[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]


 
      INDUSTRY PERSPECTIVES ON THE PRESIDENT'S 
        CYBERSECURITY INFORMATION-SHARING PRO-
        POSAL

=======================================================================

                                HEARING

                               BEFORE THE

                            SUBCOMMITTEE ON
                     CYBERSECURITY, INFRASTRUCTURE
                        PROTECTION, AND SECURITY
                              TECHNOLOGIES

                                 OF THE

                     COMMITTEE ON HOMELAND SECURITY
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED FOURTEENTH CONGRESS

                             FIRST SESSION

                               __________

                             MARCH 4, 2015

                               __________

                            Serial No. 114-7

                               __________

       Printed for the use of the Committee on Homeland Security
                                     

[GRAPHIC NOT AVAILABLE IN TIFF FORMAT] 

                                     

      Available via the World Wide Web: http://www.gpo.gov/fdsys/

                               __________
                               
                               
                         U.S. GOVERNMENT PUBLISHING OFFICE
94-578 PDF                   WASHINGTON : 2015                         
  
___________________________________________________________________________________________                              
For sale by the Superintendent of Documents, U.S. Government Publishing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
E-mail, [email protected].  
                              
                               
                               

                     COMMITTEE ON HOMELAND SECURITY

                   Michael T. McCaul, Texas, Chairman
Lamar Smith, Texas                   Bennie G. Thompson, Mississippi
Peter T. King, New York              Loretta Sanchez, California
Mike Rogers, Alabama                 Sheila Jackson Lee, Texas
Candice S. Miller, Michigan, Vice    James R. Langevin, Rhode Island
    Chair                            Brian Higgins, New York
Jeff Duncan, South Carolina          Cedric L. Richmond, Louisiana
Tom Marino, Pennsylvania             William R. Keating, Massachusetts
Steven M. Palazzo, Mississippi       Donald M. Payne, Jr., New Jersey
Lou Barletta, Pennsylvania           Filemon Vela, Texas
Scott Perry, Pennsylvania            Bonnie Watson Coleman, New Jersey
Curt Clawson, Florida                Kathleen M. Rice, New York
John Katko, New York                 Norma J. Torres, California
Will Hurd, Texas
Earl L. ``Buddy'' Carter, Georgia
Mark Walker, North Carolina
Barry Loudermilk, Georgia
Martha McSally, Arizona
John Ratcliffe, Texas
                   Brendan P. Shields, Staff Director
                    Joan V. O'Hara,  General Counsel
                    Michael S. Twinchek, Chief Clerk
                I. Lanier Avant, Minority Staff Director
                                 ------                                

SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND SECURITY 
                              TECHNOLOGIES

                    John Ratcliffe, Texas, Chairman
Peter T. King, New York              Cedric L. Richmond, Louisiana
Tom Marino, Pennsylvania             Loretta Sanchez, California
Steven M. Palazzo, Mississippi       Sheila Jackson Lee, Texas
Scott Perry, Pennsylvania            James R. Langevin, Rhode Island
Curt Clawson, Florida                Bennie G. Thompson, Mississippi 
Michael T. McCaul, Texas (ex             (ex officio)
    officio)
               Brett DeWitt, Subcommittee Staff Director
                    Dennis Terry, Subcommittee Clerk
       Christopher Schepis, Minority Subcommittee Staff Director
                            C O N T E N T S

                              ----------                              
                                                                   Page

                               Statements

The Honorable John Ratcliffe, a Representative in Congress From 
  the State of Texas, and Chairman, Subcommittee on 
  Cybersecurity, Infrastructure Protection, and Security 
  Technologies:
  Oral Statement.................................................     1
  Prepared Statement.............................................     3
The Honorable Cedric L. Richmond, a Representative in Congress 
  From the State of Louisiana, and Ranking Member, Subcommittee 
  on Cybersecurity, Infrastructure Protection, and Security 
  Technologies:
  Prepared Statement.............................................    14
The Honorable James R. Langevin, a Representative in Congress 
  From the State of Rhode Island:
  Oral Statement.................................................    13

                               Witnesses

Mr. Matthew J. Eggers, Senior Director, National Security and 
  Emergency Preparedness, U.S. Chamber of Commerce:
  Oral Statement.................................................    15
  Prepared Statement.............................................    17
Ms. Mary Ellen Callahan, Jenner & Block, Former Chief Privacy 
  Officer, U.S. Department of Homeland Security:
  Oral Statement.................................................    24
  Prepared Statement.............................................    26
Mr. Gregory T. Garcia, Executive Director, Financial Services 
  Sector Coordinating Council:
  Oral Statement.................................................    30
  Prepared Statement.............................................    32
Mr. Martin C. Libicki, The Rand Corporation:
  Oral Statement.................................................    37
  Prepared Statement.............................................    39

