophisticated with their understanding of cybersecurity. If 
they are educated as we're educating the private sector, we 
think we could have more effective policy.
    Four: The government needs to reorganize for the digital 
age. Over the past several years, the private sector has moved 
away from the IT department as the central focus of 
cybersecurity and is evolving a more integrated enterprise-wide 
risk management approach. Unfortunately, the federal government 
is still caught up in legacy structure and turf wars that are 
impeding our efforts. A Bank of America/Merrill Lynch study 
found in 2015 that the U.S. government is still in the process 
of determining who will have jurisdiction in cyberspace. 
Departments, agencies, and commands are all battling for 
jurisdiction and funding. The result is a fragmented system 
and muddled political agendas that are hindering the 
development of a secure system.
    And finally, five: Government needs to become more 
sophisticated in managing their own cybersecurity programs. A 
2015 study compared federal civilian agencies with the private 
sector, and found that the federal agencies ranked dead last in 
terms of understanding cybersecurity, fixing software problems, 
and failed to comply with industry standards 75 percent of the 
time. The reason the government does so badly, according to 
GAO, is that they simply evaluate by a predetermined checklist. 
The private sector, on the other hand, uses a risk management 
approach wherein we anticipate what the future attacks are 
going to be based on our risk posture and then forward looking 
attempt to adopt standards and practices.
    We believe that the government needs to follow the private 
sector's lead. They need to become more educated, more 
sophisticated, and more innovative and act with greater 
urgency and commitment with respect to cybersecurity.
    I appreciate the opportunity to speak to you today. Thank 
you.
    [The prepared statement of Mr. Clinton follows:]
    
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]   
    
    
    Chairwoman Comstock. I thank the witnesses for their 
testimony, and we now will move to questioning. I will 
recognize myself for the first five minutes.
    Thank you all so much for your expertise and your passion 
about this important issue. I remember back in 2014, I was able 
to sit down with Mr. Wood, and we spent a pretty long afternoon 
identifying a lot of the problems, and I'm sorry to say that 
everything you said came true and all the problems you 
identified were dead-on, but I appreciate that you're here to 
help us address that.
    I was at the consumer technology conference earlier this 
week, and so we're seeing a lot of the new things that are in 
practice, and certainly the concept of ``innovate or die'' is 
very much a reality here.
    So I was wondering, because I think you've all addressed a 
little bit, but how do existing government contracting 
provisions impact the ability for the public sector to be agile 
and to be able to do what you do in the private sector? I know 
this is a little bit out of our jurisdiction in terms of 
government contracting but sort of identifying the problem and 
how we can address it. You know, we have the standards, we have 
the practices. We know we need to be more risk management-based 
instead of just a checklist. How can we all get those type of 
policies in the government that are as agile as what you're 
dealing with in the private sector? Do you want to start, John?
    Mr. Wood. One suggestion I would have is that I think it 
would be very helpful for the government to move more towards a 
best-value approach to government contracting versus a lowest 
price, technically acceptable approach. For the same 
individuals that we put on assignment with the government, we 
will often receive a much higher rate when we're working 
commercially, because commercial companies tend to value the 
kind of capabilities that our security professionals have, and 
when I say ``much higher,'' often it's, you know, 200 to 300 
percent higher. I think at the end of the day that's a really 
big issue that the government needs to at least address, 
because otherwise you tend to get what you pay for.
    Chairwoman Comstock. Yes, Mr. Clinton?
    Mr. Clinton. I agree completely with Mr. Wood, and I think 
this speaks to part of the education issue that I was speaking 
to. We need to have a better understanding of the breadth of 
cybersecurity. What you're talking about, Madam Chairman, is 
frankly not an IT problem; it is an economic problem. That's 
what cybersecurity is. It is not an IT problem, it is an 
economic problem, and we need to find a way to move away from, 
as Mr. Wood said, lowest cost items, particularly in the 
federal space. We have examples where federal agencies are 
buying equipment off eBay from nonsecure suppliers because it's 
lower in cost, and while we appreciate the tension and the need 
for economy in these times, we have to understand that there is 
a direct tradeoff between economy and security, and we're just 
going to have to come to grips with that, and we haven't. I 
think if we could educate the federal leadership in the way 
we're educating corporate boards--where, by the way, we had 
exactly the same problem a few years ago--we might be able to 
get a better appreciation of the interplay between the 
economics of cybersecurity and the technology of cybersecurity.
    The real problem that you're speaking to, in my opinion, 
mostly comes in the smaller business elements of cybersecurity. 
If you're going to deal with, for example, the major defense 
contractors, frankly, you compensate them perfectly well and 
they have pretty good cybersecurity, but because of the 
procurement system, they are required essentially to farm out a 
lot of the procurement to smaller firms across the country in 
Congressional districts and those smaller firms do not have the 
economies of scale to meet the cybersecurity standards that the 
primes have. We have to find a way to provide incentives for 
those smaller companies to come up to grade because it is not 
economic from their business point of view in order to do that. 
Now, we think that there are a number of suggestions that we've 
made and I referred to in my oral statement and in the trade 
association paper that can talk about how we can better 
incentivize the smaller companies so that we can get them up 
closer to where the majors are, and if we can do that, we can 
achieve our goal, which is a cybersecure system as opposed to 
cybersecure entities.
    Chairwoman Comstock. Mr. Schneider?
    Mr. Schneider. I think another thing--this isn't directly a 
contract issue--is to use the tools that they've already 
purchased. I think one thing we see a lot in both the private 
sector and in the public sector is the acquisition of 
technologies that then aren't even configured properly and used 
properly. So a lot of the investment that happens both within 
private organizations as well as the public organizations is to 
take the technology purchases and make sure that you have the 
right human capital and the right best practices to deploy 
those properly. I mean, the most cost-effective thing you can 
do is use the money that you've already spent more wisely, so I 
think that's one key that we see as well.
    Chairwoman Comstock. Okay. Thank you.
    Dr. Casado?
    Dr. Casado. Just kind of quickly more on a positive note, 
I'm kind of a personal success story of this, so when I 
graduated with my Ph.D., I was thinking about being a 
professor, and instead I started working in the intelligence 
community, who decided to fund a startup that we were doing, 
and they were great to work with early on, and kind of to 
Congressman Beyer's point, I do think that there's a lot that 
we can learn from the government, and that turned into kind of 
one of the largest tech acquisitions in the private sector ever 
and a huge security initiative. So I think, you know, more 
working with the startup ecosystem--I mean, I'm a Silicon 
Valley guy--but more working with the startup ecosystem, 
funding that, allowing us access to the way that you think 
about the security technology I think will hugely help 
innovation.
    Chairwoman Comstock. Thank you, and I want to particularly 
note the--I think, Mr. Wood, you call it the fifth war fighting 
command is cyber here. I'm running out of my time, but if we 
can get--and Mr. Clinton, the numbers and the comparison 
between private sector and the public sector and what we're 
spending and sort of the quality, I think that's a very helpful 
contrast and understanding. This is part of our defense system, 
and certainly as we've seen social media being used in the 
terrorism area and all those. So I appreciate you putting real 
emphasis on that. Thank you.
    And I'll now recognize Mr. Lipinski.
    Mr. Lipinski. Thank you. There are so many things to talk 
about here, and I just got set off in another direction by what 
Dr. Casado had just said, so first I'll say it's good to see a 
Stanford and Berkeley guy be able to sit next to each other. 
I'm a Stanford guy.
    So I'm going to ask Dr. Casado, you had just mentioned 
there should be more done by the government to engage Silicon 
Valley entrepreneurs. What more could the federal government be 
doing right now in this area?
    Dr. Casado. I'm actually very positive about the actions 
that the government has taken over the last few years. I mean, 
I've worked with In-Q-Tel, I've worked directly with government 
agencies, and I think continuing to fund efforts that engage 
directly with startups, understanding that they're risky 
propositions and understanding that there's a high level of 
risk, I think is very beneficial. Again, I mean, all of the 
work that I've done in the last eight years has been based on 
my experience personally in the government and then funding 
from the government and it's turned into a major industry 
initiative, and so I would just encourage you to continue a lot 
of the work that you're doing, and----
    Mr. Lipinski. Is there anything that's not being done now 
that you think should be done on the federal government side of 
engagement?
