[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]





                       THE EXPANDING CYBER THREAT

=======================================================================

                                HEARING

                               BEFORE THE

                SUBCOMMITTEE ON RESEARCH AND TECHNOLOGY

              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED FOURTEENTH CONGRESS

                             FIRST SESSION

                               __________

                            JANUARY 27, 2015

                               __________

                            Serial No. 114-2

                               __________

 Printed for the use of the Committee on Science, Space, and Technology

       Available via the World Wide Web: http://science.house.gov

                                      ______

                         U.S. GOVERNMENT PUBLISHING OFFICE 

93-880PDF                     WASHINGTON : 2015 
-----------------------------------------------------------------------
  For sale by the Superintendent of Documents, U.S. Government Publishing 
  Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; 
         DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, 
                          Washington, DC 20402-0001

              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY

                   HON. LAMAR S. SMITH, Texas, Chair
FRANK D. LUCAS, Oklahoma             EDDIE BERNICE JOHNSON, Texas
F. JAMES SENSENBRENNER, JR.          ZOE LOFGREN, California
DANA ROHRABACHER, California         DANIEL LIPINSKI, Illinois
RANDY NEUGEBAUER, Texas              DONNA F. EDWARDS, Maryland
MICHAEL T. McCAUL, Texas             FREDERICA S. WILSON, Florida
STEVEN M. PALAZZO, Mississippi       SUZANNE BONAMICI, Oregon
MO BROOKS, Alabama                   ERIC SWALWELL, California
RANDY HULTGREN, Illinois             ALAN GRAYSON, Florida
BILL POSEY, Florida                  AMI BERA, California
THOMAS MASSIE, Kentucky              ELIZABETH H. ESTY, Connecticut
JIM BRIDENSTINE, Oklahoma            MARC A. VEASEY, Texas
RANDY K. WEBER, Texas                KATHERINE M. CLARK, Massachusetts
BILL JOHNSON, Ohio                   DON S. BEYER, JR., Virginia
JOHN R. MOOLENAAR, Michigan          ED PERLMUTTER, Colorado
STEVE KNIGHT, California             PAUL TONKO, New York
BRIAN BABIN, Texas                   MARK TAKANO, California
BRUCE WESTERMAN, Arkansas            BILL FOSTER, Illinois
BARBARA COMSTOCK, Virginia
DAN NEWHOUSE, Washington
GARY PALMER, Alabama
BARRY LOUDERMILK, Georgia
                                 ------                                

                Subcommittee on Research and Technology

                 HON. BARBARA COMSTOCK, Virginia, Chair
FRANK D. LUCAS, Oklahoma             DANIEL LIPINSKI, Illinois
MICHAEL T. McCAUL, Texas
STEVEN M. PALAZZO, Mississippi
RANDY HULTGREN, Illinois
JOHN R. MOOLENAAR, Michigan
STEVE KNIGHT, California
BRUCE WESTERMAN, Arkansas
GARY PALMER, Alabama
LAMAR S. SMITH, Texas


                            C O N T E N T S

                            January 27, 2015

                                                                   Page
Witness List.....................................................     2

Hearing Charter..................................................     3

                           Opening Statements

Statement by Representative Barbara Comstock, Chairwoman, 
  Subcommittee on Research and Technology, Committee on Science, 
  Space, and Technology, U.S. House of Representatives...........     7
    Written Statement............................................     8

Statement by Representative Daniel Lipinski, Ranking Minority 
  Member, Subcommittee on Research and Technology, Committee on 
  Science, Space, and Technology, U.S. House of Representatives..     8
    Written Statement............................................    10

Statement by Representative Lamar S. Smith, Chairman, Committee 
  on Science, Space, and Technology, U.S. House of 
  Representatives................................................    11
    Written Statement............................................    12

                               Witnesses:

Ms. Cheri McGuire, Vice President, Global Government Affairs & 
  Cybersecurity Policy, Symantec Corporation
    Oral Statement...............................................    13
    Written Statement............................................    16

Dr. James Kurose, Assistant Director, Computer and Information 
  Science and Engineering (CISE) Directorate, National Science 
  Foundation
    Oral Statement...............................................    30
    Written Statement............................................    32

Dr. Charles H. Romine, Director, Information Technology 
  Laboratory, National Institute of Standards and Technology
    Oral Statement...............................................    56
    Written Statement............................................    58

Dr. Eric A. Fischer, Senior Specialist in Science and Technology, 
  Congressional Research Service
    Oral Statement...............................................    66
    Written Statement............................................    68

Mr. Dean Garfield, President and CEO, Information Technology 
  Industry Council
    Oral Statement...............................................    83
    Written Statement............................................    85

Discussion.......................................................    94

             Appendix I: Answers to Post-Hearing Questions

Ms. Cheri McGuire, Vice President, Global Government Affairs & 
  Cybersecurity Policy, Symantec Corporation.....................   108

Dr. James Kurose, Assistant Director, Computer and Information 
  Science and Engineering (CISE) Directorate, National Science 
  Foundation.....................................................   110

Dr. Charles H. Romine, Director, Information Technology 
  Laboratory, National Institute of Standards and Technology.....   117

Dr. Eric A. Fischer, Senior Specialist in Science and Technology, 
  Congressional Research Service.................................   118

Mr. Dean Garfield, President and CEO, Information Technology 
  Industry Council...............................................   122

 
                       THE EXPANDING CYBER THREAT

                              ----------                              


                       TUESDAY, JANUARY 27, 2015

                  House of Representatives,
                    Subcommittee on Research and Technology
               Committee on Science, Space, and Technology,
                                                   Washington, D.C.

    The Subcommittee met, pursuant to call, at 2:03 p.m., in 
Room 2318 of the Rayburn House Office Building, Hon. Barbara 
Comstock [Chairwoman of the Subcommittee] presiding.

    Chairwoman Comstock. The Subcommittee on Research and 
Technology will come to order.
    Without objection, the Chair is authorized to declare 
recesses of the Subcommittee at any time. We might be having 
some votes, I understand. I would just like to welcome everyone 
to today's hearing entitled ``The Expanding Cyber Threat.''
    Without objection, the Chair authorizes the participation 
of Mr. Lipinski, Ms. Lofgren, Ms. Bonamici, Ms. Clark, and Mr. 
Beyer for today's hearing. I understand Mr. Lipinski will serve 
as the Ranking Minority Member today and give an opening 
statement.
    In front of you are packets containing the written 
testimony, biographies, and truth-in-testimony disclosures for 
today's witnesses.
    Now, I will recognize myself for five minutes for an 
opening statement.
    Okay. I want to begin by thanking everyone for attending 
the first hearing of the Research and Technology Subcommittee 
in the 114th Congress. I look forward to working with the 
Members of the Subcommittee on the many issues that fall under 
the jurisdiction of this Subcommittee.
    The need to secure our information technology systems is a 
pervasive concern. Today's hearing marks the first of what will 
be several hearings, I imagine, to examine the topic of 
cybersecurity. We know we heard the President speak about this 
and we have--and the Chairman has been a big advocate of 
increased activity and concerns on this front so I look forward 
to continuing to work on this issue.
    The Subcommittee has jurisdiction over the National Science 
Foundation, the National Institute of Standards and Technology 
and the Department of Homeland Security's Science and 
Technology Directorate. These organizations play a role in 
supporting basic research and development, establishing 
standards and best practices, and working with industry on 
cybersecurity concerns. Advances in technology and the growing 
nature of every individual's online presence means 
cybersecurity needs to become an essential part of our everyday 
life.
    Instances of harmful cyber attacks are in the news 
regularly and expose the very real threats growing in this 
area. Financial information, medical records, personal data 
maintained on computer systems by individuals and organizations 
all continue to be vulnerable. Cyber attacks on companies like 
Sony or Target, as well as the U.S. Central Command, will not 
go away and we have to constantly adapt and intercept and stop 
these threats and engage in finding the best practices so that 
we make sure these attacks don't happen and we understand where 
and how they are coming at us and how we can stay ever 
vigilant.
    Utilizing targeted emails, spam, malware, bots and other 
tools, cyber criminals, ``hacktivists'' and nation states are 
every day attempting to access information technology systems 
all over the world and all over our country and in every area 
of our activities. The defense of these systems relies on 
professionals who can react to threats and proactively prepare 
those systems for attack.
    Our discussion about cybersecurity should examine the 
research that supports understanding how to defend and support 
our systems, as well as how to better prepare our workforce by 
producing experts in these fields and learning of best 
practices in both the public and private sector. Well-trained 
professionals are essential to the implementation of the best 
techniques. Institutions of higher education are working to 
create and improve cyber education and training programs 
focused on ensuring there are enough trained professionals to 
meet the needs of this growing industry.
    I look forward to hearing from our witnesses today as they 
provide an overview of the state of cybersecurity from the 
industry perspective and we learn how the federal government is 
playing a role in this important area.
    [The prepared statement of Ms. Comstock follows:]

                   Prepared Statement of Subcommittee
                      Chairwoman Barbara Comstock

    I want to begin by thanking everyone for attending the first 
hearing of the Research and Technology Subcommittee in the 114th 
Congress. I look forward to working with the Members of the 
Subcommittee on the many issues that fall under the jurisdiction of 
this Subcommittee.
    The need to secure our information technology systems is a 
pervasive concern. Today's hearing marks the first of what will be 
several hearings to examine the topic of cybersecurity.
    The Subcommittee has jurisdiction over the National Science 
Foundation, the National Institute of Standards and Technology and the 
Department of Homeland Security's Science and Technology Directorate. 
These organizations play a role in supporting basic research and 
development, establishing standards and best practices, and working 
with industry on cybersecurity concerns.
    Advances in technology and the growing nature of every individual's 
online presence means cybersecurity needs to become an essential part 
of our vernacular.
    Instances of harmful cyber-attacks are reported regularly and 
expose the very real threats growing in this area. Financial 
information, medical records, and personal data maintained on computer 
systems by individuals and organizations continue to be vulnerable. 
Cyber-attacks on companies like Sony or Target and the U.S. Central 
Command will not go away and we have to constantly adapt and intercept 
and stop these threats before they happen and understand where and how 
they are happening and stay ever vigilant.
    Utilizing targeted emails, spam, malware, bots and other tools, 
cyber criminals, ``hacktivists'' and nation states are attempting to 
access information technology systems all the time. The defense of 
these systems relies on professionals who can react to threats and 
proactively prepare those systems for attack.
    Our discussions about cybersecurity should examine the research 
that supports understanding how to defend and support our systems as 
well as how to better prepare our workforce by producing experts in 
these fields and learning of best practices in both the public and 
private sector. Well-trained professionals are essential to the 
implementation of security techniques. Institutions of higher education 
are working to create and improve cyber education and training programs 
focused on ensuring there are enough trained professionals to meet the 
needs of industry.
    I look forward to hearing from our witnesses today as they provide 
an overview of the state of cybersecurity from the industry perspective 
and we learn how the federal government is playing a role in this 
important area.