                             For the Record

The Honorable John Ratcliffe, a Representative in Congress From 
  the State of Texas, and Chairman, Subcommittee on 
  Cybersecurity, Infrastructure Protection, and Security 
  Technologies:
  Letter From the National Defense Industrial Association........     4
  Letter From the American Bankers Association...................     5
  Letter From the Retail Industry Leaders Association............     9
  Statement of the Financial Services Information Sharing & 
    Analysis Center and the National Council of Information 
    Sharing and Analysis Centers.................................    10


  INDUSTRY PERSPECTIVES ON THE PRESIDENT'S CYBERSECURITY INFORMATION-
                            SHARING PROPOSAL

                              ----------                              


                        Wednesday, March 4, 2015

             U.S. House of Representatives,
                    Committee on Homeland Security,
 Subcommittee on Cybersecurity, Infrastructure Protection, 
                                 and Security Technologies,
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 2:06 p.m., in 
Room 311, Cannon House Office Building, Hon. John Ratcliffe 
[Chairman of the subcommittee] presiding.
    Present: Representatives Ratcliffe, Clawson, and Langevin.
    Mr. Ratcliffe. The Committee on Homeland Security, 
Subcommittee on Cybersecurity, Infrastructure Protection, and 
Security Technologies, will come to order.
    I now recognize myself for an opening statement.
    The subcommittee meets today to hear from key stakeholders, 
including industry, privacy advocates in academia, on the 
President's cybersecurity information-sharing proposal in 
recent cyber initiatives.
    Last week the full committee heard testimony from the 
Department of Homeland Security's top cyber officials on the 
growing cybersecurity threat and how this legislative proposal 
could enhance protection of our digital networks and American's 
most personal information.
    Today we turn to the private sector and look forward to 
hearing from our witnesses on what they think cyber threat-
sharing legislation should look like. For years, the private 
sector has been on the front line battling devastating cyber 
attacks from criminals, activists in nation-states such as 
Iran, China, Russia, and North Korea. Any cyber threat-sharing 
legislation produced by Congress should enhance existing 
capabilities and relationships while establishing procedures to 
safeguard personal privacy.
    Protecting privacy and the integrity of information is what 
compels us to act. The recent cyber breach of health insurance 
giant Anthem exposed the personal information of up to 80 
million Americans, approximately 1 in every 4 Americans, 
demonstrating that the quantity and sophistication of these 
attacks is only increasing.
    Just last week the director of national intelligence, James 
Clapper, underscored this fact, stating that cyber attacks 
against us are increasing in frequency, scale, sophistication, 
and severity of impact and that the methods of attack and the 
systems targeted and the victims are also expanding in 
diversity and intensity on a daily basis.
    He emphasized that privacy and the integrity of information 
are indeed at risk, stating that, ``In the future, we will 
probably see cyber operations that change or manipulate 
electronic information to compromise its integrity instead of 
simply deleting or disrupting access to it.''
    Director Clapper also revealed that, in 2014, America saw 
for the first time destructive cyber attacks carried out on 
U.S. soil by nation-state entities when he confirmed that Iran 
was behind the cyber attack against the Las Vegas Sands 
Corporation, which is owned by a vocal supporter of Israel. 
These breaches are now becoming the norm with attacks on Sony 
Pictures, Target, Home Depot, JPMorgan, and others as evidence 
of that fact.
    FBI director Jim Comey recently stated, ``There are two 
kinds of big companies in the United States, those who have 
been hacked by the Chinese and those who don't know they have 
been hacked by the Chinese.''
    Further, these attacks are not just affecting the largest 
businesses in financial institutions, but small and medium ones 
as well. Accordingly, we need to pass legislation that 
facilitates the sharing of cyber threat indicators and contains 
robust privacy protections to improve collaboration between 
Federal civilian agencies, like the DHS, and the private 
sector.
    The Department of Homeland Security's National 
Cybersecurity and Communications Integration Center, or NCCIC, 
has been at the forefront of working with the private sector to 
facilitate cyber threat sharing between the Government and the 
private sector. NCCIC is a civilian cyber operations center 
with an embedded statutorily-required privacy office.
    In fact, both industry and privacy advocates support NCCIC, 
which was codified into law last year in bipartisan legislation 
produced by this committee. NCCIC has been the lead civilian 
portal for cyber threat sharing between the private sector and 
the Government, and it is important that NCCIC and other 
civilian portals be the focus of any cyber threat-sharing 
legislation.
    Today many companies still choose not to share cyber threat 
indicators with one another or with NCCIC because they fear 
legal liability. Information about an attack experienced by one 
company can enable another to fortify its defenses. Yet, when 
the sharing does not occur, it leaves all of us more vulnerable 
because the same criminals can use the same tactics to target 
other companies, exposing even more Americans to having their 
private information compromised.
    Past legislative attempts to improve cyber threat sharing 
between the private sector and Government and private sector-
to-private sector have failed in large part because they could 
not balance privacy protections with the need for industry to 
share cyber threat indicators. This Congress I look forward to 
working with Chairman McCaul, Ranking Member Thompson, and 
Ranking Member Richmond to craft thoughtful cybersecurity 
legislation that achieves this balance.
