b"<html>\n<title> - FEDERAL CYBERSECURITY DETECTION, RESPONSE, AND MITIGATION</title>\n<body><pre>[House Hearing, 114 Congress]\n[From the U.S. Government Publishing Office]\n\n\n\n\n\n \n       FEDERAL CYBERSECURITY DETECTION, RESPONSE, AND MITIGATION\n\n=======================================================================\n\n                                HEARING\n\n                               BEFORE THE\n\n                            SUBCOMMITTEE ON\n                         INFORMATION TECHNOLOGY\n\n                                 OF THE\n\n                         COMMITTEE ON OVERSIGHT\n                         AND GOVERNMENT REFORM\n                        HOUSE OF REPRESENTATIVES\n\n                    ONE HUNDRED FOURTEENTH CONGRESS\n\n                             SECOND SESSION\n\n                               __________\n\n                             APRIL 20, 2016\n\n                               __________\n\n                           Serial No. 114-157\n\n                               __________\n\nPrinted for the use of the Committee on Oversight and Government Reform\n\n\n\n\n\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n\n\n\n\n         Available via the World Wide Web: http://www.fdsys.gov\n                      http://www.house.gov/reform\n                      \n                      \n                            _________ \n\n                U.S. GOVERNMENT PUBLISHING OFFICE\n                   \n 26-066 PDF              WASHINGTON : 2017       \n____________________________________________________________________\n For sale by the Superintendent of Documents, U.S. Government Publishing Office,\nInternet:bookstore.gpo.gov. 
Phone:toll free (866)512-1800;DC area (202)512-1800\n  Fax:(202) 512-2104 Mail:Stop IDCC,Washington,DC 20402-001              \n  \n  \n  \n                      \n                      \n                      \n                      \n              COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM\n\n                     JASON CHAFFETZ, Utah, Chairman\nJOHN L. MICA, Florida                ELIJAH E. CUMMINGS, Maryland, \nMICHAEL R. TURNER, Ohio                  Ranking Minority Member\nJOHN J. DUNCAN, Jr., Tennessee       CAROLYN B. MALONEY, New York\nJIM JORDAN, Ohio                     ELEANOR HOLMES NORTON, District of \nTIM WALBERG, Michigan                    Columbia\nJUSTIN AMASH, Michigan               WM. LACY CLAY, Missouri\nPAUL A. GOSAR, Arizona               STEPHEN F. LYNCH, Massachusetts\nSCOTT DesJARLAIS, Tennessee          JIM COOPER, Tennessee\nTREY GOWDY, South Carolina           GERALD E. CONNOLLY, Virginia\nBLAKE FARENTHOLD, Texas              MATT CARTWRIGHT, Pennsylvania\nCYNTHIA M. LUMMIS, Wyoming           TAMMY DUCKWORTH, Illinois\nTHOMAS MASSIE, Kentucky              ROBIN L. KELLY, Illinois\nMARK MEADOWS, North Carolina         BRENDA L. LAWRENCE, Michigan\nRON DeSANTIS, Florida                TED LIEU, California\nMICK MULVANEY, South Carolina        BONNIE WATSON COLEMAN, New Jersey\nKEN BUCK, Colorado                   STACEY E. PLASKETT, Virgin Islands\nMARK WALKER, North Carolina          MARK DeSAULNIER, California\nROD BLUM, Iowa                       BRENDAN F. BOYLE, Pennsylvania\nJODY B. HICE, Georgia                PETER WELCH, Vermont\nSTEVE RUSSELL, Oklahoma              MICHELLE LUJAN GRISHAM, New Mexico\nEARL L. ``BUDDY'' CARTER, Georgia\nGLENN GROTHMAN, Wisconsin\nWILL HURD, Texas\nGARY J. 
PALMER, Alabama\n\n                   Jennifer Hemingway, Staff Director\n                          Mike Flynn, Counsel\n                      Sean Brebbia, Senior Counsel\n                          William Marx, Clerk\n                 David Rapallo, Minority Staff Director\n                                 ------                                \n\n                 Subcommittee on Information Technology\n\n                       WILL HURD, Texas, Chairman\nBLAKE FARENTHOLD, Texas, Vice Chair  ROBIN L. KELLY, Illinois, Ranking \nMARK WALKER, North Carolina              Minority Member\nROD BLUM, Iowa                       GERALD E. CONNOLLY, Virginia\nPAUL A. GOSAR, Arizona               TAMMY DUCKWORTH, Illinois\n                                     TED LIEU, California\n                                     \n                                     \n                                     \n                            C O N T E N T S\n\n                              ----------                              \n                                                                   Page\nHearing held on April 20, 2016...................................     1\n\n                               WITNESSES\n\nMr. Sanjeev Bhagowalia, Deputy Assistant Secretary for Information \n  Systems and Chief Information Officer, Department of Treasury\n    Oral Statement...............................................     5\n    Written Statement............................................     8\nMr. Steven C. Taylor, Chief Information Officer, Department of \n  State\n    Oral Statement...............................................    16\n    Written Statement............................................    18\nMr. Andy Ozment, Assistant Secretary for Cybersecurity and \n  Communications, Department of Homeland Security\n    Oral Statement...............................................    21\n    Written Statement............................................    23\nMr. 
Richard Barger, Chief Intelligence Officer, ThreatConnect, \n  Inc.\n    Oral Statement...............................................    32\n    Written Statement............................................    34\n\n                                APPENDIX\n\nReport titled, ``Liberty and Security in a Changing World,'' \n  submitted by Mr. Lieu..........................................    64\nLA Times article titled, ``4.5 Million Smartphones Were Lost or \n  Stolen in U.S. in 2013,'' submitted by Mr. Lieu................    65\nLetter for the Record submitted by Gibson, Dunn & Crutcher LLP...    66\nQuestions for the Record for Mr. Steven Taylor, submitted by Mr. \n  Hurd...........................................................    69\nQuestions for the Record for Mr. Steven Taylor, submitted by Mr. \n  Farenthold.....................................................    83\nQuestions for the Record for Mr. Andy Ozment, submitted by Mr. \n  Farenthold.....................................................    87\nQuestions for the Record for Mr. Andy Ozment, submitted by Ms. \n  Kelly..........................................................    91\nQuestions for the Record for Mr. Steven Taylor, submitted by Mr. \n  Connolly.......................................................   101\n\n\n       FEDERAL CYBERSECURITY DETECTION, RESPONSE, AND MITIGATION\n\n                              ----------                              \n\n\n                       Wednesday, April 20, 2016\n\n                  House of Representatives,\n            Subcommittee on Information Technology,\n              Committee on Oversight and Government Reform,\n                                                   Washington, D.C.\n    The subcommittee met, pursuant to call, at 9:34 a.m., in \nRoom 2154, Rayburn House Office Building, Hon. 
Will Hurd \n[chairman of the subcommittee] presiding.\n    Present: Representatives Hurd, Chaffetz, Farenthold, \nWalker, Blum, Kelly, Connolly, and Lieu.\n    Mr. Hurd. The Subcommittee on Information Technology will \ncome to order. And without objection, the chair is authorized \nto declare a recess at any time.\n    Good morning, everyone.\n    Every day, Federal agencies face a barrage of attacks on \ntheir information systems from a number of different actors. \nAttacks on both the public and private sectors consistently \nreveal one common truth: No one is immune.\n    In December of last year, Juniper Networks announced that \nmalicious code had been placed in its ScreenOS software leaving \na gaping vulnerability in one of its legacy products. This \nparticular vulnerability may have allowed outside actors to \nmonitor network traffic, potentially decrypt information, and \neven take control of firewalls.\n    Within a matter of days, the company provided its clients, \nwhich include various U.S. intelligence entities and at least \n12 Federal agencies, with an emergency security patch.\n    DHS and other law enforcement agencies acted swiftly to \nnotify Federal agencies of the breach in Juniper's security \nadvisory. Both of their actions may have averted a potentially \ndevastating breach of sensitive data. This is just one \nsophisticated example of the attacks that U.S. companies and \ntheir Federal clients face on a daily basis.\n    In January of this year, the committee sent letters to the \nheads of 24 Federal agencies requesting an inventory of systems \nrunning the aforementioned software. Additionally, the \ncommittee asked for an update of their progress in installing \nthe corresponding security patch.\n    Of the 12 agencies affected, 3, including the Department of \nTreasury, took longer than 50 days to fully install patches and \nmitigate the threat posed by this vulnerability. 
This is \nabsolutely unacceptable.\n    The inability of Federal agencies to maintain a \ncomprehensive view and inventory of their information systems \nand to respond to Congress in a timely manner cannot be the \nstatus quo.\n    Last December, Congress passed landmark information-sharing \nlegislation, the Cybersecurity Act of 2015, which creates a \nvoluntary cybersecurity information-sharing process to \nencourage public and private sector entities to collaborate and \nshare information. Moreover, the bill established the \nDepartment of Homeland Security as the sole portal for \ncompanies to share information with the Federal Government.\n    With their newly codified role, I look forward to working \nwith Dr. Ozment and DHS on how to strengthen their own posture \nand ensure that they possess the necessary technical tools to \ndetect and mitigate threats and disseminate threat information \nwithin the Federal Government. Only by fostering this framework \nwhere government and private entities are able to freely share \nknowledge of security vulnerabilities, threat indicators, and \nsignatures can we be sure that our network defenses are getting \nthe best intelligence available.\n    In addition, we must continue to learn from the private \nsector. Industry leaders like ThreatConnect and FireEye are \nconsistently pushing the envelope in what is possible in \ncybersecurity. The government should not seek to compete with \nthem, but rather they should harness these engines of \ninnovation, learn from them, and safely cooperate with them \nunder the guidance of good sense and personal liberty.\n    I hope that this hearing will serve as a starting line for \na larger conversation on attribution. Various international \ngroups and state-sponsored actors are constantly attempting to \nsteal military secrets and expose the personally identifiable \ninformation of American citizens and we cannot stand idly by \nwhile this happens. 
I believe that attribution is a form of \ndeterrence.\n    This hearing presents an opportunity to learn how Federal \nagencies can improve their overall cybersecurity postures, \nshare more timely and relevant information, and work with the \nprivate sector in a way that benefits all involved, while \nrespecting the institutions of commerce and privacy.\n    I welcome our witnesses and look forward to hearing your \ntestimony today.\n    I would like to yield to the chairman from the great State \nof Utah, Mr. Chaffetz.\n    Mr. Chaffetz. I thank the gentleman. And Mr. Hurd, I thank \nyou for your leadership on this issue. You are such a valuable \npart of our team in making this happen.\n    But to those that are in the Federal Government, we've got \nto up our game. I was elected the same time as President Obama \nwas. Starting in 2009, if you look at the expenditure on the IT \nbudget, the Federal Government has spent more than $525 billion \non IT and it doesn't work. It doesn't work.\n    And so I see that the President has a proposal, he needs \nanother $3 billion. As if $525 billion wasn't enough, he needs \n$528 billion in order to actually solve these problems. I have \na hard time believing that we're just 3 more billion away from \nactually solving this.\n    I understand the predicament that we're in because as best \nI can see on a macro level, we are spending about 70 percent of \nour $80-plus billion a year now on legacy systems. And it is \ndifficult, to say the least, on making that transition from \nthose legacy systems to newer, more progressive, more secure \nnetworks and using the basic software.\n    I got to review a document from the Department of Justice. \nWas on WordPerfect. WordPerfect was a great company back in \n1990. They were a Utah company, and had a good product, but \nthey still are using WordPerfect at the Department of Justice. 
\nAnd I'm sorry, with all due respect to Corel, it maybe is not \nthe most up to speed and very difficult to share with others.\n    And it just begs the question of why in the world we \ncontinue to have to teach people how to use COBOL. We have some \nthat I have heard are using punch cards still. I mean, it's \nunbelievable how far behind we are. And yet, I don't think it's \nfor a lack of funding.\n    It is just unexcusable for, in my mind--it is just \ninexcusable, I should say--inexcusable that we need a patch and \nit takes 50 days to do it. Fifty, really? Come on. Patching a \nvulnerability should be priority one and should be done within \nthe day. There is no excuse for waiting nearly 2 months to \npatch what is known as a vulnerability.\n    At the Department of Education, it's something Mr. Ozment, \nI hope, would look at personally, because the inspector general \nwas able to go into the Department of Education and look into \ntheir system, surf around for 3 days, and come out undetected, \ndespite their deploying EINSTEIN, which begs the question of, \nwith all due respect to the inspector general, I'm guessing \nthey are good, but they are probably not as good as the \nRussians, the Chinese, the others that do this type of thing \nfor a living.\n    And so I do agree with Mr. Hurd that one of the things we \nhave to talk about is how to fight back. And attribution, just \nflat-out acknowledgment and pointing the finger at who is doing \nwhat, might be a form of deterrent. But I do think it's one of \nthe big questions--we won't answer it today--but I do think \nit's a big question for those of us in Congress, how do you \nfire back? You know, if somebody fired a weapon on us we could \nfire back at them. But if they're attacking us online, how do \nwe fight back? And I don't know the answer to that.\n    But we need all of your help here today. 