    Chairwoman Comstock. Now, I would like to recognize Ranking 
Member Mr. Lipinski for his opening statement.
    Mr. Lipinski. Thank you, Chairwoman Comstock, for holding 
this hearing on cybersecurity and I want to welcome you to the 
Science, Space, and Technology Committee. I am looking forward 
to working with you. I know that you worked for former member 
Frank Wolf and Frank Wolf was--I have a tremendous amount of 
respect for him and he was a big supporter of funding for 
research. He is a big supporter of research and technology, 
science, so I think hopefully we will have a lot of things that 
we can work together on in this Subcommittee, on the Committee.
    I also want to thank our witnesses for being here today on 
this very important topic.
    Cybersecurity remains a timely topic, the topic on which 
this Committee has an important role, and finally, is one for 
which we have much more agreement than disagreement across the 
aisle. So I am pleased that the Research and Technology 
Subcommittee is starting off the new Congress with this 
hearing.
    Cyber crimes are ever increasing. The threats are not only 
growing in number but in level of sophistication. Some cases, 
such as the recent Sony hack and a 2013 Target breach, are very 
high profile and are covered extensively in the media. Many, 
many more receive less attention. Two weeks ago the New York 
Times reported that hacking has gone mainstream. A website has 
been created to connect hackers to potential clients. And as of 
early January, at least 500 hacking jobs have been laid out to 
bid and at least 50 hackers signed up to do the dirty work.
    Cyber crime threatens our privacy, our pocketbooks, our 
safety, our economy, and our national security. Arriving at any 
precise value of losses to the American people and American 
economy is impossible, but the Center for Strategic and 
International Studies, in a study completed last June, reported 
that on average the United States loses 0.64 percent of its GDP 
to cybercrime. I know we will hear much more from our witnesses 
about the extent and the nature of the cyber threat.
    Two years ago President Obama signed an Executive Order to 
begin the process of strengthening our networks and critical 
infrastructure against cyber attack by increasing information-
sharing and establishing a framework for the development of 
standards and best practices, and this plays a key role in 
several of these efforts. You will hear about some of it today. 
But the President reminded us just two weeks ago that Congress 
must still act to pass comprehensive cybersecurity legislation. 
Fortunately, this is one area in which this Committee has 
responsibly legislated in the last few years.
    At the very end of 2014, the Cybersecurity Enhancement Act 
that I joined Mr. McCaul in introducing for several Congresses 
in a row was finally signed into law. That law does a number of 
things: it strengthens coordination and strategic planning for 
federal cybersecurity R&D; it codifies the NIST-led voluntary 
framework in the President's Executive Order; it strengthens 
and streamlines NIST-led processes by which federal agencies 
track security risks to their own systems; it codifies NSF's 
long-standing CyberSecurity Scholarship for Service program to 
ensure more qualified cyber experts are employed by federal, 
state, and local governments; it codifies the cybersecurity 
education and awareness efforts led by NIST; and finally, it 
authorizes several more important actions and programs led by 
NIST.
    I list all of these things in part so that all of the new 
members of the Science Committee understand just how essential 
NIST is to our government's cybersecurity efforts. It is one of 
the most important, least-known agencies in our government. I 
look forward to hearing about NIST's effort from Dr. Romine and 
how the new law will further strengthen NIST's leadership role 
in cybersecurity.
    I also look forward to hearing from Dr. Kurose about the 
critical and potentially transformative cybersecurity research 
programs funded by the National Science Foundation.
    And I look forward to hearing from the other three 
witnesses who can help educate us further about the importance 
of public-private partnerships and the areas where this 
Committee might look to address cybersecurity vulnerabilities 
during this Congress.
    Thank you, Madam Chairwoman, and I yield back the balance 
of my time.
    [The prepared statement of Mr. Lipinski follows:]

                   Prepared Statement of Subcommittee
                Minority Ranking Member Daniel Lipinski

    Thank you, Chairwoman Comstock for holding this hearing on 
cybersecurity, and welcome to the Science, Space, and Technology 
Committee. I look forward to working with you this Congress. I also 
want to thank our witnesses for being here today.
    Cybersecurity remains a timely topic, it is a topic on which this 
Committee has an important role, and finally it is one for which we 
have much more agreement than disagreement across the aisle. So I am 
pleased that the Research and Technology Subcommittee is starting off 
the new Congress with this hearing.
    Cybercrimes are ever-increasing. The threats are not only growing 
in number, but in the level of sophistication. Some cases, such as the 
recent Sony hack and the 2013 Target breach, are very high profile and 
are covered extensively in the media. Many, many more receive less 
attention. Two weeks ago, the New York Times reported that hacking has 
gone mainstream. A website has been created to connect hackers to 
potential clients, and as of early January, at least 500 hacking jobs 
had been laid out to bid and at least 50 hackers signed up to do the 
dirty work.
    Cybercrime threatens our privacy, our pocketbooks, our safety, our 
economy, and our national security. Arriving at any precise value of 
losses to the American people and the American economy is impossible. 
But the Center for Strategic and International Studies, in a study 
completed last June, reported that, on average, the U.S. loses 0.64 
percent of its GDP to cybercrime. I know we will hear more from our 
witnesses about the extent and nature of the cyber threat.
    Two years ago, President Obama signed an Executive Order to begin 
the process of strengthening our networks and critical infrastructure 
against cyberattack by increasing information sharing and establishing 
a framework for the development of standards and best practices. NIST 
plays a key role in several of these efforts, and we will hear about 
some of it today. But the President reminded us just two weeks ago that 
Congress must still act to pass comprehensive cybersecurity 
legislation.
    Fortunately, this is one area in which this Committee has 
responsibly legislated in the last few years. At the very end of 2014, 
the Cybersecurity Enhancement Act that I joined Mr. McCaul in 
introducing for several Congresses in a row was finally signed into 
law. That law does a number of things.

      It strengthens coordination and strategic planning for 
federal cybersecurity R&D;

      It codifies the NIST-led voluntary Framework in the 
President's Executive Order;

      It strengthens and streamlines the NIST-led processes by 
which federal agencies track security risks to their own systems;

      It codifies NSF's longstanding cybersecurity scholarship 
for service program to ensure more qualified cyber experts are employed 
by federal, state, and local governments;

      It codifies the cybersecurity education and awareness 
efforts led by NIST;

      And finally it authorizes several more important actions 
and programs led by NIST.

    I list all of these things in part so that all of the new Members 
to the Science Committee understand just how central NIST is to our 
government's cybersecurity efforts. It is one of the most important 
least-known agencies in our government. I look forward to hearing about 
NIST's efforts from Dr. Romine, and how the new law will further 
strengthen NIST's leadership role in cybersecurity. I also look forward 
to hearing from Dr. Kurose about the critical and potentially 
transformative cybersecurity research programs funded by the National 
Science Foundation. And I look forward to hearing from the other three 
witnesses who can help educate us further about the importance of 
public-private partnerships and the areas where this Committee might 
look to address cybersecurity vulnerabilities during this Congress.
    Thank you, Madam Chairwoman and I yield back the balance of my 
time.

    Chairwoman Comstock. And now I recognize the Chairman of 
the full Committee, Mr. Smith.
    Chairman Smith. And thank you, Madam Chair.
    Madam Chair, let me say I look forward to your chairing 
this Subcommittee and also to the gentleman from Illinois, Mr. 
Lipinski, continuing to be the Ranking Member of this 
Subcommittee as well. He has been a great Ranking Member and I 
know that we both will all be able to work together for more 
bipartisan legislation that we enjoyed in the last Congress and 
that we can look forward to in this new Congress as well.
    I also look forward to today's hearing on cyber threats, a 
topic that continues to grow in importance. With technological 
advances come new methods that foreign countries, cyber 
criminals and ``hacktivists'' use to attack and access our 
networks.
    America is vulnerable and there is an increasing need for 
technically trained cybersecurity experts to identify and 
defend against cyber attacks. Protecting America's cyber 
systems is critical to our economic and national security.
    As our reliance on information technology expands, so do 
our vulnerabilities. A number of federal agencies guard 
America's cybersecurity interests. Several are under the 
jurisdiction of the Science Committee. These include the 
National Science Foundation, the National Institute of 
Standards and Technology, the Department of Homeland Security's 
Science and Technology Directorate, and the Department of 
Energy. All of these support critical research and development 
to promote cybersecurity in hardware, software and our critical 
infrastructure.
    At the beginning of the last Congress, the Science 
Committee considered two cybersecurity bills, the Cybersecurity 
Enhancement Act and a bill to reauthorize the Networking and 
Information Technology Research and Development program. Both 
bills passed the House last April. At the end of the last 
Congress, the House and Senate did come to an agreement on the 
Cybersecurity Enhancement Act, which was signed into law in 
December. The Science Committee will continue its efforts to 
support the research and development essential to fortifying 
our nation's cyber defenses.
    From the theft of credit card information at retailers like 
Target and Home Depot, to successful attacks at Sony and on the 
U.S. Central Command, no further wakeup calls are necessary to 
understand our call to action. As America continues to become 
more advanced, we must better protect our information 
technology systems from attack. Any real solution should adapt 
to changing technology and tactics while also protecting 
private sector companies, public institutions and personal 
privacy.
    Again, Madam Chair, I look forward to today's hearing and 
yield back.
    [The prepared statement of Mr. Smith follows:]