    I look forward to hearing from each of the witnesses in 
their respective fields about the opinions on how best this 
committee should move forward on drafting legislation to 
address these issues and what perspectives each of you have on 
the President's recent legislative proposal and cyber 
initiatives.
    Every generation faces monumental moments where its 
tenacity to overcome the challenges of our time are tested. Now 
is our time, as we move deeper into the digital age, to ensure 
that the cybersecurity challenges we face today are met with 
the same resolve shown by previous generations of Americans.
    I want to thank the witnesses for testifying before this 
committee, and I look forward to your testimony.
    [The statement of Chairman Ratcliffe follows:]
                  Statement of Chairman John Ratcliffe
                            February 4, 2015
    The subcommittee meets today to hear from key stakeholders 
including industry, privacy advocates, and academia on the President's 
cybersecurity information sharing proposal and recent cyber 
initiatives. Last week, the full committee heard testimony from the 
Department of Homeland Security's top cyber officials on the growing 
cybersecurity threat and how this legislative proposal could enhance 
protection of our digital networks and Americans' most personal 
information. Today, we turn to the private sector and look forward to 
hearing from our witnesses on what they think cyber threat-sharing 
legislation should look like.
    For years, the private sector has been on the front lines battling 
devastating cyber attacks from criminals, hacktivists, and nation-
states such as Iran, China, Russia, and North Korea. Any cyber threat-
sharing legislation produced by Congress should enhance existing 
capabilities and relationships while establishing procedures to 
safeguard personal privacy.
    Protecting privacy and the integrity of information is what compels 
us to act. The recent cyber breach of health insurance giant Anthem 
exposed the personal information of up to 80 million individuals--
approximately 1 in 4 Americans--demonstrating that the quantity and 
sophistication of these attacks are only increasing. Just last week, 
Director of National Intelligence, James Clapper underscored this fact, 
stating that ``[cyber] attacks against us are increasing in frequency, 
scale, sophistication and severity of impact'' and ``the methods of 
attack, the systems targeted, and the victims are also expanding in 
diversity and intensity on a daily basis.'' He emphasized that privacy 
and the integrity of information are indeed at risk, stating, ``in the 
future, we'll probably see cyber operations that change or manipulate 
electronic information to compromise its integrity instead of simply 
deleting or disrupting access to it.''
    Director Clapper also revealed that in 2014, America ``saw, for the 
first time, destructive cyber attacks carried out on U.S. soil by 
nation-state entities,'' confirming that Iran was behind a cyber attack 
against the Las Vegas Sands Corp., which is owned by a vocal supporter 
of Israel.
    These breaches are becoming the norm, with attacks on Sony 
Pictures, Target, Home Depot, JP Morgan, and many others. FBI Director 
James Comey stated, ``There are two kinds of big companies in the 
United States. There are those who've been hacked by the Chinese and 
those who don't know they've been hacked by the Chinese.'' Further, 
these attacks are not just affecting the largest businesses and 
financial institutions, but small and medium ones as well. As such, we 
need to pass legislation that facilitates the sharing of cyber threat 
indicators and contains robust privacy protections to improve 
collaboration between Federal civilian agencies like DHS and the 
private sector.
    The Department of Homeland Security's National Cybersecurity and 
Communications Integration Center, or NCCIC, has been at the forefront 
working with the private sector to facilitate cyber threat sharing 
between the Government and the private sector. NCCIC is a civilian 
cyber operations center with an embedded statutorily-required privacy 
office. In fact, both industry and privacy advocates support NCCIC, 
which was codified into law last year in bipartisan legislation 
produced by this committee.
    NCCIC has been the lead civilian portal for cyber threat sharing 
between the private sector and the Government and it is important that 
NCCIC and other civilian portals be the focus of any cyber threat-
sharing legislation.
    Today, many companies still choose not to share cyber threat 
indicators with one another or NCCIC because they fear legal liability. 
Information about an attack experienced by one can enable another to 
fortify its defenses. Yet when this sharing does not occur, it leaves 
all of us more vulnerable because the same criminals can use the same 
tactics to target other companies, exposing even more Americans to 
having their private information compromised.
    Past legislative attempts to improve cyber threat sharing between 
the private sector and Government, and private sector-to-private 
sector, have failed in large part because they could not balance 
privacy protections with the need for industry to share cyber threat 
indicators. This Congress, I look forward to working with Chairman 
McCaul, Ranking Member Thompson, and Ranking Member Richmond to craft 
thoughtful cybersecurity legislation that achieves this balance.
    I look forward to hearing from each of the witnesses in their 
respective fields about their opinions on how best this committee 
should move forward on drafting legislation to address these issues and 
what perspectives each of you have on the President's recent 
legislative proposal and cyber initiatives.
    Every generation faces monumental moments where their tenacity to 
overcome the challenges of the time are tested. Now is our time, as we 
move deeper into the digital age, to ensure that the cybersecurity 
challenges we face today are met with the same resolve shown by 
previous generations of Americans.
    I want to thank the witnesses for testifying before this committee 
and I look forward to your testimony.