We have got a lot \non the line, a lot of personal information, a lot of \nvulnerabilities for the country itself. And so we thank you for \nyour expertise and your commitment. We want to be part of the \nsolution, not part of the problem, not just fire arrows. We are \nsupposed to be oversight, but then government reform. And we \ncan, I think, help you solve these problems, because this is \nthe first time in the Congress we have actually had a \nsubcommittee focused on just information technology.\n    And so we are going to highlight the problems, but our next \nstep is, how do we solve those? And, collectively, we need to \ncome together in a bipartisan way and help you accomplish that \nand achieve that. So that's the spirit in which we do this.\n    I thank the gentleman. Thank you for the time. I yield \nback.\n    Mr. Hurd. Thank you, Chairman.\n    And now this subcommittee in 17, 18 short months has done, \nI think, a lot of good work in government reform and \nidentifying the problem. And part of that is because of the \nbipartisan nature in which we do that. And we are able to do \nthat because of the leadership of the ranking member on the \nSubcommittee on Information Technology, Ms. Kelly from \nIllinois, and I would like to recognize her for her opening \nstatement.\n    Ms. Kelly. Thank you, Mr. Chairman, for holding this \nhearing on how Federal agencies detect, respond, and mitigate \nthe growing number of cyber threats they encounter each year.\n    And thank you to our witnesses for being here.\n    The Federal Government and the private sector are facing a \nvolume of cyber attacks that just a few years ago would have \nbeen unimaginable. According to a new report by security firm \nSymantec, 54 zero-day vulnerabilities were discovered in 2015, \nmore than twice as many as in 2014. 
Compared to the previous \nyear, in 2015, the instances of ransomware increased by 35 \npercent.\n    We need to ensure that the Federal Government has the \nresources necessary to respond to these vulnerabilities and \nthreats. Agencies are spending up to three-quarters of their \ninformation technology budgets maintaining legacy systems that \nwere never designed to deal with today's cybersecurity risks. \nAdding to the problem are the increasing difficulties agencies \nare having in filling more than 10,000 vacant cyber positions \nacross the Federal Government.\n    As Tony Scott, the chief information officer for the \nFederal Government, has said, and I quote, ``We have a broad \nsurface area of old, outdated technology that is hard to \nsecure, expensive to operate, and on top of all of that, the \nskill sets needed to maintain those systems are disappearing \nrather rapidly.''\n    But we are making progress in fixing that. I, along with my \ncolleagues on this subcommittee and Ranking Member Cummings, \nwere original cosponsors of Congressman Steny Hoyer's \nInformation Technology Modernization Act. The act would \nauthorize the creation of an Information Technology \nModernization Fund to help Federal agencies upgrade their aging \ninformation technology systems. Over the first 10 years the \nfund would help facilitate upgrades to $12 billion worth of \ncivilian IT programs and make sure the Federal Government has \nthe most effective, secure IT infrastructure possible.\n    Legislation like the ITMA sends a clear message that \nCongress understands the challenges facing our Nation's Federal \nIT systems. But there is more to be done. I look forward to \nhearing from our witnesses today on the threat response \nprocesses they have in place, and I look forward to working with you, Mr. \nChairman, to do what's needed to ensure that we keep the \nFederal Government secure from the growing number of cyber \nthreats.\n    I yield back.\n    Mr. Hurd. 
I would like to thank the ranking member for her \ncomments.\n    We will hold the record open for 5 legislative days for any \nmembers who would like to submit a written statement.\n    Mr. Hurd. Now I'd like to recognize our panel of witnesses. \nI'm pleased to welcome Mr. Sanjeev Bhagowalia. He's the deputy \nassistant secretary for information systems and chief \ninformation officer at the Department of Treasury. Mr. Steven \nTaylor, chief information officer at the Department of State. \nDr. Andy Ozment, assistant secretary for cybersecurity and \ncommunication at the Department of Homeland Security. And Mr. \nRichard Barger, chief intelligence officer at ThreatConnect \nIncorporated.\n    I would like to welcome you all.\n    And pursuant to committee rules, all witnesses will be \nsworn in before they testify. So please rise and raise your \nright hands.\n    Do you solemnly swear or affirm that the testimony you are \nabout to give will be the truth, the whole truth, and nothing \nbut the truth?\n    Thank you. Please be seated.\n    And let the record reflect the witnesses answered in the \naffirmative.\n    In order to allow time for discussion, please limit your \ntestimony to 5 minutes, and your entire written statement will \nbe made part of the record.\n    Mr. Bhagowalia, we will start with you, and you are \nrecognized for 5 minutes.\n\n                       WITNESS STATEMENTS\n\n                STATEMENT OF SANJEEV BHAGOWALIA\n\n    Mr. Bhagowalia. Thank you, Chairman.\n    Chairman Hurd, Ranking Member Kelly, and members of the \nsubcommittee, thank you for the opportunity to testify on \nTreasury's approach to the detection and mitigation of \ncybersecurity vulnerabilities.\n    Treasury relies on technology to meet our mission of \nserving the American taxpayers and acting as a steward of the \nnational economy. 
Cybersecurity is one of the top priorities of \nTreasury, not only for the CIO, but also for the Department and \nbureau senior leadership. We are continuously and incrementally \nimproving in management oversight over the IT environment, \nincluding cybersecurity. We are leveraging synergy \nopportunities across the enterprise through authorities in law, \nlike FITARA and FISMA, to more effectively use our people, \npolicy, processes, technology, and governance in cyberspace.\n    Detecting and mitigating vulnerabilities in our environment \nbefore they are exploited by our adversaries is an essential \ncomponent in Treasury's ``defense-in-depth'' strategy.\n    I have divided my testimony into two parts. The first part \nwill explain how we tackle vulnerability mitigation of the \nDepartment, and the second part will outline how we participate \nin the governmentwide Federal cybersecurity community.\n    Part one, vulnerability detection, reporting, response, and \nmitigation within Treasury. As you know, Treasury is a large, \ngeographically and technically diverse enterprise with bureaus \nhaving widely varying missions requiring widely varying IT \nenvironments. While Treasury bureaus are empowered to make IT \ndecisions necessary to execute their individual missions and \ncarry out operational security functions within their \nenvironments, the Treasury CIO is accountable to ensure that \nthose decisions properly consider security implications and \nevaluate risk and vulnerabilities.\n    Treasury has aligned our departmental cybersecurity \nstrategy with the five-part NIST national Cybersecurity \nFramework and the Cybersecurity National Action Plan, CNAP, to \nensure common objectives across the enterprise.\n    Vulnerability detection. IT companies, government agencies, \nsecurity researchers, and others identify thousands of security \nweaknesses each year. Critical vulnerabilities are a far \nsmaller number, in hundreds. 
Vulnerability detection requires a \nmultidimensional approach involving asset management, automated \ntools, monitoring of communication channels, and human \nanalysis. The foundation of good comprehensive vulnerability \ndetection is strong asset management.\n    To this end, Treasury has policies in place requiring \nbureaus to perform regular asset and vulnerability inventory \nscans using automated tools. Treasury maintains a central \nDepartment-wide security operations center that operates around \nthe clock. It's called the SOC. The SOC monitors classified and \nunclassified government channels, as well as open source and \nindustry channels, for news of critical vulnerabilities.\n    In response, reporting, mitigation of known \nvulnerabilities, we follow the maxim that cybersecurity is \nabout risk management. Bureau IT organizations undertake risk \nanalysis for each vulnerability and schedule testing and patch \ndeployment as appropriate. A risk analysis may result in \nseveral mitigation approaches, such as patching, instituting \ncompensating security controls, and migrating to a new software \nor hardware solution. Treasury and its bureaus start by \nremediating vulnerabilities on assets with the greatest risk \nexposure first and then moving systematically to remediate the \nremaining assets.\n    The recent Juniper vulnerability offers an example of this \nprocess in action. Table 1 in my written testimony illustrates \nhow 57 affected devices across Treasury were remediated from a \ntime and risk perspective. Treasury coordinated an \nenterprisewide response to the Juniper vulnerability within a \ncouple of hours of receiving the information from open source \nvendor channels and DHS. Treasury fixed 25 percent of the \npatches within a day, 84 percent within a week, and 86 percent \nwithin 2 weeks, and 93 percent within 7 weeks. 
But if you look at it \nfrom a risk lens, we fixed 40 out of the 57 devices, \nrepresenting 100 percent of high-risk devices, within 6 days. \nOf the remaining 17 low-risk devices, 13, or 76 percent, were \ncompleted by February 4, and the remaining 4 devices were \ncompleted over the next 10 days.\n    A detailed analysis determined that the configuration posed \nlow risk of the exploitation of the vulnerability because the \ndevices were not directly connected to the Internet, were not \ndirectly affected by the vulnerability, and each had multiple \nlayers of compensating controls in place.\n    So a challenge faced by large agencies in complying with \ngovernmentwide mandates to address particular vulnerabilities \nis the need to balance operational and security risk. In many \ncases the device must be patched as part of a complex \noperational system with several legacy components that may not \nbe compatible with the security fix. So we respectfully request \nand suggest that factor should be considered in reporting. \nCould we have done it a little bit faster? Yes.\n    Part two, Treasury's role in governmentwide vulnerability \ndetection, response, and mitigation. I would like to thank DHS \nfor the leadership role in coordinating Federal cybersecurity. \nTreasury fully participated in the EINSTEIN program and looks \nforward to EINSTEIN 3A. The CDM program led by DHS will help us \nmove as the entire U.S. Government from federated compliance to \nintegrated continuous monitoring and mitigation.\n    Treasury is an enthusiastic participant in the CDM program. \nWe expect CDM will improve situational awareness regarding \nvulnerabilities and will move us to better automation of \ntracking in real time.\n    In conclusion, while Treasury has established a solid \nprocedural and operational foundation to identify and mitigate \nvulnerabilities, our adversaries are constantly changing their \nmethods. 
I see two opportunities where congressional support \ncould aid our efforts.\n    First, hiring and retaining cybersecurity staff remains a \nchallenge. We ask for continued support to streamline hiring \nand offering appropriate incentives to attract and retain that \ntalent.\n    Second, we ask for some consideration in the fiscal year \n2017 budget request for a cybersecurity enhancement account \nwhich will enable us to keep pace with the rapidly evolving \nadversaries through targeted and accountable spending.\n    Thank you for your attention to this important matter. I \nappreciate this opportunity to testify today, and I will be \nglad to answer any questions you may have. Thank you.\n    [Prepared statement of Mr. Bhagowalia follows:]\n    \n    \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]   \n    \n        \n    Mr. Hurd. Thank you, sir.\n    Mr. Taylor, you are recognized for 5 minutes.\n\n                 STATEMENT OF STEVEN C. TAYLOR\n\n    Mr. Taylor. Chairman Hurd, Ranking Member Kelly, \ndistinguished members, thank you for inviting me to testify \nabout the Department of State's cybersecurity program.\n    The Department of State, as the lead U.S. foreign affairs \nagency, has over 70,000 employees in our 275 overseas and 30-\nplus domestic locations. Like all government agencies and \nbusinesses, particularly organizations the size of the \nDepartment, we face a dilemma. The Department relies on the \nInternet and email to conduct our day-to-day operations, \ncommunicating with U.S. and foreign citizens and organizations \nabout a wide variety of issues. We use these tools to support \npassport and visa applications, to communicate about foreign \npolicy initiatives, and to conduct the day-to-day business of \nthe Department.\n    We also know that email and the Internet are avenues \nthrough which our networks and databases can be attacked. 