    Dr. Casado. Well, I think--I mean I think--I think it--the 
problem is, you're great at funding on the early stage, and 
then I think when things get a little bit bigger, it's harder 
for the startups to engage with the government because you get 
into these difficult procurement processes that are kind of 
owned by a number of people. So I would say normally what 
happens is, you do a great job kind of getting these guys 
incubating and then they find out that we can't really actually 
sell to the government because it's too hard and it's too 
sticky, so we go ahead and sell it to the private sector.
    So one thing that you could really help out with is not 
only get these guys incubated and starting and providing them 
the initial funding but actually give them inroads into selling 
to the government, being an actual vendor to the government and 
helping that out. That was my--so originally we tried to 
actually engage the government, and it wasn't until eight years 
later that we could actually do it in a viable way, and now 
we're doing it in a way that we're very excited about, but 
actually having hand-holding of the procurement process early 
on would have been hugely helpful.
    Mr. Lipinski. Thank you.
    Anyone else on this subject before we move on? Mr. 
Schneider?
    Mr. Schneider. Yeah, we're starting to see a lot more 
engagement in Silicon Valley from various elements of the 
government. One example is the DHS has obviously been very 
active over the last couple of years. There's a new DOD project 
called DIUX where they've now established in Moffett Field 
right across from Silicon Valley trying in much the way that 
In-Q-Tel's been able to invest in startups to bring some of 
their technology needs to the Valley, so I think we're seeing a 
lot more engagement over the last year.
    Mr. Lipinski. Anyone else? Mr. Wood?
    Mr. Wood. Thank you, sir. I'm honored to sit on the 
Commonwealth of Virginia's Cybersecurity Commission as well, 
and one of the things that I've been encouraging the 
Commonwealth of Virginia to do is to encourage much closer 
relationships between the university ecosystem and the business 
ecosystem, and to really promote research. I think that will 
help propel a lot of the startup activity that the gentlemen to 
my left are both talking about. Whether it's in Silicon Valley 
or Research Triangle or in the State of Virginia, at the end of 
the day we need far more research than we currently have, and 
the reason is because when I talked about earlier the dollars, 
the difference between spent in the federal government and the 
commercial side, it's very simple. We have a real scarcity of 
resources in terms of cybersecurity professionals, and so we 
need more tools being able to deal with the complex environment 
that's going on out there and those tools, i.e. automation, are 
the way forward, I think, in order to help deal with that 
scarcity of personnel resources. There are other things we can 
do as well, but I think that research would really help us a 
lot from a cybersecurity perspective, really as a nation.
    Mr. Lipinski. And very quickly, and continuing with Mr. 
Wood, I want to thank you for your work in STEM education and 
thank you for bringing up how important it is that the human 
behavior is critical in preventing so much of this, and I think 
you said nearly all of these attacks could have been avoided 
with better behavior, and I think that brings up the 
importance, as I always talk about here, in understanding human 
behavior and funding social science research into things like 
this.
    But the last thing I wanted to ask you is, you talked about 
insurance, and I'm very interested in how do we incentivize the 
private sector. Is this something that you think should be 
required or do you just think that this will develop over time? 
Do you see a need for the government to require insurance for 
these--against these types of attacks?
    Mr. Wood. Sir, I personally don't think there's a need for 
the government to require it because I think the lawyers will--
at the end of the day will help corporations and other 
organizations understand the legal liability associated with 
not taking the appropriate actions.
    Mr. Lipinski. Have companies really suffered that much who 
have been--who've had these data breaches?
    Mr. Wood. Oh, I definitely think they're beginning to. I'm 
seeing more and more boardroom kind of calls being made to our 
company than ever before. I think the very public retail 
breaches that have occurred are now heading into not just the 
CEO's office but right into the boardrooms. So I also believe 
that the critical infrastructure industries that we have out 
there that are already regulated feel the pressure associated 
with doing something, and that's why I think that the insurance 
companies are doing what they are in terms of really trying to 
promote cyber insurance. Their feeling is that if they can--if 
the corporations can provide evidence that they are doing 
what's appropriate from a risk management point of view, that 
that will result in two things. One is lower premiums to the 
corporation who is looking to get the insurance, and then 
secondly, a better legal defense to the extent that they are 
sued.
    Mr. Lipinski. Thank you. I yield back.
    Chairwoman Comstock. Mr. Clinton wanted to----
    Mr. Clinton. If I could just very quickly, Mr. Lipinski, 
first of all, we're big fans of insurance so we've been 
promoting cyber insurance for over a decade, but I don't think 
that a requirement is appropriate, and----
    Mr. Lipinski. If you've been promoting it for over a decade 
and it doesn't seem like it's that widespread, is it?
    Mr. Clinton. No, and that's because of systemic problems 
within the insurance market, the lack of actuarial data, and in 
particular, the enormous risk that the insurance companies 
realize that if they insure and there is a major catastrophe, 
they're on the line for everything.
    We faced the same problem in terms of insurance in the last 
century with crop insurance and flood insurance, and there are 
systemic ways that we can work with the federal government in 
order to address that problem, and I'd be happy to go into 
those in some detail, but I wanted to get to the specifics of 
the requirement piece.
    I think one of the things the federal government could do 
is require insurance, cyber insurance, for your information 
systems in the same way that you require physical insurance 
when you build buildings and everything else, and I think if 
the government did that, it would be a market leader in that 
regard.
    The other thing I just want to point out, and this bears, I 
think, a little more conversation because I think this is a 
widespread misnomer, of the reality when you look at the data 
of the economic impacts of the high-profile breaches is not 
what you think. If you go back and look 6 months after the Sony 
attack, their stock price was up 30 percent. If you go back and 
look at six months after Target, the stock price was up about 
26 percent. If you look at most of the high-profile breaches, 
you find that there's an initial reduction and then there's a 
bounce back, and I can explain why that is, because the smart 
guys on Wall Street say ooh, nice distribution system, I like 
the price point of their products, and ooh, the price is down, 
buy opportunity. So the natural things that we assume are going 
to happen really are not happening when we look at the data, 
but Mr. Wood is exactly right about the fact that corporate 
boards are spending much more attention on this, but I think 
that has to do more with the threat to their intellectual 
property which is being vacuumed out and is a tremendous 
economic risk.
    Mr. Lipinski. So they're not concerned about the consumers 
and the people who are using their business, they're----
    Mr. Clinton. Well, no, they're----
    Mr. Lipinski. --concerned about their own----
    Mr. Clinton. Yeah, so----
    Mr. Lipinski. That's a suggestion there, that----
    Chairwoman Comstock. We're going to have to move on to our 
next question.
    Mr. Clinton. I will get back to that but----
    Chairwoman Comstock. And please do submit----
    Mr. Lipinski. Okay.
    Chairwoman Comstock. And I'd appreciate you submitting some 
more information on the insurance area. I think that would be 
very interesting.
    Mr. Clinton. Sure.
    Chairwoman Comstock. And I now recognize Mr. Loudermilk for 
his five minutes.
    Mr. Loudermilk. Thank you, Madam Chair.
    And after spending 30 years in the IT industry myself, I 
can equate to a lot of what you're saying, especially the cyber 
insurance. Big supporter of cyber insurance simply because of 
the standards that the insurance companies put upon these 
businesses, and I sold my business a year ago, was greatly 
relieved when I sold the business because while cybersecurity 
was on my mind 24 hours a day owning this small company and 
managing it, it was not on the minds of my customers.
    Mr. Clinton mentioned eBay. We had many instances where we 
put a secure network into place, a network of a small 
government managing power distribution systems, and we engineer 
it, we put the products in, some of the products that some of 
you represent everything from spam filters, firewalls, 
gateways, content managers, bandwidth managers, and then we 
would find out that they would go and buy parts for these off 
of eBay that would come from somewhere overseas, and we don't 
know the firmware that's on it, and I understand that what's on 
their mind, especially when you're dealing with small 
businesses, is bottom line. Doctors are being doctors, lawyers 
are being lawyers, they are doing what they're doing. We're 
supposed to take care of that. But when we go forward and we 
say this is what we need to do to upgrade and say we don't want 
to do that right now, do we have to do it? Well, your network 
will still function but you're at a high amount of risk. Well, 
that usually doesn't change their mindset. So having those sets 
of standards I think is important.