    Mr. Ratcliffe. Next I will ask for unanimous consent to 
insert into the record the letters received by the committee 
from the following organizations: National Defense Industrial 
Association, American Bankers Association, Retail Industry 
Leaders Association, and the Financial Services Information 
Sharing and Analysis Center. Without objection, so ordered.
    [The information follows:]
        Letter From the National Defense Industrial Association
                                     March 3, 2015.
The Honorable Michael McCaul,
Chairman, Committee on Homeland Security, U.S. House of 
        Representatives.
The Honorable Bennie Thompson,
Ranking Member, Committee on Homeland Security, U.S. House of 
        Representatives.

Dear Chairman McCaul and Ranking Member Thompson: The National Defense 
Industrial Association (NDIA) is a non-partisan, non-profit, 
association with more than 1,600 corporate members and approximately 
90,000 individual members. On March 4, 2015, your committee will hold a 
hearing titled ``Industry Perspectives on the President's Cybersecurity 
Information-Sharing Proposal.'' NDIA has received pertinent comments 
from its membership concerning the President's proposal which I have 
enclosed with this letter. Below is a synopsis of those comments to 
inform your committee hearing.
    The President's Cybersecurity Information-Sharing Proposal 
sometimes uses vague language that makes the legislation subject to the 
reader's interpretation. For example, section 103(c)(2) of the proposal 
states that a private entity receiving cyber threat indicators shall 
take ``reasonable efforts'' to protect the privacy of specific 
individuals and to ``safeguard'' information on specific persons. 
Section 103(c)(3) of the same proposal also uses the term 
``reasonable.'' However, the proposal does not define what is 
``reasonable,'' or what is adequate ``safeguarding.'' These undefined 
terms leave the door open for an enforcing agency or court to step in 
and provide definitions at their discretion, Instead, NDIA proposes 
that any legislation define what is ``reasonable'' or where such a 
definition can be obtained, such as in an industry or Government 
standard. To that end, we recommend that the work done by the National 
Institute of Standards and Technology (NIST) expand to include these 
definitions.
    The President's proposal also contemplates the creation of 
Information Sharing and Analysis Organizations (ISAOs) for the sharing 
of information by private industry. The role of ISAOs is further 
explained by Executive Order 13691, ``Promoting Private Sector 
Cybersecurity Information Sharing.'' Nothing appears to preclude 
existing Information Sharing and Analysis Centers (ISACs) from becoming 
ISAOs, although it is understood that ISAOs encompass a broader need-
specific range of activities. The legislative proposal should explain 
the role of ISACs in the new scheme and positively allow or disallow 
ISACs from becoming ISAOs. The legislative proposal should also explain 
the role of other information sharing efforts, such as the Defense 
Security Information Exchange (DSIE). The new legislation should not 
bring past successful efforts to a premature end.
    Missing from the creation of ISAOs is an explanation of how the 
``stovepiping effect'' prevalent among the ISACs and in other cyber 
sharing efforts can be eliminated. NIST is working hard to arrive at 
generally accepted standards for a ``cybersecurity framework.'' Their 
work should be emulated by having the legislation make clear that the 
government's role is to learn from industry standards and to conform 
itself to industry standards rather than the other way around. For 
example, ``best practices'' should be specifically recognized as 
evolving, and industry should have a mechanism to appeal previously 
determined ``best practices.'' Also, important missing language in the 
proposed legislation's concept of ``information sharing'' is that the 
information sharing should be secure. Otherwise, the value of 
information sharing is negated.
    The proposed legislation's liability protections should include an 
explicit extension of the Support Anti-Terrorism by Fostering Effective 
Technologies (SAFETY) Act. Your Committee previously introduced a bill 
that extended such liability protection, and a similar protection 
should be included in this legislation. The legislation should include 
anti-trust protection for entities that share information. A specific 
concern within the defense industrial base is that existing regulations 
already require breach notification and mandatory information sharing. 
Therefore, the proposed legislation needs to provide, in instances 
where the government requires the sharing or disclosure of information, 
extended liability protection to companies that are affected.
    Thank you for your attention to this letter. NDJA looks forward to 
working with your Committee on this and other important matters 
impacting industry. Please do not hesitate to contact us if you have 
any questions or need any further comments.
            Sincerely,
                                              Jimmy Thomas,
                                    Director of Legislative Policy.
                                 ______
                                 
              Letter From the American Bankers Association
                                     March 3, 2015.
The Honorable John Ratcliffe,
Chairman, Subcommittee on Cybersecurity, Infrastructure Protection, and 
        Security Technologies, Committee on Homeland Security, United 
        States House of Representatives, Washington, DC 20515.
The Honorable Cedric L. Richmond,
Ranking Member, Subcommittee on Cybersecurity, Infrastructure 
        Protection, and Security Technologies, Committee on Homeland 
        Security, United States House of Representatives, Washington, 
        DC 20515.

