b"<html>\n<title> - THE EXPANDING CYBER THREAT</title>\n<body><pre>[House Hearing, 114 Congress]\n[From the U.S. Government Publishing Office]\n\n\n\n\n\n                       THE EXPANDING CYBER THREAT\n\n=======================================================================\n\n                                HEARING\n\n                               BEFORE THE\n\n                SUBCOMMITTEE ON RESEARCH AND TECHNOLOGY\n\n              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY\n                        HOUSE OF REPRESENTATIVES\n\n                    ONE HUNDRED FOURTEENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                            JANUARY 27, 2015\n\n                               __________\n\n                            Serial No. 114-2\n\n                               __________\n\n Printed for the use of the Committee on Science, Space, and Technology\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n\n\n\n       Available via the World Wide Web: http://science.house.gov\n\n\n\n\n\n\n       \n                                      ______\n\n                         U.S. GOVERNMENT PUBLISHING OFFICE \n\n93-880PDF                     WASHINGTON : 2015 \n-----------------------------------------------------------------------\n  For sale by the Superintendent of Documents, U.S. Government Publishing \n  Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; \n         DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, \n                          Washington, DC 20402-0001\n                              \n \n \n \n \n \n \n \n\n\n              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY\n\n                   HON. LAMAR S. SMITH, Texas, Chair\nFRANK D. LUCAS, Oklahoma             EDDIE BERNICE JOHNSON, Texas\nF. JAMES SENSENBRENNER, JR.          
ZOE LOFGREN, California\nDANA ROHRABACHER, California         DANIEL LIPINSKI, Illinois\nRANDY NEUGEBAUER, Texas              DONNA F. EDWARDS, Maryland\nMICHAEL T. McCAUL                    FREDERICA S. WILSON, Florida\nSTEVEN M. PALAZZO, Mississippi       SUZANNE BONAMICI, Oregon\nMO BROOKS, Alabama                   ERIC SWALWELL, California\nRANDY HULTGREN, Illinois             ALAN GRAYSON, Florida\nBILL POSEY, Florida                  AMI BERA, California\nTHOMAS MASSIE, Kentucky              ELIZABETH H. ESTY, Connecticut\nJIM BRIDENSTINE, Oklahoma            MARC A. VEASEY, TEXAS\nRANDY K. WEBER, Texas                KATHERINE M. CLARK, Massachusetts\nBILL JOHNSON, Ohio                   DON S. BEYER, JR., Virginia\nJOHN R. MOOLENAAR, Michigan          ED PERLMUTTER, Colorado\nSTEVE KNIGHT, California             PAUL TONKO, New York\nBRIAN BABIN, Texas                   MARK TAKANO, California\nBRUCE WESTERMAN, Arkansas            BILL FOSTER, Illinois\nBARBARA COMSTOCK, Virginia\nDAN NEWHOUSE, Washington\nGARY PALMER, Alabama\nBARRY LOUDERMILK, Georgia\n                                 ------                                \n\n                Subcommittee on Research and Technology\n\n                 HON. BARBARA COMSTOCK, Virginia, Chair\nFRANK D. LUCAS, Oklahoma             DANIEL LIPINSKI, Illinois\nMICHAEL T. MCCAUL, Texas\nSTEVEN M. PALAZZO, Mississippi\nRANDY HULTGREN, Illinois\nJOHN R. MOOLENAAR, Michigan\nSTEVE KNIGHT, California\nBRUCE WESTERMAN, Arkansas\nGARY PALMER, Alabama\nLAMAR S. SMITH, Texas\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n                            C O N T E N T S\n\n                            January 27, 2015\n\n                                                                   Page\nWitness List.....................................................     2\n\nHearing Charter..................................................     
3\n\n                           Opening Statements\n\nStatement by Representative Barbara Comstock, Chairwoman, \n  Subcommittee on Research and Technology, Committee on Science, \n  Space, and Technology, U.S. House of Representatives...........     7\n    Written Statement............................................     8\n\nStatement by Representative Daniel Lipinski, Ranking Minority \n  Member, Subcommittee on Research and Technology, Committee on \n  Science, Space, and Technology, U.S. House of Representatives..     8\n    Written Statement............................................    10\n\nStatement by Representative Lamar S. Smith, Chairman, Committee \n  on Science, Space, and Technology, U.S. House of \n  Representatives................................................    11\n    Written Statement............................................    12\n\n                               Witnesses:\n\nMs. Cheri McGuire, Vice President, Global Government Affairs & \n  Cybersecurity Policy, Symantec Corporation\n    Oral Statement...............................................    13\n    Written Statement............................................    16\n\nDr. James Kurose, Assistant Director, Computer and Information \n  Science and Engineering (CISE) Directorate, National Science \n  Foundation\n    Oral Statement...............................................    30\n    Written Statement............................................    32\n\nDr. Charles H. Romine, Director, Information Technology \n  Laboratory, National Institute of Standards and Technology\n    Oral Statement...............................................    56\n    Written Statement............................................    58\n\nDr. Eric A. Fischer, Senior Specialist in Science and Technology, \n  Congressional Research Service\n    Oral Statement...............................................    66\n    Written Statement............................................    68\n\nMr. 
Dean Garfield, President and CEO, Information Technology \n  Industry Council\n    Oral Statement...............................................    83\n    Written Statement............................................    85\n\nDiscussion.......................................................    94\n\n             Appendix I: Answers to Post-Hearing Questions\n\nMs. Cheri McGuire, Vice President, Global Government Affairs & \n  Cybersecurity Policy, Symantec Corporation.....................   108\n\nDr. James Kurose, Assistant Director, Computer and Information \n  Science and Engineering (CISE) Directorate, National Science \n  Foundation.....................................................   110\n\nDr. Charles H. Romine, Director, Information Technology \n  Laboratory, National Institute of Standards and Technology.....   117\n\nDr. Eric A. Fischer, Senior Specialist in Science and Technology, \n  Congressional Research Service.................................   118\n\nMr. Dean Garfield, President and CEO, Information Technology \n  Industry Council...............................................   122\n\n \n                       THE EXPANDING CYBER THREAT\n\n                              ----------                              \n\n\n                       TUESDAY, JANUARY 27, 2015\n\n                  House of Representatives,\n                    Subcommittee on Research and Technology\n               Committee on Science, Space, and Technology,\n                                                   Washington, D.C.\n\n    The Subcommittee met, pursuant to call, at 2:03 p.m., in \nRoom 2318 of the Rayburn House Office Building, Hon. Barbara \nComstock [Chairwoman of the Subcommittee] presiding.\n\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n    Chairwoman Comstock. The Subcommittee on Research and \nTechnology will come to order.\n    Without objection, the Chair is authorized to declare \nrecesses of the Subcommittee at any time. 
We might be having \nsome votes, I understand. I would just like to welcome everyone \nto today's hearing entitled ``The Expanding Cyber Threat.''\n    Without objection, the Chair authorizes the participation \nof Mr. Lipinski, Ms. Lofgren, Ms. Bonamici, Ms. Clark, and Mr. \nBeyer for today's hearing. I understand Mr. Lipinski will serve \nas the Ranking Minority Member today and give an opening \nstatement.\n    In front of you are packets containing the written \ntestimony, biographies, and truth-in-testimony disclosures for \ntoday's witnesses.\n    Now, I will recognize myself for five minutes for an \nopening statement.\n    Okay. I want to begin by thanking everyone for attending \nthe first hearing of the Research and Technology Subcommittee \nin the 114th Congress. I look forward to working with the \nMembers of the Subcommittee on the many issues that fall under \nthe jurisdiction of this Subcommittee.\n    The need to secure our information technology systems is a \npervasive concern. Today's hearing marks the first of what will \nbe several hearings, I imagine, to examine the topic of \ncybersecurity. We know we heard the President speak about this \nand we have--and the Chairman has been a big advocate of \nincreased activity and concerns on this front so I look forward \nto continuing to work on this issue.\n    The Subcommittee has jurisdiction over the National Science \nFoundation, the National Institute of Standards and Technology \nand the Department of Homeland Security's Science and \nTechnology Directorate. These organizations play a role in \nsupporting basic research and development, establishing \nstandards and best practices, and working with industry on \ncybersecurity concerns. 
Advances in technology and the growing \nnature of every individual's online presence means \ncybersecurity needs to become an essential part of our everyday \nlife.\n    Instances of harmful cyber attacks are in the news \nregularly and expose the very real threats growing in this \narea. Financial information, medical records, personal data \nmaintained on computer systems by individuals and organizations \nall continue to be vulnerable. Cyber attacks on companies like \nSony or Target, as well as the U.S. Central Command, will not \ngo away and we have to constantly adapt and intercept and stop \nthese threats and engage in finding the best practices so that \nwe make sure these attacks don't happen and we understand where \nand how they are coming at us and how we can stay ever \nvigilant.\n    Utilizing targeted emails, spam, malware, bots and other \ntools, cyber criminals, ``hacktivists'' and nation states are \nevery day attempting to access information technology systems \nall over the world and all over our country and in every area \nof our activities. The defense of these systems relies on \nprofessionals who can react to threats and proactively prepare \nthose systems for attack.\n    Our discussion about cybersecurity should examine the \nresearch that supports understanding how to defend and support \nour systems, as well as how to better prepare our workforce by \nproducing experts in these fields and learning of best \npractices in both the public and private sector. Well-trained \nprofessionals are essential to the implementation of the best \ntechniques. 
Institutions of higher education are working to \ncreate and improve cyber education and training programs \nfocused on ensuring there are enough trained professionals to \nmeet the needs of this growing industry.\n    I look forward to hearing from our witnesses today as they \nprovide an overview of the state of cybersecurity from the \nindustry perspective and we learn how the federal government is \nplaying a role in this important area.\n    [The prepared statement of Ms. Comstock follows:]\n\n                   Prepared Statement of Subcommittee\n                      Chairwoman Barbara Comstock\n\n    I want to begin by thanking everyone for attending the first \nhearing of the Research and Technology Subcommittee in the 114th \nCongress. I look forward to working with the Members of the \nSubcommittee on the many issues that fall under the jurisdiction of \nthis Subcommittee.\n    The need to secure our information technology systems is a \npervasive concern. Today's hearing marks the first of what will be \nseveral hearings to examine the topic of cybersecurity.\n    The Subcommittee has jurisdiction over the National Science \nFoundation, the National Institute of Standards and Technology and the \nDepartment of Homeland Security's Science and Technology Directorate. \nThese organizations play a role in supporting basic research and \ndevelopment, establishing standards and best practices, and working \nwith industry on cybersecurity concerns.\n    Advances in technology and the growing nature of every individual's \nonline presence means cybersecurity needs to become an essential part \nof our vernacular.\n    Instances of harmful cyber-attacks are reported regularly and \nexpose the very real threats growing in this area. Financial \ninformation, medical records, and personal data maintained on computer \nsystems by individuals and organizations continue to be vulnerable. \nCyber-attacks on companies like Sony or Target and the U.S. 