    Another thing that was brought up is this risk-based 
management. That's what we live by. We used to emphasize to our 
employees, there's two types of computer users: those that have 
been hacked and those that don't know that they've been hacked. 
Another part of risk management is, we emphasize to our 
customers, don't keep what you don't need. If you don't need 
the data, you don't have it, you don't have to secure it.
    And that really brings an issue that I have great concern 
about here in federal government here and that's with the Midas 
system, which according to news reports is storing information 
on Americans who access the HealthCare.gov website, not just 
those who got their health insurance, but those who even 
shopped it, and it's storing personal identifiable information 
of Americans without their knowledge in a data warehouse.
    And for Mr. Wood, considering what's happened to the 
federal government, the recent expansive data breaches, does it 
concern you that the federal government will be holding 
information on citizens without their knowledge, even for 
citizens who did not get their healthcare coverage through this 
system? Am I justified in my concern over the risk of storing 
this data, especially data that is not needed?
    Mr. Wood. So you're raising both a privacy perspective as 
well as a cybersecurity, you know, issue. You know, at the risk 
of being a Monday morning quarterback, you know, which is what 
I would be doing if I were to reflect on the OPM situation, the 
very unfortunate OPM situation because like all of you, I also 
received my letter that gave me the good news. I think that in 
retrospect, had OPM been using, you know, two-factor 
authentication, had they been using encryption at rest, had 
they had log files, we would've had a much different situation 
than perhaps we ended up having with OPM.
    So as it relates to the HealthCare.gov situation, I don't 
know how they're storing the data to be able to reflect to you 
about what is appropriate, but I think generally speaking, most 
people are a little nervous because those of us that are in the 
know worry that there just isn't enough resources being applied 
from a financial perspective to the IT security issue, and it's 
not just at the federal level, it's at the state level too.
    Commercial corporations, on the other hand, I see around 
the world are taking the appropriate steps. You know, I gave 
the example early on in my testimony about JP Morgan Chase. You 
know, when they were hacked, they were spending at that time 
about $250 million. After the customer PII got out, they went 
to the board. The board looked at it and determined that they 
had to increase substantially their spend to do a couple 
things. One was to actually buttress what they were doing from 
an IT security perspective, but the other thing was to do was 
to raise the confidence of their customers. So at the end of 
the day, I would argue that while their shareholder price has 
gone up over time, they absolutely--and every corporation cares 
about their customer data. Thank you, sir.
    Mr. Loudermilk. And I'd like to ask Mr. Clinton to respond 
to the same question, but also Mr. Wood, part of mitigating 
your risk is not keeping data that you don't need. Would you 
agree that that is a good practice, if you don't need data to 
not store it?
    Mr. Wood. Yes, sir.
    Mr. Loudermilk. Okay. Thank you.
    Mr. Clinton? Microphone.
    Mr. Clinton. I'll say it again: that's absolutely right, 
sir. Thank you.
    Mr. Loudermilk. Okay. Thank you.
    Chairwoman Comstock. Thank you.
    And now I'll recognize Mr. Beyer.
    Mr. Beyer. Thank you, Madam Chairman--Chairwoman.
    Dr. Casado, I was fascinated by your testimony, especially 
the--I'm quoting you a little bit: Once the intruders pass the 
perimeter security, there's no simple means to stop malicious 
activity from propagating throughout the data center. This 
whole notion of unauthorized lateral movement and your call for 
zero trust micro-segmented network environments, interior rooms 
with locks, is this recognition built into NIST's cybersecurity 
framework, moving from just the perimeter security to the 
internal stuff?
    Dr. Casado. Yes. So we're actually working with NIST now 
but I don't believe it's currently codified within NIST, so I 
think that making it part of a standard would be greatly 
beneficial.
    Mr. Beyer. It sounds like an essential part of the 
cybersecurity framework, it should be?
    Dr. Casado. Yeah, I think this is rapidly becoming a best 
practice within industry and the private sector, and actually 
in some areas of management as well. I think putting it as part 
of a standard would be very beneficial.
    Mr. Beyer. Closely related to that, Mr. Schneider, you 
said, and I quote again, ``We are well past the days when a 
password, even a complex one, will be much more than a speed 
bump for a sophisticated attacker, and multifactor 
authentication, combining something you know like a password 
with something you don't know like a text message is essential 
for any system to be secure.'' Is this part of the cybersecurity 
framework that NIST developed?
    Mr. Schneider. I think it's very similar in that it's a 
best practice that's not codified directly into the framework 
but it's something that in the ability to protect your 
information is becoming an industry best practice. The example 
I would give in the discussion about in the future there 
probably should not even be passwords as a core element of how 
we access information because it's so eminently hackable, and 
we really feel like a future with rich, multifactor levels of 
authentication is the right approach, and you can imagine 
yourself. You go back to your office afterwards, you sit down 
to check your email. If you're using a mobile device that 
tracks your location, there's already two or three factors of 
authentication that say I'm supposed to be in my office, I'm in 
my office, I'm accessing email, my device says I'm there, you 
may then ask for a PIN or additional kind of level of 
authentication but it's really having those kinds of dynamic 
authentication we see in the future and not static passwords 
that have been such a broken part of security today.
    Mr. Beyer. So both of these are evolutions to CSF, which 
leads me to Mr. Wood. You wrote very eloquently on page 4 of 
your testimony that ``most businesses would prefer the 
government impose the fewest possible requirements on them.'' 
We hear that every day in the House. But how many breaches will 
it take before it's recognized that allowing the private 
sector, especially critical infrastructure companies, to choose 
the path of least resistance creates an opportunity that might 
put our citizens' personal information at risk, put our 
critical infrastructure at risk and put our national economy at 
risk. NIST standards, the CSF, is purely voluntary. When do 
businesses come together to recognize that this really needs to 
be the mandated standard across the country?
    Mr. Wood. So earlier we were talking about insurance, and 
the insurance industry and why hasn't it adopted more cyber 
insurance more quickly. The simple reason is because there was 
no standard, there was no agreed upon standard until not that 
long ago, and so I think that ultimately I look at the NIST 
cybersecurity framework as a baseline, and what these gentlemen 
are talking about are in fact good points, and they are 
additive to the baseline, if you will, but if we can all get to 
an agreement about what the baseline is and we all adhere to a 
baseline, at least we know that the other person I'm dealing 
with is going to be able to evidence for me that I can do 
business with them because they're taking the appropriate 
steps.
    Mr. Beyer. It just seems to me--thank you very much--that 
we look at so many things that affect us and we have mandated 
it, and the regulations have to be cost-effective, but we did 
airbags in cars and 5-mile-an-hour bumpers and seatbelts, you 
know, healthcare in terms of the FDA. This may be, if it really 
is this huge threat to our national security and to our 
personal security, that we think about mandatory standards 
rather than voluntary, rather than relying on the threat of a 
lawyer's lawsuit and insurance to somehow cover this. Mr. 
Clinton?
    Mr. Clinton. With respect, sir, I would push back the 
opposite direction. I would point out that in my testimony I 
pointed to the fact that the federal government, which 
basically does operate in the model that you're talking about 
with FISMA standards that they must comply with, et cetera, and 
when we evaluate them independently versus the private sector, 
the federal government comes out dead last. The reason is, is 
that this is not airbags, this is not consumer product safety 
where there's some magic standard that we just come up to the 
standard and we are set. The problem is not that the technology 
is below standard. The problem is that the technology is under 
attack. That's a very, very different problem. We need to be 
forward looking. If we talked about mandating standards a 
couple of years ago, we'd probably be talking about mandating 
firewalls and things like that that we now see as basically 
obsolete, and all of our companies would be spending a lot of 
money complying with these outdated standards. So we need a 
different model. The digital age is much more forward looking. 
That's why the Obama Administration and the House Republican 
Task Force and the private sector all agree that what we need 
is a forward-looking, incentive-based model and we need to get 
industries to understand that it is in their best interest to 
be continually advancing security. They can't be looking 
backward; they have to be looking forward.
    We can do this, by the way, but it is a completely 
different mindset, and I think we need to understand that in 
the digital age, the old model just isn't going to work for 
this modern problem that includes nation-states attacking 
private companies. There's no minimum standard that's going to 
protect them. We need a different model, and we think we can 
develop that, but it is going to be different.