                  Prepared Statement of Full Committee
                        Chairman Lamar S. Smith

    Thank you Madam Chair, I look forward to today's hearing on cyber 
threats, a topic that continues to grow in importance.
    In the 60 years since the last major patent reform, America has 
experienced tremendous technological advancements. Computers the size 
of a closet have evolved into wireless technology that fits in the palm 
of our hand.
    With technological advances come new methods that foreign 
countries, cyber criminals and ``hacktivists'' can use to attack and 
access our networks.
    America is vulnerable and there is an increasing need for 
technically-trained cybersecurity experts to identify and defend 
against cyber-attacks. Protecting America's cyber-systems is critical 
to our economic and national security. As our reliance on information 
technology expands, so do our vulnerabilities.
    A number of federal agencies guard America's cybersecurity 
interests. Several are under the jurisdiction of the Science Committee. 
These include the National Science Foundation (NSF), the National 
Institute of Standards and Technology (NIST), the Department of 
Homeland Security's Science and Technology Directorate, and the 
Department of Energy.
    All of these support critical research and development to promote 
cybersecurity in hardware, software and our critical infrastructure.
    At the beginning of the last Congress, the Science Committee 
considered two cybersecurity bills, the Cybersecurity Enhancement Act 
and a bill to reauthorize the Networking and Information Technology 
Research and Development program. Both bills passed the House in April 
2013.
    At the end of the last Congress, the House and Senate came to 
agreement on the Cybersecurity Enhancement Act, which was signed into 
law in December. That law improves America's cybersecurity abilities. 
It strengthens strategic planning for cybersecurity research and 
development needs across the federal government. It supports NSF 
scholarships to improve the quality of the cybersecurity workforce. And 
it improves research, development and public outreach organized by NIST 
related to cybersecurity.
    The Science Committee will continue its efforts to support the 
research and development essential to fortifying our nation's cyber 
defenses.
    From the theft of credit card information at retailers like Target 
and Home Depot, to successful attacks at Sony and on the U.S. Central 
Command, no further wake-up calls are necessary to understand our call 
to action.
    As America continues to become more advanced, we must better 
protect our information technology systems from attack. Any real 
solution should adapt to changing technology and tactics while also 
protecting private sector companies, public institutions and personal 
privacy.
    I look forward to hearing from our witnesses today and yield back.

    Chairwoman Comstock. If there are Members who wish to 
submit additional opening statements, your statements will be 
added to the record at this point.
    Chairwoman Comstock. I would also like to welcome our 
colleague from Washington, Mr. Newhouse, and authorize his 
participation in today's hearing.
    Okay. Now, at this time I would like to introduce our 
witnesses. Our first witness today is Ms. Cheri McGuire. Ms. 
McGuire is the Vice President of Global Government Affairs & 
Cybersecurity Policy at Symantec Corporation. Before joining 
Symantec, Ms. McGuire served as Director for Critical 
Infrastructure and Cybersecurity in Microsoft's Trustworthy 
Computing Group and as Acting Director at DHS's National 
Cybersecurity Division. Ms. McGuire received her bachelor's 
degree from the University of California Riverside and her MBA 
from the George Washington University.
    Our second witness is Dr. James Kurose. Dr. Kurose is the 
National Science Foundation's Assistant Director for the 
Computer and Information Science and Engineering Directorate. 
He also serves as Co-Chair of the Networking and Information 
Technology Research and Development Subcommittee at the 
National Science and Technology Council Committee on 
Technology.
    Now, do you say all that when--in one introduction? That is 
good.
    Prior to joining NSF, Dr. Kurose was a distinguished 
Professor in the School of Computer Science at the University 
of Massachusetts Amherst where he served as Chair of the 
Department of Computer Science. Dr. Kurose holds a bachelor's 
degree in physics from Wesleyan University and a Master of 
Science and Ph.D. in computer science from Columbia University.
    Our third witness today is Dr. Charles Romine, Director of 
the National Institute of Standards and Technology Information 
Technology Laboratory, or ITL. Before working at NIST he served 
as Senior Policy Analyst at the White House Office of Science 
and Technology Policy and as a Program Manager at the 
Department of Energy's Advanced Scientific Computing Research 
Office. Dr. Romine received his bachelor's degree in 
mathematics and his Ph.D. in applied mathematics from the 
University of Virginia. Yea.
    Our fourth witness is Dr. Eric Fischer, who serves as a 
Senior Specialist in Science and Technology for the 
Congressional Research Service. Prior to working for CRS, Dr. 
Fischer worked as a faculty member at the University of 
Washington in Seattle and as a Congressional Science and 
Technology Policy Fellow for the American Association for the 
Advancement of Science. Dr. Fischer received his bachelor's 
degree in biology from Yale and his Ph.D. in zoology from the 
University of California Berkeley.
    Our final witness is Mr. Dean Garfield, President and CEO 
of the Information Technology Industry Council, or ITI. Before 
joining ITI, Mr. Garfield served as Executive Vice President 
and Chief Strategic Officer for the Motion Picture Association 
of America and as the Vice President of Legal Affairs at the 
Recording Industry Association of America. Mr. Garfield 
received a joint degree from New York University School of Law 
and the Woodrow Wilson School of Public Administration and 
International Affairs at Princeton University.
    As our witnesses should know, spoken testimony is limited 
to five minutes each, after which the Members of the Committee 
will have five minutes each to ask questions.
    I now recognize Ms. McGuire for five minutes to present her 
testimony.

        TESTIMONY OF MS. CHERI MCGUIRE, VICE PRESIDENT,

       GLOBAL GOVERNMENT AFFAIRS & CYBERSECURITY POLICY,

                      SYMANTEC CORPORATION

    Ms. McGuire. Chairwoman Comstock, Chairman Smith, Ranking 
Member Lipinski, and other Members of the Subcommittee, thank 
you for the opportunity to testify today on behalf of Symantec 
Corporation.
    My name is Cheri McGuire and I am the Vice President for 
Global Government Affairs and Cybersecurity Policy. At Symantec 
we are the largest security software company in the world and 
our global intelligence network is made up of millions of 
sensors that give us a unique view into the entire internet 
threat landscape.
    As I am sure you have read, most of the recent headlines 
about cyber attacks have focused on data breaches and the theft 
of personally identifiable information, including identities 
and credit card numbers. According to Symantec's most recent 
internet security threat report, over 550 million identities 
were exposed in 2013 alone. Yet while the focus on these 
breaches is certainly warranted, it is important not to lose 
sight of other equally concerning types of cyber activity. 
Attackers run the gamut and include highly organized criminal 
enterprises, individual cyber criminals, so-called hacktivists, 
and state-sponsored groups. Common attack types range from 
distributed denial of service, or DDoS, to highly targeted 
attacks, to widely distributed financial fraud scams. A DDoS 
attack is an attempt to overwhelm a system with data, while 
targeted attacks try to trick someone into opening an 
infected file or navigating to a bad website.
    Of course, scams and blackmail schemes seeking money 
continue. Some will fill a victim's screen with aggressive pop-
up windows that claim falsely that the system is infected. 
Others lock the victim's computer and display a screen that 
purports to be from law enforcement and demands payment of a 
fine for having illegal content on the computer. The most 
recent scheme has gone from trickery to straight up blackmail. 
Criminals now will encrypt or scramble all the data on your 
device and tell you to pay a ransom or they will erase all of 
it.
    Critical infrastructure such as the power grid, water 
system, and mass transit are also at risk. In June 2014 
Symantec released a report about a new threat that we named 
Dragonfly. This was a campaign against a range of targets 
mainly in the energy sector, but it was not the first to target 
energy. As we saw in 2012, cyber attackers mounted a campaign 
against the Saudi Arabian National Oil Company that destroyed 
30,000 computers and made them display the image of a burning 
American flag. Other sectors have seen attacks, too, and the 
German Government recently disclosed that a cyber attack on a 
steel plant resulted in massive physical damage.
    All of the attacks that I have outlined started with a 
common factor, a compromised computer. We frequently hear about 
advanced persistent threats, or APTs, but the discussion of 
cyber attacks too often ignores the psychology of the exploit. 
Most rely on social engineering, in the simplest terms, trying 
to trick people into doing something that they would never do 
if fully aware of their actions.
    Attack methods vary. Those spear phishing or customized 
targeted emails containing malware are the most common, and 
while good security will stop most of these attacks, which 
often seek to exploit older known vulnerabilities, many 
organizations and individuals do not have up-to-date security 
or properly patched operating systems. Social media is also an 
increasingly valuable tool for cyber criminals both to gather 
information and to spread malicious links.
    To combat cyber threats, Symantec partners with government 
and industry here and abroad. Working extensively with the FBI 
and international law enforcement, we have helped take down and 
dismantle some of the world's largest botnets, which has also 
led to charges against the criminal operators.
    In addition, together with Palo Alto Networks, McAfee, and 
Fortinet, we recently cofounded the Cyber Threat Alliance, a 
group of cybersecurity providers who share advanced cyber 
threat information. While we are competitors, we have found 
that there is great benefit to sharing information that will 
protect all of our customers and help fight cyber criminals. 
This model has worked well in other sectors such as banking and 
energy. And further, and even as important, the alliance has 
strict guidelines that protect our customer privacy and their 
proprietary information, and this of course must be included in 
any information-sharing regime.
    So what can we do? Good protection starts with a plan and 
strong security should include intrusion protection, 
reputation-based security, behavioral-based blocking, data 
encryption, backups, and data loss prevention tools. And while 
the criminals' tactics are constantly evolving, basic cyber 
hygiene is still the simplest and most cost-effective first 
step.
    Last week, the Online Trust Alliance found that 90 percent 
of last year's breaches could have been prevented if businesses 
implemented basic cyber best practices. At Symantec we are 
committed to improving online security across the globe and we 
will continue to work collaboratively with our partners on ways 
to do so.
    Thank you again for the opportunity to testify today and I 
look forward to your questions.
    [The prepared statement of Ms. McGuire follows:]
    Chairwoman Comstock. I now recognize Dr. Kurose.