Dear Chairman Ratcliffe and Ranking Member Richmond: On behalf of the 
members of the American Bankers Association (ABA), I respectfully 
request this letter be included as part of the record for your hearing 
``Industry Perspectives on the President's Cybersecurity Information-
Sharing Proposal.''
    Recent cyber-attacks underscore the need to help all businesses 
improve their awareness of threats and enhance their response 
capabilities. The steps taken by the Administration, through the 
issuance of the February 13, 2015 executive order promoting private 
sector Cybersecurity information sharing, will help the business 
community and government agencies share critical threat information 
more effectively.
    While the recent executive order is an important step towards more 
effective information sharing, it is widely recognized that Congress 
must also act to pass legislation to fill important gaps that executive 
action cannot fill. For instance, legislation is necessary to give 
businesses legal certainty that they have safe harbor against frivolous 
lawsuits when voluntarily sharing and receiving threat indicators and 
countermeasures in real time and taking actions to mitigate cyber 
attacks.
    Legislation also needs to offer protections related to public 
disclosure, regulatory, and antitrust matters in order to increase the 
timely exchange of information among public and private entities. ABA 
also believes that legislation needs to safeguard privacy and civil 
liberties and establish appropriate roles for civilian and intelligence 
agencies. The financial sector is dedicated to protecting customer 
data, and has led the way for effective information sharing through the 
development of the Financial Services Information Sharing and Analysis 
Center (FS-ISAC). We are committed to working with others within the 
overall business community to develop a similarly strong and effective 
mechanism for sharing threat information.
    We share the views of the Financial Services Sector Coordinating 
Council (FSSCC) and the testimony that will be given by Mr. Greg 
Garcia. However, we would like to highlight two important areas within 
the executive order: The acceleration of the DHS security clearance 
process and the establishment of Information Sharing and Analysis 
Organizations (ISAOs).
    Information sharing is of critical importance to the financial 
services sector, other critical infrastructure sectors and the 
government. Without it, none of the financial sector's security and 
resiliency priorities would be achievable. With key federal support 
from the Treasury Department as our Sector Specific Agency, law 
enforcement and DHS, our network defenders are better able to prepare 
for cyber threats when there is a consistent, reliable and sustainable 
flow of actionable Cybersecurity information and analysis, at both a 
classified and unclassified level.
    As a nation, we are making some progress toward this goal, but it 
has become increasingly necessary for appropriately-cleared 
representatives of critical sectors such as financial services to have 
access, and provide contributions, to classified information that 
enables analysts and operators to take timely action to defend 
essential systems. Accordingly, the executive order's enhancement of 
DHS's role in accelerating the security clearance process for critical 
sector owners and operators is a clear indication of the 
Administration's support for this public-private partnership.
    The ISAC's have played an important role for critical 
infrastructure protection information sharing and incident response for 
their sectors. The FS-ISAC, in particular, enjoys strong support from 
sector members, Treasury and DHS. In this spirit, we also support the 
creation of ISAOs as a mechanism for all sectors, regions and other 
stakeholder groups to share Cybersecurity information and coordinate 
analysis and response. While ISACs must retain their status as the 
government's primary critical infrastructure partners, given their 
mandate for broad sectorial representation, the development of ISAOs 
should be facilitated for stakeholder groups that require a 
collaborative cyber and physical threat information sharing capability 
that builds on the strong foundation laid by the ISACs.
    As the ISAO standards development process unfolds, certain 
principles must be upheld for structuring both the ISAOs themselves and 
the government's interaction with them:
   Sharing of sensitive security information within and among 
        communities of trust is successful when operational standards 
        of practice establish clear and enforced information handling 
        rules;
   Information sharing is not a competitive sport: while 
        competition in innovation can improve technical capabilities, 
        operational standards should incentivize federated information 
        sharing. Threat and vulnerability intelligence needs to be 
        fused across trust communities, not diffused or siloed;
   Government internal processes for collecting, analyzing and 
        packaging critical infrastructure protection intelligence for 
        ISAC/ISAO consumption must be streamlined and transparent to 
        maximize timeliness, accuracy and relevance of actionable 
        shared information; and
   To manage scarce resources, government information sharing 
        mechanisms such as the National Cyber and Communications 
        Integration Center (NCCIC) and the Treasury Department's Cyber 
        Intelligence Group (CIG) should prioritize engagements with 