As a \nbreach of our own unclassified email system in 2014 \ndemonstrated, our adversaries see information handled by the \nDepartment and many other U.S. Government agencies as a \ndesirable target. Annually, we experience millions of attempts \nto breach our networks and gain possession of our information.\n    Protecting our information as we face increasingly \nsophisticated, frequent, and well-organized cyber attacks is a \ntop priority for the Department of State. The Bureaus of \nInformation Resource Management and the Diplomatic Security \nshare the role of defending our networks through our joint \nsecurity operations center and through collaborative long-range \nplanning.\n    Alongside our partner Federal agencies, we've developed \nincreasingly robust defenses as the sophistication and \nintensity of these threats increases. The foundation of our \ncybersecurity framework is the Federal Information Security \nModernization Act, or FISMA, along with OMB guidance and the \nNational Institute for Standards and Technology guidelines. But \nwe go far beyond these guidelines to protect our network and \ndata while protecting privacy and civil liberties.\n    The Department of Homeland Security serves as a first line \nof defense by filtering our traffic through the EINSTEIN system \nwhich detects and blocks cyber attacks on Federal agencies and \nthrough its trusted Internet connections and continuous \ndiagnostics and mitigation initiatives. In addition, we monitor \nour networks with an extensive defensive toolset.\n    We also make great efforts to educate our network users so \nthat they, themselves, are defending our systems. Annually, the \nDepartment of State employees must complete security and \nprivacy awareness training. 
In addition, network users must \nanswer a security challenge question prior to logging on to the \nsystems each and every day.\n    We amplify the effectiveness of our defenses through \npartnerships with US-CERT, the Department of Homeland Security, \nthe Federal Bureau of Investigation, the National Security \nAgency, U.S. Digital Services, and other agencies in the \nprivate sector. Our partners in the intelligence community, \nDHS, and other agencies in the private sector perform \npenetration testing to ensure our defenses are capable of \nwithstanding persistent attacks. They also provide us with a \nsteady stream of information about probable sources, methods of \nattack, and recommended countermeasures.\n    We recognize that intrusion is possible even with the best \ndefenses. Today we train and prepare for a wide range of cyber \nthreats. Some can be contained by removing a hard drive, while \nothers may require that we take a system offline. We are \nconstantly working with our partners to defend against the \nknown and evolving threats.\n    Looking to the future, we are creating a safe zone between \nour data and the Internet through segmentation of our networks, \nby reengineering our business practices, and leveraging cloud \nservices. The most powerful and promising tools for our defense \nare effective risk management, our public and private \npartnerships, clearly defined agency roles, effective \ninformation sharing, employee education, and of course next \ngeneration technology.\n    We appreciate the support on cybersecurity issues, and we \nlook forward to working with Congress and our partners to \ndefend our critical information and systems. Thank you.\n    [Prepared statement of Mr. Taylor follows:]\n    \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    \n    \n  \n    Mr. Hurd. Thank you, Mr. Taylor.\n    Dr. Ozment, you are recognized for 5 minutes.\n\n                    STATEMENT OF ANDY OZMENT\n\n    Mr. Ozment. 
Chairman Hurd, Ranking Member Kelly, and
members of the committee, thank you for the opportunity to
appear before you today.
    Recent compromises clearly demonstrate the challenge facing
the Federal Government in protecting our systems and networks
against sophisticated, agile, and persistent threats.
Addressing these threats is an important shared responsibility.
    Today I will focus on how we protect Federal civilian
departments and agencies. It is important to note that each
agency is responsible for managing its own cybersecurity risk
under the Federal Information Security Modernization Act, or
FISMA 2014. My organization assists agencies in performing that
risk management through four lines of effort.
    First, we provide cybersecurity protections where it is
effective and cost efficient. This baseline is principally
provided by two programs. The EINSTEIN program detects and
blocks cyber attacks outside of agency perimeters, and the
Continuous Diagnostics and Mitigation, or CDM program, provides
tools for agencies to identify and prioritize vulnerabilities
within their networks.
    Second, we measure and motivate agencies to implement best
practices through risk assessments and targeted guidance.
    Third, we serve as a hub for cybersecurity information
sharing between the government and the private sector through
automated means whenever possible.
    And fourth, we provide incident response assistance to
agencies.
    The committee is well aware that cybersecurity
vulnerabilities are all too common. My organization serves a
key role in helping agencies resolve significant
vulnerabilities.
    Upon learning of a new vulnerability, our first priority is
to rapidly promulgate actionable information to our partners.
When the vulnerability is particularly critical, we hold an
emergency interagency coordination call.
These calls allow DHS
to quickly convey key information to chief information security
officers across the Federal civilian government.
    Additionally, we share information through secure portals
managed by our National Cybersecurity and Communications
Integration Center, or NCCIC.
    After disseminating information about a significant
vulnerability, DHS at times collects information about
governmentwide remediation progress. This information is used
for two purposes: to understand the prevalence of a particular
vulnerability across government and to drive individual
agencies to more quickly implement required mitigations.
    Currently, this data-collection process is largely manual,
but the CDM program will fundamentally change this paradigm.
Through the CDM program, DHS will provide civilian agencies
with tools to monitor their internal networks. CDM will allow
us to shift from current manual methods of collecting
vulnerability data to automated data collection.
    We have provided CDM Phase 1 tools to 97 percent of the
Federal civilian government. Agencies are now deploying these
Phase 1 tools on their networks. But this is not a simple or
easy process. Deploying new technologies across 23 agencies and
over 2 million users is a significant undertaking. We will see
incremental progress over the next year and expect the first
agency data to be available in early fiscal year 2017.
    It is also important to note what CDM will not do. The
first phase of CDM will detect vulnerabilities in workstations,
servers, network infrastructure, and operating systems in
devices like routers.
But other devices, like printers, will be
identified by these tools, but will not be assessed for
vulnerabilities.
    Perhaps most importantly, CDM relies on individual agencies
to rapidly deploy these sensors across their networks and to
use CDM data to, in fact, address the identified
vulnerabilities.
    Even after learning of a vulnerability, agencies have
varied capabilities to fix the problems. We can also provide
agencies with technical assistance and consultation upon
request. These services help agencies mitigate complex
vulnerabilities and design more secure systems and assets.
    We appreciate the help of Congress in passing several key
statutes for Federal cybersecurity over the past 2 years,
including modernizing FISMA and enacting the Cybersecurity Act
of 2015.
    This year, the fiscal year 2017 President's budget funds
several activities that will significantly enhance our ability
to manage vulnerability detection and mitigation across the
Federal civilian executive branch.
    First, the fiscal year 2017 budget funds a further
acceleration of the CDM program and a new CDM phase focused on
securing high-value data on agency networks.
    Second, the budget provides resources for additional
personnel to help agencies remediate complex vulnerabilities or
to design more secure systems.
    Finally, the budget funds more proactive assessment teams
using the same techniques as malicious hackers, known as red
teams.
    With the help of Congress, we will continue driving towards
additional automation and deploy the resources required to
support expedited remediation. This must be a shared effort.
DHS, our partner agencies, and Congress must join together to
ensure that vulnerabilities are rapidly mitigated before
sensitive information or government services are placed at
risk.
    Thank you.
    [Prepared statement of Mr.
Ozment follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]



    Mr. Hurd. Thank you, Dr. Ozment.
    Mr. Barger, you are recognized for 5 minutes.

                  STATEMENT OF RICHARD BARGER

    Mr. Barger. Chairman Hurd, Ranking Member Kelly, members of
the subcommittee, thank you for the opportunity to appear here
today.
    My name is Rich Barger. I'm the chief intelligence officer
and cofounder of ThreatConnect, a Virginia-based security
company. I lead our research team. It's responsible for
tracking existing and emerging threats, to ensure that our
software platform is uniting security teams, their processes,
and their technologies to bring together a cohesive unity of
effort so that organizations can more efficiently conduct
intelligence-driven security operations.
    ThreatConnect was founded in 2011 and our platform launched
in 2013. Since then, we have seen 40 percent of the Fortune 100
use our platform and amassed over 9,000 global users.
    Today my testimony will focus on fragmentation as the root
cause behind our continuing struggle to detect, respond to, and
mitigate modern threats. The four key areas I will discuss are
people, processes, technologies and community.
    Our customers within both public and private sectors often
express the same problem, but they do so in different ways.
Fragmentation across their security operations is both their
biggest frustration as well as their biggest risk. Whether they
are a global financial services firm, a U.S. energy company, or
a Federal agency, the fissures that exist across people,
processes, and technologies create the very footholds into our
networks that give malicious actors access to our finances,
sensitive personal data, and corporate intellectual property.
    Now, it's important to understand that information security
is heavy work. There is no easy button. There is no silver-
bullet solution.
Today's network defenders face a gargantuan
task of protecting networks that were not originally designed
with security in mind.
    In terms of security teams and practitioners, as we
increase our numbers of individuals and teams required to work
together, organizational agility, transparency, and situational
awareness will often suffer, making us our own worst enemy. Too
often as an organization's domain expertise and institutional
memory is scattered across these diverse teams, share drives
and emails, it is often rendered functionally inaccessible.
    Fragmentation also exists across the executive staff, from
C-suites to boards. There is a communication deficit which
negatively impacts leadership's ability to interpret and
prioritize core challenges and subsequently leads to
ineffective decisionmaking.
    This brings us to process. There is no one-size-fits-all
approach. Enterprises, much like snowflakes, are made of the
same elements but uniquely configured. Different business
objectives drive different business processes and
multidisciplinary security operations reflect a company's
overarching sector, vertical, legal, and regulatory
requirements.
    In a lot of cases the answer to, ``Why do you do it this
way?'' is simply, ``We've always done it this way.'' It's much
easier to advocate for a new tool or more head count.
Optimizing process seems mundane and intelligible by
comparison. But this is the dirty little secret. Developing
coordinated intelligence-driven processes is the linchpin to
identify, protect, and respond to threats in an efficient,
measurable way.
    In terms of technology, security teams worldwide feel that
they spend too much time wrangling their various security
solutions. Instead, they should be delivering that much-needed
breathing room for these overburdened teams.
Instead, these
solutions often consume additional resources, and many are not
designed to be interoperable. Better orchestration of security
systems creates a combined-arms approach that allows the sum of
the parts to yield mutually supporting effects against threats.
    The first three areas, people, processes and technologies,
are internal to the enterprise. The last source of
fragmentation is at the community level, outside the
enterprise. Sharing today centers around atomic indicators of
compromise.
    Now, this is a good start, but we need to do more of it and
we need to also include sharing of the recipes that created the
indicators in the first place. So let's continue to evolve
today's baseline sharing practices to our broader goal of
cross-sector coordination and collaboration.
    In conclusion, the disconnect between expectation and
reality that fragmentation presents is a catalyst which is
elevating the priority of enterprise security within the
corporate structure. This rise must continue, and organizations
must be properly incentivized to look at enterprise security as
a critical business function.
    The security professionals of tomorrow must be educated and
enabled to meet the current demand of security talent, and the
market must drive the need for interoperable security
technologies. The gap between compromise and detection is not
closing, and that is why we are committed to reducing that
thorny reality of fragmentation across both public and private
sector security operations.
    I thank you for your time, and I look forward to any of
your questions.
    [Prepared statement of Mr. Barger follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]



    Mr. Hurd. Thank you, sir.
    And I would like to recognize first, for the first set of
questions, my colleague from the great State of Texas, Mr.
Farenthold. He is recognized for 5 minutes.
    Mr. Farenthold.
Thank you very much.
    I'm going to start with you, Mr. Ozment.
    The FBI for years has been pushing for encryption backdoors
so they can easily access device content. However, security
experts, including Ash Carter and NSA Director Admiral Rogers,
as well as former leaders from the intelligence community, have
all said that encryption is essential to national security,
cybersecurity, and economic security.
    What is your take on the call for back doors? Do you think
that makes us safer or less safe, and why?
    Mr. Ozment. Thank you, sir.
    The administration has highlighted a number of times that
this is a very complicated issue with legitimate and important
perspectives on both sides of the issue. We do have law
enforcement concerns and the need to access data from malicious
adversaries, whether they be terrorists or criminals, to deter
and catch those individuals responsible for malicious actions.
At the same time, from a cybersecurity perspective, we want
more broad and secure encryption and other technologies to be
widely disseminated.
    I would reflect the administration's position here that we
do need a national conversation on this issue, and I think it's
important that Congress has taken this issue up and has focused
on it.
    Mr. Farenthold. All right.
    Mr. Barger, do you have a take on that?