Central \nCommand will not go away and we have to constantly adapt and intercept \nand stop these threats before they happen and understand where and how \nthey are happening and stay ever vigilant.\n    Utilizing targeted emails, spam, malware, bots and other tools, \ncyber criminals, ``hacktivists'' and nation states are attempting to \naccess information technology systems all the time. The defense of \nthese systems relies on professionals who can react to threats and \nproactively prepare those systems for attack.\n    Our discussions about cybersecurity should examine the research \nthat supports understanding how to defend and support our systems as \nwell as how to better prepare our workforce by producing experts in \nthese fields and learning of best practices in both the public and \nprivate sector. Well-trained professionals are essential to the \nimplementation of security techniques. Institutions of higher education \nare working to create and improve cyber education and training programs \nfocused on ensuring there are enough trained professionals to meet the \nneeds of industry.\n    I look forward to hearing from our witnesses today as they provide \nan overview of the state of cybersecurity from the industry perspective \nand we learn how the federal government is playing a role in this \nimportant area.\n\n    Chairwoman Comstock. Now, I would like to recognize Ranking \nMember Mr. Lipinski for his opening statement.\n    Mr. Lipinski. Thank you, Chairwoman Comstock, for holding \nthis hearing on cybersecurity and I want to welcome you to the \nScience, Space, and Technology Committee. I am looking forward \nto working with you. I know that you worked for former member \nFrank Wolf and Frank Wolf was--I have a tremendous amount of \nrespect for him and he was a big supporter of funding for \nresearch. 
He is a big supporter of research and technology, \nscience, so I think hopefully we will have a lot of things that \nwe can work together on on this Subcommittee, on the Committee.\n    I also want to thank our witnesses for being here today on \nthis very important topic.\n    Cybersecurity remains a timely topic, the topic on which \nthis Committee has an important role, and finally, is one for \nwhich we have much more agreement than disagreement across the \naisle. So I am pleased that the Research and Technology \nSubcommittee is starting off the new Congress with this \nhearing.\n    Cyber crimes are ever increasing. The threats are not only \ngrowing in number but in level of sophistication. Some cases, \nsuch as the recent Sony hack and a 2013 Target breach, are very \nhigh profile and are covered extensively in the media. Many, \nmany more receive less attention. Two weeks ago the New York \nTimes reported that hacking has gone mainstream. A website has \nbeen created to connect hackers to potential clients. And as of \nearly January, at least 500 hacking jobs have been laid out to \nbid and at least 50 hackers signed up to do the dirty work.\n    Cyber crime threatens our privacy, our pocketbooks, our \nsafety, our economy, and our national security. Arriving at any \nprecise value of losses to the American people and American \neconomy is impossible, but the Center for Strategic and \nInternational Studies, in a study completed last June, reported \nthat on average the United States loses .64 percent of its GDP \nto cybercrime. 
I know we will hear much more from our witnesses \nabout the extent and the nature of the cyber threat.\n    Two years ago President Obama signed an Executive Order to \nbegin the process of strengthening our networks and critical \ninfrastructure against cyber attack by increasing information-\nsharing and establishing a framework for the development of \nstandards and best practices, and this plays a key role in \nseveral of these efforts. You will hear about some of it today. \nBut the President reminded us just two weeks ago that Congress \nmust still act to pass comprehensive cybersecurity legislation. \nFortunately, this is one area in which this Committee has \nresponsibly legislated in the last few years.\n    At the very end of 2014, the Cybersecurity Enhancement Act \nthat I joined Mr. McCaul in introducing for several Congresses \nin a row was finally signed into law. That law does a number of \nthings: it strengthens coordination and strategic planning for \nfederal cybersecurity R&D; it codifies the NIST-led voluntary \nframework in the President's Executive Order; it strengthens \nand streamlines NIST-led processes by which federal agencies \ntrack security risks to their own systems; it codifies NSF's \nlong-standing CyberSecurity Scholarship for Service program to \nensure more qualified cyber experts are employed by federal, \nstate, and local governments; it codifies the cybersecurity \neducation and awareness efforts led by NIST; and finally, it \nauthorizes several more important actions and programs led by \nNIST.\n    I list all of these things in part so that all of the new \nmembers of the Science Committee understand just how essential \nNIST is to our government's cybersecurity efforts. It is one of \nthe most important, least-known agencies in our government. I \nlook forward to hearing about NIST's effort from Dr. 
Romine and \nhow the new law will further strengthen NIST's leadership role \nin cybersecurity.\n    I also look forward to hearing from Dr. Kurose about the \ncritical and potentially transformative cybersecurity research \nprograms funded by the National Science Foundation.\n    And I look forward to hearing from the other three \nwitnesses who can help educate us further about the importance \nof public-private partnerships and the areas where this \nCommittee might look to address cybersecurity vulnerabilities \nduring this Congress.\n    Thank you, Madam Chairwoman, and I yield back the balance \nof my time.\n    [The prepared statement of Mr. Lipinski follows:]\n\n                   Prepared Statement of Subcommittee\n                Minority Ranking Member Daniel Lipinski\n\n    Thank you, Chairwoman Comstock for holding this hearing on \ncybersecurity, and welcome to the Science, Space, and Technology \nCommittee. I look forward to working with you this Congress. I also \nwant to thank our witnesses for being here today.\n    Cybersecurity remains a timely topic, it is a topic on which this \nCommittee has an important role, and finally it is one for which we \nhave much more agreement than disagreement across the aisle. So I am \npleased that the Research and Technology Subcommittee is starting off \nthe new Congress with this hearing.\n    Cybercrimes are ever-increasing. The threats are not only growing \nin number, but in the level of sophistication. Some cases, such as the \nrecent Sony hack and the 2013 Target breach, are very high profile and \nare covered extensively in the media. Many, many more receive less \nattention. Two weeks ago, the New York Times reported that hacking has \ngone mainstream. 
A website has been created to connect hackers to \npotential clients, and as of early January, at least 500 hacking jobs \nhad been laid out to bid and at least 50 hackers signed up to do the \ndirty work.\n    Cybercrime threatens our privacy, our pocketbooks, our safety, our \neconomy, and our national security. Arriving at any precise value of \nlosses to the American people and the American economy is impossible. \nBut the Center for Strategic and International Studies, in a study \ncompleted last June, reported that, on average, the U.S. loses 0.64 \npercent of its GDP to cybercrime. I know we will hear more from our \nwitnesses about the extent and nature of the cyber threat.\n    Two years ago, President Obama signed an Executive Order to begin \nthe process of strengthening our networks and critical infrastructure \nagainst cyberattack by increasing information sharing and establishing \na framework for the development of standards and best practices. NIST \nplays a key role in several of these efforts, and we will hear about \nsome of it today. But the President reminded us just two weeks ago that \nCongress must still act to pass comprehensive cybersecurity \nlegislation.\n    Fortunately, this is one area in which this Committee has \nresponsibly legislated in the last few years. At the very end of 2014, \nthe Cybersecurity Enhancement Act that I joined Mr. McCaul in \nintroducing for several Congresses in a row was finally signed into \nlaw. 
That law does a number of things.\n\n    <bullet>  It strengthens coordination and strategic planning for \nfederal cybersecurity R&D;\n\n    <bullet>  It codifies the NIST-led voluntary Framework in the \nPresident's Executive Order;\n\n    <bullet>  It strengthens and streamlines the NIST-led processes by \nwhich federal agencies track security risks to their own systems;\n\n    <bullet>  It codifies NSF's longstanding cybersecurity scholarship \nfor service program to ensure more qualified cyber experts are employed \nby federal, state, and local governments;\n\n    <bullet>  It codifies the cybersecurity education and awareness \nefforts led by NIST;\n\n    <bullet>  And finally it authorizes several more important actions \nand programs led by NIST.\n\n    I list all of these things in part so that all of the new Members \nto the Science Committee understand just how central NIST is to our \ngovernment's cybersecurity efforts. It is one of the most important \nleastknown agencies in our government. I look forward to hearing about \nNIST's efforts from Dr. Romine, and how the new law will further \nstrengthen NIST's leadership role in cybersecurity. I also look forward \nto hearing from Dr. Kurose about the critical and potentially \ntransformative cybersecurity research programs funded by the National \nScience Foundation. And I look forward to hearing from the other three \nwitnesses who can help educate us further about the importance of \npublic-private partnerships and the areas where this Committee might \nlook to address cybersecurity vulnerabilities during this Congress.\n    Thank you, Madam Chairwoman and I yield back the balance of my \ntime.\n\n    Chairwoman Comstock. And now I recognize the Chairman of \nthe full Committee, Mr. Smith.\n    Chairman Smith. And thank you, Madam Chair.\n    Madam Chair, let me say I look forward to your Chairing \nthis Subcommittee and also to the gentleman from Illinois, Mr. 
\nLipinski, continuing to be the Ranking Member of this \nSubcommittee as well. He has been a great Ranking Member and I \nknow that we both will all be able to work together for more \nbipartisan legislation that we enjoyed in the last Congress and \nthat we can look forward to in this new Congress as well.\n    I also look forward to today's hearing on cyber threats, a \ntopic that continues to grow in importance. With technological \nadvances come new methods that foreign countries, cyber \ncriminals and ``hacktivists'' use to attack and access our \nnetworks.\n    America is vulnerable and there is an increasing need for \ntechnically trained cybersecurity experts to identify and \ndefend against cyber attacks. Protecting America's cyber \nsystems is critical to our economic and national security.\n    As our reliance on information technology expands, so do \nour vulnerabilities. A number of federal agencies guard \nAmerica's cybersecurity interests. Several are under the \njurisdiction of the Science Committee. These include the \nNational Science Foundation, the National Institute of \nStandards and Technology, the Department of Homeland Security's \nScience and Technology Directorate, and the Department of \nEnergy. All of these support critical research and development \nto promote cybersecurity in hardware, software and our critical \ninfrastructure.\n    At the beginning of the last Congress, the Science \nCommittee considered two cybersecurity bills, the Cybersecurity \nEnhancement Act and a bill to reauthorize the Networking and \nInformation Technology Research and Development program. Both \nbills passed the House last April. At the end of the last \nCongress, the House and Senate did come to an agreement on the \nCybersecurity Enhancement Act, which was signed into law in \nDecember. 