                 TESTIMONY OF DR. JAMES KUROSE,

                      ASSISTANT DIRECTOR,

              COMPUTER AND INFORMATION SCIENCE AND

                ENGINEERING (CISE) DIRECTORATE,

                  NATIONAL SCIENCE FOUNDATION.

    Dr. Kurose. Thank you. Good afternoon, Chairwoman Comstock, 
Chairman Smith, and Representative Lipinski, and Members of the 
Subcommittee. I am Jim Kurose, National Science Foundation 
Assistant Director for Computer and Information Science and 
Engineering. As you know, NSF advances and supports fundamental 
research in all disciplines, advances the progress of science 
and engineering, and educates the next generation of innovative 
leaders. I welcome this opportunity to provide an overview of 
NSF-funded cybersecurity research and its impact on the nation.
    Long-term unclassified research is critical to achieving a 
secure and trustworthy cyberspace. In 2011 NSF contributed to 
the Administration's Strategic Plan for Federal Cybersecurity 
Research and Development. It specifies a coordinated research 
agenda for agency investments that change the game by 
establishing a science of cybersecurity, transitioning research 
into practice, and bolstering cybersecurity education and 
training.
    With the rapid pace of technological advancement, we are 
witnessing the tight integration of financial, business, 
manufacturing, and telecommunications systems into a networked, 
global society. These interdependencies can lead to 
vulnerabilities and threats that challenge the security, 
reliability, and overall trustworthiness of critical 
infrastructure. The result is a dramatic shift in the size, 
complexity, and diversity of cyber attacks.
    In response to these changing threats, NSF has long 
supported fundamental cybersecurity research resulting in many 
powerful approaches deployed today. NSF continuously brings the 
problem-solving capabilities of the nation's best minds to bear 
on these challenges. It also promotes connections between 
academia and industry.
    In Fiscal Year 2014 NSF invested $158.28 million in 
cybersecurity research, including $126 million in the cross-
cutting Secure and Trustworthy Cyberspace program. Projects 
range from security at the foundational level, including 
detecting whether a silicon chip contains a malicious circuit 
or developing new cryptographic solutions, to the systems 
level, including strategies for securing the electric power 
grid.
    Projects are increasingly interdisciplinary spanning 
computer science, mathematics, economics, behavioral science, 
and education. They seek to understand, predict, and explain 
prevention, attack, and defense behaviors and contribute to 
developing strategies for remediation while preserving privacy 
and promoting usability.
    Projects also include center scale activities representing 
far-reaching explorations motivated by deep scientific 
questions and grand challenge problems in, for example, 
privacy, encryption, cloud, and healthcare systems.
    In addition, NSF promotes the transition of discoveries 
into the field as threats and solutions co-evolve over time. 
Partnerships continuously improve the security of our critical 
infrastructure ensuring U.S. leadership, economic growth, and a 
skilled workforce. For example, with the Semiconductor Research 
Corporation, NSF supports research into the design of secure 
hardware. With Intel Corporation, NSF invests in the security 
and privacy of cyber-physical systems such as transportation 
networks and medical devices.
    NSF also invests in industry university cooperative 
research centers that feature high-quality industrially-
relevant fundamental research enabling direct transfer of 
university-developed ideas to U.S. industry, improving its 
competitiveness globally. In recent years, we have seen 
research outcomes lead to new products and services and to 
numerous startups in the IT sector bringing innovative 
solutions to the marketplace.
    Cybersecurity education is also important. For example, the 
Scholarship for Service program provides tuition to 
cybersecurity college majors in exchange for government service 
following graduation. To date, this program has provided 1,700 
scholarships at over 50 institutions and has placed graduates 
in over 140 federal, state, local, and tribal government 
agencies. NSF participates in the interagency Networking and 
Information Technology Research and Development program. I 
serve as the Co-Chair of the NITRD Subcommittee and many NSF 
division directors and program directors actively participate 
in NITRD cybersecurity and information assurance activities 
ensuring coordination of investments across 18 government 
agencies.
    To conclude, my testimony today has emphasized that the 
pace and scope of today's cyber threats pose grand challenges 
to our nation's critical infrastructure and that NSF continues 
to make significant investments in fundamental cybersecurity 
research. I have discussed how NSF partners with industry to 
advance cybersecurity R&D that will effectively address cyber 
threats as they evolve.
    I very much appreciate the opportunity for dialogue with 
Members of this Subcommittee on these very important topics. 
With robust, sustained support for foundational and 
multidisciplinary cybersecurity R&D in the executive and 
legislative branches, there is a unique opportunity to protect 
our national security and enhance our economic prosperity for 
decades to come.
    This concludes my remarks. I am happy to answer any 
questions.
    [The prepared statement of Dr. Kurose follows:]
    Chairwoman Comstock. All right. Thank you, Doctor.
    And now we recognize Dr. Romine for his testimony.

         TESTIMONY OF DR. CHARLES H. ROMINE, DIRECTOR,

               INFORMATION TECHNOLOGY LABORATORY,

         NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

    Dr. Romine. Chairwoman Comstock, Chairman Smith, Mr. 
Lipinski, and Members of the Subcommittee, I am Dr. Charles 
Romine, Director of the Information Technology Laboratory at 
NIST, and thank you for the opportunity to discuss our role in 
cybersecurity.
    In the area of cybersecurity, NIST has worked with federal 
agencies, industry, and academia since 1972. Our role--to 
research, develop, and deploy information security standards 
and technology to protect information systems against threats 
to the confidentiality, integrity, and availability of 
information and services--was strengthened through the Computer 
Security Act of 1987, broadened through the Federal Information 
Security Management Act of 2002, and recently reaffirmed in the 
Federal Information Security Modernization Act of 2014. The 
Cybersecurity Enhancement Act of 2014 also authorizes NIST to 
facilitate and support the development of voluntary, industry-
led cybersecurity standards and best practices for critical 
infrastructure.
    NIST accomplishes its mission in cybersecurity through 
collaborative partnerships. The resulting NIST special 
publications and interagency reports provide operational and 
technical security guidelines for federal agencies and cover a 
broad range of topics such as electronic authentication, 
intrusion detection, access control, and malware.
    NIST maintains the National Vulnerability Database, or NVD, 
a repository of standards-based vulnerability management 
reference data, which enables security automation capabilities 
for all organizations. The payment card industry uses the NVD 
vulnerability metrics to discern the IT vulnerability in point-
of-sale devices and determine acceptable risk.
    NIST researchers develop and standardize cryptographic 
mechanisms used worldwide to protect information. The NIST 
algorithms and guidelines are developed in a transparent and 
inclusive process leveraging cryptographic expertise around the 
world. The results are standard, interoperable, cryptographic 
mechanisms that can be used by all.
    Recently, NIST initiated a research program on usability of 
cybersecurity focused on password policies, user perceptions of 
cybersecurity risk, and privacy. This will enhance 
cybersecurity through increased attention to user interactions 
with cybersecurity technologies.
    The impacts of NIST's cybersecurity activities extend 
beyond providing the means to protect federal IT systems. They 
provide the cybersecurity foundations for the public trust that 
is essential to realizing the national and global economic, 
productivity, and innovation potential of electronic business. 
Many organizations voluntarily follow NIST standards and 
guidelines reflecting their worldwide acceptance.
    NIST also houses the National Program Office of the 
National Strategy for Trusted Identities in Cyberspace, or 
NSTIC. The NSTIC initiative aims to address one of the most 
commonly exploited vectors of attack in cyberspace, the 
inadequacy of passwords for authentication. The 2013 data 
breach investigations report noted that in 2012 76 percent of 
network intrusions exploited weak or stolen credentials. NSTIC 
is addressing this issue by collaborating with the private 
sector, including funding 13 pilots, to catalyze a marketplace 
of better identity and authentication systems.
    Another critical component of NIST cybersecurity work is 
the National Cybersecurity Center of Excellence, or NCCoE, a 
partnership between NIST, the State of Maryland, Montgomery 
County, and the private sector. NCCoE is accelerating the 
adoption of applied, standards-based solutions to cybersecurity 
challenges. The NCCoE is now supported by the nation's first 
federally funded research and development center dedicated to 
cybersecurity.
    Through NCCoE, NIST works directly with businesses across 
various industry sectors on applied solutions to cybersecurity 
challenges with current activities addressing the healthcare, 
financial services, and energy sectors.
    Almost one year ago NIST issued the Framework for Improving 
Critical Infrastructure Cybersecurity in response to Executive 
Order 13636. The framework, created through collaboration 
between industry and government, consists of standards, 
guidelines, and practices to promote the protection of critical 
infrastructure. The framework is being implemented by industry 
and adopted by infrastructure sectors to reduce cyber risks to 
our critical infrastructure.
    As the cyber threats and technology environments evolve, 
the cybersecurity workforce must continue to adapt so as to 
continuously improve cybersecurity, including in our nation's 
critical infrastructure. In 2010, the National Initiative for 
Cybersecurity Education was established to enhance the overall 
cybersecurity posture of the United States by accelerating the 
availability of educational, training, and workforce 
development resources designed to improve the cybersecurity 
behavior, skills, and knowledge of every segment of the 
population.
    As the lead agency for this initiative, NIST works with 
more than 20 federal departments and agencies, industry, and 
academia to raise national awareness about risks in cyberspace, 
broaden the pool of individuals prepared to enter the 
cybersecurity profession, and cultivate a globally competitive 
cybersecurity workforce.
    NIST recognizes our essential role in helping industry, 
consumers, and government to counter cyber threats. We are 
extremely proud of our role in establishing and improving the 
comprehensive set of cybersecurity technical solutions, 
standards, guidelines, and best practices, and the robust 
collaborations with our federal government partners, private 
sector collaborators, and international colleagues.
    Thank you for the opportunity to testify today on NIST's 
work in cybersecurity. I would be happy to answer any questions 
that you may have.
    [The prepared statement of Dr. Romine follows:]
    Chairwoman Comstock. Thank you, Doctor.
    And now I recognize Dr. Fischer for his testimony.