    Mr. Barger. So the encryption issue is a very, very
complicated subject. I would encourage the government to
consider how they should be able to conduct investigations in
striking a balance between privacy and also the need----
    Mr. Farenthold. We see in the case of the San Bernardino
terrorist's iPhone that the FBI hired a hacker to break into,
and they, the FBI, won't tell us how they did it. Haven't they
discovered a cyber vulnerability in iPhones that needs to be
disclosed so it can be patched?
    Mr. Barger.
Well, I don't necessarily know the situation,
the sources and methods which they applied to that, but it
seems that they have found a creative workaround to the
environmental conditions in which they were forced to operate
and have been able to carry their investigation forward.
Whether or not that was used for a specific vulnerability, I
wouldn't know.
    Mr. Farenthold. All right, let's shift a little bit here to
the Cybersecurity Information Sharing Act. And since DHS is
kind of the hub, as you say, for that, what kind of success are
we having on that? Are you tracking how many attacks have been
shared that way and whether companies are actually applying the
information that's being shared there? Do we have some numbers
on any successes or failures there?
    Mr. Ozment, that's clearly in your alley.
    Mr. Ozment. Thank you, Representative.
    So we have, as you know, that Congress passed this act in
December of 2015, and gave DHS some fairly aggressive
deadlines. I'm proud to report that we did meet those deadlines
and the Secretary of Homeland Security formally certified that
the system was live on March 17 of this year.
    We will grow the system incrementally. We are not going to
reach all of the American economy in just a few months. I'm
very happy with our rate of growth to date. We have 14 non-
Federal entities currently connected to our server and 82 who
are in the process of connecting the server who have signed our
terms of use.
    So there's clearly an interest in doing this. It does
require the other participant to build some IT infrastructure
on their side. So it's like we've built a phone system and we
have a phone. They also have to acquire a phone before they can
call us.
    Mr. Farenthold. So you've been up and going a month now. Is
that correct? Roughly a month?
    Mr. Ozment. That's right.
    Mr. Farenthold. So have there been any threats shared?
I
mean, do you have a number?
    Mr. Ozment. We have shared over 2,000 indicators to the
private sector and we have received additional indicators that
the private sector did not allow us to share onward to other
companies but that we did share internally within the Federal
Government.
    It is important to note that an indicator does not equal an
incident. And so a company or government agency can learn about
an indicator from a failed attack just as they can learn from a
successful attack. So these do not all represent incidents.
They represent ``be on the lookout for this bad guy'' activity.
    Mr. Farenthold. And one of the big concerns with the act
was the sharing of personally identifiable information. How
much personally identifiable information are we seeing coming
and going with this?
    Mr. Ozment. We have multiple layers of protection to
protect privacy. First, companies are required to vet what they
share themselves. We have some automated mechanisms to prevent
inappropriate or incorrect information from being shared. And
then there are a few types of information that would require
human review.
    The way that we block in an automated way inappropriate
information from being shared is that we just don't accept it,
so it's not even possible to send it to us. So I can't tell you
how many of those blocks have occurred. I can tell you that our
human review has not identified any inappropriate information,
to my knowledge.
    Mr. Farenthold. I will dive into this a little bit deeper
if we get a second round of questioning. I see my time has
expired.
    Mr. Hurd. Ms. Kelly, you are recognized for 5 minutes.
    Ms. Kelly. Thank you, Mr.
Chair.
    According to its Web site, the United States Computer
Emergency Readiness Team, US-CERT's role is to, and I quote,
``leads efforts to improve the Nation's cybersecurity posture,
coordinate cyber information sharing, and proactively manage
cyber risk to the Nation.''
    Dr. Ozment, can you explain what that means?
    Mr. Ozment. Absolutely. So the US-CERT is a part of the
NCCIC, our National Cybersecurity and Communications
Integration Center. They have three broad roles shared by my
larger organization. First is to promulgate best practices,
help companies and Federal agencies understand what do they
need to do to protect themselves?
    Second, is to share information about what the adversaries
are doing so that those companies and agencies can adapt their
defenses to the changing behavior of our adversaries.
    And third is to respond to incidents. US-CERT will respond
to incidents, whether in the private sector or Federal
Government or State, local, and tribal and territorial
governments. We do that either by going on site, which we try
to minimize because of the expense and overhead of doing it, or
we can help remotely, sometimes just by analyzing the malicious
software that was used in an intrusion, other times by giving
more customized help to the situation.
    We prioritize the victims that come to us for help based
upon our national risk. But we really encourage companies to
reach out to the Federal Government, whether law enforcement or
through us doesn't matter, we will connect it on the back end,
and let us know about incidents so that we can come and help.
    Ms. Kelly. So if a government agency's computer is hacked
and you say that part of your effort is to respond, does that
include forensic analysis? What all does that include when you
respond?
    Mr. Ozment. That's right. It includes--well, let me take a
step back.
Our role is different from law enforcement, and by
analogy, every cyber incident is like an arson in the physical
world. You want to have both the police and the firefighters
responding to the incident.
    Our role is similar to that of the firefighter. We want to
help a victim figure out where is the bad guy on their network,
how do they get him off the network, work together to push that
bad guy off the network, and then improve their defenses so
that they are not just compromised again immediately
thereafter.
    Then we take--well, all throughout that process, we take
what we learn in this one incident and we broadcast it to other
sectors, other companies, other agencies so that everybody can
learn from the incident and make sure that they are themselves
not victimized by the same approach that the adversary used in
this case.
    Ms. Kelly. Okay. Now let's turn to government contractors.
As you know, the biggest cyber intrusions of 2015 involved
government contractors. Anthem is the largest provider of
health insurance to government employees and it was hacked.
KeyPoint is a provider of background investigation services and
it was hacked, leading to the breach of OPM's network. What
role did US-CERT play in the company's responses to those major
cyber attacks?
    Mr. Ozment. I want to be careful not to speak to individual
companies because we keep the confidentiality of our customers,
if you will. But we have responded to attacks at both private
sector companies, contractors, and Federal Government agencies.
Depending on the situation, our role has been to analyze the
malicious software, figure out, how did they break in and what
did they do once they got there? It has been to provide
remediation advice: Here are the types of security measures you
can put in place to ensure that this doesn't happen again.
And
to help them kick the bad guy off their networks.
    In an incident you often find a malicious actor, or you see
traces of them on, say, one computer, and that's how you figure
out that you've been compromised. But if you just kick them off
that one computer, you can't be confident that you fully
removed them from your network. So the first thing you have to
do is look throughout your network, watch the bad guy, stay
silent and watch the bad guy, see who they are talking to and
where else they are on your network. You have to do that for a
period of time so that you can be confident that when you kick
them off you've gotten them entirely off your network, and we
help victims with that as well.
    Ms. Kelly. Okay, thank you.
    Mr. Barger, when talking about the type of information
forensics can provide, could it include information on the
identity of future victims as well as how those victims might
be attacked?
    Mr. Barger. Absolutely. Being able to gather information
about an attacker, how they move, basically their genetic
makeup, their capabilities, their intent, these fingerprints,
essentially, can be telltale traces of how they do what they
do. And to Dr. Ozment's point, you can leverage that intel gain
and loss for everything that they show you. You can harness
that information to then democratize that across your customer
base and better understand who it is, what they're after, why
they're after it, and over time that develops a great picture
when you can get feedback from various other individuals or
organizations that are affected by it to develop a much clearer
information intelligence picture.
    Ms. Kelly. Okay, thank you. Looks like I have run out of
time.
    Mr. Hurd. The distinguished gentleman from North Carolina,
Mr. Walker, is recognized for 5 minutes.
    Mr. Walker. Thank you, Mr.
Chairman.
    Thank you, panel, for being here today.
    Jumping right into questions for Dr. Ozment here, what
participation rates have you seen from the private sector? Can
you speak to that just for a moment?
    Mr. Ozment. Yes. We have, as you would expect, varying
participation based on both the sector and also the program
that we're talking about. We have a very wide uptake of the
bulletins and advisories that we send out advising companies
about security risks and mitigations. We have something like
100,000 individuals signed up to receive those. And these tend
to be the security individuals operating within a company.
    Mr. Walker. Right. What engagement have you seen from the
Federal sector?
    Mr. Ozment. Federal sector, we also have pretty universal
participation in our programs. And it is worth highlighting
that as of about a year ago Federal departments and agencies
are required to report incidents to US-CERT, part of my
organization.
    Mr. Walker. Sure.
    Mr. Bhagowalia, is that correct?
    Mr. Bhagowalia. Yes, sir.
    Mr. Walker. All right. How effective has the Department of
Homeland Security been in notifying your agency or notifying
other government agencies?
    Mr. Bhagowalia. I think they have been very effective and
things are improving. As you know, the threats have been coming
at us in increasing frequency over time. Obviously, as the
threats keep on coming at us, we work together with them, but
we also work with other intelligence community agencies.
Together, it's a community basically working together to make
sure we are improving.
    Mr. Walker. Thank you.
    Mr. Barger, kind of the same question. How effective has
DHS been in notifying the private entities?
    Mr. Barger. I can't think of, like, one security company
that probably doesn't leverage the information that DHS puts
out, whether it be on specific vulnerabilities or active
threats.
In many cases, that information serves as a seed in
which we leverage and then continue to leverage private sector
sources and methods to gain a better understanding of what we--
--
    Mr. Walker. The world of cybersecurity is fairly new for
all of us in the last decade or so. And to use your analogy,
Dr. Ozment, you were talking about an arson situation where you
guys are the firefighters. But also, you guys are kind of the
end all, kind of the central authority when it comes to all of
this.
    Can you speak a little bit, because I'm concerned that if
you're going to be the central authority in this, I do believe,
to go back to your analogy, that it's not just the
firefighter's part, the investigation part, but what role do
you have in the policing of it as well? Because I don't want
there to be any gaps here, because I do feel like you have a
role to maybe funnel information to both segments. Would you
mind taking a minute to speak to that?
    Mr. Ozment. Absolutely. This is a team sport, both in the
private sector and in government, and so we do partner very
closely with Federal law enforcement agencies, particularly the
FBI, the Secret Service, and Homeland Security investigators.
Those agencies do prosecute cybercrimes and are very aggressive
in reaching out to victims to help them figure out who did this
and ideally prosecute the perpetrator.
    And we often--we find out about incidents and with the
permission of the victim we share that with law enforcement.
They do the same. And so we may not find out directly from a
victim. We may find out because the victim talked to law
enforcement who then told us.
    Mr. Walker. The larger point is, we want to make sure that
we are getting this right since this is relatively new, and
your role with the law as the law says, CISA says, you guys are
the central authority in this.
So it's very important that the
communication is exactly where and what it needs to be and to
whom this information needs to go to.
    You know, we don't want this to be the IRS or the EPA where
there's decades of dysfunction. We have a chance at the ground
level to make sure that the proper channels of communication to
all the various departments or players in this is very
important. I guess that's why I'm emphasizing this.
    I have got one more thing before I yield back. This could
be to Mr. Taylor. Mr. Bhagowalia may want to respond as well.
    Modern cybersecurity best practices require a much
different approach to information security than the Federal
Government has done before, as we talked about this as being
brand new. Placing a premium on information sharing, continuous
network monitoring, and ensuring continuity of operation plans,
these, I guess, plans are in place when a breach or degradation
does occur.
    So here's the question, okay? How are your departments
modernizing to keep pace with these best practices and shifts
in approach?
    Mr. Barger, would you address that?
    Mr. Barger. In terms of the----
    Mr. Walker. Best practices shift in approach when it comes
to this information.
    Mr. Barger. The best practices in terms of vulnerability
management where sharing?
    Mr. Walker. Sharing information, yes, networking.
    Mr. Barger. So communities have different looks and feels,
different participants, different requirements, and so being
able to understand who your audience is, what their needs and
their requirements are, helps foment more user growth, user
engagement and participation in that community. So not a one-
size-fits-all approach in that regard.
    Mr. Walker. Well, my time has expired, so I will yield back
to the chairman. Thank you.
    Mr. Hurd. I would like to recognize the gentleman from
California, Mr. Lieu, for his 5 minutes of questions.
    Mr. Lieu.
Thank you, Mr. Chair.
    Mr. Ozment, are you familiar with this document
commissioned by the administration called ``Liberty and
Security in a Changing World'' in 2013? It's a report and
recommendations of the President's Review Group on Intelligence
and Communications Technologies?