The Science Committee will continue its efforts to \nsupport the research and development essential to fortifying \nour nation's cyber defenses.\n    From the theft of credit card information at retailers like \nTarget and Home Depot, to successful attacks at Sony and on the \nU.S. Central Command, no further wakeup calls are necessary to \nunderstand our call to action. As America continues to become \nmore advanced, we must better protect our information \ntechnology systems from attack. Any real solution should adapt \nto changing technology and tactics while also protecting \nprivate sector companies, public institutions and personal \nprivacy.\n    Again, Madam Chair, I look forward to today's hearing and \nyield back.\n    [The prepared statement of Mr. Smith follows:]\n\n                  Prepared Statement of Full Committee\n                        Chairman Lamar S. Smith\n\n    Thank you Madam Chair, I look forward to today's hearing on cyber \nthreats, a topic that continues to grow in importance.\n    In the 60 years since the last major patent reform, America has \nexperienced tremendous technological advancements. Computers the size \nof a closet have evolved into wireless technology that fits in the palm \nof our hand.\n    With technological advances come new methods that foreign \ncountries, cyber criminals and ``hacktivists'' can use to attack and \naccess our networks.\n    America is vulnerable and there is an increasing need for \ntechnically-trained cybersecurity experts to identify and defend \nagainst cyber-attacks. Protecting America's cyber-systems is critical \nto our economic and national security. As our reliance on information \ntechnology expands, so do our vulnerabilities.\n    A number of federal agencies guard America's cybersecurity \ninterests. Several are under the jurisdiction of the Science Committee. 
\nThese include the National Science Foundation (NSF), the National \nInstitute of Standards and Technology (NIST), the Department of \nHomeland Security's Science and Technology Directorate, and the \nDepartment of Energy.\n    All of these support critical research and development to promote \ncybersecurity in hardware, software and our critical infrastructure.\n    At the beginning of the last Congress, the Science Committee \nconsidered two cybersecurity bills, the Cybersecurity Enhancement Act \nand a bill to reauthorize the Networking and Information Technology \nResearch and Development program. Both bills passed the House in April \n2013.\n    At the end of the last Congress, the House and Senate came to \nagreement on the Cybersecurity Enhancement Act, which was signed into \nlaw in December. That law improves America's cybersecurity abilities. \nIt strengthens strategic planning for cybersecurity research and \ndevelopment needs across the federal government. It supports NSF \nscholarships to improve the quality of the cybersecurity workforce. And \nit improves research, development and public outreach organized by NIST \nrelated to cybersecurity.\n    The Science Committee will continue its efforts to support the \nresearch and development essential to fortifying our nation's cyber \ndefenses.\n    From the theft of credit card information at retailers like Target \nand Home Depot, to successful attacks at Sony and on the U.S. Central \nCommand, no further wake-up calls are necessary to understand our call \nto action.\n    As America continues to become more advanced, we must better \nprotect our information technology systems from attack. Any real \nsolution should adapt to changing technology and tactics while also \nprotecting private sector companies, public institutions and personal \nprivacy.\n    I look forward to hearing from our witnesses today and yield back.\n\n    Chairwoman Comstock. 
If there are Members who wish to \nsubmit additional opening statements, your statements will be \nadded to the record at this point.\n    Chairwoman Comstock. I would also like to welcome our \ncolleague from Washington, Mr. Newhouse, and authorize his \nparticipation in today's hearing.\n    Okay. Now, at this time I would like to introduce our \nwitnesses. Our first witness today is Ms. Cheri McGuire. Ms. \nMcGuire is the Vice President of Global Government Affairs & \nCybersecurity Policy at Symantec Corporation. Before joining \nSymantec, Ms. McGuire served as Director for Critical \nInfrastructure and Cybersecurity in Microsoft's Trustworthy \nComputing Group and as Acting Director at DHS's National \nCybersecurity Division. Ms. McGuire received her bachelor's \ndegree from the University of California Riverside and her MBA \nfrom the George Washington University.\n    Our second witness is Dr. James Kurose. Dr. Kurose is the \nNational Science Foundation's Assistant Director for the \nComputer and Information Science and Engineering Directorate. \nHe also serves as Co-Chair of the Networking and Information \nTechnology Research and Development Subcommittee at the \nNational Science and Technology Council Committee on \nTechnology.\n    Now, do you say all that when--in one introduction? That is \ngood.\n    Prior to joining NSF, Dr. Kurose was a distinguished \nProfessor in the School of Computer Science at the University \nof Massachusetts Amherst where he served as Chair of the \nDepartment of Computer Science. Dr. Kurose holds a bachelor's \ndegree in physics from Wesleyan University and a Master of \nScience and Ph.D. in computer science from Columbia University.\n    Our third witness today is Dr. Charles Romine, Director of \nthe National Institute of Standards and Technology Information \nTechnology Laboratory, or ITL. 
Before working at NIST he served \nas Senior Policy Analyst at the White House Office of Science \nand Technology Policy and as a Program Manager at the \nDepartment Of Energy's Advanced Scientific Computing Research \nOffice. Dr. Romine received his bachelor's degree in \nmathematics and his Ph.D. in applied mathematics from the \nUniversity of Virginia. Yea.\n    Our fourth witness is Dr. Eric Fischer, who serves as a \nSenior Specialist in the Science and Technology for the \nCongressional Research Service. Prior to working for CRS, Dr. \nFischer worked as a faculty member at the University of \nWashington in Seattle and as a Congressional Science and \nTechnology Policy Fellow for the American Association for the \nAdvancement of Science. Dr. Fischer received his bachelor's \ndegree in biology from Yale and his Ph.D. in zoology from the \nUniversity of California Berkeley.\n    Our final witness is Mr. Dean Garfield, President and CEO \nof the Information Technology Industry Council, or ITI. Before \njoining ITI, Mr. Garfield served as Executive Vice President \nand Chief Strategic Officer for the Motion Picture Association \nof America and as the Vice President of Legal Affairs at the \nRecording Industry Association of America. Mr. Garfield \nreceived a joint degree from New York University School of Law \nand the Woodrow Wilson School of Public Administration and \nInternational Affairs at Princeton University.\n    As our witnesses should know, spoken testimony is limited \nto five minutes each, after which the Members of the Committee \nwill have five minutes each to ask questions.\n    I now recognize Ms. McGuire for five minutes to present her \ntestimony.\n\n        TESTIMONY OF MS. CHERI MCGUIRE, VICE PRESIDENT,\n\n       GLOBAL GOVERNMENT AFFAIRS & CYBERSECURITY POLICY,\n\n                      SYMANTEC CORPORATION\n\n    Ms. McGuire. 
Chairwoman Comstock, Chairman Smith, Ranking \nMember Lipinski, and other Members of the Subcommittee, thank \nyou for the opportunity to testify today on behalf of Symantec \nCorporation.\n    My name is Cheri McGuire and I am the Vice President for \nGlobal Government Affairs and Cybersecurity Policy. At Symantec \nwe are the largest security software company in the world and \nour global intelligence network is made up of millions of \nsensors that give us a unique view into the entire internet \nthreat landscape.\n    As I am sure you have read, most of the recent headlines \nabout cyber attacks have focused on data breaches and the theft \nof personally identifiable information, including identities \nand credit card numbers. According to Symantec's most recent \ninternet security threat report, over 550 million identities \nwere exposed in 2013 alone. Yet while the focus on these \nbreaches is certainly warranted, it is important not to lose \nsight of other equally concerning types of cyber activity. \nAttackers run the gamut and include highly organized criminal \nenterprises, individual cyber criminals, so-called hacktivists, \nand state-sponsored groups. Common attack types range from \ndistributed denial of service, or DDoS, to highly targeted \nattacks, to widely distributed financial fraud scams. A DDoS \nattack is an attempt to overwhelm a system with data, while \ntargeted attacks try to trick someone into opening an \ninfected file or navigating to a bad website.\n    Of course, scams and blackmail schemes seeking money \ncontinue. Some will fill a victim's screen with aggressive pop-\nup windows that claim falsely that the system is infected. \nOthers lock the victim's computer and display a screen that \npurports to be from law enforcement and demands payment of a \nfine for having illegal content on the computer. The most \nrecent scheme has gone from trickery to straight up blackmail. 
\nCriminals now will encrypt or scramble all the data on your \ndevice and tell you to pay a ransom or they will erase all of \nit.\n    Critical infrastructure such as the power grid, water \nsystem, and mass transit are also at risk. In June 2014 \nSymantec released a report about a new threat that we named \nDragonfly. This was a campaign against a range of targets \nmainly in the energy sector, but it was not the first to target \nenergy. As we saw in 2012, cyber attackers mounted a campaign \nagainst the Saudi Arabian National Oil Company that destroyed \n30,000 computers and made them display the image of a burning \nAmerican flag. Other sectors have seen attacks, too, and the \nGerman Government recently disclosed that a cyber attack on a \nsteel plant resulted in massive physical damage.\n    All of the attacks that I have outlined started with a \ncommon factor, a compromised computer. We frequently hear about \nadvanced persistent threats, or APTs, but the discussion of \ncyber attacks too often ignores the psychology of the exploit. \nMost rely on social engineering, in the simplest terms, trying \nto trick people into doing something that they would never do \nif fully aware of their actions.\n    Attack methods vary. Those spear phishing or customized \ntargeted emails containing malware are the most common, and \nwhile good security will stop most of these attacks, which \noften seek to exploit older known vulnerabilities, many \norganizations and individuals do not have up-to-date security \nor properly patched operating systems. Social media is also an \nincreasingly valuable tool for cyber criminals both to gather \ninformation and to spread malicious links.\n    To combat cyber threats, Symantec partners with government \nand industry here and abroad. 