        ISACs and ISAOs according to transparently established 
        criteria.
    It is also important that the process to develop the ISAO standards 
is collaborative, open, and transparent. The process managed by the 
National Institute of Standards and Technology (NIST) during the 
development of the NIST Cybersecurity Framework is an excellent example 
of the appropriate leveraging of private sector input, knowledge and 
experience to develop guidance that will primarily impact non-
governmental entities. We encourage DHS, as the implementing authority 
of the president's EO, to emulate the engagement model that NIST used 
to create and adopt their Cybersecurity Framework. The process worked.
    Finally, for DHS to be successful implementing the EO and its many 
cyber security risk management and partnership authorities, it must be 
sufficiently resourced with the best analytical and technical 
capabilities, with a cadre of highly qualified Cybersecurity leaders 
and analytical teams to conduct its mission. There must be a concerted 
effort to recruit, retain and maintain a world class workforce that is 
able to assess cyber threats globally and help the private sector 
reduce risk to this nation. With the application of the principles 
discussed in this statement, we believe the creation of ISAOs and their 
partnership agreements with DHS have the potential to complement the 
ISAC foundation and measurably improve cyber risk reduction for 
critical infrastructure and the national economy.
    We look forward to working with Congress, the Administration and 
DHS to leverage the FS-ISAC as a successful model in the development of 
regional information sharing and analysis organizations. Above all, we 
urge Congress to send a bill to the president that gives businesses the 
liability and antitrust protections, and our citizens the privacy and 
civil liberty protections that will enhance our already significant 
efforts to protect the Cybersecurity of our nation.
    Although it was not the focal point of the hearing, we understand 
that an issue may be raised about whether or not requiring PINs on 
transactions would be a more effective way to prevent harm to 
consumers. There are some very positive features of PIN transactions, 
but the fact is that the recent data breaches show the limitations of 
PINs as a security feature. The recent breaches demonstrate the danger 
of PINs with debit cards that are directly linked to a person's bank 
account (e.g., through an ATM). It is possible that if a PIN is stolen 
from a retailer's system, a criminal could access the customer's entire 
account and commit fraud.
    Security reporter Brian Krebs wrote that there are recent examples, 
such as with the recent Home Depot breach, of thieves acquiring PINs, 
changing them, and withdrawing cash from customers' accounts.\1\ The 
data also shows that hackers increasingly target PINs. A report by the 
Federal Reserve Bank of Atlanta published in 2012 found that PIN debit 
fraud rates have increased more than threefold since 2004.\2\
---------------------------------------------------------------------------
    \1\ http://krebsonsecurity.com/2014/09/in-wake-of-confirmed-breach-
at-home-depot-banks-see-spike-in-pin-debit-card-fraud/.
    \2\ Federal Reserve Bank of Atlanta (2012) http://bit.ly/16RAPGW.
---------------------------------------------------------------------------
    The security threat we face now is a complex problem that cannot be 
solved by any single technology, standard, mandate or regulation. In 
fact, it cannot be solved by a single sector of society--businesses, 
standards-setting bodies, policymakers, and law enforcement--must work 
together to protect the financial and privacy interests of consumers. 
The attached white paper ``Preventing Data Breaches: Smart Security in 
a Changing Threat Landscape'' which was prepared by the ABA, goes into 
this issue in greater detail. It makes it clear that winning the war 
against criminal hackers will take a forward-looking approach and the 
best technologies. No single security feature is fail-proof and 
including a technology mandate in data breach legislation will only 
provide a false sense of security and not real protection for 
consumers.
            Sincerely,
                                        James C. Ballentine
  Attachment.--Preventing Data Breaches: Smart Security in a Changing 
                            Threat Landscape
                  dynamic cybersecurity for the future
    Recent high-profile data breaches at retailers like Target and Home 
Depot underscore the critical need for stronger and more innovative 
security solutions that protect consumers.
    Dynamic solutions, not rigid one-size-fits-all mandates. Mandates 
stifle innovation in the private sector and hinder the ability to adapt 
and react to evolving threats. While the federal government may believe 
technology mandates are a way to ensure a level of security, the 
private sector--and more importantly, consumers--will be saddled with 
static technology that ultimately makes them vulnerable.
    Investing in security. Banks and payment networks continue to 
invest heavily in the development and implementation of promising new 
technologies capable of protecting consumers everywhere purchases are 
made.
    A common enemy. Both banks and retailers have a role to play in 
fighting criminal hackers who will never stop looking for new ways to 
steal consumers' data.
                     chip technology: why it works
    Debit and credit cards with EMV (Europay MasterCard Visa) or 
``chip'' technology have a microprocessor that protects your personal 