    Mr. Ozment. I am familiar with it, sir, yes.
    Mr. Lieu. And I'm going to read to you recommendation 29,
which says, ``We recommend that, regarding encryption, the U.S.
Government should fully support and not undermine efforts to
create encryption standards; not in any way subvert, undermine,
weaken, or make vulnerable generally available commercial
software; and increase the use of encryption and urge U.S.
companies to do so in order to better protect data in transit,
at rest, in the cloud, and in other storage.''
    Do you agree with that recommendation?
    Mr. Ozment. Sir, the issue of encryption is a really
challenging one. And as administration officials have
highlighted a number of times, we have to weigh the balances of
our law enforcement and counterterrorism needs with our desire
and need to improve cybersecurity across the private sector and
government. So we are calling for a national conversation on
this topic so that we can plot a way forward together
essentially.
    Mr. Lieu. So do you agree or disagree with recommendation
29?
    Mr. Ozment. I think it is more complicated than one can
simply agree or disagree to. I think we do--it is a decision--
--
    Mr. Lieu. Let's be pretty specific. Do you believe that the
U.S. Government should not in any way subvert, undermine,
weaken, or make vulnerable generally available commercial
software? Do you disagree with that?
    Mr. Ozment. So, sir, I think in the--there's a lens here that
any attempt--there are some people who perceive that any
attempt to have court-ordered access to devices would be viewed
as weakening software.
If that's what you're referring to,
that's really where I do think we need to have a national
conversation to figure out what are our goals as a Nation.
    Mr. Lieu. I'm going to, with the permission of the chair,
enter this document into the record. I just note that this
document was really written from the angle of U.S. national
security, and I think the proper frame for this debate is there
is apparently some disagreement within the administration
between law enforcement and U.S. national security. And my own
view is we should not sacrifice U.S. national security, nor our
economy, so that some law enforcement investigations can be
made easier.
    Now, let me ask you another question. Are you familiar with
Signalling System No. 7 in a cell phone network, also known as
SS7, and the flaws associated with it?
    Mr. Ozment. Yes.
    Mr. Lieu. And as you may know, hackers of foreign
governments that can exploit SS7 can listen to phone
conversations of cell phones as well as acquire text messages
in real time. Do you agree with that?
    Mr. Ozment. There are vulnerabilities that allow those
accesses. Yes, sir.
    Mr. Lieu. Do you have a recommendation how to fix that?
    Mr. Ozment. These vulnerabilities were really first
publicly highlighted in 2014. I think it's important to note
that they are design vulnerabilities. So essentially, as the
system is designed, you cannot fix it, per se. What you can do
is carriers can monitor their networks for suspicious activity
and then block that suspicious activity.
    When these vulnerabilities were disclosed, we reached out
immediately to the carriers. We are not a regulator. We do work
with the carriers through a voluntary partnership.
The carriers \nhave assured us that they are taking this seriously and are \nlooking for malicious activity.\n    But, frankly, I do share your very deep concern about this \nand I was concerned by the fact that the hackers you \ncollaborated with on ``60 Minutes'' were so readily able to \nexploit that network. And so we are using this opportunity, \nfrankly, to reach back out to the carriers and really push them \nto highlight progress.\n    Mr. Lieu. Thank you. Would you agree that if a person using \na cellphone had end-to-end encryption for the text messages or \nend-to-end encryption for their voice data, that that would \nmitigate this problem?\n    Mr. Ozment. It would mitigate some aspects of this problem. \nIf that were implemented, the other aspects, such as the \nability to track location, would not be impacted.\n    Mr. Lieu. Got it. Thank you.\n    I forget, Mr. Chairman, if I requested to enter this into \nthe record? Did I ask that? Maybe I did.\n    Mr. Hurd. Without objection.\n    Mr. Lieu. Okay. Thank you. And with that, I yield back.\n    Mr. Hurd. Dr. Ozment, how long have you been at DHS?\n    Mr. Ozment. I have been at DHS for approximately 2 years \nnow.\n    Mr. Hurd. Well, I would like to thank you for your service. \nI know the job that you have is difficult, and I think you have \nhad an exemplary time at DHS, and I'm looking forward to \ncontinuing to working with you in the next few months.\n    My question, I would like to drill down on the Juniper \nbreach. The ScreenOS, there were several versions that were \nhacked, 6.30 version 17 through version 20. Were any of the \nversions that were vulnerable to the breach, were they \nsupported by Juniper? Were security patches supported by \nJuniper, are you aware?\n    Mr. Ozment. I'm not entirely sure. I believe that at least \na number of those were out of service and no longer supported, \ncertainly not all of them.\n    Mr. Hurd. 
So when something is out of service, that means \nthe vendor does not provide patch updates, or this is saying, \n``Hey, you are operating on your own. We are not responsible \nfor keeping this up to speed.'' Is that correct?\n    Mr. Ozment. That's correct.\n    Mr. Hurd. Mr. Bhagowalia, my question for you. Fifty-seven \ndevices had the Juniper vulnerability. Is that correct?\n    Mr. Bhagowalia. Yes, sir, they were affected by the release \nversions in question in the ScreenOS, yes.\n    Mr. Hurd. And do you agree that the vulnerable versions of \nthe ScreenOS software that is provided by Juniper is not \nsupported by a vendor, the security updates were not supported \nby the vendor?\n    Mr. Bhagowalia. We didn't know about whether it is \nsupported by the vendor, but we, obviously, the moment we got \nthe information----\n    Mr. Hurd. No, no, look, I'm not questioning about the--we \ncan talk about the four devices that you thought were low \nvulnerability. My question is, why were you using versions of \nJuniper software ScreenOS that was no longer supported by the \nvendor? And if I'm not mistaken, please correct me if I'm \nwrong, the vendor stopped supporting that software in 2014, \n2013, 2014. Why was the Department of Treasury still using \nsoftware that wasn't being supported by the vendor?\n    Mr. Bhagowalia. I would have to get back to you on the \nexact details as to how many of those devices were late on that \nversion that was not supported with 2014. We, obviously, work \ncontinuously with not only DHS, but with the vendor itself----\n    Mr. Hurd. Well, but DHS doesn't have anything to do with \nsupporting----\n    Mr. Bhagowalia. Yes, sir.\n    Mr. Hurd. --patching for a software.\n    Mr. Bhagowalia. No, it doesn't, but we are sharing----\n    Mr. Hurd. And the vendor has made it very clear that they \nare not going to continue to support that software. So what are \nyou working with the vendor on?\n    Mr. Bhagowalia. 
The vendor usually works with us to kind of \nfigure out if there are any challenges with particular versions \nof software and so on and so forth. We have not looked at it or \nbeen advised of any particular devices there that were behind. \nBut nevertheless the point is, we should, obviously, be----\n    Mr. Hurd. You are the CIO for Treasury, correct?\n    Mr. Bhagowalia. Yes, sir, I am.\n    Mr. Hurd. How much software are you using in the Department \nof Treasury that is not supported by a vendor?\n    Mr. Bhagowalia. We keep tabs on a lot of the legacy \nversions, that is----\n    Mr. Hurd. Do you have a number? How many systems are you \nrunning----\n    Mr. Bhagowalia. We have 329 systems, sir, overall in \nTreasury.\n    Mr. Hurd. Okay. And how many of the 329 systems that you \nare running are systems provided by a vendor that is no longer \nsupporting that version of the software that you're using?\n    Mr. Bhagowalia. It's a small percentage. I'll have to get \nback the exact number.\n    Mr. Hurd. Please get back with a specific number.\n    Mr. Bhagowalia. Yes, sir, I will. Yes, sir.\n    Mr. Hurd. Threat mitigation--threat assessment--or damage \nassessment is probably the most accurate number--of the 54 \nsystems that were using the Juniper's software ScreenOS, what \ndid the hackers, attackers, have you done a damage assessment \non what was possibly stolen?\n    Mr. Bhagowalia. Yes, we've obviously looked at the devices, \nand which there were two versions. Obviously, one had the \nadministrative access and one had the VPN. We looked at both of \nthose devices and seen whether there was anything going on in \nthose devices themselves. We looked at the risk analysis of \nthat. We also, obviously, made sure that those devices did not \nhave any lateral movement and other things like that.\n    We're doing more in this area. 
We're putting some other \ncountermeasures just to double-check, for example, using third \nparties to see if there's anything else going on in there.\n    Mr. Hurd. So you identified 17 of the 56 systems as high \nthreat? Is that correct? Fourteen?\n    Mr. Bhagowalia. No, sir, 40 of the devices, out of an \noverabundance of caution, we put at high risk. Only 4 out of \nthe 57 were really connected facing the Internet. The rest were \ninternal facing.\n    Mr. Hurd. Of those four that were facing the Internet, what \nkind of systems--what kind of information was traversing those \nsystems?\n    Mr. Bhagowalia. So one was--it was like, for example, it \nwas on an isolated Internet connection at one of the locations, \nlike Mint. Another location----\n    Mr. Hurd. Right. So the Mint, like where we make money?\n    Mr. Bhagowalia. Yes, sir, but it was not connected to the \ncorporate LAN. It was sitting outside in a public-facing sort \nof Internet.\n    Mr. Hurd. But it's still connected to the Internet, right? \nSo are you implying that that's not a significant \nvulnerability?\n    Mr. Bhagowalia. No, sir, we don't. We take cybersecurity \nvery seriously.\n    Mr. Hurd. So in your damage assessment, who did you think \npotentially took this information?\n    Mr. Bhagowalia. Well, there was no information that we are \naware of that has been taken, and we have looked at it very \ncarefully. We, obviously are obviously concerned if there's \nanything that's an external attempt. But there were multiple \nlayers of security in terms of what we were watching. And out \nof the version that we had, nothing was taken.\n    Mr. Hurd. So you don't think anything was taken. But based \non this vulnerability, you don't have to exfil data, right? If \nyou're able to read--if you're able to decrypt encrypted \ninformation, then if you're capturing that encrypted network, \nthe encrypted traffic traversing the network, you don't have to \nexfil it. 
So how would you know if something was taken or not?\n    Mr. Bhagowalia. So, for example, the four devices that are \nin question, they do not participate in the VPN connection at \nall. So there's no risk to that. So even if that was taken out, \nthere was no issue there.\n    They are connected between three levels of firewalls, in \naddition to what's already at Juniper. They are configured in \nsuch a way without giving the configuration away. Since admins \nhave special access to that, we were pretty confident, and we \ndid a detailed risk analysis, and that's why we took a little \nbit of time to kind of, to your question, to really look into \ndetail and make sure there's nothing going on.\n    We absolutely appreciate a concern. We've also read your \narticle, and we also know that this vulnerability was quite \nserious. We looked at it, and there was nothing that we can \nsee. But we're also going further and making sure that we're \nbringing in other experts. And so far one of the vendors--one \nof the vendors who was going to be briefing today, Mandiant, we \nthink is very, very good, is one of the other folks, and \namongst others, that we're looking at bringing in.\n    Mr. Hurd. Well, my time has expired, but there will \ndefinitely be several more rounds of question.\n    I would like now to recognize the gentleman from Virginia, \nMr. Connolly, for 5 minutes.\n    Mr. Connolly. Thank you, Mr. Chairman, on what is, I think, \none of the most important topics we can be addressing here in \nCongress with respect to our future.\n    Mr. Taylor, can you explain what the Consular Consolidated \nDatabase is, briefly?\n    Mr. Taylor. Thank you for the question, sir. Briefly----\n    Mr. Connolly. Well, because I've only got 5 minutes.\n    Mr. Taylor. I appreciate that, sir.\n    The Consular Consolidated Database is a number of \ndatabases, actually. I think the total is around 18. 