Working extensively with the FBI \nand international law enforcement, we have helped take down and \ndismantle some of the world's largest botnets, which has also \nled to charges against the criminal operators.\n    In addition, together with Palo Alto Networks, McAfee, and \nFortinet, we recently cofounded the Cyber Threat Alliance, a \ngroup of cybersecurity providers who share advanced cyber \nthreat information. While we are competitors, we have found \nthat there is great benefit to sharing information that will \nprotect all of our customers and help fight cyber criminals. \nThis model has worked well in other sectors such as banking and \nenergy. And further, and even as important, the alliance has \nstrict guidelines that protect our customer privacy and their \nproprietary information, and this of course must be included in \nany information-sharing regime.\n    So what can we do? Good protection starts with a plan and \nstrong security should include intrusion protection, \nreputation-based security, behavioral-based blocking, data \nencryption, backups, and data loss prevention tools. And while \nthe criminals' tactics are constantly evolving, basic cyber \nhygiene is still the simplest and most cost-effective first \nstep.\n    Last week, the Online Trust Alliance found that 90 percent \nof last year's breaches could have been prevented if businesses \nimplemented basic cyber best practices. At Symantec we are \ncommitted to improving online security across the globe and we \nwill continue to work collaboratively with our partners on ways \nto do so.\n    Thank you again for the opportunity to testify today and I \nlook forward to your questions.\n    [The prepared statement of Ms. McGuire follows:]\n   \n   [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n   \n    Chairwoman Comstock. I now recognize Dr. Kurose.\n\n                 TESTIMONY OF DR. 
JAMES KUROSE,\n\n                      ASSISTANT DIRECTOR,\n\n              COMPUTER AND INFORMATION SCIENCE AND\n\n                ENGINEERING (CISE) DIRECTORATE,\n\n                  NATIONAL SCIENCE FOUNDATION.\n\n    Dr. Kurose. Thank you. Good afternoon, Chairwoman Comstock, \nChairman Smith, and Representative Lipinski, and Members of the \nSubcommittee. I am Jim Kurose, National Science Foundation \nAssistant Director for Computer and Information Science and \nEngineering. As you know, NSF advances and supports fundamental \nresearch in all disciplines, advances the progress of science \nand engineering, and educates the next generation of innovative \nleaders. I welcome this opportunity to provide an overview of \nNSF-funded cybersecurity research and its impact on the nation.\n    Long-term unclassified research is critical to achieving a \nsecure and trustworthy cyberspace. In 2011 NSF contributed to \nthe Administration's Strategic Plan for Federal Cybersecurity \nResearch and Development. It specifies a coordinated research \nagenda for agency investments that change the game by \nestablishing a science of cybersecurity, transitioning research \ninto practice, and bolstering cybersecurity education and \ntraining.\n    With the rapid pace of technological advancement, we are \nwitnessing the tight integration of financial, business, \nmanufacturing, and telecommunications systems into a networked, \nglobal society. These interdependencies can lead to \nvulnerabilities and threats that challenge the security, \nreliability, and overall trustworthiness of critical \ninfrastructure. The result is a dramatic shift in the size, \ncomplexity, and diversity of cyber attacks.\n    In response to these changing threats, NSF has long \nsupported fundamental cybersecurity research resulting in many \npowerful approaches deployed today. NSF continuously brings the \nproblem-solving capabilities of the nation's best minds to bear \non these challenges. 
It also promotes connections between \nacademia and industry.\n    In Fiscal Year 2014 NSF invested $158.28 million in \ncybersecurity research, including $126 million in the cross-\ncutting Secure and Trustworthy Cyberspace program. Projects \nrange from security at the foundational level, including \ndetecting whether a silicon chip contains a malicious circuit \nor developing new cryptographic solutions, to the systems \nlevel, including strategies for securing the electric power \ngrid.\n    Projects are increasingly interdisciplinary spanning \ncomputer science, mathematics, economics, behavioral science, \nand education. They seek to understand, predict, and explain \nprevention, attack, and defense behaviors and contribute to \ndeveloping strategies for remediation while preserving privacy \nand promoting usability.\n    Projects also include center scale activities representing \nfar-reaching explorations motivated by deep scientific \nquestions and grand challenge problems in, for example, \nprivacy, encryption, cloud, and healthcare systems.\n    In addition, NSF promotes the transition of discoveries \ninto the field as threats and solutions co-evolve over time. \nPartnerships continuously improve the security of our critical \ninfrastructure ensuring U.S. leadership, economic growth, and a \nskilled workforce. For example, with the Semiconductor Research \nCorporation, NSF supports research into the design of secure \nhardware. With Intel Corporation, NSF invests in the security \nand privacy of cyber-physical systems such as transportation \nnetworks and medical devices.\n    NSF also invests in industry university cooperative \nresearch centers that feature high-quality industrially-\nrelevant fundamental research enabling direct transfer of \nuniversity-developed ideas to U.S. industry, improving its \ncompetitiveness globally. 
In recent years, we have seen \nresearch outcomes lead to new products and services and to \nnumerous startups in the IT sector bringing innovative \nsolutions to the marketplace.\n    Cybersecurity education is also important. For example, the \nScholarship for Service program provides tuition to \ncybersecurity college majors in exchange for government service \nfollowing graduation. To date, this program has provided 1,700 \nscholarships at over 50 institutions and has placed graduates \nin over 140 federal, state, local, and tribal government \nagencies. NSF participates in the interagency Networking and \nInformation Technology Research and Development program. I \nserve as the Co-Chair of the NITRD Subcommittee and many NSF \ndivision directors and program directors actively participate \nin NITRD cybersecurity and information assurance activities \nensuring coordination of investments across 18 government \nagencies.\n    To conclude, my testimony today has emphasized that the \npace and scope of today's cyber threats pose grand challenges \nto our nation's critical infrastructure and that NSF continues \nto make significant investments in fundamental cybersecurity \nresearch. I have discussed how NSF partners with industry to \nadvance cybersecurity R&D that will effectively address cyber \nthreats as they evolve.\n    I very much appreciate the opportunity for dialogue with \nMembers of this Subcommittee on these very important topics. \nWith robust, sustained support for foundational and \nmultidisciplinary cybersecurity R&D in the executive and \nlegislative branches, there is a unique opportunity to protect \nour national security and enhance our economic prosperity for \ndecades to come.\n    This concludes my remarks. I am happy to answer any \nquestions.\n    [The prepared statement of Dr. Kurose follows:]\n    \n    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n    \n    Chairwoman Comstock. All right. Thank you, Doctor.\n    And now we recognize Dr. 
Romine for his testimony.\n\n         TESTIMONY OF DR. CHARLES H. ROMINE, DIRECTOR,\n\n               INFORMATION TECHNOLOGY LABORATORY,\n\n         NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY\n\n    Dr. Romine. Chairwoman Comstock, Chairman Smith, Mr. \nLipinski, and Members of the Subcommittee, I am Dr. Charles \nRomine, Director of the Information Technology Laboratory at \nNIST, and thank you for the opportunity to discuss our role in \ncybersecurity.\n    In the area of cybersecurity, NIST has worked with federal \nagencies, industry, and academia since 1972. Our role--to \nresearch, develop, and deploy information security standards \nand technology to protect information systems against threats \nto the confidentiality, integrity, and availability of \ninformation and services--was strengthened through the Computer \nSecurity Act of 1987, broadened through the Federal Information \nSecurity Management Act of 2002, and recently reaffirmed in the \nFederal Information Security Modernization Act of 2014. The \nCybersecurity Enhancement Act of 2014 also authorizes NIST to \nfacilitate and support the development of voluntary, industry-\nled cybersecurity standards and best practices for critical \ninfrastructure.\n    NIST accomplishes its mission in cybersecurity through \ncollaborative partnerships. The resulting NIST special \npublications and interagency reports provide operational and \ntechnical security guidelines for federal agencies and cover a \nbroad range of topics such as electronic authentication, \nintrusion detection, access control, and malware.\n    NIST maintains the National Vulnerability Database, or NVD, \na repository of standards-based vulnerability management \nreference data, which enables security automation capabilities \nfor all organizations. 
The payment card industry uses the NVD \nvulnerability metrics to discern the IT vulnerability in point-\nof-sale devices and determine acceptable risk.\n    NIST researchers develop and standardize cryptographic \nmechanisms used worldwide to protect information. The NIST \nalgorithms and guidelines are developed in a transparent and \ninclusive process leveraging cryptographic expertise around the \nworld. The results are standard, interoperable, cryptographic \nmechanisms that can be used by all.\n    Recently, NIST initiated a research program on usability of \ncybersecurity focused on password policies, user perceptions of \ncybersecurity risk, and privacy. This will enhance \ncybersecurity through increased attention to user interactions \nwith cybersecurity technologies.\n    The impacts of NIST's cybersecurity activities extend \nbeyond providing the means to protect federal IT systems. They \nprovide the cybersecurity foundations for the public trust that \nis essential to realizing the national and global economic, \nproductivity, and innovation potential of electronic business. \nMany organizations voluntarily follow NIST standards and \nguidelines reflecting their worldwide acceptance.\n    NIST also houses the National Program Office of the \nNational Strategy for Trusted Identities in Cyberspace, or \nNSTIC. The NSTIC initiative aims to address one of the most \ncommonly exploited vectors of attack in cyberspace, the \ninadequacy of passwords for authentication. The 2013 data \nbreach investigations report noted that in 2012, 76 percent of \nnetwork intrusions exploited weak or stolen credentials. 
NSTIC \nis addressing this issue by collaborating with the private \nsector, including funding 13 pilots, to catalyze a marketplace \nof better identity and authentication systems.\n    Another critical component of NIST cybersecurity work is \nthe National Cybersecurity Center of Excellence, or NCCoE, a \npartnership between NIST, the State of Maryland, Montgomery \nCounty, and the private sector. NCCoE is accelerating the \nadoption of applied, standards-based solutions to cybersecurity \nchallenges. The NCCoE is now supported by the nation's first \nfederally funded research and development center dedicated to \ncybersecurity.\n    Through NCCoE, NIST works directly with businesses across \nvarious industry sectors on applied solutions to cybersecurity \nchallenges with current activities addressing the healthcare, \nfinancial services, and energy sectors.\n    Almost one year ago NIST issued the Framework for Improving \nCritical Infrastructure Cybersecurity in response to Executive \nOrder 13636. The framework, created through collaboration \nbetween industry and government, consists of standards, \nguidelines, and practices to promote the protection of critical \ninfrastructure. The framework is being implemented by industry \nand adopted by infrastructure sectors to reduce cyber risks to \nour critical infrastructure.\n    As the cyber threats and technology environments evolve, \nthe cybersecurity workforce must continue to adapt so as to \ncontinuously improve cybersecurity, including in our nation's \ncritical infrastructure. 