    Chairwoman Comstock. Okay. Now I recognize Chairman Smith.
    Chairman Smith. Thank you, Madam Chair.
    Mr. Wood, let me direct a couple of questions to you, but 
let me describe this scenario first, and then ask you to 
comment on this particular situation. Let's say a senior 
government official at an Executive Branch department 
approached your company to set up a private email account and 
server for conducting both official and personal business. 
These emails could include sensitive or classified information 
about national security. In addition, all emails would be 
stored on a server located in their private residence. Cyber-
attacks and attempted intrusions would be obvious threats, 
among other security risks. The material being transmitted on 
the private email account could be a matter of national 
security.
    So two questions. Could this scenario unnecessarily expose 
classified information to being attacked?
    Mr. Wood. Yes.
    Chairman Smith. Do you want to elaborate, or that's pretty 
clear?
    Second question is this: How would your company respond to 
such a request?
    Mr. Wood. We wouldn't do it.
    Chairman Smith. Does any other witness want to comment on 
the scenario? And if----
    Mr. Wood. Well, for the simple reason that you're exposing 
classified data in the open, and at the end of the day, 
that's--that would not be prudent and would also be illegal.
    Chairman Smith. And why illegal?
    Mr. Wood. Because the government requirement is that all 
official information be used through official means, meaning 
through government networks.
    Chairman Smith. Okay. Thank you, Mr. Wood. I don't have any 
other questions, and yield back, Madam Chair.
    Chairwoman Comstock. Thank you, and I now recognize Mr. 
Tonko.
    Mr. Tonko. Thank you, Madam Chair.
    All of this hearing isn't focused on research. I know that 
Mr. Wood had addressed research as a component for growth in 
this region, in this area.
    As you know, the government plays an important role in 
supporting cutting-edge research on all aspects of 
cybersecurity from prevention to detection to recovery. And 
through agencies such as the National Science Foundation, the 
National Institute of Standards and Technology, and the 
Department of Homeland Security, we fund everything from basic 
research to testbeds for emerging technologies. And all these 
federal investments in cybersecurity R&D are coordinated under 
the longstanding networking and information technology R&D 
programs.
    So while Mr. Wood did raise the issue of research, are 
there recommendations that you, Mr. Wood, or any of our 
individuals who are testifying, any recommendations that you 
would have about federal agencies and how to set research 
priorities and what major research gaps might exist out there 
so that we can better partner in a more effective manner with 
research opportunity? Mr. Wood?
    Mr. Wood. Sir, thank you for your question. I agree. I 
think the national labs are doing a tremendous amount of work 
around all kinds of initiatives that regrettably many don't see 
the light of day ultimately. I think more can be done to, A, 
make industry aware of what the national labs are up to, and 
then B, provide a mechanism for industry to license some of 
those very critical research and development initiatives that 
really may have one specific customer but ultimately could have 
an entire industry that it could help serve. I think that would 
do a couple things. One, it would provide potentially an income 
stream back to the labs and therefore the government, and the 
other thing it would do is provide, if you will, more 
innovation without having to spend a whole lot more dollars. 
Thank you, sir.
    Mr. Tonko. Thank you.
    Anyone else? Mr. Schneider.
    Mr. Schneider. One area that we're very invested in right 
now is on helping kind of the people part of the equation. I 
mean, technology will continue to be an important element of 
any security approach and automation underneath, but clearly 
it's the people on top that we have to make sure are adequately 
trained, and one of the areas we've been highly invested in 
over the last couple years is simulation platforms to help us 
all understand what cyber breaches look like, what cyber 
incidents look like and be able to respond to those. So many 
companies today, for example, they send out fake phishing 
emails to their employees and see whether they respond or not, 
and if they report it to their security organizations. That's 
one simple example. There's also simulation platforms that take 
real-world breaches and model those and allow security 
professionals to interact with those. So that's an area that's 
been, I think, on the DOD side, you know, things like cyber 
range initiatives, very mature for a number of years. This is 
really now coming into the private sector and civilian agencies 
and a scenario that Symantec has invested heavily in, and I 
think there's a lot of potential for cooperation with some of 
the labs.
    Mr. Tonko. Thank you.
    Mr. Clinton?
    Mr. Clinton. Mr. Tonko, perhaps a slightly different level 
of abstraction. I think we would strongly support the notion of 
the government doing some research on the cost-effectiveness of 
the NIST framework. We are big fans of the NIST framework. In 
fact, we like to think it was our idea. At ISA, we published 
material on this a number of years ago. The Executive Order 
says it's supposed to be prioritized and cost-effective and 
voluntary. We believe that if properly tested, we would be able 
to determine various elements of the framework, and the 
framework is enormous and applies in different ways to 
different companies and sectors, but I think if we did cost-
effectiveness studies, we could demonstrate what elements of 
that framework are most effective to varying sizes and sectors 
of industry, and once you can demonstrate that the framework is 
cost-effective, you don't need mandates for it. Companies will 
do what is cost-effective. But when you go to a boardroom, 
you know, you can't just say hey, this is a great idea and 
Congress passed it. They're going to say where are the numbers, 
you know, show me that it's cost-effective, and if we did that 
kind of research, which is pretty easy and pretty inexpensive, 
I think we could get a lot of bang for the buck in terms of 
doing what I think we all want, which is for industry to adopt 
these things on a forward-looking voluntary basis.
    Mr. Tonko. Thank you, and Dr. Casado, please?
    Dr. Casado. Yes. I think for the last 15 years, I've had a 
lot of experience getting kind of research grants from the 
government. I was a research scientist in the National Lab. You 
guys, you know--DHS paid for my Ph.D. program. I was a DHS 
fellow and started my company. I've done a number of research 
grants while I was at the Ph.D., and the biggest difference in 
my experience between very useful funds and not very useful 
funds is the number of constraints that are on them, so more 
flexibility in applying funds to our direct research agenda led 
to better research. So I think the more agenda that goes prior 
to the funding, the harder it is for us to basically fit it 
within our broader research agenda, and so I do think that it's 
great to fund certain areas. I don't think it's so great to 
overconstrain the problems that are being looked at.
    Mr. Tonko. Thank you very much, and with that, I yield 
back, Madam Chair.
    Chairwoman Comstock. Thank you, and I now recognize Mr. 
LaHood.
    Mr. LaHood. Thank you, Chairwoman Comstock, and I thank the 
witnesses for being here today and for your testimony.
    Question: When we talk about cybersecurity and these 
breaches whether in the private sector or in the government, 
and whether we describe them as hackers or something more 
sophisticated, every time this is done either in the private 
sector or to a government agency or entity, would you describe 
that as criminal behavior? Is that a violation of a state or 
federal statute in some respect?
    Mr. Schneider. I think one of the challenges of 
cybersecurity is it's a global phenomenon, and many of the 
attackers are not in the United States and they're not in a 
particular state in the United States, but the assets that 
they're protecting may be. So I think the legal kind of 
considerations can be pretty complicated.
    The other thing is, as more and more infrastructure moves 
to cloud platforms, which are also deployed globally, even 
where those assets are becomes more of a challenge. So I think 
in general, the answer is yes, but there's a lot of complexity 
to the global nature of cybersecurity.
    Mr. LaHood. And I guess as a follow-up to that then, you 
know, if we look at, you know, traditionally when there's 
criminal behavior that is engaged in, eventually there's 
somebody held accountable or responsible. There's a 
prosecution, there's a legal process that happens. I guess the 
question to you is, are you aware of a successful prosecution 
where somebody's held accountable, where there's a deterrent 
effect? It seems like there's no penalty, there's no pain, 
there's no consequences to anybody that engages in this 
activity. Yeah, Mr. Clinton?
    Mr. Clinton. Yeah, Congressman, I think you've put your 
finger on what I would think is one of the number one problems 
in this space. I would answer that it absolutely should be 
criminal, in many instances is criminal, but as Mr. Schneider 
points out, it's not in certain places so we need to be doing 
two things. We need to be dramatically increasing our law 
enforcement capability. As I said in my testimony, we are 
successfully prosecuting maybe one percent of cyber criminals. 