It handles \nvarious activities, such as visa issuance, passport issuance, \nand that sort of thing. It manages our consular workload.\n    Mr. Connolly. So hundreds of millions of records?\n    Mr. Taylor. Hundreds of millions of records, sir.\n    Mr. Connolly. Hundreds of millions of records. Would you \nagree, Mr. Taylor, that makes it a juicy cyber target?\n    Mr. Taylor. We've identified it certainly as a target and \nas a critical system for the Department.\n    Mr. Connolly. And on March 31 of this year there was a \nreport that an internal review revealed lots of vulnerabilities \nin the CCD? Is that correct? There was an ABC News report that \nsaid you did.\n    Mr. Taylor. Right. The ABC News report was referring to, \nsir, the process that we go through for all our significant \nsystems, which is penetration testing and a host of other types \nof tests that we run against our system on a regular basis. So \nthrough that process, yes, in fact, we identified \nvulnerabilities. That's the point and purpose of the \npenetration testing. And we're well on our way to reconciling \nthose and remediating it.\n    Mr. Connolly. In response to the ABC story, the Department \nofficially sort of took issue with those reports on the \nseverity of the vulnerability and referred to it, the \nvulnerability of the CCD, as in the lowest threat category.\n    Can you put that in perspective? I mean, how many \ncategories are there at the State Department in terms of \nthreat, cyber threat?\n    Mr. Taylor. If I could, sir, I'd rather try to answer the \nquestion through the way we look at risk mitigation, and that's \nto look at the probability as well as the potential damage \nassociated with the threat.\n    The probability was very low, but, obviously, clearly, \ngiven the type of private information that's available on that \nsystem and the quantity, even with a low risk, we take that \nvery, very seriously. 
In fact, I mean, we meet on this on a \nweekly basis with the under secretary and with the deputy \nsecretary and with the senior leadership in Consular Affairs to \ntrack the progress against our remediation efforts.\n    Mr. Connolly. Okay. Well, the reason I think it's important \nis because one of the concerns I've got with respect to cyber \nthroughout the Federal Government is you look for--if I were a \nhacker or up to no good, I'd look to low-hanging, vulnerable \nfruit. And we, this committee, this subcommittee, has found \nlots of that in what might look ostensibly like an attractive \ntarget, Department of Education. Huge database, lots of \ninformation in it, and potentially ripe for the picking. Which \nis why we think implementation of FITARA is so important and \nbecause we've got to sharpen up our ability and make wise \ninvestments and so forth.\n    Let me ask you while I've got you, Mr. Taylor, I've just \ngotten back from China, and on this particular trip there were \nprobably 20 Members of Congress, Senators and House Members, \nRepublicans and Democrats.\n    I mean, everybody was told when we got there, you do \nunderstand that any device you bring will be compromised, \nperiod. Is it routine for the Department of State to provide \ncounsel to Members of Congress when they're traveling to places \nthat have a known reputation with respect to cyber?\n    Mr. Taylor. Thank you, sir, for the question.\n    I understand the question, but to be honest, it's a little \noutside of my wheelhouse. I'm not sure if those briefings take \nplace. I would expect that Congress would receive those \nbriefings either through our Diplomatic Security or another \nentity in State. It really isn't within the purview of the CIO \nresponsibilities to do that.\n    Mr. Connolly. I mean, you work for the State Department.\n    Mr. Taylor. I do, sir.\n    Mr. Connolly. Yeah. Well, maybe you can take it back with \nsomebody whose purview it is.\n    Mr. Taylor. 
Yes.\n    Mr. Connolly. But it just worries me that a whole branch of \ngovernment is unwittingly putting itself at risk. And remember \nI've got messages here from the State Department, from the \nWhite House, from lots of other Federal agencies, all of which, \nif I bring this to Beijing, is going to be compromised.\n    Mr. Taylor. Yes, sir.\n    Mr. Connolly. And it just seems to me a prudent measure for \nthe executive branch to--if it isn't--to be more proactive in \nnot only discouraging, but strongly providing guidance, quite \nexplicit guidance, to Members of Congress, rather than having \nit be on our own. I mean, what could go wrong with 535 \nindividuals and their spouses traveling hither and yon with \ndevices that are official that could be compromised?\n    Mr. Taylor. Yes, sir.\n    Mr. Connolly. It might be outside your purview, Mr. Taylor, \nbut we both work for the U.S. Government and are concerned \nabout U.S. security, and we're talking about cyber, and this is \na big issue I think in your wheelhouse. So I would appreciate \nyour cooperation in going back to whoever's purview it is in \nthe Department and maybe beefing up our protective preemptive \nmeasures.\n    Mr. Taylor. Yes, sir. I understand the question, and I will \ncertainly take that back.\n    Mr. Connolly. Thank you.\n    Thank you, Mr. Chairman.\n    Mr. Hurd. Thank you.\n    Now I'd like to recognize Mr. Blum for 5 minutes.\n    Mr. Blum. Thank you, Chairman Hurd.\n    And I'd like to thank the panelists for appearing here \ntoday to talk about this most important issue.\n    Mr. Barger, in your testimony you state that information is \nless a technical issue and more of a cultural issue. To me, \nthis gets at the very importance of building trusting \nrelationships. I'm from the private sector and trust is so \nimportant. 
Without trust, it's hard to run an effective \nbusiness, trust between employer and employee, trust between \nthe company and its vendors, trust between the company and its \ncustomers. Trust to me is ultra-important. And it gets to the \nimportance of your statement of building trusting relationships \nbetween parties to ensure effective information-sharing \npractices.\n    In your opinion, is there a trust deficiency between the \nprivate sector and the public sector when it comes to the \nsharing of threat intelligence?\n    Mr. Barger. In terms of efficiencies, I believe sharing in \ngeneral within public sector as well as within the private \nsector is still somewhat new, and everyone's feeling around the \nedges to figure out how to best approach it. I think the \nInformation Sharing Act of 2015 kind of helped break the ice \nand give folks a renewed interest and focus in that area.\n    In terms of private sector sharing, we find organizations \nare still challenged internally with communicating effectively, \nlet alone some of the more advanced moves of sharing across \nparties or Bank A sharing with Bank B. But there's interest to \nget there.\n    I think DHS and some of their initiatives are good starting \npoints where there's a centralized area where folks can go. The \nprivate sector has a thirst for information, and so as much \ninformation you can send our way is always appreciated.\n    Mr. Blum. There is a willingness in the private sector, I \nagree, and I hear that time and time again. Is there something \nthe government, the public sector, can be doing to help \nfacilitate this? Because there is that willingness, I agree \nwith you.\n    Mr. Barger. I think timeliness of reporting can help. I \nthink there's optics and perceptions as to how much value \ninformation is coming out of the government in terms of the \nflash to bang. 
There's many cases where the private sector will \nbe a little--a few steps ahead of the government in terms of \nsharing some information, and then several weeks or months \nlater you'll get an FBI flash bulletin or a DHS report which \nechoes some of the same details you already know.\n    However, there's also instances where, like I pointed out \nearlier, where the information that may come out of DHS or FBI \nwill serve as a feed or will shore up a loose end that the \nprivate sector may have not have necessarily figured out or \nunderstand fully, but that then fills in some of the blanks.\n    Mr. Blum. I hear from the private sector also sometimes the \ngovernment is viewed as a black hole. And they deploy a fair \nnumber of assets, time, people's talent, to obtain information, \nshare it with the government, and never hear back, never hear \nback. And that to them is a problem, and I'd say it probably is \na problem. You know, was the problem resolved? Was it helpful \nor not? They just want to hear back.\n    Any ideas there on what we can do to have a two-way \ncommunication street here versus, ``Give me, give me, give me, \nand, hey, don't ask what happened with it''?\n    Mr. Barger. Correct. I am part of that group of folks who \nshared information into the black hole, if you will, and have \nwondered, was this effective, do you need more? But what \nhappens is over time, when you don't hear back, you just say, \nreally, what's the point of me continuing this if I don't \nreally see the value?\n    Mr. Blum. Exactly. Exactly.\n    Mr. Barger. So having a thumbs-up or a thumbs-down or quick \n``got it'' is always helpful and I think lends to what you're \ntalking about is improving that sharing relationship and that \ntrust.\n    Mr. Blum. Very good.\n    I'll yield back the balance of my time, Mr. Chairman.\n    Mr. Hurd. I'd like to recognize Mr. Lieu for another round \nof questions.\n    Mr. Lieu. Thank you, Mr. Chair.\n    Question for Mr. 
Barger, sir. Are you familiar with the SS7 \nflaw?\n    Mr. Barger. I am not.\n    Mr. Lieu. Okay. That's fine. I will now go to Mr. Ozment.\n    In February of this year, The New York Times published an \narticle quoting Defense Secretary Ash Carter, and he is quoted \nin there regarding back doors as saying the following: ``Just \nto cut to the chase, I'm not a believer in back doors or a \nsingle technical approach. I don't think it's realistic.'' Do \nyou agree with his statement?\n    Mr. Ozment. I think part of the challenge here is an \nargument about what constitutes a back door or not. You know, I \nthink what I have heard from law enforcement agencies is that \nthey hope for a solution that allows them court-ordered access \nwithout introducing vulnerabilities. I think if you are to \nenter----\n    Mr. Lieu. Let me just stop you there.\n    Do you believe it's technologically possible to put in a \nback door only for the good guys?\n    Mr. Ozment. I think there are solutions that add--that make \nthat possible.\n    Mr. Lieu. Just give me one.\n    Mr. Ozment. However, to get to our point, I think any time \nyou add a solution, you add complexity. And every time you add \ncomplexity, you increase the risk of compromise.\n    Mr. Lieu. Thank you.\n    Do you know how many smartphones were lost or stolen in the \nU.S., let's say, in 2013?\n    Mr. Ozment. I do not.\n    Mr. Lieu. Okay. According to an article in the LA Times, \nabout 4.5 million smartphones were lost or stolen.\n    If hackers could hack into a smartphone, they could access \nall sorts of data on Americans. Wouldn't you agree that it \nwould be important that if government finds a flaw in \nsmartphone encryption that they let the manufacturer know about \nit so we can protect American consumers if their cell phones \nare lost or stolen?\n    Mr. Ozment. There is a process for deciding whether or not \nto disclose vulnerabilities that the government finds. 
My \norganization's role in this process is to advocate for the \nbroad sharing of vulnerabilities, because that does increase \nthe cybersecurity of our Nation.\n    There are other perspectives that have to be viewed in that \nprocess, law enforcement intelligence perspectives, but the \nadministration has gone on record to highlight that the \nprocess, the strong default, is to share information to \nincrease the security of devices and systems.\n    Mr. Lieu. So through this process the way the FBI was able \nto hack the recent iPhone in the San Bernardino case, that may \nbe released to Apple at some point. Am I understanding that \ncorrectly?\n    Mr. Ozment. If the FBI did, in fact, use a vulnerability it \nwould go through this process and could potentially result in a \nrelease. But I don't know of the specifics of this, whether or \nnot the FBI used a vulnerability in this case, so I would have \nto defer to the FBI on that.\n    Mr. Lieu. Thank you.\n    Before I forget, Mr. Chair, could I enter into the record \nthis article, ``4.5 million smartphones were lost or stolen in \nthe U.S. in 2013,'' from the Los Angeles Times?\n    Mr. Hurd. Without objection.\n    Mr. Lieu. Thank you.\n    Mr. Barger, let me ask you a similar question. Do you agree \nwith Defense Secretary Ash Carter's statement that we should \nnot have back doors in encryption?\n    Mr. Barger. I think that, again, introduces a very complex \nconversation. I think that we need strong encryption. As a \nmember of industry, I would be very concerned and challenged, I \nguess, with any sort of approach by the government to weaken \nanything or weaken security or encryption of any sort of \nproduct or solution that we delivered. So I would say no.\n    Mr. Lieu. Thank you.\n    And with that, I yield back.\n    Mr. Hurd. Mr. Farenthold from Texas is recognized for 5 \nminutes.\n    Mr. Farenthold. 
Thank you very much.\n    I would like to follow up on a line of questioning the \nchairman had about legacy systems. We talked about some of the \nlegacy and unsupported systems in the IRS. We've had hearings \nwhere various government agencies are still running pre-Windows \n98 or Windows 98, again, not supported by Microsoft, the \nsecurity patches are not coming up.\n    Dr. Ozment, do you have any idea the scope of this problem?\n    Mr. Ozment. I think this is a major problem for the Federal \nGovernment. It's something that is concerning to me.\n    I'll tell you that we do scan agencies externally, so the \nsystems they have connected to the Internet, and we look for \ncritical vulnerabilities. We do consider an unsupported device \nto be a critical vulnerability.\n    And some of our most challenging discoveries in that \nprocess are unsupported devices, particularly at smaller \ndepartments and agencies who may lack the resources or the \nexpertise to upgrade these very legacy systems. I think this is \na major risk for the government. And I do believe that any \napproach that we can take to upgrading and replacing legacy \nsystems is a good approach.\n    Mr. Farenthold. And the National Institute of Standards \npublication 800-40 lays out guidance for agencies on enterprise \npatch management and states that it would be, quote, ``ideal'' \nto deploy patches immediately so as to minimize the timeframe \nsystems that are vulnerable. You know, obviously, immediately \nisn't possible. We've got a couple--we've got the State \nDepartment and Treasury Department here. How good are you guys \nat getting this out? I mean, what is immediately for you? A \nsecurity patch comes out, how long does it take you to get it \nout, Mr. Taylor?\n    Mr. Taylor. So our security patches, we look at it two \nways, critical threat patches and typical required patches. 