               TESTIMONY OF DR. ERIC A. FISCHER,

          SENIOR SPECIALIST IN SCIENCE AND TECHNOLOGY,

                 CONGRESSIONAL RESEARCH SERVICE

    Dr. Fischer. Good afternoon, Chairwoman Comstock, Chairman 
Smith, Ranking Member Lipinski, and distinguished Members of 
the Subcommittee. On behalf of the Congressional Research 
Service, thank you for the opportunity to testify today.
    I will try to put what you have heard from previous 
witnesses in context with respect to both long-term challenges 
and near-term needs in cybersecurity and the federal role in 
addressing them.
    The technologies that process and communicate information 
have become ubiquitous and are increasingly integral to almost 
every facet of modern life. These technologies and the 
information they manage are collectively known as cyberspace, 
which may well be the most rapidly evolving technology space in 
human history. This growth refers not only to how big 
cyberspace is but also to what it is. Social media, mobile 
devices, cloud computing, big data, and the internet of 
things--these are all recent developments and all are 
increasingly important facets of cyberspace. It is difficult to 
predict how cyberspace will continue to evolve but it is 
probably safe to expect the evolution to continue for many 
years.
    That is not to say that all of cyberspace has changed. 
Basic aspects of how the internet works are decades old, and 
obsolete hardware, software, and practices may persist for many 
years. All of this makes the cyberspace environment a daunting 
challenge for cybersecurity. Three other major challenges 
relate to design, incentives, and consensus. Building security 
into the design of cyberspace has proven to be difficult. The 
incentive structure within cyberspace does not particularly 
favor cybersecurity, and significant barriers persist for 
developing consensus on what cybersecurity involves and how 
to implement it effectively.
    No matter how important such challenges are, they do not 
diminish the need to secure cyberspace in the short-term. That 
includes reducing risk by removing threats, hardening 
vulnerabilities, and taking steps to lessen the impacts of 
cyber attacks. It also includes addressing needs such as 
reducing barriers to information-sharing, building a capable 
cybersecurity workforce, and fighting cybercrime.
    Federal agencies play significant roles in addressing those 
near-term needs and meeting the long-term challenges. Under the 
Federal Information Security Management Act, known as FISMA, 
all federal agencies are responsible for securing their own 
systems. Private-sector contractors acting on behalf of federal 
agencies must also meet FISMA requirements. In Fiscal Year 
2013, federal agencies spent $10.3 billion on those activities, 
about 14 percent of agency information-technology budgets. 
Federal agencies also have responsibilities for other 
cybersecurity functions. Research and development, along with 
education, are the two probably most focused on addressing 
long-term challenges. Others, such as technical standards and 
support, law enforcement, and regulation, focus more on meeting 
immediate needs.
    You have already heard about NIST and NSF. Among other 
agencies, the Department of Energy supports cybersecurity 
efforts in the energy sector. Several of its 17 National 
Laboratories also engage in cybersecurity R&D and education. 
The Department of Defense, in addition to military operations, 
also engages in cybersecurity R&D and education. Altogether, 
DOD agencies account for more than 60 percent of reported 
federal funding for cybersecurity R&D.
    The Department of Homeland Security fulfills several 
cybersecurity functions. In the Science and Technology 
Directorate, the Cybersecurity Division focuses on developing 
and delivering new cybersecurity technologies and other tools. 
The Department spent $75 million on cybersecurity R&D in 2013, 
more than DOE and NIST but also less than NSF and much less 
than DOD.
    Another department responsibility is coordinating the 
operational security of federal systems under FISMA. The 
department also plays a significant role in law enforcement but 
perhaps is best known for coordinating federal efforts to 
improve the security of critical infrastructure, most of which 
is controlled by the private sector.
    Most private-sector department activities are voluntary, 
but the department also has some regulatory authority over the 
transportation and chemical sectors. Several other agencies 
also have regulatory responsibilities relating to cybersecurity 
in the 16 recognized critical infrastructure sectors.
    The role of federal regulation in cybersecurity has been a 
significant source of controversy, along with how to remove 
barriers to information-sharing while protecting proprietary 
and personal information, and the proper roles of different 
federal agencies in various cybersecurity activities.
    That concludes my testimony. Once again, thank you for 
asking me to appear before you today.
    [The prepared statement of Dr. Fischer follows:]
    Chairwoman Comstock. Thank you. I now recognize Mr. Dean 
Garfield.