There's no deterrent really on the criminal side or no viable 
deterrent. So we need to be dramatically helping our law 
enforcement guys who are doing a great job but they are 
underresourced dramatically, and then we also need to be 
working aggressively with our international community to create 
an appropriate legal structure in the digital age. We don't 
have it. We are operating in an analog world with cyber-attacks 
and it simply is unsustainable. We need to be doing both of 
those things.
    Mr. LaHood. And I guess, is there anybody that's leading 
the way on that, Mr. Clinton, out there either, internationally 
or here domestically? I mean, where are we at with that 
process?
    Mr. Clinton. We are not doing nearly enough. I mean, there 
are people who will give a speech here and there, and again, 
I'm not going to point fingers at law enforcement. I think 
they're doing everything they can. They're underresourced. I 
think we need leadership from the Congress to demonstrate that 
this is a priority and we are going to fund it much more 
aggressively.
    Mr. LaHood. Thank you.
    Yeah, Mr. Wood?
    Mr. Wood. Thank you for your question, sir. The issue is 
that from a law enforcement perspective is first of all, as Mr. 
Clinton pointed out, it requires, you know, global cooperation 
but then the standards of prosecution also have to be the same. 
So in other words, a standard of prosecution here at the 
federal level might actually be different than at the 
Commonwealth level, which might actually be different than in 
Paris. So I think there needs to be some agreement as to what 
the standards are for prosecution as well.
    Mr. LaHood. Yeah, but why are we waiting around for that? 
It would seem that this is ongoing, there should be some 
standards set to do that instead and it doesn't sound like 
there's a framework in place to even address that.
    Mr. Wood. We did an analysis in the Commonwealth on just 
that point. You know, it was a really great analysis which I'd 
be more than happy to provide to you from the Commonwealth of 
Virginia. I don't know why. All I can say is that the standards 
even within the states are different for prosecution.
    Mr. LaHood. And can you point to me in the Commonwealth of 
Virginia where there's been a successful prosecution or that 
deterrence has been put in place in Virginia?
    Mr. Wood. We just changed the laws within the last six 
months, and I'd have to refer to my colleagues in law 
enforcement to let you know.
    Mr. LaHood. Okay. Thank you. I yield back.
    Mr. Wood. Thank you, sir.
    Mr. Schneider. Actually, one point if I can.
    Mr. LaHood. Go ahead.
    Mr. Schneider. There are a number of great examples where 
there's been cooperation between the private sector and law 
enforcement to do takedowns. I could give you a number of them. 
I mean, Gameover Zeus is a recent one where Zeus has been a 
financial fraud botnet that's been around, very successful for 
a number of years. It was put out by a private-public 
partnership. The next version of that came online. Symantec and 
a number of private companies as well as FBI and Europol 
brought down that botnet. And this is the botnet that actually 
was really propagating things like Cryptolocker, which maybe 
you heard about, where it takes people's machines and encrypts 
all the information and extorts you to get that information 
back. So there's some very kind of successful examples, but I 
think to your point, a much more consistent global approach is 
needed.
    Mr. LaHood. And in your case--I appreciate you mentioning 
that--was there actual individuals held accountable? They're in 
prison right now?
    Mr. Schneider. Yeah, there's a particular individual in 
Eastern Europe that has been prosecuted and convicted.
    Mr. LaHood. And are they in the United States in prison?
    Mr. Schneider. No. It's in Europe.
    Mr. LaHood. Thank you.
    Chairwoman Comstock. Thank you, and I now recognize Ms. 
Bonamici.
    Ms. Bonamici. Thank you very much, Madam Chair, and thank 
you for holding this hearing. It's such an important issue, and 
certainly one where there's a lot of room for bipartisan 
cooperation. I think Mr. Clinton identified the challenge of 
setting policy in this area because the technology always 
changes so much faster than policy changes, so that being said, 
I really look forward to working with all my colleagues and 
continuing to raise awareness about this important issue, and 
also come up with policy that not only addresses the issue but 
prevents it.
    I was recently out in Oregon visiting ID Experts, which is 
an Oregon business that specializes in healthcare, health data 
breaches. This is not just a federal issue, as some of my 
colleagues might have suggested. I mean, look at the Anthem 
Blue Cross. We're talking about millions of people here. And 
most people think--when they think about identity theft, think 
about the financial consequences, but with medical identity, if 
someone gets a procedure or prescription or something and that 
is entered into the individual's electronic health records, 
there are health risks involved in that as well as financial 
risks, and it's no surprise that the majority of people don't 
carefully review their explanation of benefits statements just 
like a lot of people don't carefully review their financial 
statements, their credit card statements that might alert them 
to something.
    I want to follow up on something Mr. Lipinski started this 
conversation about the psychological aspects and ask you, Mr. 
Schneider, in your testimony you say this is--put a picture in 
my mind here like the lion in the wild who stalks a watering 
hole for unsuspecting prey, cyber criminals lie in wait on 
legitimate websites that they previously compromised and used 
to infect visitors. Most of these attacks rely on social 
engineering, simply put, trying to trick people into doing 
something that they would never do if fully cognizant of their 
actions. For this reason, we often say that the most successful 
attacks are as much psychology as they are technology. So now 
I'm going to have this lion--this vision of a lion waiting and 
maybe that'll help stop me from clicking on things that I 
shouldn't click on.
    But Mr. Schneider, could you talk a little bit about 
whether do we need to fund more behavioral or social science 
research? Do we need to do a better job educating people about 
those risks and how to identify them? How do we get in--are we 
adequately addressing that psychological aspect? Because when 
we talk about the risk, and I think Mr. Casado, you--Dr. 
Casado, you brought this issue up as well that we have to do 
more to prevent that. So Dr. Casado or Mr. Schneider, could you 
address that, please?
    Mr. Schneider. Yeah. I think ultimately social engineering 
is always going to be part of the security equation because we 
as human beings are fallible. So I think systems have to be put 
in place to enable us to do a better job of helping to secure 
our own information as well as, you know, our company, our 
agency's information, and I mean, I think some of the examples 
I would give you, though, are in the training area that we 
talked about, helping all of us to think more about security, 
be more thoughtful about security. But secondarily, it's the 
kind of security architecture underneath that makes it much, 
much harder for the attackers to get the information that we 
care the most about. So all the world's information is not 
created equal. As you identified, medical health records are 
much more important to us or financial records are much more 
important to us than the lunch menu that we're going to look at 
today. So it's taken a much more, I think, granular approach to 
information protection, identifying the sensitive information 
that we care the most about and put more security investment 
around those kinds of assets than kind of the generic assets 
that are out there.
    Ms. Bonamici. Dr. Casado, what's your thought on that?
    Dr. Casado. Yeah. So I'm 39 years old, and when I was 37, I 
got an email from my sister on my birthday and it was like, you 
know, dear brother, I'm so happy you're my brother, and there's 
a picture of us when we were kids that's really sweet, and 
then, you know, it was nice to see you last week. There was a 
picture of us more recently, and happy birthday, and there's a 
little link and so forth, and I was like--the first thing I 
thought, this is so sweet, you know, like my sister has never 
remembered my birthday before, and I thought you know what? My 
sister's never remembered my birthday before so I looked at the 
mail headers. It had come from Russia. Now, listen, I've got a 
technical background and I've got a sister that doesn't 
remember my birthday, and if either of these weren't----
    Ms. Bonamici. It's now on record.
    Dr. Casado. And if either of these weren't true, I'd have 
clicked on that link and I would have infected my computer, and 
I think this tells me fundamentally that it's very important to 
train users and it's very important to do passwords but a 
determined attacker will find a way in. I mean, they got these 
pictures off of Facebook. It wasn't that hard to do. That was 
probably two hours of work to send me that email, and if I was 
anybody else, I would have clicked on that link. And so I think 
that's why I----
    Ms. Bonamici. Can you just both real quickly--I'm almost 
out of time but I also serve on the Education and Workforce 
Committee. Where--what are we going to do in terms of educating 
the next generation and the workforce to make sure that we are 
getting a step ahead?
    Dr. Casado. Well, I think there's two approaches. I think 
core education around security perimeters--I think actually Mr. 
Wood was very, very clear, and I think that these best 
practices are important. The second thing is, there are 
technical implements we need to put in place assuming a breach 
will happen, because it will happen. I mean, it's just a 
determined adversary will get in. Therefore, we need to 
implement a zero trust-type model.