So \nfor our critical patches--we begin immediately, I want to be \nclear about that--we have a 3-day timeline to deploy a patch \nworldwide, to all locations worldwide. We meet that with \napproximately 98 percent success rate.\n    Mr. Farenthold. And how are you all doing at Treasury?\n    Mr. Bhagowalia. We obviously take the most critical patches \nfirst, sir, and we move on it. And as you saw in my testimony, \nwe fix those in 5 days, 6 days. For the rest of the enterprise, \nwe work with the bureaus to make sure those critical patches go \nfirst. As far as the medium and low patches, they take a little \nbit more time. And we also are, obviously, looking at \noperational risk, making sure those systems are a continuing \nmission. And then we schedule that, and then the report, the \nbureau CIO's report, back to us.\n    So the answer is it's ongoing. As to exact numbers, I can \nget back to you and give you the exact numbers.\n    Mr. Farenthold. All right.\n    And, Dr. Ozment, in May of 2015, it's my understanding that \nthe Secretary issued a binding operational directive requiring \nall agencies to mitigate critical vulnerabilities on their \nInternet-facing devices within 30 days. That seems like an \nawful long time to me, but before I go criticizing how long it \nis, how much success do we have getting them done in 30 days?\n    Mr. Ozment. I would agree with you that it is a somewhat \ngenerous amount of time. I would highlight that, to the points \nthat my colleagues have made, the criticality of the patch and \nthe type of system will dictate timing. There are systems that \nare more complicated than your normal desktop operating system \nthat do take additional time. And since we were doing a one-\nsize-fits-all policy, we had to be somewhat generous.\n    Even with that somewhat generous timeframe, when we \nstarted, when we released this directive, there were over 360 \nInternet-facing systems with critical vulnerabilities in them. 
\nI view that as the backlog, what we started with, because of \ncourse new vulnerabilities are discovered all the time.\n    We reduced that backlog, not as rapidly as I would like for \nthe government to have reduced it, but we are now down--we \nhave, obviously, eliminated that backlog. Even right now we \nhave 39 vulnerabilities across the government that are critical \nbut have been unpatched for more than 30 days. There is good \nnews in that, which is when we started we were over 360, and, \nclearly, not enough attention was being paid on it.\n    Mr. Farenthold. I mean, are these some obscure operating \nsystem or ultracomplicated software or are we just not running \nWindows update?\n    Mr. Ozment. The majority of these are now legacy systems at \nsmall agencies that are struggling to manage their IT and to \nfind the budget to replace these legacy systems. These have \nbeen the toughest nuts for us to crack.\n    Mr. Farenthold. All right. I am loath to ask what you \nthink Congress could do to help with that, because I suspect \nthe answer will be: Give us more money. But is there something \nbesides give us more money that we can do in Congress? And then \nI'll yield back after your answer.\n    Mr. Ozment. You know, I would like to highlight that \nCongress has been incredibly helpful to date. The recent \nlegislation passed in both 2014 and 2015 has been very \nimportant. This type of attention is very important.\n    I do think that one of the challenges that agencies \nconsistently have is when you replace a legacy system, you \noften have to operate that system for a period of time even as \nyou're paying to build the new system. 
So you do functionally \nneed to pay for two things at once for a period of time.\n    The IT modernization bill sponsored in part by \nRepresentative Kelly, the ranking member, would really assist \nwith that, because it would essentially give you that fund to \ntemporarily support the building of a second system even as you \noperate the original, older system.\n    Mr. Farenthold. Thank you.\n    I yield back.\n    Mr. Hurd. The ranking member from Illinois is recognized \nfor 5 more minutes.\n    Ms. Kelly. Thank you.\n    Mr. Bhagowalia----\n    Mr. Bhagowalia. Yes. Yes, ma'am.\n    Ms. Kelly. --Mr. Taylor, this question is for both of you. \nAs the people with ultimate responsibility for the security of \nyour agencies' computer networks, I imagine that you would \nwelcome any information that would help you with cyber defense. \nIf a company that plays a critical role in your agencies' \nmission was hacked, would knowing how that hack happened help \nyou to do your job?\n    Mr. Bhagowalia. Yes. We work with a lot of vendors, and we, \nobviously, work very closely with them. I believe the cyber \nclimate, the way things are in the prevailing world, we work \ntogether as a team and we look out for each other. We are all \nin the boat together. And that's the way we want to manage \nthis.\n    We share information also across not only the government, \nnot only with DHS, but with the law enforcement and the \nintelligence community. I myself came from the law enforcement \nintelligence community. And I can tell you that--and I have \ncome from industry--we are in a different world now, and the \nadversary is growing in sophistication, volume, brazenness, and \nimpact and frequency.\n    So if that's the case, the only way we can do this together \nis to work together and make this thing happen. So absolutely, \nma'am.\n    Ms. Kelly. Mr. Taylor.\n    Mr. Taylor. Thank you for the question.\n    Partnership is the basis of our cyber defense. 
We learned \nthat in 2014 when we had our challenges with our unclassified \nemail. We reached out to DHS. We reached out to NSA. We get \nwonderful support from the FBI. We support and established a \njoint operations center for cyber. So we have folks from \ninteragency there sitting with us 24/7, 7 days a week, 365 days \na year.\n    We receive threat and mitigation information from just a \nhost of partners. It would not be possible for the Department \nof State or any other agency to successfully defend our systems \nwithout support, without continuing information, both threat \ninformation and mitigation information, private sector and \npublic. We recognize that. As I said, that's a keystone for us.\n    Ms. Kelly. What means do you have--and this is for both of \nyou--to learn about the details about a hack of one of your \ncontractors? How do you learn about that?\n    Mr. Bhagowalia. We work very, very closely, first of all, \nwith our vendors in terms of our governance, that they have to \ntell us what's going on, and I think in that regard, we watch \nthat. We monitor classified and unclassified channels, \nincluding vendor community, from our security operations center \nthat looks for that. We work with the US-CERT, NCCIC, and DHS, \nwho gives information to us. We work on the Federal CIO Council \nwhere we are all sharing information as a sort of a network of \nCIOs and also CISOs.\n    We also work within our folks and our staff who have sort \nof an organic network. And I don't want to underplay the \nimportance of that organic network that's looking and looking \nout. So I think we're doing a pretty good job there.\n    Ms. Kelly. And, Mr. Taylor, you would agree with----\n    Mr. Taylor. Absolutely. We actively maintain our \nrelationship with our vendors. I travel regularly, we meet with \nthem regularly.\n    Ms. Kelly. Okay. Thank you.\n    Mr. Ozment, just two quick yes or noes. 
Are government \ncontractors required to share detailed forensic analysis about \nattempted or successful cyber attacks, yes or no?\n    Mr. Ozment. Not in general. There may be some specific \ncontracts where that's required.\n    Ms. Kelly. Okay. Are government contractors required to \nnotify the FBI if they are the victims of a successful cyber \nattack? Yes or no?\n    Mr. Ozment. Again, not in general. There may be specific \ncontracts.\n    Ms. Kelly. Are there examples where US-CERT has offered its \nservices to government contractors who were hacked and the \ncompany declined the offer?\n    Mr. Ozment. Not to my knowledge. I don't believe so.\n    Ms. Kelly. Okay. All right then.\n    Thank you. And I yield back.\n    Mr. Hurd. Mr. Bhagowalia, some very basic questions, and I \napologize for not knowing the answer to this.\n    At Treasury, what floor does the Secretary of Treasury sit?\n    Mr. Bhagowalia. Main Treasury, third floor, sir.\n    Mr. Hurd. And where do you sit?\n    Mr. Bhagowalia. I sit in one of the buildings next to the \nMain Treasury.\n    Mr. Hurd. Do you have budgetary and operational control? \nI'm assuming there's a CIO specifically for IRS, right?\n    Mr. Bhagowalia. There's a separate CIO for IRS, sir.\n    Mr. Hurd. Does that person report to you?\n    Mr. Bhagowalia. No, he does not. Reports to the \nCommissioner. But he has a dotted line under FITARA that I have \ngiven him some CIO commitments that he has to report with me \nand work with me.\n    Mr. Hurd. But isn't part of FITARA to empower you to have \ncontrol over the entire organization?\n    Mr. Bhagowalia. Yes, sir. The Department has the authority, \nand I'm working very closely with the bureau's CIOs to make the \nmission happen.\n    Mr. Hurd. CDFI, what is that?\n    Mr. Bhagowalia. It's one of the consolidated funds that is \na smaller program that sits within the departmental offices.\n    Mr. Hurd. 
So earlier this year or late last year, we sent a \nletter, this committee sent a letter to every agency asking for \nan update or asking for a review of legacy hardware and legacy \nsoftware. And thank you, you get back to us. And I know I asked \na question earlier about old systems. I have eight pages worth \nof information. Some of the software, when we asked when was \nthe last date of support, the answer was ``unknown'' because \nthe vendor is no longer in business.\n    Some of the other software stopped being supported in 2007. \nAnd then we asked the question: If no longer supported by \nvendor, how is it supported? The reply was: Unsupported, IRS \nassumes expired product risk.\n    Now, I'm not going to go through each one of these. But my \nquestion is, do you, as the CIO of Treasury, have the authority \nto go through, identify which one of these are high risk, and \nfiguring out why and moving away from unsupported software?\n    Mr. Bhagowalia. Yes, the bureau CIO and I do, I have the \nauthority, and we look at using what they call critical POAM \nitem, and they have to report to me as to whether they are \ntesting and is there enough security, that there's any \nvulnerability, if there's anything critical. And they have \nsigned to that and I can--I, obviously, check and verify that. \nIf they have not done that, I have the authority to turn it off \nand so do they. And, obviously, this particular system I'll \nhave to take a look at----\n    Mr. Hurd. No, look, we're going to get into a much larger \nconversation at some other point about this. But some of these \nsystems that stopped being supported in 2013 deal with software \nto manage cell phone communications, right? So this is--to me, \nthat would be a high priority vulnerability or a system that \nshould be of high priority to ensure that--and, again, the \nFederal Government shouldn't be in the business of providing \nsupport to products. 
We should be upgrading and buying the \nlatest version. So I'm more interested in making sure you have \nthe authorities in order to solve these problems.\n    Dr. Ozment, how much, you know, with the new cybersecurity \nrules that DHS has, how much influence do you all have in \ntelling another department or agency, ``Hey, guys, you all need \nto sort this out''?\n    Mr. Ozment. The new authorities that Congress has provided \nus and, frankly, the congressional attention on this issue have \nreally dramatically helped us more deeply engage with \ndepartments and agencies. We focus on working collaboratively \nwith those departments and agency, essentially because when \nthey trust us, we can accomplish more together. And we also \nlook at OMB holding agencies accountable. And together, we \nreally work to improve----\n    Mr. Hurd. Dr. Ozment, do you have a list of all the \nunsupported software that's being used across the 24 CFO \nagencies?\n    Mr. Ozment. I do not, but I'll be honest with you, I want \nthat--I will have that when CDM phase one is deployed.\n    Mr. Hurd. Copy.\n    Mr. Ozment. And I want an automated list of that. I don't \nwant a manual data----\n    Mr. Hurd. Good. Copy.\n    Mr. Barger, should enterprises be concerned with using \nsoftware that is no longer supported by a vendor?\n    Mr. Barger. They should. Unfortunately, organizations over \ntime will set up systems that just become systems of record, \nthat they just cannot pull these systems out, that they age \nwithin the organization, both within public and private sector. \nIt's not just one sector or the other. So it's a very hard to \nnecessarily pull them out. If you consider some medical devices \nare FDA regulated, so if you were to patch them, in some cases \nyou change that regulation.\n    And so there's these very nuanced details in accepting risk \nin and around these nuanced systems of record that could be \nsupporting command and control or medical systems. 