                TESTIMONY OF MR. DEAN GARFIELD,

                       PRESIDENT AND CEO,

            INFORMATION TECHNOLOGY INDUSTRY COUNCIL

    Mr. Garfield. Thank you, Chairwoman Comstock, Chairman 
Smith, Ranking Member Lipinski.
    On behalf of 60 of the most dynamic and innovative 
companies in the world that make up the global IT sector, I 
would like to thank you for the opportunity to be in front of 
you today and to thank you as well for focusing on this issue. 
We think it is an issue that has the potential for bipartisan 
collaboration and want to seize that opportunity.
    With that in mind, I would like to focus on three things: 
1) how we are experiencing the cybersecurity threat today; 2) 
what we are doing about it; and then 3) how Congress can help. 
With regard to the first, as Dr. Fischer pointed out, we are 
living in an increasingly globally integrated and 
interconnected world. As a result, cyber criminals are seeking 
to exploit that. Gone are the days when we had intermittent 
viruses and instead we face a world, as my colleague Cheri 
McGuire pointed out, where we consistently face a threat that 
is increasingly global, increasingly sophisticated, and 
increasingly persistent. We are seeing advanced persistent 
threats where cyber criminals are penetrating our networks in 
phases, avoiding detection, and doing damage over a long period 
of time. As well, the threat is increasingly asymmetric and so 
the risks to the banking sector are often quite distinct from 
the risks to the manufacturing sector or the tech sector.
    The reality is there is no silver bullet solution so what 
are we doing about it? In a word, a lot. Increasingly, our 
approach is based on risk mitigation and resilience. You see 
that both in the products that we are bringing into the 
marketplace, as well as the processes that we are integrating 
into our businesses. With the products in the marketplace, you 
are already seeing the results of the billions of dollars that 
we spend on R&D, whether that is through advanced data 
analytics that is allowing us to get ahead of cyber criminals 
or in the integration of biometrics, as you see in many of your 
mobile devices today, including your cell phone, which are all 
making a difference.
    In addition to the work that we undertake with our products 
that are making their way into the market, we are making 
changes in our business processes that we would advocate for 
all businesses generally. One, we are increasingly making 
cybersecurity the default norm, so rather than turning on a 
cybersecurity feature, we are building products and developing 
systems where they come as a built-in part of the practice.
    Secondly, we are increasingly relying on managed services. 
So rather than relying on the IT person who may or may not know 
anything about cybersecurity, we are relying heavily on 
cybersecurity professionals in carrying out work on 
cybersecurity within our company in network management.
    As well, we are making sure that cybersecurity is a part of 
every aspect of our business, and with that in mind, it is 
worth commending NIST for the work that they have done on the 
cybersecurity framework, which has done a great job in making 
that the case for both large and small businesses.
    So what can Congress do? There are four things that we 
would recommend. One is making sure that the laws that are on 
the books and our enforcement of those laws are adequate to 
meet the challenge and the evolving nature of that challenge 
that we face today.
    Second, as all of the doctors on the panel have pointed 
out, it is important to have adequate funding for early-stage 
research, as well as for the work that NIST is doing to advance 
a framework to make it increasingly the norm for all 
businesses.
    Third, it is important that we have legislation that helps 
us to disseminate cyber threat information more broadly. That 
is an opportunity for a bipartisan consensus in action and we 
hope that Congress will act on that this year.
    Fourth, cybersecurity and cybersecurity risk management is 
not a technology issue; it is a national issue, and so it is 
important that all of us, including the Members of Congress, 
take advantage of the bully pulpit we have to educate the 
public about cybersecurity. So when you have your roundtables 
in your district, or I speak, it is important to include 
cybersecurity as one of the default points that we share with 
the public.
    There is--the challenge, as all of the panelists have 
pointed out, is quite significant, but if we take advantage of 
those four steps and work collaboratively, we think there is an 
opportunity to make significant headway in addressing this 
issue. So thank you.
    [The prepared statement of Mr. Garfield follows:]
    Chairwoman Comstock. I thank the witnesses for their 
testimony and now the Committee rules limit our questioning to 
five minutes and so as the Chair I will do the opening round of 
questions.
    So actually I would like to pick up on your four points, 
Mr. Garfield, but have you all address. Given it is a national 
issue, what would you recommend that we, when we go home, that 
we tell people how to--you know, at our town halls, how to 
engage, what they can do personally at home and maybe some of 
these 90 percent of the breaches that we can prevent, what can 
we do with the public education to prevent those most common?
    Mr. Garfield. I can start and do something quite simple, 
which is you have heard a lot of data around the risk that we 
all present because oftentimes cyber breaches are caused by 
human error, and so making sure that we are using multilevel 
authentication, for example, so not just relying simply on a 
password. To the extent that your technology isn't deploying 
cyber as a default, turning it on so that you have the benefit 
of all the research and development that is taking place.
    The other thing that I would say is we often make common 
mistakes. You know, we post our passwords on our computer, and 
so moving away from doing things like that that make us 
vulnerable is an important part of----
    Chairwoman Comstock. Sort of like don't leave the keys in 
the car.
    Mr. Garfield. Exactly.
    Chairwoman Comstock. Okay.
    Ms. McGuire. So there are a couple of additional things 
that I will add to Dean's list. The first is make sure that you 
are using very strong and complex passwords. You have heard a 
lot about the research and development going on today both 
within the NSF and NIST around new authentication methods and 
password technology but this is one of the most basic things 
that people can do today. Be careful when you are developing 
your passwords not to use things that you have posted on your 
social media site. What an easy way to socially engineer your 
password. Also make sure that you keep your security products 
and your systems up-to-date, keep them patched, and that will 
help give you quite a bit of protection, and then be aware--
always be aware. Just as you are walking down the street, being 
aware of your surroundings, be aware of your surroundings when 
you are online. Be careful about accepting emails or clicking 
on attachments for things that you may not be sure of what they 
are and be very aware of that because that is the most common 
way of getting your computer infected is clicking on something 
that maybe you shouldn't have.
    Chairwoman Comstock. Any--sure.
    Dr. Kurose. Yes. I would like to just raise two quick 
points. First, in terms of what we do, certainly a sustained 
investment in fundamental research is incredibly important, but 
we need to really focus on the root causes of cybersecurity 
challenges, not just treating the symptoms. I mean we do need 
to do both but I think the need for fundamental research is 
critical.
    And something that I think you have heard all the panelists 
talk about is that it is a socio-technical problem. Technology 
alone is not going to solve the problem. It is technology 
together with the correct application and the understanding of 
the human dimension and the social dimension of security is 
very important.
    Chairwoman Comstock. And then maybe to all of you again, 
how do you, as you gather this expertise and we constantly have 
to adapt and change, how do you prevent the person who is 
working with your company or working within the government 
today, kind of catching the bad guys and catching the cyber 
threats and the hacktivists, from not turning into the bad guy 
who is now going out with that knowledge and doing that and how 
do we prevent that and what kind of safety measures and 
processes do we have to have in place in the public sector and 
the private sector? I know that is pretty broad but----
    Dr. Romine. Well, certainly I can--the insider threat is 
one of the most challenging things to address principally 
because, by definition, you are talking about someone that you 
view as a trusted entity so you have to be very cautious about 
demonstrating that you don't trust your own people, so you have 
to be very careful about that.
    From our perspective I think we are coming to a situation 
where increasingly we have more tools at our disposal to do the 
data analytics for some of the things that are going on within 
an organization, and there are opportunities to detect 
anomalous behavior that might reveal that kind of insider 
threat.
    Ms. McGuire. And I would just add to that that there are 
technologies out there today such as data loss prevention 
technologies, setting your controls appropriately within 
corporations and governments that will allow you to see how 
data traverses your network and actually alarm and trigger when 
your data is moving to places that it shouldn't be. So those 
are technologies that are very much available today and could 
in fact prevent a lot of bad things from happening.
    Chairwoman Comstock. Okay. Thank you. Thank you. And now I 
recognize Mr. Lipinski for five minutes.
    Mr. Lipinski. Thank you, Madam Chairwoman. I want to thank 
the witnesses for their testimony and I just want to pick up on 
one thing that we were discussing in the Chairwoman's questions 
is that Dr. Kurose talked about--he said it was a socio-
technical problem in terms of security, and I think that points 
out the importance of social science research that is done to 
help us better understand and to teach people how to, you know, 
avoid stepping into these--a lot of these cyber problems and 
being victims of cyber crimes.
    But I wanted to--my first question I wanted to ask Dr. 
Kurose, Dr. Romine, and Dr. Fischer. For years we have heard 
from nongovernmental experts about weaknesses in interagency 
coordination of cybersecurity R&D. The civilian agencies with 
cybersecurity research programs developed a federal 
cybersecurity R&D strategy in December 2011. As I noted in my 
opening, the Cybersecurity Enhancement Act that passed last 
month strengthened interagency coordination in this area. And I 
know the Cybersecurity Enhancement Act is very new so there may 
or may not be anything much you can say about that.
    But I want to also ask how the--how has the federal R&D 
strategy influenced your own agency's cybersecurity R&D 
portfolio and how has it strengthened interagency coordination 
and collaboration. Dr. Kurose?
    Dr. Kurose. Thank you. I would like to just quickly mention 
then the Networking and Information Technology Research and 
Development program, NITRD, that we talked about a little bit 
earlier. This provides an interagency coordination mechanism 
and there are specific subcommittees there, one on 
cybersecurity and information assurance, and that is a vehicle 
by which representatives from multiple agencies can get 
together and activities can be coordinated. And one of the co-
chairs from the cybersecurity subcommittee there is from the 
National Science Foundation and the activities there very much 
find their way back into our discussions at the National 
Science Foundation.
    Mr. Lipinski. Thank you. Dr. Romine?
    Dr. Romine. Yes, I would like to echo what Dr. Kurose said 
about the value of having a standing interagency working group 
on cybersecurity and information assurance. That is one of the 
more robust groups I think under the NITRD program and there is 
a lot of conversation that takes place across federal agencies 
and a lot of coordination around specific topics.
    There have been some strategic planning activities in the 
past that the interagency working group has undertaken. The 
agencies among the NITRD program established a senior steering 
group in this arena to bring together more senior people who 
have budget authority within their organizations to coordinate 
some of the investments that are being made, and so I think 
that has paid dividends, in particular, the emphasis on the 
science of cybersecurity emerged from that conversation that 
was taking place.
    Mr. Lipinski. Dr. Fischer.
    Dr. Fischer. I would just like to add that certainly I 
think if one looks at the history of coordination across 
federal agencies with respect to cybersecurity, clearly there 
have been--that has increased. One of the questions one has to 
keep in mind is that coordination also has some cost associated 
with it. That is to say one doesn't want--potential costs I 
should say. One doesn't want the coordination to reduce the 
ability of individual agencies to invest in, you know, 
consensus mission goals and so that has to be taken into 
account. And sometimes for somebody like us looking at, you 
know, trying to analyze some of the interagency documents, it 
can be a little difficult to figure out exactly what they mean 
just because it is relatively complicated.
    Mr. Lipinski. Thank you. And I want to ask Mr. Garfield and 
Ms. McGuire, anything quickly you could add about your view of 
federal cybersecurity R&D, something else that--anything else 
that should be done, done differently? Ms. McGuire, Mr. 
Garfield, whoever wants to----
    Mr. Garfield. I wouldn't necessarily suggest that something 
different has to be done. I think there is research that has to 
occur in early stages that has impact over the long term that 
the public sector is well-positioned to do, and so making sure 