    Mr. Schneider. And I think the other point is, there's a 
huge gap of security professionals in this country today, so 
creating the educational programs to enable returning veterans 
and high school and college students to choose careers in 
cybersecurity is something that's very important as well.
    Ms. Bonamici. Thank you. My time is expired. I yield back. 
Thank you, Madam Chair.
    Chairwoman Comstock. Thank you, and I now recognize Mr. 
Palmer, and actually, Dr. Casado, we'll have to work on that 
birthday if you want to let your sister know right now what the 
day is.
    Mr. Palmer. Thank you, Madam Chairwoman. I'm happy to 
report for the record that my sister does remember my birthday 
but my brothers do not.
    On that same line, though, Dr. Casado, you can have the 
best technology in the world, you can have great training, but 
if employees are negligent in their use of it, you're still 
exposing yourself, and I bring this up in the context of an 
article that was in the Wall Street Journal back June--actually 
it was June 9th, and it relates to the fact that the 
Immigration and Customs Enforcement Agency had sent a memo to 
their employees in 2011 because they had seen an uptick in 
cyber-attacks related to employees using the federal server to 
access their personal websites or their personal email. 
Unfortunately, the labor union filed a grievance and prevented 
them from doing that, and that's apparently where one of the 
breaches occurred later last year. And my question is, and this 
would be both for corporations and for the federal government, 
does it make sense to prevent employees either in the private 
sector or in the government sector from using their company 
servers or the federal servers to access personal information--
their personal servers, their personal websites, their emails?
    Dr. Casado. Just very quickly, I mean, it seems to me IT 
goes through these phases where it kind of collapses and 
expands. We had mainframes, and they went to a whole bunch of 
computers and then they collapsed recently, and now they're 
expanding again. You've got mobile, iPhones, clouds, all of 
this other stuff. I think it's unrealistic from a day-to-day 
perspective, from an innovation perspective to assume people at 
work aren't accessing outside information and people outside 
aren't accessing work information. Every time I travel, I am 
constantly connected no matter where I go, whether it's 
vacation or not, and so I think we need to assume that this 
information is going to be accessed no matter where they are or 
what capacity that we're running under.
    Mr. Palmer. Mr. Clinton?
    Mr. Clinton. Mr. Palmer, I agree with Dr. Casado's 
comments, particularly with respect to millennials. You know, 
if you adopt that kind of workforce policy, you're probably not 
going to be having much of a workforce left to deal with. But I 
do think that there are things that we can do and we are doing 
and some in the private sector.
    So one of the things we're trying to do is move out of this 
IT-centric notion of cybersecurity, and for example, involve 
the human resources departments in this, and what we're 
advocating and we're seeing some success with is that we are 
integrating good cybersecurity policy into the employee 
evaluation system so that, you know, if you have downloaded 
things you shouldn't be downloading, you know, you are less 
likely to get that step-up increase or that bonus at the end of 
the year. We've got to make this part of the overall process. 
And there are other things that we can do and we are seeing 
adapted in the private sector such as having separate rooms 
with separate equipment so that people can, you know, access 
their personal information or their data without using the 
corporate system.
    And so I think if we are a little bit more inventive about 
this and use that more incentive model, we're probably going to 
have more success.
    Mr. Palmer. I think that's a great point because you can 
have a public access, a separate environment where people could 
do that but they have to use it because, for instance, if you'd 
been a federal employee, Dr. Casado, and you had opened that 
email from your sister through the federal mainframe, would 
that have potentially infected----
    Dr. Casado. So I've worked in a SCIF. I had four computers 
that would measure like how far apart they were, so I'm very, 
very comfortable in these like high secure environments. I just 
think if you want to be competitive from a business perspective 
against other companies, you have to assume that your employees 
are going to be fully connected at all times.
    Mr. Palmer. But can you not create a separate environment?
    Dr. Casado. I don't think you can do this without having an 
operational overhead. I really don't. I think you will limit 
the ability for the business to function.
    Mr. Palmer. Mr. Wood, you wanted to comment?
    Mr. Wood. Yes, sir. I would just want to follow up on what 
Dr. Casado said. So as the use of the internet increases and as 
the ``internet of things'' becomes more prolific, everything 
has an IP address, so where do you draw the line? At some level 
I would almost prefer that people use my infrastructure because 
I know what we do from a security perspective. I don't know 
what they do from a security perspective. And so to the extent 
that, you know, you make the argument that there should be some 
separation, I think there are very good arguments on both 
sides. I'd rather have them in my infrastructure because I know 
what we do. Thank you, sir.
    Mr. Schneider. I think the approach that makes a huge 
amount of sense when you think about all this connectivity is 
to really understand and protect the information and the 
identities of the folks that are trying to access it, and 
that's really what we've seen in security over the last, you 
know, five-plus years is this move toward not just protecting 
systems and networks but truly understanding the information 
and the most sensitive information and putting the right kinds 
of protection around that.
    Mr. Palmer. My time's expired but I do want to thank the 
witnesses for the clarity of your answers. This has been an 
excellent hearing.
    Thank you, Madam Chairwoman, and I yield back.
    Chairwoman Comstock. Thank you, and I now recognize Mr. 
Swalwell.
    Mr. Swalwell. Thank you, Madam Chairwoman, and I want to 
first thank each of the panelists for their service and for 
talking about this important issue, and Mr. Casado, I want to 
highlight that you graduated from Stanford University in the 
Bay Area and also that you began your career at Lawrence 
Livermore National Laboratory, which is in my Congressional 
district, and so I'm honored to represent the folks there as 
well as Sandia National Laboratory, and many of them are 
working on this issue.
    And Mr. Casado, your solution for cybersecurity is to wall 
off certain segments of one's network in order to prevent cyber 
intruders who have penetrated outer defenses from gaining 
access to particularly sensitive information. You argue that 
such new approaches are already the gold standard for 
commercial industry and need to become the gold standard across 
the federal government. How much time and resources would it 
take for the federal government to do this, and are the costs 
worth the benefits?
    Dr. Casado. That's a great question. So the technology and 
adoption has evolved enough that we know how to do this without 
disruption basically so early on it was kind of like well, you 
know, it's an extremely secure environment and extremely 
sensitive environment and, you know, we can kind of go and 
retrofit things and now we've got mostly software-based 
solutions that you can put in, you can do non-disruptively. 
Cost-benefits from a business perspective makes sense, so much 
so that, you know, this adoption is one of the fastest growing 
sectors of the enterprise software space. So I think it's not 
only practical but we have enough experience over the last 
couple of years to see adoption. So yeah, I think that actually 
this stuff is absolutely worth retrofitting.
    Mr. Swalwell. Great. And just for all of the witnesses, 
following up on Mr. LaHood's question earlier, as a former 
prosecutor I too am quite frustrated that it seems that 
individuals are able to attack networks and individuals with 
relative little punishment, and I understand the challenges if 
these attacks are originating in Russia, Ukraine or from state 
actors, but for non-state actors, I'm just wondering, what 
could we do internationally to maybe have an accord or an 
agreement where we could make sure that we bring people to 
justice?
    I remember I asked a high-ranking cybersecurity official at 
one of our laboratories, naively, I guess, you know, well, are 
we going after these individuals, and this person kind of 
laughed, not being rude but just saying we're not going after 
them, we're just trying to defend against what they're doing, 
and I agree with Mr. LaHood that until people start, you know, 
paying a stiff price, I don't know if this is going to change. 
And I know as a prosecutor, putting together a case like this 
is very, very difficult, just the chain of evidence and, you 
know, proving whose fingertips were touching the keys to carry 
out an attack can be difficult, but what more can we do 
internationally? Yes, Mr. Wood?
    Mr. Wood. Thank you for your question, sir. So right 
after--I'll answer your question over a period of time. Right 
after September 11th, I was sitting in a meeting with a large 
number of information security professionals from within the 
intelligence community, and the question was posed in the 
auditorium where there are about 250 people, when are we going 
to start sharing information, and the answer came back from one 
senior person, in 50 years, and the other--another answer came 
back from another person, not in my lifetime. And it was very, 
you know, disappointing to say the least.