In 2010, the National Initiative for \nCybersecurity Education was established to enhance the overall \ncybersecurity posture of the United States by accelerating the \navailability of educational, training, and workforce \ndevelopment resources designed to improve the cybersecurity \nbehavior, skills, and knowledge of every segment of the \npopulation.\n    As the lead agency for this initiative, NIST works with \nmore than 20 federal departments and agencies, industry, and \nacademia to raise national awareness about risks in cyberspace, \nbroaden the pool of individuals prepared to enter the \ncybersecurity profession, and cultivate a globally competitive \ncybersecurity workforce.\n    NIST recognizes our essential role in helping industry, \nconsumers, and government to counter cyber threats. We are \nextremely proud of our role in establishing and improving the \ncomprehensive set of cybersecurity technical solutions, \nstandards, guidelines, and best practices, and the robust \ncollaborations with our federal government partners, private \nsector collaborators, and international colleagues.\n    Thank you for the opportunity to testify today on NIST's \nwork in cybersecurity. I would be happy to answer any questions \nthat you may have.\n    [The prepared statement of Dr. Romine follows:]\n   \n   [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n    \n    Chairwoman Comstock. Thank you, Doctor.\n    And now I recognize Dr. Fischer for his testimony.\n\n               TESTIMONY OF DR. ERIC A. FISCHER,\n\n          SENIOR SPECIALIST IN SCIENCE AND TECHNOLOGY,\n\n                 CONGRESSIONAL RESEARCH SERVICE\n\n    Dr. Fischer. Good afternoon, Chairwoman Comstock, Chairman \nSmith, Ranking Member Lipinski, and distinguished Members of \nthe Subcommittee. 
On behalf of the Congressional Research \nService, thank you for the opportunity to testify today.\n    I will try to put what you have heard from previous \nwitnesses in context with respect to both long-term challenges \nand near-term needs in cybersecurity and the federal role in \naddressing them.\n    The technologies that process and communicate information \nhave become ubiquitous and are increasingly integral to almost \nevery facet of modern life. These technologies and the \ninformation they manage are collectively known as cyberspace, \nwhich may well be the most rapidly evolving technology space in \nhuman history. This growth refers not only to how big \ncyberspace is but also to what it is. Social media, mobile \ndevices, cloud computing, big data, and the internet of \nthings--these are all recent developments and all are \nincreasingly important facets of cyberspace. It is difficult to \npredict how cyberspace will continue to evolve but it is \nprobably safe to expect the evolution to continue for many \nyears.\n    That is not to say that all of cyberspace has changed. \nBasic aspects of how the internet works are decades old, and \nobsolete hardware, software, and practices may persist for many \nyears. All of this makes the cyberspace environment a daunting \nchallenge for cybersecurity. Three other major challenges \nrelate to design, incentives, and consensus. Building security \ninto the design of cyberspace has proven to be difficult. The \nincentive structure within cyberspace does not particularly \nfavor cybersecurity, and significant barriers persist for \ndeveloping consensus on what cybersecurity involves and how \nto implement it effectively.\n    No matter how important such challenges are, they do not \ndiminish the need to secure cyberspace in the short-term. That \nincludes reducing risk by removing threats, hardening \nvulnerabilities, and taking steps to lessen the impacts of \ncyber attacks. 
It also includes addressing needs such as \nreducing barriers to information-sharing, building a capable \ncybersecurity workforce, and fighting cybercrime.\n    Federal agencies play significant roles in addressing those \nnear-term needs and meeting the long-term challenges. Under the \nFederal Information Security Management Act, known as FISMA, \nall federal agencies are responsible for securing their own \nsystems. Private-sector contractors acting on behalf of federal \nagencies must also meet FISMA requirements. In Fiscal Year \n2013, federal agencies spent $10.3 billion on those activities, \nabout 14 percent of agency information-technology budgets. \nFederal agencies also have responsibilities for other \ncybersecurity functions. Research and development, along with \neducation, are the two probably most focused on addressing \nlong-term challenges. Others, such as technical standards and \nsupport, law enforcement, and regulation, focus more on meeting \nimmediate needs.\n    You have already heard about NIST and NSF. Among other \nagencies, the Department of Energy supports cybersecurity \nefforts in the energy sector. Several of its 17 National \nLaboratories also engage in cybersecurity R&D and education. \nThe Department of Defense, in addition to military operations, \nalso engages in cybersecurity R&D and education. Altogether, \nDOD agencies account for more than 60 percent of reported \nfederal funding for cybersecurity R&D.\n    The Department of Homeland Security fulfills several \ncybersecurity functions. In the Science and Technology \nDirectorate, the Cybersecurity Division focuses on developing \nand delivering new cybersecurity technologies and other tools. \nThe Department spent $75 million on cybersecurity R&D in 2013, \nmore than DOE and NIST but also less than NSF and much less \nthan DOD.\n    Another department responsibility is coordinating the \noperational security of federal systems under FISMA. 
The \ndepartment also plays a significant role in law enforcement but \nperhaps is best known for coordinating federal efforts to \nimprove the security of critical infrastructure, most of which \nis controlled by the private sector.\n    Most private-sector department activities are voluntary, \nbut the department also has some regulatory authority over the \ntransportation and chemical sectors. Several other agencies \nalso have regulatory responsibilities relating to cybersecurity \nin the 16 recognized critical infrastructure sectors.\n    The role of federal regulation in cybersecurity has been a \nsignificant source of controversy, along with how to remove \nbarriers to information-sharing while protecting proprietary \nand personal information, and the proper roles of different \nfederal agencies in various cybersecurity activities.\n    That concludes my testimony. Once again, thank you for \nasking me to appear before you today.\n    [The prepared statement of Dr. Fischer follows:]\n   \n   [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n    \n    Chairwoman Comstock. Thank you. I now recognize Mr. Dean \nGarfield.\n\n                TESTIMONY OF MR. DEAN GARFIELD,\n\n                       PRESIDENT AND CEO,\n\n            INFORMATION TECHNOLOGY INDUSTRY COUNCIL\n\n    Mr. Garfield. Thank you, Chairwoman Comstock, Chairman \nSmith, Ranking Member Lipinski.\n    On behalf of 60 of the most dynamic and innovative \ncompanies in the world that make up the global IT sector, I \nwould like to thank you for the opportunity to be in front of \nyou today and to thank you as well for focusing on this issue. \nWe think it is an issue that has the potential for bipartisan \ncollaboration and want to seize that opportunity.\n    With that in mind, I would like to focus on three things: \n1) how we are experiencing the cybersecurity threat today; 2) \nwhat we are doing about it; and then 3) how Congress can help. \nWith regard to the first, as Dr. 
Fischer pointed out, we are \nliving in an increasingly globally integrated and \ninterconnected world. As a result, cyber criminals are seeking \nto exploit that. Gone are the days when we had intermittent \nviruses and instead we face a world, as my colleague Cheri \nMcGuire pointed out, where we consistently face a threat that \nis increasingly global, increasingly sophisticated, and \nincreasingly persistent. We are seeing advanced persistent \nthreats where cyber criminals are penetrating our networks in \nphases, avoiding detection, and doing damage over a long period \nof time. As well, the threat is increasingly asymmetric and so \nthe risks to the banking sector are often quite distinct from \nthe risks to the manufacturing sector or the tech sector.\n    The reality is there is no silver bullet solution so what \nare we doing about it? In a word, a lot. Increasingly, our \napproach is based on risk mitigation and resilience. You see \nthat both in the products that we are bringing into the \nmarketplace, as well as the processes that we are integrating \ninto our businesses. With the products in the marketplace, you \nare already seeing the results of the billions of dollars that \nwe spend on R&D, whether that is through advanced data \nanalytics that is allowing us to get ahead of cyber criminals \nor in the integration of biometrics, as you see in many of your \nmobile devices today, including your cell phone, which are all \nmaking a difference.\n    In addition to the work that we undertake with our products \nthat are making their way into the market, we are making \nchanges in our business processes that we would advocate for \nall businesses generally. One, we are increasingly making \ncybersecurity the default norm, so rather than turning on a \ncybersecurity feature, we are building products and developing \nsystems where they come as a built-in part of the practice.\n    Secondly, we are increasingly relying on managed services. 
\nSo rather than relying on the IT person who may or may not know \nanything about cybersecurity, we are relying heavily on \ncybersecurity professionals in carrying out work on \ncybersecurity within our company in network management.\n    As well, we are making sure that cybersecurity is a part of \nevery aspect of our business, and with that in mind, it is \nworth commending NIST for the work that they have done on the \ncybersecurity framework, which has done a great job in making \nthat the case for both large and small businesses.\n    So what can Congress do? There are four things that we \nwould recommend. One is making sure that the laws that are on \nthe books and our enforcement of those laws are adequate to \nmeet the challenge and the evolving nature of that challenge \nthat we face today.\n    Second, as all of the doctors on the panel have pointed \nout, it is important to have adequate funding for early-stage \nresearch, as well as for the work that NIST is doing to advance \na framework to make it increasingly the norm for all \nbusinesses.\n    Third, it is important that we have legislation that helps \nus to disseminate cyber threat information more broadly. That \nis an opportunity for a bipartisan consensus in action and we \nhope that Congress will act on that this year.\n    Fourth, cybersecurity and cybersecurity risk management is \nnot a technology issue; it is a national issue, and so it is \nimportant that all of us, including the Members of Congress, \ntake advantage of the bully pulpit we have to educate the \npublic about cybersecurity. 
So when you have your roundtables \nin your district, or I speak, it is important to include \ncybersecurity as one of the default points that we share with \nthe public.\n    There is--the challenge, as all of the panelists have \npointed out, is quite significant, but if we take advantage of \nthose four steps and work collaboratively, we think there is an \nopportunity to make significant headway in addressing this \nissue. So thank you.\n    [The prepared statement of Mr. Garfield follows:]\n   \n   [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n   \n    Chairwoman Comstock. I thank the witnesses for their \ntestimony and now the Committee rules limit our questioning to \nfive minutes and so as the Chair I will do the opening round of \nquestions.\n    So actually I would like to pick up on your four points, \nMr. Garfield, but have you all address. Given it is a national \nissue, what would you recommend that we, when we go home, that \nwe tell people how to--you know, at our town halls, how to \nengage, what they can do personally at home and maybe some of \nthese 90 percent of the breaches that we can prevent, what can \nwe do with the public education to prevent those most common?\n    Mr. Garfield. I can start and do something quite simple, \nwhich is you have heard a lot of data around the risk that we \nall present because oftentimes cyber breaches are caused by \nhuman error, and so making sure that we are using multilevel \nauthentication, for example, so not just relying simply on a \npassword. To the extent that your technology isn't deploying \ncyber as a default, turning it on so that you have the benefit \nof all the research and development that is taking place.\n    The other thing that I would say is we often make common \nmistakes. You know, we post our passwords on our computer, and \nso moving away from doing things like that makes us vulnerable \nis an important part of----\n    Chairwoman Comstock. 