that there is adequate funding for that innovation and R&D to 
occur so that we can stay ahead of the cybercriminals is 
critically important.
    Mr. Lipinski. Thank you. I yield back.
    Chairwoman Comstock. Thank you. I now recognize Mr. 
Hultgren for five minutes.
    Mr. Hultgren. Thank you, Chairwoman.
    Thank you all for being here. This is obviously a very 
important subject for us and have--I have got a lot of 
questions in a lot of different directions.
    But first, I would like to just get a little bit of a 
response from you. There was some mention--I think Dr. Romine 
mentioned about passwords and effectiveness of passwords. It 
seems like there was a lot of nodding heads going on with that. 
To me it seems like passwords are very effective at keeping me 
off my own computer because I keep forgetting them. I am 
wondering if there could be a way that the hackers could remind 
me of my passwords because I keep forgetting them.
    But I wonder if you could talk just a little bit more about 
that, of what is the next step, what is the research, where are 
we at on that? Specifically, is there R&D that holds promise 
for a better option or solutions in passwords?
    Chairwoman Comstock. Great question.
    Dr. Romine. Absolutely. I can talk from the NIST 
perspective. We have started a program on what we call the 
usability of security, and usability is a scientific 
discipline, a quantitative discipline to determine--our mantra 
in this case is we want to make it easy to do the right thing, 
hard to do the wrong thing, and easy to recover when the wrong 
thing happens anyway. Those are the three principles that I 
like to talk about. By the way, I shamelessly stole that from a 
colleague.
    Mr. Hultgren. It is a good one.
    Dr. Romine. From our perspective, we now have research 
results suggesting exactly as you say. We have had, for years, 
anecdotal evidence suggesting that passwords just don't work. 
We have been able to collect validated data now suggesting that 
when you make passwords more complex, which you have to do 
because if they are easy, if they are simple, then they are 
guessable. But if you make them too complex, then people find 
ways around the security by writing them down, by storing 
them in plain text files and so on. So it is really sort of 
counter--it can be counterproductive.
    The NSTIC program that NIST manages, which is a nationwide 
program where we have the program office, is pledged to 
essentially deal with this authentication problem. A password is 
only one way of authenticating to the system, and it is, as we 
know, now a pretty poor way to do it in general and yet it is 
ubiquitous. It is universal. And the NSTIC program is pledged 
to, as they say, put a stake in the heart of the password. We 
are trying to transition to other means but----
    Mr. Hultgren. What is your guess on when that could happen? 
I mean what is a timeline, possible time frame?
    Dr. Romine. Well, the investments that have been made in 
pilots, and we have 13 pilots running now, sort of span from, 
you know, authentication through a mechanism, a token, through 
biometrics, through two-factor authentication I think, as Dean 
alluded to earlier, or as Dr. Fischer alluded to.
    So I don't know the exact timeline. I know that we are 
making strides in that area, we are making investments, and we 
are making it clear that we have now validated evidence that 
passwords are flawed as a mechanism for authentication.
    Mr. Garfield. Some of those technologies are already in the 
marketplace. I think Ms. McGuire made the point as well. I mean 
many of the mobile devices that are being sold today do have 
biometric authentication instead of passwords, and so 
increasingly that is being deployed commercially.
    Mr. Hultgren. Okay.
    Dr. Kurose. So if I might add that I think you really hit 
the nail on the head. Passwords are something that we all have 
to wrestle with and I think research has shown that a one-size-
fits-all approach isn't really a good way to proceed forward. 
There has been work that looks at trying to adapt the kinds of 
authentication that a system is going to use to determine who 
the individual is; there is a research project at Berkeley 
going on, and also some very interesting research that went on 
at Carnegie Mellon about passwords in particular. Is it length, 
is it complexity--what are the best ways to have users work 
with passwords when you have password-protected systems, and 
then how do you feed information back to the user to help the 
user along?
    Mr. Hultgren. Let me switch gears real quick. As a parent, 
I am amazed at how quickly young people pick up on new 
technology. I have seen in my own office when I struggle with a 
new technology, I call my staff and leave them a voicemail 
message, wait for them to get back to me. If they can't figure 
it out, they text my kids and get an answer right away. But 
with the access kids have, there is also concern that comes 
with that and I just wonder if you could talk briefly about 
current parental control technology. Is it adequately 
protecting minors? I still have a 10-year-old and a 13-year-old 
at home, as well as older kids, but concerned certainly about 
protection but then also that predators are coming 
after them, not waiting for them to find problem areas. So I 
wanted to just get your thoughts of how adequate this is and 
what is happening there.
    Ms. McGuire. So I will jump in on this one.
    Mr. Hultgren. Thanks.
    Ms. McGuire. So online child safety is a critical concern 
that all of us have, and particularly, as you mentioned, as 
kids are surfing and going everywhere, it is really hard to 
monitor that as a parent so there are tools available. 
Certainly we have them in our Norton Security products. Other 
products out there have--give the parent the ability to go 
in and type in keywords, block certain websites, and so forth. 
So those are there today.
    Mr. Hultgren. Do you feel like they are pretty effective 
in----
    Ms. McGuire. Our customers tell us that they are effective 
and so we believe that they help significantly that--there.
    The other part of this, though, and it goes to this socio-
technological issue, is we have to start with our kids when 
they are first picking up a device and start training them to 
be careful, to be aware online, to be safe online. It has got 
to start immediately and also we need to include that in our 
school curriculum. You know, we teach kids in general safety 
but we don't often teach them about cybersecurity, so that is a 
big area that can help.
    Mr. Hultgren. I see my time is up. Thank you, Chairwoman. I 
appreciate your generosity.
    Chairwoman Comstock. Thank you. And I now recognize Mr. 
Moolenaar, our Vice Chairman.
    Mr. Moolenaar. Thank you, Madam Chair. And I appreciate the 
testimony today.
    I also wanted to follow up on some of the areas of 
cybersecurity with respect to our critical infrastructure, and 
you had mentioned earlier, you know, the area of energy, our 
electric grid, I would think water, our water supply. And I 
guess my basic question is what is the role of research in this 
area? How important is that? And also, if there is research 
done and that is applied, how much time is it good for? Is this 
something that, you know, it lasts for a year? Is it 
something--you know, what is the length of duration that 
information is valid?
    Dr. Romine. So I would like to talk to the first half of 
that question on the protection of critical infrastructure. 
This is something that NIST was called upon to do in the 
development of the framework under Executive Order 13636. 
And the way that we approached that was to hold a series of 
workshops around the country with the vigorous participation of 
industry across all of the sectors, as well as the information 
technology industry itself, and I know Ms. McGuire's company 
and Mr. Garfield's, the companies that he represents were also 
vigorous participants in that process. That led to a consensus 
document that was spearheaded principally by the private sector 
but with our sort of guidance with regard to what is effective 
as a document. So we were able to put together a framework that 
I think really helps to improve--or has the potential to help 
improve critical infrastructure cybersecurity and I think it is 
beginning to have that effect.
    Mr. Garfield. And if I may add, I think the approach that 
was taken by NIST in putting that together is really a model 
for undertaking this work.
    Related to the second question you asked about the time 
period, it is important to keep in mind that cybersecurity 
criminals are always adapting and evolving and so it's 
important that we continue this work and continue to evolve it 
as well.
    Dr. Kurose. So I would like to add also the notion of 
``security by design'' rather than reacting to particular 
threats--designing security in as a first-class 
consideration in the systems that we are building and the 
components in the systems that we are building is critical. I 
would point out--I had mentioned the collaboration NSF has with 
the Semiconductor Research Corporation. There the notion is 
that the chips that we are building we want to be able to make 
sure that there haven't been back doors or other malware 
actually inserted into the chips during the fabrication process 
and during the design process, so that when those chips come 
out we are sure that they are going to act and behave the way 
they are supposed to be behaving. That is an instance of 
security by design.
The other point I would make is that critical infrastructure 
is not just social networks that affect society, but personal 
devices like medical devices as well, so a lot of activity is 
going on there also.
    Dr. Fischer. If I could just add that with respect to the 
question of what kinds of R&D are needed, there are many 
different aspects to protecting critical infrastructure--for 
example, control systems which we really haven't talked about 
today, many of which have been very much a legacy and not 
really designed with security in mind. And so R&D to determine 
what the best way is to design control systems so that they 
work in a highly connected environment is important. The 
question of to what degree you can actually separate out 
critical infrastructure systems from the rest of the internet 
is important.
    And also worth noting, as some of the other witnesses have 
mentioned, is the importance of social and behavioral research 
in determining what are the best ways for operators to help 
protect critical infrastructure.
    Mr. Moolenaar. I guess just one final question also is when 
you are working on something like this in the area of critical 
infrastructure, let's just say in the electric grid, how--and 
this gets to the question of oversight, collaboration with 
different agencies. You have got, you know, Homeland Security 
involved, you have the energy--FERC. I mean is that something 
that is--are you collaborating industry by industry?
    Dr. Romine. The workshops that we undertook were in general 
inclusive of many different sectors. However, we have had 
conversations with sector-specific groups as well, and in fact, 
the output, the actual document or the framework itself is 
reliant upon much of the input that we got from these regulated 
sectors, including the regulators themselves who showed up at 
the workshops and gave us input on what could be valuable for 
them.
    Mr. Moolenaar. Okay. Thank you, Madam Chair.
    Chairwoman Comstock. Thank you. I now recognize Mr. 
Newhouse for five minutes.
    Mr. Newhouse. First of all, thank you, Madam Chair, for 
allowing me to sit in on your Committee. You know, as a 
freshman, we had the opportunity for several sessions on 
cybersecurity at our orientation retreats. We learned just 
enough to be concerned and not enough to know what to do about 
it and so I appreciate the opportunity to sit here. In fact, in 
one of those sessions, just an hour before we sat down, my wife 
called me and told me someone was using our Visa card in Texas. 
We hadn't been to Texas in several years so we were concerned 
about that.
    So I have a couple questions and just real quickly and I 
know that we are probably going to be leaving for the Floor 
shortly, but, first of all, last week--and since you read it in 
the paper it must be true--the Associated Press reported at 
least 50 data-mining companies are allowed to perch on the 
HealthCare.gov website and access personal information entered 
by millions of Americans who come to the website for health 
insurance. As you know, these data-mining companies scour the 
internet constantly for all kinds of information about us. 
Without permission or consent from those who are being spied 
on, they sell that information to any number of people. So 
perhaps Dr. Romine and Ms. McGuire, first Dr. Romine, does the 
NIST Cybersecurity Framework contemplate that, that a federal 
agency would be certified and then allow scores of data-mining 
companies to set up shop at a website like that and collect 
sensitive information?
    Dr. Romine. It certainly does not address that very 
specific issue. What it does address, however, is privacy 
considerations in a more general context. And I think one of 
the things that the Framework spells out is the need for 
companies who are setting up cybersecurity risk management 
structures within their company, whether it is a 10-person 
company or whether it is a multibillion-dollar, multinational 
corporation, that they have to ensure that privacy 
considerations are taken into account and there are guidelines 
for how to do that.
    So I don't have any remarks to make on the specific issues 
in this case, but in general, the Framework does have a pretty 
strong statement about privacy, and NIST has embarked on a 
privacy engineering research activity partly as a result of 
what we learned from the Framework process, that there needs to 
be more guidance and more tools available for people to promote 
privacy considerations.
    Mr. Newhouse. And, Ms. McGuire, if you could comment on the 
presence of so many of those data-mining companies and whether 
or not that makes the website more vulnerable to attacks.
    Ms. McGuire. So I can't obviously speak to the specifics of 