    Now, you roll forward 15 years and you look at where the 
intelligence community at least in my opinion is today, it's 
not like that at all. Today I see the intelligence community 
sharing information in a way like they've never shared it 
before from DNI on down, and I think what's happened is, as 
more and more breaches are occurring and as more and more of 
this culture of trust is occurring, there's a willingness to 
work together that didn't happen before. I sit, as I mentioned 
earlier, on the Cybersecurity Commission in the Commonwealth of 
Virginia, and we work very closely with DHS and FBI and the 
state police, and they work very closely with Interpol and 
others, and I can say that there is a spirit of cooperation 
that I haven't seen in a long time. What is lacking, however, 
is the resources and the funding associated with actually 
prosecuting, number one, and then number two, having a common 
level of standards of what's prosecutorial and what's not.
    Mr. Swalwell. Great. Thank you, Mr. Wood. Thank you all for 
your service on this issue, and I yield back.
    Chairwoman Comstock. Thank you, and I now recognize Mr. 
Westerman.
    Mr. Westerman. Thank you, Madam Chair, and I would also 
like to commend the panel today for your very informative 
testimony and also for the zeal that you have in working in 
cybersecurity, and I believe it's, you know, potentially the 
war of the future that we're fighting here in cybersecurity, 
and I'm from Arkansas, and just for personal reasons, Mr. 
Clinton, do you have any Arkansas ties just out of curiosity? 
Okay. And I've been listening to the testimony and the answers 
to the questions. I've got a 20-year-old college student, and I 
had a fascinating conversation over Christmas, and you guys 
were talking about how millennials are always connected, and he 
was telling me that that's a huge consideration where you take 
a job now, what the connectivity's feed is, you know, and that 
wasn't something we considered when I was getting out of 
college but it played a big key in where they would go to work 
and where they would eventually live. So I know we're in this 
connected world now.
    To follow up on Mr. Swalwell's question, he was talking 
about being on offense and the prosecution, but from the 
technology side, is it all defensive or are there proactive 
ways to combat hackers before they make their attack?
    Mr. Schneider. I mean, I think there's a set of approaches 
that are not defensive and are much more proactive that are in 
place today and will continue to expand. So one example is 
around things like honey pots, so if the bad guys are attacking 
you and you give them a place that looks like a legitimate part 
of your infrastructure that they go to and spend all of their 
time and energy attacking, you protect your real assets and 
you're able to study what they're doing at the same time. 
There's also things like shock absorbers where the harder an 
attacker hits you with traffic, the more you slow them down and 
do things like tar pitting. So there's a whole set I think of 
defensive and more proactive defensive measures that aren't 
offensive, don't go directly after the attackers that are in 
place today and are actually very successful within the 
enterprise.
    Mr. Clinton. Congressman, if I may, I think that's of 
course true, and there are some others, and I think I want to 
build off this point into having a better understanding of the 
multifaceted nature of the cyber problem. So for example, you 
know, one of the technological mechanisms that we use in the 
private sector is we understand that the bad guys are going to 
probably get in, you know, a determined attacker will peruse 
your system, but actually we have more control over the bad 
guys when they're inside the network than when they're outside 
the network, and if you are dealing with a cyber crime 
situation, you're basically dealing with theft, which means 
they have to get in the network, they have to find the data and 
they have to get back out. So if we block the outbound traffic 
rather than trying to block the inbound traffic, we can 
actually solve the cyber breach problem. They get to have a 
good look at our data but they don't get to use it at all, and 
from a criminal perspective, that's a problem. But if you're 
looking at this from a national security perspective, the 
attacker may be interested in disruption or destruction. They 
don't have to get back outside their network. They don't care 
about getting outside your network. So we need to understand 
that we're dealing with multiple different cyber problems, some 
of which are national security, defense critical 
infrastructure, making sure the grid doesn't go down, et 
cetera, and we need a different strategy with regard to that 
than we may need for the strictly criminal or theft problem, 
and when we have a more sophisticated policy in this regard, I 
think we're going to be able to make more progress.
    Mr. Westerman. And also just to briefly follow up on a 
question that Ms. Bonamici was talking about as far as 
developing new workers for the cybersecurity workforce. Are 
your companies seeing a workforce shortage? Do you foresee a 
lot of growth for the future in that? Mr. Wood?
    Mr. Wood. We do see an enormous shortfall of cybersecurity 
professionals. In the State of Virginia alone, the state 
government has announced that we've got about 17,000 unfilled 
cybersecurity professional positions just in the Commonwealth 
of Virginia.
    Sir, if I might go back to your other question if you don't 
mind about offensive?
    Mr. Westerman. All right.
    Mr. Wood. It's a question that's very much near and dear to 
my heart. You know, if someone were to come in my house 
uninvited and either hurt my children or my wife or take my 
stuff, I have the right to defend myself, but if someone were 
to come into my corporate house and virtually take my stuff, 
whether it be intellectual property or customer data or 
whatever it might be or financial information, whatever it 
might be, we need the ability to defend ourselves, particularly 
if our cyber command is not going to fund itself in a way that 
gives us the comfort the same way that we have the comfort, I 
think, as a nation from a standpoint of air, land, sea and 
space. Thank you, sir.
    Mr. Westerman. And Madam Chair, I'm out of time but I would 
like to plug our Congressional app challenge and encourage all 
Members to promote that in their district because it does help 
develop a new workforce for cybersecurity and a lot of other 
areas.
    Chairwoman Comstock. Thank you, Mr. Westerman, and I will 
also join you in plugging that. I know it's on our website and 
our Facebook page, and I think the date is January 15th when 
things are due, right?
    Mr. Westerman. Unless you extend it.
    Chairwoman Comstock. Now I recognize Mr. Abraham.
    Mr. Abraham. Thank you, Madam Chairman, for having this 
great hearing, and I want to thank the witnesses for giving 
direct answers to direct questions. That's refreshing and 
somewhat of a novel idea in a Committee hearing, so kudos to 
you guys for answering straight up. We appreciate that.
    Some of you have espoused the value of sharing 
cybersecurity information whether it be a cyber threat tread or 
a cyber crime with certainly other companies or government 
officials. This last cybersecurity bill that we passed last 
month, did that help or hurt in this area?
    Mr. Clinton. Sir, I think that that was a good bill. We 
endorsed the bill. We support the bill completely. The most 
important thing, however, is that that is not the cybersecurity 
bill. That's a very useful tool to have in the toolbox. It can 
help, but it is nowhere near sufficient.
    Mr. Abraham. So we need to do more is what you're saying?
    Mr. Clinton. Absolutely we need to do a great deal more.
    Mr. Abraham. And just give me your top three 
recommendations. What would be your bullet points for the new 
legislation?
    Mr. Clinton. For new legislation, we would like to see the 
incentive program that has been endorsed both by the President 
and by the House Republican Task Force put in place. That would 
include things like stimulating the cyber insurance market that 
we've talked about earlier today. It would include with 
providing some benefits for smaller businesses who don't have 
the economies of scale in order to get in here. It would 
include streamlining regulations so that we had an opportunity 
to reward entities that were doing a good job with 
cybersecurity in the way we do in other sectors of the economy. 
A lot of the incentives we talk about and I refer to in my 
testimony are things that we are already doing in aviation, 
ground transport, agriculture, even environment. We simply 
haven't applied these incentive programs to the cybersecurity 
issue and so I think if we did that, we could do more.
    And then the third thing would be, I think we need to have 
a much better, a more creative and innovative workforce 
development program. We've talked here about the fact that we 
are we're always connected now and we all know this, but the 
slogan that DHS uses for their workforce education program is 
Stop, Think, Connect, which is directly out of the dial-up age. 
No millennial stops and thinks before they connect. It just 
makes no sense. We need to be leveraging ESPN and reaching to 
the millions of young people who are interested in gaming and 
popularize that and use that as a bridge to get them interested 
in cybersecurity. We need to be much more aggressive, much more 
inventive in this space, and by the way, they are doing these 
things in other countries. We need to be taking a page from 
that.
    And then the final thing that I'll mention is, we would 
like to see--I'm not kidding. We need an education program for 
senior government officials like we're doing for corporate 
boards who are just like you guys: really busy, lots of things 
that they have to do, demands on their time. We found when we 
actually educated them about cybersecurity, we got better 
policy, we got more investment, we got better risk management. 
We need to be doing that on the government side just like we're 
doing that on the private-sector side.