Sort of like don't leave the keys in \nthe car.\n    Mr. Garfield. Exactly.\n    Chairwoman Comstock. Okay.\n    Ms. McGuire. So there are a couple of additional things \nthat I will add to Dean's list. The first is make sure that you \nare using very strong and complex passwords. You have heard a \nlot about the research and development going on today both \nwithin the NSF and NIST around new authentication methods and \npassword technology but this is one of the most basic things \nthat people can do today. Be careful when you are developing \nyour passwords not to use things that you have posted on your \nsocial media site. What an easy way to socially engineer your \npassword. Also make sure that you keep your security products \nand your systems up-to-date, keep them patched, and that will \nhelp give you quite a bit of protection, and then be aware--\nalways be aware. Just as you are walking down the street, being \naware of your surroundings, be aware of your surroundings when \nyou are online. Be careful about accepting emails or clicking \non attachments for things that you may not be sure of what they \nare and be very aware of that because that is the most common \nway of getting your computer infected is clicking on something \nthat maybe you shouldn't have.\n    Chairwoman Comstock. Any--sure.\n    Dr. Kurose. Yes. I would like to just raise two quick \npoints. First, in terms of what we do, certainly a sustained \ninvestment in fundamental research is incredibly important, but \nwe need to really focus on the root causes of cybersecurity \nchallenges, not just treating the symptoms. I mean we do need \nto do both but I think the need for fundamental research is \ncritical.\n    And something that I think you have heard all the panelists \ntalk about is that it is a socio-technical problem. Technology \nalone is not going to solve the problem. 
It is technology \ntogether with the correct application and the understanding of \nthe human dimension and the social dimension of security is \nvery important.\n    Chairwoman Comstock. And then maybe to all of you again, \nhow do you, as you gather this expertise and we constantly have \nto adapt and change, how do you prevent the person who is \nworking with your company or working within the government \ntoday, kind of catching the bad guys and catching the cyber \nthreats and the hacktivists, from not turning into the bad guy \nwho is now going out with that knowledge and doing that and how \ndo we prevent that and what kind of safety measures and \nprocesses do we have to have in place in the public sector and \nthe private sector? I know that is pretty broad but----\n    Dr. Romine. Well, certainly I can--the insider threat is \none of the most challenging things to address principally \nbecause, by definition, you are talking about someone that you \nview as a trusted entity so you have to be very cautious about \ndemonstrating that you don't trust your own people, so you have \nto be very careful about that.\n    From our perspective I think we are coming to a situation \nwhere increasingly we have more tools at our disposal to do the \ndata analytics for some of the things that are going on within \nan organization, and there are opportunities to detect \nanomalous behavior that might reveal that kind of insider \nthreat.\n    Ms. McGuire. And I would just add to that that there are \ntechnologies out there today such as data loss prevention \ntechnologies, setting your controls appropriately within \ncorporations and governments that will allow you to see how \ndata traverses your network and actually alarm and trigger when \nyour data is moving to places that it shouldn't be. So those \nare technologies that are very much available today and could \nin fact prevent a lot of bad things from happening.\n    Chairwoman Comstock. Okay. Thank you. 
Thank you. And now I \nrecognize Mr. Lipinski for five minutes.\n    Mr. Lipinski. Thank you, Madam Chairwoman. I want to thank \nthe witnesses for their testimony and I just want to pick up on \none thing that we were discussing in the Chairwoman's questions \nis that Dr. Kurose talked about--he said it was a socio-\ntechnical problem in terms of security, and I think that points \nout the importance of social science research that is done to \nhelp us better understand and to teach people how to, you know, \navoid stepping into these--a lot of these cyber problems and \nbeing victims of cyber crimes.\n    But I wanted to--my first question I wanted to ask Dr. \nKurose, Dr. Romine, and Dr. Fischer. For years we have heard \nfrom nongovernmental experts about weaknesses in interagency \ncoordination of cybersecurity R&D. The civilian agencies with \ncybersecurity research programs developed a federal \ncybersecurity R&D strategy in December 2011. As I noted in my \nopening, the Cybersecurity Enhancement Act that passed last \nmonth strengthened interagency coordination in this area. And I \nknow the Cybersecurity Enhancement Act is very new so there may \nor may not be anything much you can say about that.\n    But I want to also ask how the--how has the federal R&D \nstrategy influenced your own agency's cybersecurity R&D \nportfolio and how has it strengthened interagency coordination \nand collaboration. Dr. Kurose?\n    Dr. Kurose. Thank you. I would like to just quickly mention \nthen the Networking and Information Technology Research and \nDevelopment program, NITRD, that we talked about a little bit \nearlier. This provides an interagency coordination mechanism \nand there are specific subcommittees there, one on \ncybersecurity and information assurance, and that is a vehicle \nby which representatives from multiple agencies can get \ntogether and activities can be coordinated. 
And one of the co-\nchairs from the cybersecurity subcommittee there is from the \nNational Science Foundation and the activities there very much \nfind their way back into our discussions at the National \nScience Foundation.\n    Mr. Lipinski. Thank you. Dr. Romine?\n    Dr. Romine. Yes, I would like to echo what Dr. Kurose said \nabout the value of having a standing interagency working group \non cybersecurity and information assurance. That is one of the \nmore robust groups I think under the NITRD program and there is \na lot of conversation that takes place across federal agencies \nand a lot of coordination around specific topics.\n    There have been some strategic planning activities in the \npast that the interagency working group has undertaken. The \nagencies among the NITRD program established a senior steering \ngroup in this arena to bring together more senior people who \nhave budget authority within their organizations to coordinate \nsome of the investments that are being made, and so I think \nthat has paid dividends, in particular, the emphasis on the \nscience of cybersecurity emerged from that conversation that \nwas taking place.\n    Mr. Lipinski. Dr. Fischer.\n    Dr. Fischer. I would just like to add that certainly I \nthink if one looks at the history of coordination across \nfederal agencies with respect to cybersecurity, clearly there \nhave been--that has increased. One of the questions one has to \nkeep in mind is that coordination also has some cost associated \nwith it. That is to say one doesn't want--potential costs I \nshould say. One doesn't want the coordination to reduce the \nability of individual agencies to invest in, you know, \nconsensus mission goals and so that has to be taken into \naccount. 
And sometimes for somebody like us looking at, you \nknow, trying to analyze some of the interagency documents, it \ncan be a little difficult to figure out exactly what they mean \njust because it is relatively complicated.\n    Mr. Lipinski. Thank you. And I want to ask Mr. Garfield and \nMs. McGuire, anything quickly you could add about your view of \nfederal cybersecurity R&D, something else that--anything else \nthat should be done, done differently? Ms. McGuire, Mr. \nGarfield, whoever wants to----\n    Mr. Garfield. I wouldn't necessarily suggest that something \ndifferent has to be done. I think there is research that has to \noccur in early stages that have impact over the long-term that \nthe public sector is well-positioned to do, and so making sure \nthat there is adequate funding for that innovation and R&D to \noccur so that we can stay ahead of the cybercriminals is \ncritically important.\n    Mr. Lipinski. Thank you. I yield back.\n    Chairwoman Comstock. Thank you. I now recognize Mr. \nHultgren for five minutes.\n    Mr. Hultgren. Thank you, Chairwoman.\n    Thank you all for being here. This is obviously a very \nimportant subject for us and have--I have got a lot of \nquestions in a lot of different directions.\n    But first, I would like to just get a little bit of a \nresponse from you. There was some mention--I think Dr. Romine \nmentioned about passwords and effectiveness of passwords. It \nseems like there was a lot of nodding heads going on with that. \nTo me it seems like passwords are very effective of keeping me \noff my own computer because I keep forgetting them. I am \nwondering if there could be a way that the hackers could remind \nme of my passwords because I keep forgetting them.\n    But I wonder if you could talk just a little bit more about \nthat, of what is the next step, what is the research, where are \nwe at on that? 
Specifically, is there R&D that holds promise \nfor a better option or solutions in passwords?\n    Chairwoman Comstock. Great question.\n    Dr. Romine. Absolutely. I can talk from the NIST \nperspective. We have started a program on what we call the \nusability of security, and usability is a scientific \ndiscipline, a quantitative discipline to determine--our mantra \nin this case is we want to make it easy to do the right thing, \nhard to do the wrong thing, and easy to recover when the wrong \nthing happens anyway. Those are the three principles that I \nlike to talk about. By the way, I shamelessly stole that from a \ncolleague.\n    Mr. Hultgren. It is a good one.\n    Dr. Romine. From our perspective, we now have research \nresults suggesting exactly as you say. We have had, for years, \nanecdotal evidence suggesting that passwords just don't work. \nWe have been able to collect validated data now suggesting that \nwhen you make passwords more complex, which you have to do \nbecause if they are easy, if they are simple, then they are \nguessable. But if you make them too complex, then people find \nways around the security by writing them down, by storing \nthem in plain text files and so on. So it is really sort of \ncounter--it can be counterproductive.\n    The NSTIC program that NIST manages, which is a nationwide \nprogram where we have the program office, is pledged to \nessentially deal with this authentication problem. Password is \nonly one way of authenticating to the system, and it is, as we \nknow, now a pretty poor way to do it in general and yet it is \nubiquitous. It is universal. And the NSTIC program is pledged \nto, as they say, put a stake in the heart of the password. We \nare trying to transition to other means but----\n    Mr. Hultgren. What is your guess on when that could happen? \nI mean what is a timeline, possible time frame?\n    Dr. Romine. 
Well, the investments that have been made in \npilots, and we have 13 pilots running now, sort of span from, \nyou know, authentication through a mechanism, a token, through \nbiometrics, through two-factor authentication I think, as Dean \nalluded to earlier, or as Dr. Fischer alluded to.\n    So I don't know the exact timeline. I know that we are \nmaking strides in that area, we are making investments, and we \nare making it clear that we have now validated evidence that \npasswords are flawed as a mechanism for authentication.\n    Mr. Garfield. Some of those technologies are already in the \nmarketplace. I think Ms. McGuire made the point as well. I mean \nmany of the mobile devices that are being sold today do have \nbiometric authentication instead of passwords, and so \nincreasingly that is being deployed commercially.\n    Mr. Hultgren. Okay.\n    Dr. Kurose. So if I might add that I think you really hit \nthe nail on the head. Passwords are something that we all have \nto wrestle with and I think research has shown that a one-size-\nfits-all approach isn't really a good way to proceed forward. \nThere has been work that looks at trying to adapt the kinds of \nauthentication that a system is going to use to determine who \nthe individual is; there is a research project at Berkeley \ngoing on, and also some very interesting research that went on \nat Carnegie Mellon about passwords in particular. Is it length, \nis it complexity--what are the best ways to have users work \nwith passwords when you have password-protected systems, and \nthen how do you feed information back to the user to help the \nuser along?\n    Mr. Hultgren. Let me switch gears real quick. As a parent, \nI am amazed at how quickly young people pick up on new \ntechnology. I have seen in my own office when I struggle with a \nnew technology, I call my staff and leave them a voicemail \nmessage, wait for them to get back to me. 