And so there \ncan be creative workarounds that are put in place, be it \npolicies or solutions, that can help manage that risk a little \nbetter.\n    Mr. Hurd. No, thank you for that.\n    And my next question kind of shifting gears slightly. Can \nyou do--can an enterprise do proper damage assessment without \nunderstanding who the threat actor was?\n    Mr. Barger. So as a former analyst, I am always \nappreciative of as much information as possible so that I can \nuse that and form the basis to make better decisions. So I \nthink maybe to your point around attribution, that sort of \ninformation, always helps to understand what the adversary's \nmotivations are, because that can frame how I respond and \nsubsequent decisions down the line, be it technical or \nnontechnical type response.\n    Mr. Hurd. So would this be a fair statement, that \nunderstanding who the attacker is, we would better--we can do \nbetter damage assessment?\n    Mr. Barger. Absolutely. It's an integral part. I mean, one \nof the first questions everybody asks when you're the bearer of \nbad news and there's a breach is: Who did it? Or why? The boss \nalways wants to know that. And so understanding that can, \nagain, help frame how you respond and the decisionmaking cycle \nafterwards.\n    Mr. Hurd. When it comes to the Juniper ScreenOS breach, do \nyou have opinions on who was responsible?\n    Mr. Barger. These are personal opinions and not necessarily \nrooted in fact, but just reading, casually reading----\n    Mr. Hurd. The record reflects that.\n    Mr. Barger. Roger. Okay. So if you look at the type of \nvulnerabilities potentially introduced for the term in which \nthey're reporting that, I could think of a handful of nation-\nstate entities that would leverage key weakening and an \nadministrative back door for core infrastructure. 
And that core \ninfrastructure is kind of one of those more strategic areas of \nthe domain, if you will, the contested domain, that if you lay \nup in there, you can do quite a bit in terms of----\n    Mr. Hurd. So let's talk about the nature of the Juniper \nScreenOS breach. Source code was manipulated, correct?\n    Mr. Barger. From what I understand, correct.\n    Mr. Hurd. And code was inserted in the source code used for \nScreenOS. Is that your understanding?\n    Mr. Barger. From what I understand, correct.\n    Mr. Hurd. How difficult is it to do that?\n    Mr. Barger. I would imagine if it were, for me, putting on \na bad guy hat, that I would have to have a significant \nunderstanding of how that system works as well as a very robust \nquality assurance capability to make----\n    Mr. Hurd. But when you're designing software protecting--\nensuring that your source code cannot be seen, is a pretty--\nthat's a pretty key--that's a key software development.\n    Mr. Barger. Correct. That's what I was driving at, is that \nthere had to have been a robust team that would be able to make \nsure that that implant or that key weakening was not detected \nfor the term that's being reported.\n    Mr. Hurd. Could Juniper have protected its source code \nbetter?\n    Mr. Barger. I don't know enough about their development \nprocess and their internal security to be able to say that, \nbut----\n    Mr. Hurd. So based on your experience and your--this is \nyour personal observation--it was a state actor--it was an \nentity supported by a nation-state?\n    Mr. Barger. I would certainly think that a criminal or \nideological group probably wouldn't have necessarily the \nresources or the motivation to leverage that type of attack.\n    Mr. Hurd. Why are--and maybe, Dr. Ozment, this is a better \nquestion directed to you--who is responsible in the Federal \nGovernment for attribution?\n    Mr. Ozment. 
We look to the intelligence community, so the \nDirector of National Intelligence for attribution.\n    Mr. Hurd. So DNI is the one responsible for making \nattribution. Even in a case when it's a breach of a private \nsector entity?\n    Mr. Ozment. That's right.\n    Mr. Hurd. But that private sector entity could make it \naware, right? Because if a private sector company is hacked, \nthey usually--they will bring in--they'll probably reach out to \nsome Federal Government agencies, whether it's DHS--it should \nbe DHS now, after the Cybersecurity Act of 2015. They're going \nto bring you in. They're probably going to hire another company \nthat does incident response and threat mitigation. But are \nthere barriers from having the company that's hacked from \narticulating who they believe was responsible for the breach?\n    Mr. Ozment. No. Any company could point to anybody if they \nhad a view on the perpetrator.\n    Mr. Hurd. Why--and this is my opinion now--I feel like in \nthis case of the Juniper ScreenOS hack people have been \nreticent to do attribution, even general attribution. Do you \nhave an opinion on that, Dr. Ozment?\n    And, Mr. Barger, I'm going to ask you the same question.\n    Mr. Ozment. You know, I don't, other than to say that the \ngovernment has historically been--has used attribution in a \nfairly relatively few cases. And so I don't view it as unusual \nthat the government has not attributed this particular \nincident. That's it.\n    Mr. Hurd. Copy.\n    I will now recognize my friend from California, the \ndistinguished gentleman, Mr. Lieu, for another round of \nquestions.\n    Mr. Lieu. Thank you, Mr. Chair.\n    My understanding is that Juniper was invited to testify, \nbut they refused to come. I just want to note for the record \nthat I--well, let me first ask questions.\n    Mr. Ozment, is Juniper a government contractor?\n    Mr. Ozment. I don't know for sure. I would assume that they \nare. 
I do want to highlight that they're a victim here and that \nfrom our perspective we ask all IT vendors to give us advanced \nnotice when they are making a major patch so that we can \namplify their patch announcement and make sure that it reaches \nthe public and private sector, that everybody who knows needs \nto know about it.\n    In this case they did notify us in advance that they were \ndeveloping a major patch. I think they did a very responsible \njob of this, and I salute them for working hard to make sure \nthat all of their customers were aware of this vulnerability \nand helping us amplify their message as well.\n    Mr. Lieu. I note for the record that Juniper had their \nsystems breached. I find it disrespectful that they did not \ncome here to testify and it insinuates that they have something \nto hide.\n    So let me ask some questions for Mr. Bhagowalia. I'm trying \nto understand your agency's response to the breaches of \nJuniper.\n    My understanding is that within 1 week, 48 out of 57 \naffected systems on Treasury's network were patched. Is that \ncorrect?\n    Mr. Bhagowalia. Yes, sir.\n    Mr. Lieu. But for the other nine, it took, from my \nunderstanding, another 2 months. What's the reason that it took \nthat amount of time?\n    Mr. Bhagowalia. We made a risk-based decision, and we found \nthat out of those devices--first of all, anything--only 4 of \nthose 57 were Internet facing. Everything inside had many \nlayers of firewalls. We found that of those devices, a certain \namount had--did not even have the VPN vulnerability as such. So \nwe looked at that and made a risk-based decision as one of the \nbureaus to delay the patch. And the others were mitigated in \nterms of compensating controls that they had in place. 
So it \nwas done a little bit later.\n    Obviously, in retrospect, one could look at balancing \nmission and risk, and we could have gone a little faster, but \nit was basically a low risk for the devices that were done \nafter the first week.\n    Mr. Lieu. So when I patch something on my computer it's, I \ndon't know, a few minutes. Are these very complicated patches? \nAre these something that takes a long time? I'm trying to \nunderstand why it just wouldn't have been done rather quickly.\n    Mr. Bhagowalia. Yes, sir. Let me just say, as an engineer, \nwe obviously, obviously, look at first what is the risk \nanalysis as to what the thing is. We understood the details of \nthis once we were told what the thing was and exactly what the \nvendor was saying and what DHS told us. We went and looked at \nwhat the risk analysis is, is it in our network?\n    We looked at where they were facing. A lot of these \nconfigurations, without giving them away, we have multiple \nlayers of firewalls and protection and proxying and all kinds \nof various means that allows sort of a maze of things that we \ndo to basically confuse anyone from getting in.\n    And third, you know, five of those device didn't have the \nVPN vulnerability. So even if there was nothing to decrypt, we \nactually covered that.\n    So it just, if you look at it in isolation, obviously, one \ncan only always look at something being a little faster, but we \nalways balance operational risk. Because think of it has a \nneighborhood, gated community, and then you get in, and then \nyou've got multiple layers of firewalls and a backbone network \nthat had one or two of these devices between many layers just \nto get into that. And beyond that, there were various firewall \nsubdivisions and these were deeply imbedded inside those \nfirewall divisions. 
So to get to those would require a lot of \ncompromise before someone gets in.\n    So we looked at that, and based on that, it was made--a \nrisk-base decision was made. And in addition to that, I would \njust add that we are actively using other kinds of red teaming, \nshould I say, penetration testing, and we are also looking at \nsome hunt operations to make sure there's nothing in there. We \nare aware of some of these nation-states, and I think in this \ncase we have not seen anything.\n    Mr. Lieu. Thank you.\n    Ms. Ozment, you're familiar with the ransomware attacks on \nhospitals, some of which were in southern California?\n    Mr. Ozment. I am, sir.\n    Mr. Lieu. And do you have a sense of how many hospitals \nhave been hit with ransomware attacks in the last year or last \nfew months?\n    Mr. Ozment. I don't have those numbers in hand, but we have \ncertainly seen an increase in ransomware, not just the health \nsector, but across the Nation.\n    Mr. Lieu. If this is something we could follow up with your \noffice to see if you could let us know about how many attacks \nwe're experiencing?\n    Mr. Ozment. Absolutely, sir. Will do.\n    Mr. Lieu. Great. Thank you.\n    And then let me just conclude with a comment.\n    In this case, Juniper made firewalls to try to prevent \nimportant information from going to foreign governments. \nJuniper is not the victim in this case, as the witness from DHS \nhad said. The U.S. Government and the American people are, and \nwe need to view this in a whole different lens, that when \nproducts are made to try to protect the U.S. Government and \nthey fail, the companies that made those products are not the \nvictims. They failed. And I think we just need to put this in \nproper perspective. The victims here are the U.S. Government, \nthe American people.\n    Thank you.\n    I yield back.\n    Mr. Hurd. Thank you.\n    Dr. Ozment, is DHS MPPD built and organized to deal with \nthe problems of the future?\n    Mr. 
Ozment. It is not, sir. And we have proposed a \nreorganization that we would very much appreciate support of \nthe Congress in performing that reorganization.\n    Mr. Hurd. And, again, I'd just like to point out, I think, \nwhen it comes to the Juniper breach, I think DHS played an \nimportant and key role in organizing the government's response \nto this.\n    I still have a problem with attribution. And, Dr. Ozment, \ncan attribution play a deterrence role?\n    Mr. Ozment. I think it absolutely can. You know, depending \non the circumstances, actual attribution could be used to play \na deterrence role. In other circumstances the threat of \nattribution may play a deterrence role. I do think it depends \non the particular actor and the dynamics of the relationship, \nbut it can absolutely be a tool for deterrence.\n    Mr. Hurd. Copy.\n    Mr. Bhagowalia, would you like to know who was responsible \nfor or have some idea of attribution for this Juniper breach?\n    Mr. Bhagowalia. Absolutely, sir. You know, we have, \nobviously, been reading all the news and watching various \nchannels, but we'd love to know.\n    Mr. Hurd. Now, Mr. Taylor, I know the Department of State \nwasn't affected, because you didn't have any of the ScreenOS \nsoftware running on there.\n    But does anybody on the panel like to make any comments on \nattribution?\n    Mr. Barger.\n    Mr. Barger. To your point about attribution serving as a \ndeterrent, we conducted research into a specific series of \nattacks that had been targeting entities within the South China \nSea for quite some many years and put out an attribution \nproduct with the assistance of some of our partners. And, \nbasically, after this attribution product was released, we \nbasically saw no more activity from it. 
Not to say that they \nare done forever, but I do believe that it can slow down, \nmitigate active threats as well as enter into the adversary's \ndecisionmaking cycle as to how important this sort of thing is \non the world stage and how to recognize those.\n    Mr. Hurd. I appreciate that.\n    And, Mr. Taylor, we have--I have extended my time on too \nmany occasions, but I'd like to let you know that there was a \nreport that the Department recently--Department of State \nrecently detected a vulnerability within its own systems, and \nwe're going to provide you all with some questions that we \nwould like to have answered on the record. And one of those \nquestions is I hope that information has been shared with DHS \nin order to communicate that across the rest of the Federal \ninfrastructure.\n    Mr. Hurd. Barring no further business, I'd like to thank \nour witnesses for taking the time to appear before us today. \nAnd if there's no further business, without objection, the \nsubcommittee stands adjourned.\n    [Whereupon, at 11:25 a.m., the subcommittee was adjourned.]\n\n\n                                APPENDIX\n\n                              ----------                              \n\n\n               Material Submitted for the Hearing Record\n               \n               \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]               \n               \n\n\n\n                                 <all>\n</pre></body></html>\n"