information through encryption--a process that scrambles personal and 
financial data to make it virtually useless to criminals. Whether the 
consumer signs for a purchase or enters a PIN, it is the chip 
technology that enables a more secure payment. Chip technology cards 
are:
    More secure than magnetic stripe cards, because the chip generates 
unique data for each transaction. If that information is stolen, it 
won't be traceable back to the account.
    Nearly impossible to replicate, thanks to the chip's ability to 
create a new, random number for each transaction.
    Coming to a checkout terminal near you. Banks are already issuing 
chip cards, with 120 million cards expected to be in the hands of U.S. 
consumers by the end of 2014, and 575 million cards issued by the end 
of 2015. Javelin Strategy and Research estimates only 10 percent of 
merchants currently have terminals that accept EMV chips. By October 
2015, banks must issue cards with chip capability and retailers must 
have terminals to accept them or they will be liable for fraudulent 
purchases made on the card.
                       it's the chip that matters
    For cards with EMV chip technology, it's the chip that makes the 
card more secure.
    A mandate, such as one requiring chip-enabled cards or PINs, does 
not prevent on-line or mobile fraud. Americans spent $263 billion on-
line last year (most often without a PIN) and that dollar number is 
expected to grow to $414 billion by 2018. Less than 30 percent of 
merchants in the U.S.--both on-line and traditional storefronts--are 
currently equipped to accept a PIN: And some merchants prefer not to. 
As mobile technologies emerge, device passcodes and thumbprints are 
being introduced to benefit the consumer. Security should be dynamic, 
useful and address the realities of an increasingly digital economy, 
not be mandated to a single method.
    A mandate could not have prevented the massive data breaches at 
Target, caused by hackers using malware to steal credentials through 
the company's heating, ventilating, and air conditioning (HVAC) 
contractor. It also would not have prevented breaches at Home Depot, 
and Neiman Marcus, caused by malware installed in checkout terminals. 
However, chip cards would have reduced the value of the compromised 
data by inhibiting the creation of counterfeit cards.
    Criminals will always seek the weakest link. No single security 
feature is fail-proof. Creating a mandate around one static technology 
gives hackers an open invitation to exploit loopholes in the payments 
system.
    No technology is fail-proof. Magnetic stripes have become more 
vulnerable over the years as criminals have found ways to skim the data 
stored in the stripe and replicate it to make fraudulent purchases. 
PINs have their own flaws. A report by the Federal Reserve Bank of 
Atlanta published in 2012 found that PIN debit fraud rates have 
increased more than threefold since 2004. When a PIN is compromised, it 
can open a backdoor for criminals to access and drain consumers' bank 
accounts at an ATM.
      beyond plastic: better security, wherever purchases are made
    EMV chip technology will help protect customers at the register, 
but it's not a silver bullet. Expecting a single technology to 
successfully prevent all fraud is unrealistic, which is why banks and 
payment networks are implementing new technologies that can adapt and 
deploy in a changing threat landscape:
    End-to-end encryption is helping make payments more secure, by 
encoding consumers' information into unreadable formats as it makes its 
way from checkout to card network to the bank and back.
    Tokenization technology replaces sensitive consumer account 
information at the cash register or on-line with a random ``token,'' 
rendering the information useless to criminals. This technology is an 
important feature for some mobile wallets, such as Apple Pay, and can 
be used on-line.
    24/7 fraud protection is already a hallmark of banks, which employ 
teams of experts using advanced computer systems to monitor 
transactions and detect unusual activity indicating a customer's 
account has been hacked.
          the bottom line: fewer mandates, more collaboration
    Mandates hurt consumers because they funnel valuable time and 
resources into static technologies that will become obsolete as cyber 
threats change.
    A mandate could drive up the cost of doing business without 
addressing the fundamental cause of most future data breaches--
inconsistent and outdated security practices within the retailers, 
which was the source of recent high-profile breaches at Target, Home 
Depot, and others.
    The security threat facing the payment card industry is a complex 
problem that cannot be solved by any single technology, standard, 
mandate, or regulation. It cannot be solved by a single sector of 
society--businesses, standards-setting bodies, policymakers, and law 
enforcement--must work together to protect the financial and privacy 
interests of consumers.
    To borrow a concept from Moore's Law of Innovation, every new 
technology is obsolete within 18 months. Data security technologies are 
no exception. Winning the war against cybercrime will take a forward-
looking approach to preventing data breaches anywhere they occur--at 
the register, with a mobile phone or on-line. Money and resources 
should flow to the best technologies to fight these cyber attacks. 
Focusing on just one technology gives a false sense of security at a 
cost that everyone bears.
                                 ______
                                 