If they can't figure \nit out, they text my kids and get an answer right away. But \nwith the access kids have, there is also concern that comes \nwith that and I just wonder if you could talk briefly about \ncurrent parental control technology. Is it adequately \nprotecting minors? I still have a 10-year-old and 13-year-old \nat home, as well as older kids, but concerned certainly of \nprotection but then also something that predators are coming \nafter them, not waiting for them to find problem areas. So I \nwanted to just get your thoughts of how adequate this is and \nwhat is happening there.\n    Ms. McGuire. So I will jump in on this one.\n    Mr. Hultgren. Thanks.\n    Ms. McGuire. So online child safety is a critical concern \nthat all of us have, and particularly, as you mentioned, as \nkids are surfing and going everywhere, it is really hard to \nmonitor that as a parent so there are tools available. \nCertainly we have them in our Norton Security products. Other \nproducts out there have--give the parent the ability to go \nin and type in keywords, block certain websites, and so forth. \nSo those are there today.\n    Mr. Hultgren. Do you feel like they are pretty effective \nin----\n    Ms. McGuire. Our customers tell us that they are effective \nand so we believe that they help significantly that--there.\n    The other part of this, though, and it goes to this socio-\ntechnological issue, is we have to start with our kids when \nthey are first picking up a device and start training them to \nbe careful, to be aware online, to be safe online. It has got \nto start immediately and also we need to include that in our \nschool curriculum. You know, we teach kids in general safety \nbut we don't often teach them about cybersecurity, so that is a \nbig area that can help.\n    Mr. Hultgren. I see my time is up. Thank you, Chairwoman. I \nappreciate your generosity.\n    Chairwoman Comstock. Thank you. And I now recognize Mr. 
\nMoolenaar, our Vice Chairman.\n    Mr. Moolenaar. Thank you, Madam Chair. And I appreciate the \ntestimony today.\n    I also wanted to follow up on some of the areas of \ncybersecurity with respect to our critical infrastructure, and \nyou had mentioned earlier, you know, the area of energy, our \nelectric grid, I would think water, our water supply. And I \nguess my basic question is what is the role of research in this \narea? How important is that? And also, if there is research \ndone and that is applied, how much time is it good for? Is this \nsomething that, you know, it lasts for a year? Is it \nsomething--you know, what is the length of duration that \ninformation is valid?\n    Dr. Romine. So I would like to talk to the first half of \nthat question on the protection of critical infrastructure. \nThis is something that NIST was called upon to do in the \ndevelopment of the framework under the Executive Order 13636. \nAnd the way that we approached that was to hold a series of \nworkshops around the country with the vigorous participation of \nindustry across all of the sectors, as well as the information \ntechnology industry itself, and I know Ms. McGuire's company \nand Mr. Garfield's, the companies that he represents were also \nvigorous participants in that process. That led to a consensus \ndocument that was spearheaded principally by the private sector \nbut with our sort of guidance with regard to what is effective \nas a document. So we were able to put together a framework that \nI think really helps to improve--or has the potential to help \nimprove critical infrastructure cybersecurity and I think it is \nbeginning to have that effect.\n    Mr. Garfield. 
And if I may add, I think the approach that \nwas taken by NIST in putting that together is really a model \nfor undertaking this work.\n    Related to the second question you asked about the time \nperiod, it is important to keep in mind that cybersecurity \ncriminals are always adapting and evolving and so it's \nimportant that we continue this work and continue to evolve it \nas well.\n    Dr. Kurose. So I would like to add also the notion of \n``security by design'' rather than reacting to particular \nthreats--designing security is really a first-class \nconsideration and the systems that we are building and the \ncomponents in the system that we are building are critical. I \nwould point out--I had mentioned the collaboration NSF has with \nthe Semiconductor Research Corporation. There the notion is \nthat the chips that we are building we want to be able to make \nsure that there haven't been back doors or other malware \nactually inserted into the chips during the fabrication process \nand during the design process, so that when those chips come \nout we are sure that they are going to act and behave the way \nthey are supposed to be behaving. That is an instance of \nsecurity by design.\n    The other point I would make is critical infrastructure, it \nis not just social networks that affect society, but personal \ndevices like medical devices as well, so a lot of activity is \ngoing on there also.\n    Dr. Fischer. If I could just add that with respect to the \nquestion of what kinds of R&D is needed, there are many \ndifferent aspects to protecting critical infrastructure--for \nexample, control systems which we really haven't talked about \ntoday, many of which have been very much a legacy and not \nreally designed with security in mind. And so R&D to determine \nwhat the best way is to design control systems so that they \nwork in a highly connected environment is important. 
The \nquestion of to what degree you can actually separate out \ncritical infrastructure systems from the rest of the internet \nis important.\n    And also worth noting, as some of the other witnesses have \nmentioned, is the importance of social and behavioral research \nin determining what are the best ways for operators to help \nprotect critical infrastructure.\n    Mr. Moolenaar. I guess just one final question also is when \nyou are working on something like this in the area of critical \ninfrastructure, let's just say in the electric grid, how--and \nthis gets to the question of oversight, collaboration with \ndifferent agencies. You have got, you know, Homeland Security \ninvolved, you have the energy--FERC. I mean is that something \nthat is--are you collaborating industry by industry?\n    Dr. Romine. The workshops that we undertook were in general \ninclusive of many different sectors. However, we have had \nconversations with sector-specific groups as well, and in fact, \nthe output, the actual document or the framework itself is \nreliant upon much of the input that we got from these regulated \nsectors, including the regulators themselves who showed up at \nthe workshops and gave us input on what could be valuable for \nthem.\n    Mr. Moolenaar. Okay. Thank you, Madam Chair.\n    Chairwoman Comstock. Thank you. I now recognize Mr. \nNewhouse for five minutes.\n    Mr. Newhouse. First of all, thank you, Madam Chair, for \nallowing me to sit in on your Committee. You know, as a \nfreshman, we had the opportunity for several sessions on \ncybersecurity at our orientation retreats. We learned just \nenough to be concerned and not enough to know what to do about \nit and so I appreciate the opportunity to sit here. In fact, in \none of those sessions, just an hour before we sat down, my wife \ncalled me and told me someone was using our Visa card in Texas. 
\nWe hadn't been to Texas in several years so we were concerned \nabout that.\n    So I have a couple questions and just real quickly and I \nknow that we are probably going to be leaving for the Floor \nshortly, but, first of all, last week--and since you read it in \nthe paper it must be true--the Associated Press reported at \nleast 50 data-mining companies are allowed to perch on the \nHealthCare.gov website and access personal information entered \nby millions of Americans who come to the website for health \ninsurance. As you know, these data-mining companies scour the \ninternet constantly for all kinds of information about us. \nWithout permission or consent from those who are being spied \non, they sell that information to any number of people. So \nperhaps Dr. Romine and Ms. McGuire, first Dr. Romine, does the \nNIST Cybersecurity Framework contemplate that, that a federal \nagency would be certified and then allow scores of data-mining \ncompanies to set up shop at a website like that and collect \nsensitive information?\n    Dr. Romine. It certainly does not address that very \nspecific issue. What it does address, however, is privacy \nconsiderations in a more general context. 
And I think one of \nthe things that the Framework spells out is the need for \ncompanies who are setting up cybersecurity risk management \nstructures within their company, whether it is a 10-person \ncompany or whether it is a multibillion-dollar, multinational \ncorporation, that they have to ensure that privacy \nconsiderations are taken into account and there are guidelines \nfor how to do that.\n    So I don't have any remarks to make on the specific issues \nin this case, but in general, the Framework does have a pretty \nstrong statement about privacy, and NIST has embarked on a \nprivacy engineering research activity partly as a result of \nwhat we learned from the Framework process, that there needs to \nbe more guidance and more tools available for people to promote \nprivacy considerations.\n    Mr. Newhouse. And, Ms. McGuire, if you could comment on the \npresence of so many of those data-mining companies and whether \nor not that makes the website more vulnerable to attacks.\n    Ms. McGuire. So I can't obviously speak to the specifics of \nthe technology of what is being used as I am not intimately \nfamiliar with the HealthCare.gov website. I do find it \nsurprising, though, that there are that many additive websites \nor technologies that are able to access the data. Certainly \nopening up the network, that would indicate that it would \nprovide some additional vulnerability but I don't know all the \nspecifics so----\n    Mr. Newhouse. Fair enough. Yeah. Then if I may, one last \nquestion, Madam Chair. And perhaps again, Ms. McGuire and \nperhaps Mr. Garfield, business sectors that may be most \nvulnerable to cyber attack and, you know, we are in Congress \nlooking at what role government could or should play in helping \nprotect businesses from cyber threats, could you help us a \nlittle bit, enlighten us there?\n    Ms. McGuire. Sure. 
So I talked briefly about what some of \nour telemetry tells us about specific sectors and what--the \nones that are most targeted for attacks. Interestingly enough, \npublic sector entities, government institutions because they \nare such a wealth of knowledge and information. From Social \nSecurity identity numbers, all the way to healthcare to \nretirement benefits, these public sector websites and data \nrepositories clearly are targeted at a very high rate.\n    Also, we see the banking and finance sector, pretty much \nanywhere that you are going to have a rich set of data, that is \nwhere the cyber criminals will target. And happy to provide and \nfollow up but we have a pretty good list of sort of a ranking \nof the most targeted sectors that we see from our global \ntelemetry.\n    Mr. Newhouse. Maybe what can we do about that?\n    Mr. Garfield. Yeah, the one thing I would add is related to \nthat. The reality is that criminals are looking for \nvulnerabilities wherever they can find them, and so to the \nextent that we can figure out ways of sharing the threat matrix \nmore broadly, then I think it would be a great assistance to \nus. And there is already movement in Congress around advancing \nlegislation that would deal with the sharing of cyber threat \ninformation. Passing that legislation is one very concrete \nthing that I think you could do in the short term.\n    Mr. Newhouse. Thank you.\n    Mr. Garfield. You are welcome.\n    Mr. Newhouse. Thank you, Madam Chair.\n    Chairwoman Comstock. Thank you.\n    I just had one. I think we have votes so we may not get to \na second round but I did have one question I wanted to follow \nup on.\n    Do you see attacks sort of--the Christmas holidays and the \nopportunity for financial attacks, is that a time to sort of \nflood the zone and have attacks--like I usually would get \ncalled--like the gentleman said, they call, hey, are you in \nHawaii buying such and such? 