the technology of what is being used as I am not intimately 
familiar with the HealthCare.gov website. I do find it 
surprising, though, that there are that many additive websites 
or technologies that are able to access the data. Certainly 
opening up the network, that would indicate that it would 
provide some additional vulnerability but I don't know all the 
specifics so----
    Mr. Newhouse. Fair enough. Yeah. Then if I may, one last 
question, Madam Chair. And perhaps again, Ms. McGuire and 
perhaps Mr. Garfield, business sectors that may be most 
vulnerable to cyber attack and, you know, we are in Congress 
looking at what role government could or should play in helping 
protect businesses from cyber threats, could you help us a 
little bit, enlighten us there?
    Ms. McGuire. Sure. So I talked briefly about what some of 
our telemetry tells us about specific sectors and what--the 
ones that are most targeted for attacks. Interestingly enough, 
public sector entities, government institutions, because they 
are such a wealth of knowledge and information. From Social 
Security identity numbers, all the way to healthcare to 
retirement benefits, these public sector websites and data 
repositories clearly are targeted at a very high rate.
    Also, we see the banking and finance sector, pretty much 
anywhere that you are going to have a rich set of data, that is 
where the cyber criminals will target. And happy to provide and 
follow up but we have a pretty good list of sort of a ranking 
of the most targeted sectors that we see from our global 
telemetry.
    Mr. Newhouse. Maybe what can we do about that?
    Mr. Garfield. Yeah, the one thing I would add is related to 
that. The reality is that criminals are looking for 
vulnerabilities wherever they can find them, and so to the 
extent that we can figure out ways of sharing the threat matrix 
more broadly, then I think it would be a great assistance to 
us. And there is already movement in Congress around advancing 
legislation that would deal with the sharing of cyber threat 
information. Passing that legislation is one very concrete 
thing that I think you could do in the short term.
    Mr. Newhouse. Thank you.
    Mr. Garfield. You are welcome.
    Mr. Newhouse. Thank you, Madam Chair.
    Chairwoman Comstock. Thank you.
    I just had one. I think we have votes so we may not get to 
a second round but I did have one question I wanted to follow 
up on.
    Do you see attacks sort of--the Christmas holidays and the 
opportunity for financial attacks, is that a time to sort of 
flood the zone and have attacks--like I usually would get 
called--like the gentleman said, they call, hey, are you in 
Hawaii buying such and such? Like no, that is not me, don't 
okay it.
    But I had a situation where after Christmas I show up in a 
store, my card has a problem in a department store and they 
said we have--we see something that you had $7,000 worth of 
cosmetics that you sent to California right before Christmas. 
No, we didn't do that. But they had not called me, which got me 
thinking do they target that sort of Christmas time, that rush 
time because they know sort of in their rush to get things 
through, that may be the time they weren't calling people? In 
this case it was the 23rd, the 24th, and the 26th but all those 
things were purchased and shipped. Fortunately, they took them 
off the card before they showed up at my home and horrified 
everybody but----
    Ms. McGuire. Yeah, so your observation is spot on in that 
cyber criminals will take advantage of any social activity, any 
major events. We saw, for example, around the Summer Olympics 
we saw lots of new types of scams associated with that, the 
World Cup, lots of new scams with that. Even the royal wedding 
in the U.K., there was a plethora of new online scams that 
were built around that knowing that people would be searching 
and going to websites to look up these types of current events. 
So, yes, in short those international events, major national 
holidays, et cetera, do create additional levels of risk.
    Chairwoman Comstock. So in terms of best practices, those 
kind of things should be--set off bells or time frames so that 
we are doing extra work in those time frames?
    Ms. McGuire. Yeah. You should be careful all of the time 
but those especially can be more intense if you will.
    Dr. Fischer. I should mention that this relates certainly 
to cybercrime aimed at consumers, but there is also the 
question about timing of cyber attacks aimed at, say, critical 
infrastructure, and one of the sort of hallmarks of cyber 
criminals who are interested or spies who are interested in, 
say, getting proprietary information, intellectual property 
information, national security secrets, or whatever is that 
they will try to target a system in such a way that they can 
get in, exfiltrate the information, and then get out without 
anybody knowing. So it is common--one of the sort of common 
assessments is that businesses can often take months before 
they actually realize that they have been the victim of a 
successful cyber attack and it can take just hours to 
exfiltrate the information. So to a certain extent, with 
respect to--as I say, the importance of the timing really 
depends on what the sector is that is being targeted.
    Mr. Garfield. If I could add, too, just some things that 
Congress can do very concretely around this question, one is 
making sure that there are adequate resources to address the 
criminals, right, because if it is viewed as a crime without a 
penalty, then people will be incentivized to continue to do it. 
The second is you make the point that you would normally--in 
the normal course be warned about it, but during that period of 
time, it wasn't, making sure that there are adequate resources 
around R&D so that the technologies that are being deployed 
that detect abnormal behavior are widely distributed. And so 
those are two things that Congress can do that can be helpful 
in this area.
    Chairwoman Comstock. And then how do we--because, you know, 
the concerns of privacy, you know, people--you always 
appreciate when you get that phone call but then the next 
question is, well, how do you know where I am and what I am 
buying? It gives people a bit--but obviously in this case I was 
lucky they took it all off my credit card. You know, how do 
they balance that?
    Ms. McGuire. So today there are mostly algorithms that are 
all predominantly----
    Chairwoman Comstock. Right.
    Ms. McGuire. --done by the machines themselves to catch 
those exact kinds of flags if you will of unusual behavior or 
unusual activity. And then of course you end up getting a phone 
call from a real person hopefully to----
    Chairwoman Comstock. So part of the public education that 
we do with the public is we need to separate the algorithms and 
the patterns that you are looking at there from, 
say, when Google is getting all of our HealthCare.gov 
information. So there--these are two--they often get lumped 
together whereas it is two very separate things. This is the 
machine kind of going through data, not looking at what I am 
buying at the department store, just flagging things as opposed 
to somebody getting my data and knowing when I am on a 
particular site and that getting pushed out somewhere. So those 
are two very different types of situations, right?
    Mr. Garfield. You could have a whole hearing around data 
analytics. I am not suggesting--necessarily suggesting it but 
you make a very good point that often people will hear big data 
or data analytics and think that it is personal to them. In 
almost all instances what is happening, there are computers 
that are looking at patterns and then not looking at 
individuals or individual data, and based on normal patterns, 
then passing that on to someone else. And so in this instance 
and in most instances it is actually an advancement that we 
want to see because in the end it helps us in society.
    Chairwoman Comstock. Right. Thank you.
    And, Mr. Lipinski, did you have additional questions?
    Mr. Lipinski. Yeah, thank you, Madam Chair. I think this 
will be probably quick.
    I just wanted to get back to HealthCare.gov, and my 
understanding is that companies are not actually perched on the 
HealthCare.gov but they are receiving--they are being given 
data from there. Now, that is very different. It is still, I 
understand, a privacy issue, which is something certainly 
Congress can look at, but as Mr. Garfield was talking 
about data analytics, that is a whole different issue, 
certainly something that, you know, we should be always 
concerned about privacy.
    But I want to ask Dr. Romine, HealthCare.gov is FISMA-
compliant. Could you just tell us what that means, what the 
FISMA standards are and how federal agency computer systems 
are--become FISMA-compliant?
    Dr. Romine. Sure. The Federal Information Security 
Management Act, or FISMA, provides NIST the opportunity to 
develop a collection of standards and guidelines that are used 
by federal agencies to secure their information systems. We do 
that in a collaborative way with private sector involvement to 
try to understand exactly what the right approach is for 
securing those systems. What we don't really have very often is 
insight into that because we don't have an operational role; we 
have a guidance role. We don't have insight into how federal 
agencies are doing--are complying with FISMA requirements or 
FISMA guidelines.
    And so in the case of HealthCare.gov, for example, I have 
no direct information about the actual implementation of the 
FISMA guidelines but it is predicated on taking cybersecurity 
in a risk management approach, in an analogous way to what we 
did with the framework for critical infrastructure 
cybersecurity improvement. And so the idea is to identify the 
risks associated with the system and a catalog of risks and a 
catalog of mitigations to adopt steps that are necessary to 
mitigate those risks and then assess the level of risk that is 
appropriate for that individual organization or for that 
particular system. So that is the 
approach that is taken, but as I say, with regard to any 
specific agency, it is really the CIO responsibility along with 
the Inspector General who follows up on ensuring that the 
guidelines are met.
    Mr. Lipinski. Thank you very much. I don't want in any way 
my statements or questions to suggest that everything is 
wonderful with HealthCare.gov or especially the D.C. website, 
which was completely atrocious once again for the second year 
in a row as we had to deal with that being in the system this 
year. But I think the important thing is looking here at 
security and, you know, we--as I said, privacy is another issue 
but the security is something that I think we have talked about 
here and had hearings here and have not found any issues with 
that. So thank you very much.
    Chairwoman Comstock. Okay. I believe, Mr. Newhouse, you 
wanted an additional question?
    Mr. Newhouse. Well, I certainly could. We could talk about 
some of these things for a long time but I guess following up a 
little bit, Dr. Romine--and I hope you don't feel picked on 
today, but----
    Dr. Romine. Quite all right.
    Mr. Newhouse. --that is the risk you take.
    Dr. Romine. That is right.
    Mr. Newhouse. You do play an important role, though, with 
regard to FISMA and it is--you talked a little bit about that 
role in your work to date. I just wanted to know if there 
are any recommendations that you might have that would be 
valuable to us in any changes to the law?
    Dr. Romine. Well, certainly I don't have any changes to the 
statutes to recommend. I would--it will at least give me the 
opportunity to thank this Subcommittee and the Committee for 
the work that we have done collaboratively. We have had a 
really good working relationship between NIST and the 
Subcommittee and Committee over time and we appreciate that.
    I think we are in a good spot with regard to a few things. 
One is the FISMA risk management framework is really an 
important--it provides an important understanding of the 
appropriate balance between ensuring the ability of the private 
sector to innovate in this space and provide new services while 
at the same time maintaining an overall approach that balances 
that against the associated risks. And because the information 
technology space is so dynamic, the risk management framework 
is also very adaptive and dynamic as well. And so I think it is 
the appropriate mechanism. I appreciate the support.
    Mr. Newhouse. And the Congress must be just as dynamic 
then?
    Dr. Fischer. If I may just mention with respect to FISMA 
implementation, the last Congress enacted, as was mentioned, 
the Federal Information Security Modernization Act of 2014, and 
that act gave statutory authority to DHS for some operational 
aspects of helping to ensure that agencies have adequate 
cybersecurity. The Obama Administration had administratively 
delegated it, but previous to that the responsibilities lay 
entirely with OMB, which doesn't have operational capabilities. 
So it remains to be seen to what extent the changes in the law 
will lead to improvements in agencies' cybersecurity. Certainly 
DHS has a number of programs and activities that are aimed at 
that.
    Chairwoman Comstock. Okay. Well, I want to thank the 
witnesses for their very valuable testimony and we so 
appreciate all of your expertise, both the public sector and 
the private sector, and all that you are doing to bring that 
information to us and to the public, and we look forward to 
continuing to work with you. And I thank all the Members for 
their questions.
    And I do want to note that the record will remain open for 
two weeks for additional comments or any information you would 
like to provide and any written questions from the Members. So 
the witnesses are now excused and this hearing is adjourned. 
Thank you very much.
    [Whereupon, at 3:28 p.m., the Subcommittee was adjourned.]



                               Appendix I

                              ----------                              


      
                   Answers to Post-Hearing Questions

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]