    Mr. Abraham. Very enlightening. Any you guys want to 
comment anything else?
    Mr. Schneider. If you think about, you know, threat 
information, vulnerability information, I mean, for many, many 
years in the cybersecurity industry we've been sharing those 
kinds of information, and some of the keys are being able to 
take it and aggregate it and anonymize it and share it in a 
safe way because we're taking information that is, you know, 
specific to a particular industry or a set of customers and 
trying to gain the security knowledge but not, you know, not 
put any of that information at risk. So it's something that's 
been happening for many, many years in the security industry 
and I think it's an important element but not, of course, the 
final answer.
    Mr. Abraham. Thank you, Madam Chairman. I yield back.
    Chairwoman Comstock. Okay. And I will now recognize Mr. 
Hultgren for his five minutes.
    Mr. Hultgren. Thank you so much, Chairwoman. Thank you all 
for being here. I know a lot of things have already been asked 
and answered, but as we say around here, not everyone has asked 
that same question yet, so my turn.
    Now, I'm going to try and focus on a couple different 
things, but thank you. I do think this is so important and I do 
think the American people, our constituents, are waking up and 
feeling some of that fear, and wanting to know the right thing 
to do. So we always want to hear from you of how we can be 
informing our own constituents of wise decisions along with 
ourselves, our families and our staff to protect important 
information. So much of our society, so much of our financial 
systems is based on consumer confidence, and if there's a 
feeling that this isn't safe or whatever it is, I think we're 
going to lose the benefits that much of this technology has, so 
we want to do this well.
    I do want to talk briefly or ask you your thoughts. We've 
talked a little bit about what government can do better, 
learning from the private sector, and certainly the private 
sector is ahead of us in so many areas. We've also heard--I 
really appreciate it, Mr. Clinton, your response that, you 
know, for us to say that this is like an airbag problem, it 
isn't. It's completely different and, you know, so for us to be 
prescriptive of saying you have to do this, we always pick the 
wrong technologies always too late. So instead it's really this 
framework, I think, of a way of thinking of how to solve this 
problem, but a question I would have is really with impediments 
that government is putting up to your business or other 
businesses from new innovation. What would you say may be the 
greatest impediment that you feel from government from your 
business innovating or doing what you already do best? Is there 
something that has been a hurdle that you've had to overcome, 
Dr. Casado?
    Dr. Casado. So this is going to be an indirect answer to 
your question, but actually working with the government on the 
procurement side, something that's very difficult is when there 
isn't flexibility in budgeting, which I think it's actually 
difficult for the agencies and the departments to adopt new 
technology because the working capital that they have doesn't 
allow them to move as quickly as possible, and so from a purely 
financial side, more flexibility in their budgeting I think 
will help them and certainly help us be able to introduce new 
technologies into the government.
    Mr. Hultgren. Mr. Clinton?
    Mr. Clinton. I would offer two things, Congressman. First 
of all, we need to really rid our government partners from the 
``blame the victim'' attitude that they have, particularly at 
some of the independent agencies. I'm thinking of the FTC and 
the SEC, for example. As we have articulated here, and I think 
is fairly common knowledge up in Congress, it's been said the 
determined attacker is going to get in. The fact that you are 
subject to a breach is not evidence of malfeasance or 
nonfeasance. Now, there may be instances where you are 
malfeasant or nonfeasant, and we should investigate those, but 
breach per se is not one of them, and so we need to move beyond 
that particular notion.
    The second thing that I would say is that the government 
really needs to get its act together with respect to 
cybersecurity. Cybersecurity--you're right, sir. 
Cybersecurity's real hot now so every entity in the government, 
every state, every locality, they're coming up with their own 
cybersecurity programs, and a lot of times these things differ 
just a little bit and so when you try to do these things, 
you're forced to meet with multiple different compliance 
regimes trying to do essentially the same thing. Now, we're in 
favor of the NIST framework and using that, et cetera, but 
let's have one and let's make sure we're all working in the 
same direction, because as we've also pointed out, we do not 
have adequate resources in this space, and frankly, one of the 
big problems that my companies tell us is that they're spending 
all their time on compliance, which means they don't have time 
to spend on security. I have one company that told me a story 
about how they were following a legitimate best practice 
quarterly testing, you know, testing your system every quarter 
to make sure, you know, you've not been invaded, and they had 
to go from quarterly pen testing to annual pen testing because 
all their security staff were too busy doing compliance. That's 
a 75 percent reduction in a key cybersecurity best practice due 
to overregulation coming from different elements. We need to 
streamline that process, have a good process, but have one 
process that is cost-effective.
    Mr. Hultgren. Yeah. That's great. Go ahead. I think if you 
both can speak on this, and then I'll be finished because I 
think this is very important.
    Mr. Schneider. The one point that I would make and kind of 
double-click on again is education. I mean, there's a huge and 
growing gap in the number of cybersecurity professionals 
available, and Symantec's been doing a lot of work with local 
universities, but it's not just universities, you know, it's 
primary education, it's getting the boys and girls that are in 
high school today and actually really focusing on girls as well 
to think about careers in cybersecurity and the skill sets that 
go with that.
    Mr. Hultgren. Mr. Wood?
    Mr. Wood. Sir, I would just echo a comment but follow 
on top of it. So yes, the determined hacker can get in today, 
there's no question, but as the Verizon breach report 
focuses on, you know, 94 percent roughly of those hacks 
could've been avoided, and then the hacker has to focus 
on the six percent or the eight percent, which is a lot harder 
to get in then because we have the tools, we have the 
standards, we have the approach.
    The second point I make is the NIST framework is indeed 
something that I think we can all sort of get behind, and I 
think it's something that at least it's a baseline.
    And then the third thing I would say and the last thing I'd 
say is that look, compliance and mission are not mutually 
exclusive. You can make compliance work but it has to be 
automated and it has to be invisible to the guy that owns the 
mission so it doesn't inhibit their ability to get their 
mission done.
    Mr. Hultgren. That's a good point.
    Mr. Wood. Thank you.
    Mr. Hultgren. Thank you, all. I'm over time. Thank you, 
Chairwoman, and again, thank you all for being here.
    Chairwoman Comstock. Thank you, and I thank the witnesses 
for their very valuable testimony today and the Members for 
their questions. I've gotten a lot of sort of assignments for 
today and new issues and areas that we need to explore further. 
So I would like to invite you all to keep an open dialog with 
us and don't wait for us to call. Please provide us with any 
additional information that you think or as you see issues 
going on. This is going to be, as you all said, an 
exponentially growing problem. You know, we do have a cyber war 
that is being waged against us and we--it's a little bit like 
post 9/11 when they were at war with us but we weren't at war 
with them. And now we definitely have bad actors on all kinds 
of fronts from individuals to nation-states who are, you know, 
waging a cyber war on us, and we need to respond in kind and 
have that be reflected in our budget but also our 
responsiveness and how we plan and the 94 percent that we can 
get covered if we get the right systems into place will then 
allow us to spend our time on those six percent that we can't 
prevent because I think we all agree here and we all understand 
that no matter what we do, this exponentially increasing 
information world, we are going to have breaches because it's a 
little bit like I was talking earlier about when somebody 
before the hearing when I was out in Las Vegas, they said it's 
like asking never to get sick. You know, in the world that 
we're going to be dealing with, there will be breaches, but 
what systems do we have in place to identify them, and if it's 
only six percent that we have to deal with, then our creative 
resources and all that we need to do can be very quickly 
identified there and then move on to solve these bigger 
problems.
    So I thank you for the challenges that you've put before 
us, and the record will remain open for two weeks for 
additional comments and any questions from the Members so if 
there are questions that we didn't get an opportunity or people 
who aren't here, and I thank the witnesses very much. You're 
excused here and the hearing is adjourned.
    [Whereupon, at 11:05 a.m., the Subcommittees were 
adjourned.]

                               Appendix I

                              ----------                              


                   Answers to Post-Hearing Questions


Responses by Mr. John B. Wood
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

Responses by Dr. Martin Casado
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

Responses by Mr. Ken Schneider
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

Responses by Mr. Larry Clinton

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]



                              Appendix II

                              ----------                              


                   Additional Material for the Record




            Statement submitted by Committee Ranking Member
                         Eddie Bernice Johnson
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]