Like no, that is not me, don't \nokay it.\n    But I had a situation where after Christmas I show up in a \nstore, my card has a problem in a department store and they \nsaid we have--we see something that you had $7,000 worth of \ncosmetics that you sent to California right before Christmas. \nNo, we didn't do that. But they had not called me, which got me \nthinking do they target that sort of Christmas time, that rush \ntime because they know sort of in their rush to get things \nthrough, that may be the time they weren't calling people? In \nthis case it was the 23rd, the 24th, and the 26th but all those \nthings were purchased and shipped. Fortunately, they took them \noff the card before they showed up at my home and horrified \neverybody but----\n    Ms. McGuire. Yeah, so your observation is spot on in that \ncyber criminals will take advantage of any social activity, any \nmajor events. We saw, for example, around the Summer Olympics \nwe saw lots of new types of scams associated with that, the \nWorld Cup, lots of new scams with that. Even the royal wedding \nin the U.K., there were a plethora of new online scams that \nwere built around that knowing that people would be searching \nand going to websites to look up these types of current events. \nSo, yes, in short those international events, major national \nholidays, et cetera, do create additional levels of risk.\n    Chairwoman Comstock. So in terms of best practices, those \nkind of things should be--set off bells or time frames so that \nwe are doing extra work in those time frames?\n    Ms. McGuire. Yeah. You should be careful all of the time \nbut those especially can be more intense if you will.\n    Dr. Fischer. 
I should mention that this relates certainly \nto cybercrime aimed at consumers, but there is also the \nquestion about timing of cyber attacks aimed at, say, critical \ninfrastructure, and one of the sort of hallmarks of cyber \ncriminals who are interested or spies who are interested in, \nsay, getting proprietary information, intellectual property \ninformation, national security secrets, or whatever is that \nthey will try to target a system in such a way that they can \nget in, exfiltrate the information, and then get out without \nanybody knowing. So it is common--one of the sort of common \nassessments is that businesses can often take months before \nthey actually realize that they have been the victim of a \nsuccessful cyber attack and it can just take hours to \nexfiltrate the information. So to a certain extent, with \nrespect to--as I say, it really depends on the importance of \nthe timing really depends on what the sector is that is being \ntargeted.\n    Mr. Garfield. If I could add, too, just some things that \nCongress can do very concretely around this question, one is \nmaking sure that there are adequate resources to address the \ncriminals, right, because if it is viewed as a crime without a \npenalty, then people will be incentivized to continue to do it. \nThe second is you make the point that you would normally--in \nthe normal course be warned about it, but during that period of \ntime, it wasn't, making sure that there are adequate resources \naround R&D so that the technologies that are being deployed \nthat detect abnormal behavior are widely distributed. And so \nthose are two things that Congress can do that can be helpful \nin this area.\n    Chairwoman Comstock. And then how do we--because, you know, \nthe concerns of privacy, you know, people--you always \nappreciate when you get that phone call but then the next \nquestion is, well, how do you know where I am and what I am \nbuying? 
It gives people a bit--but obviously in this case I was \nlucky they took it all off my credit card. You know, how do \nthey balance that?\n    Ms. McGuire. So today there are mostly algorithms that are \nall predominantly----\n    Chairwoman Comstock. Right.\n    Ms. McGuire. --done by the machines themselves to catch \nthose exact kinds of flags if you will of unusual behavior or \nunusual activity. And then of course you end up getting a phone \ncall from a real person hopefully to----\n    Chairwoman Comstock. So part of the public education that \nwe do with the public is we need to separate the algorithms and \nthe patterns that you are looking at there are separate from, \nsay, when Google is getting all of our HealthCare.gov \ninformation. So there--these are two--they often get lumped \ntogether whereas it is two very separate things. This is the \nmachine kind of going through data, not looking at what I am \nbuying at the department store, just flagging things as opposed \nto somebody getting my data and knowing when I am on a \nparticular site and that getting pushed out somewhere. So those \nare two very different types of situations, right?\n    Mr. Garfield. You could have a whole hearing around data \nanalytics. I am not suggesting--necessarily suggesting it but \nyou make a very good point that often people will hear big data \nor data analytics and think that it is personal to them. In \nalmost all instances what is happening, there are computers \nthat are looking at patterns and then not looking at \nindividuals or individual data, and based on normal patterns, \nthen passing that on to someone else. And so in this instance \nand in most instances it is actually an advancement that we \nwant to see because in the end it helps us in society.\n    Chairwoman Comstock. Right. Thank you.\n    And, Mr. Lipinski, did you have additional questions?\n    Mr. Lipinski. Yeah, thank you, Madam Chair. 
I think this \nwill be probably quick.\n    I just wanted to get back to HealthCare.gov, and my \nunderstanding is that companies are not actually perched on the \nHealthCare.gov but they are receiving--they are being given \ndata from there. Now, that is very different. It is still, I \nunderstand, a privacy issue, which is something certainly \nCongress can look at that, but as Mr. Garfield was talking \nabout data analytics, that is a whole different issue, \ncertainly something that, you know, we should be always \nconcerned about privacy.\n    But I want to ask Dr. Romine, HealthCare.gov is FISMA-\ncompliant. Could you just tell us what that means, what the \nFISMA standards are and how federal agency computer systems \nare--become FISMA-compliant?\n    Dr. Romine. Sure. The Federal Information Security \nManagement Act, or FISMA, provides NIST the opportunity to \ndevelop a collection of standards and guidelines that are used \nby federal agencies to secure their information systems. We do \nthat in a collaborative way with private sector involvement to \ntry to understand exactly what the right approach is for \nsecuring those systems. What we don't really have very often is \ninsight into that because we don't have an operational role; we \nhave a guidance role. We don't have insight into how federal \nagencies are doing--are complying with FISMA requirements or \nFISMA guidelines.\n    And so in the case of HealthCare.gov, for example, I have \nno direct information about the actual implementation of the \nFISMA guidelines but it is predicated on taking cybersecurity \nin a risk management approach, in an analogous way to what we \ndid with the framework for critical infrastructure \ncybersecurity improvement. 
And so the idea is to identify the \nrisks associated with the system and a catalog of risks and a \ncatalog of mitigations to adopt steps that are necessary to \nmitigate those risks and then assess the level of risk that the \nindividual organization that is appropriate for that \norganization or for that particular system. So that is the \napproach that is taken, but as I say, with regard to any \nspecific agency, it is really the CIO responsibility along with \nthe Inspector General who follows up on ensuring that the \nguidelines are met.\n    Mr. Lipinski. Thank you very much. I don't want in any way \nmy statements or questions to suggest that everything is \nwonderful with HealthCare.gov or especially the D.C. website, \nwhich was completely atrocious once again for the second year \nin a row as we had to deal with that being in the system this \nyear. But I think the important thing is looking here at \nsecurity and, you know, we--as I said, privacy is another issue \nbut the security is something that I think we have talked about \nhere and had hearings here and have not found any issues with \nthat. So thank you very much.\n    Chairwoman Comstock. Okay. I believe, Mr. Newhouse, you \nwanted an additional question?\n    Mr. Newhouse. Well, I certainly could. We could talk about \nsome of these things for a long time but I guess following up a \nlittle bit, Dr. Romine--and I hope you don't feel picked on \ntoday, but----\n    Dr. Romine. Quite all right.\n    Mr. Newhouse. --that is the risk you take.\n    Dr. Romine. That is right.\n    Mr. Newhouse. You do play an important role, though, with \nregard to FISMA and it is--you talked a little bit about that \nrole in your work up-to-date. I just wanted to know if there \nare any recommendations that you might have that would be \nvaluable to us in any changes to the law?\n    Dr. Romine. Well, certainly I don't have any changes to the \nstatutes to recommend. 
I would--it will at least give me the \nopportunity to thank this Subcommittee and the Committee for \nthe work that we have done collaboratively. We have had a \nreally good working relationship between NIST and the \nSubcommittee and Committee over time and we appreciate that.\n    I think we are in a good spot with regard to a few things. \nOne is the FISMA risk management framework is really an \nimportant--it provides an important understanding of the \nappropriate balance between ensuring the ability of the private \nsector to innovate in this space and provide new services while \nat the same time maintaining an overall approach that balances \nthat against the associated risks. And because the information \ntechnology space is so dynamic, the risk management framework \nis also very adaptive and dynamic as well. And so I think it is \nthe appropriate mechanism. I appreciate the support.\n    Mr. Newhouse. And the Congress must be just as dynamic \nthen?\n    Dr. Fischer. If I may just mention with respect to FISMA \nimplementation, the last Congress enacted, as was mentioned, \nthe Federal Information Security Modernization Act of 2014, and \nthat act gave statutory authority to DHS for some operational \naspects of helping to ensure that agencies have adequate \ncybersecurity. The Obama Administration had administratively \ndelegated it, but previous to that the responsibilities lay \nentirely with OMB, which doesn't have operational capabilities. \nSo it remains to be seen to what extent the changes in the law \nwill lead to improvements in agencies' cybersecurity. Certainly \nDHS has a number of programs and activities that are aimed at \nthat.\n    Chairwoman Comstock. Okay. 
Well, I want to thank the \nwitnesses for their very valuable testimony and we so \nappreciate all of your expertise, both the public sector and \nthe private sector, and all that you are doing to bring that \ninformation to us and to the public, and we look forward to \ncontinuing to work with you. And I thank all the Members for \ntheir questions.\n    And I do want to note that the record will remain open for \ntwo weeks for additional comments or any information you would \nlike to provide and any written questions from the Members. So \nthe witnesses are now excused and this hearing is adjourned. \nThank you very much.\n    [Whereupon, at 3:28 p.m., the Subcommittee was adjourned.]\n\n\n\n                               Appendix I\n\n                              ----------                              \n\n\n      \n                   Answers to Post-Hearing Questions\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n</pre></body></html>\n"