          Letter From the Retail Industry Leaders Association
                                 February 25, 2015.
The Honorable Michael McCaul,
Chairman, House Committee on Homeland Security, United States House of 
        Representatives, Washington, DC 20515.
The Honorable Bennie Thompson,
Ranking Member, House Committee on Homeland Security, United States 
        House of Representatives, Washington, DC 20515.

Dear Chairman McCaul and Ranking Member Thompson: On behalf of the 
Retail Industry Leaders Association (RILA), I write to thank you for 
holding today's hearing entitled, ``Examining the President's 
Cybersecurity Information-Sharing Proposal.'' Retailers greatly 
appreciate the Committee's leadership in seeking to find a sensible 
path to address critical cybersecurity issues.
    RILA is the trade association of the world's largest and most 
innovative retail companies. RILA members include more than 200 
retailers, product manufacturers, and service suppliers, which together 
are responsible for more than $1.5 trillion in annual sales, millions 
of American jobs and more than 100,000 stores, manufacturing facilities 
and distribution centers domestically and abroad.
    Retailers embrace innovative technology to provide American 
consumers with unparalleled services and products on-line, through 
mobile applications, and in our stores. While technology presents great 
opportunity, nation states, criminal organizations, and other bad 
actors also are using it to attack businesses, institutions, and 
governments. As we have seen, no organization is immune from attacks 
and no security system is invulnerable. Retailers understand that 
defense against cyber attacks must be an on-going effort, evolving to 
address the changing nature of the threat. RILA is committed to working 
with Congress to give government and retailers the tools necessary to 
thwart this unprecedented attack on the United States (U.S.) economy 
and bring the fight to cyber criminals around the globe.
    As leaders in the retail community, we are taking new and 
significant steps to enhance cybersecurity throughout the industry. To 
that end, RILA formed the Retail Cyber Intelligence Sharing Center (R-
CISC), one component of which is a Retail ISAC, in 2014 in partnership 
with America's most recognized retailers. The Center has opened a 
steady flow of information sharing between retailers, law enforcement 
and other relevant stakeholders. These efforts already have helped 
prevent data breaches, protected millions of American customers and 
saved retailers millions of dollars. The R-CISC is open to all 
retailers regardless of their membership in RILA.
    For years, RILA members have been developing and deploying new 
technologies to achieve pioneering levels of security and service. The 
cyber-attacks that our industry faces change every day and our members 
are building layered and resilient systems to meet these threats. Key 
to this effort is the ability to design systems to meet actual threats 
rather than potentially outdated cybersecurity standards that may be 
enshrined in law. That is why development of any technical 
cybersecurity standards, beyond a mandate for reasonable security, must 
be voluntary and industry-led such as the standards embodied in the 
National Institute of Standards and Technology Cybersecurity Framework. 
RILA members using the Framework have found it to be a helpful tool in 
evaluating their cybersecurity posture and support the continued use of 
voluntary, industry-led processes as a key method of addressing dynamic 
technology challenges.
    One area of cybersecurity that needs immediate attention is payment 
card technology. RILA members have long supported the adoption of 
stronger debit and credit card security protections. The woefully 
outdated magnetic stripe technology used on cards today is the chief 
vulnerability in the payments ecosystem. This 1960s-era technology 
allows cyber criminals to create counterfeit cards and commit fraud 
with ease. Retailers continue to press banks and card networks to 
provide U.S. consumers with the same Chip and PIN technology that has 
proven to dramatically reduce fraud when it has been deployed elsewhere 
around the world. According to the Federal Reserve, PINs on debit cards 
make them 700 percent more secure than transactions authorized by 
signature.\1\
---------------------------------------------------------------------------
    \1\ Federal Reserve, ``2011 Interchange Fee Revenue, Covers Issuer 
Costs, and Covered Issuer and Merchant Fraud Losses Related to Debit 
Card Transactions,'' (March 5, 2013).
---------------------------------------------------------------------------
    Increasing cyber threat information sharing is also vital to 
defeating sophisticated and coordinated cyber actors. RILA strongly 
supports cybersecurity information sharing legislation that provides 
liability protections for participating organizations. That liability 
protection should protect companies that share with appropriate federal 
law enforcement partners like the Secret Service and the FBI to help 
bring cybercriminals to justice. Legislation also should increase 
funding for government-sponsored research into next generation security 
controls and enhance law enforcement capabilities to investigate and 
prosecute criminals internationally. The cyber-attacks faced by every 
sector of our economy constitute a grave national security threat that 
should be addressed from all angles.
    RILA thanks the Committee for holding this important hearing 
examining cyber information sharing legislation and cybersecurity more 
broadly. We look forward to working with you on these vital issues. 
Should you have any additional questions regarding this matter, please 
feel free to contact Nicholas Ahrens, Vice President, Privacy and 
Cybersecurity.
            Sincerely,
                                      Jennifer M. Safavian,
                      Executive Vice President, Government Affairs.
                                 ______
                                 
  Statement of the Financial Services Information Sharing & Analysis 
  Center and the National Council of Information Sharing and Analysis 
                                Centers
                             March 4, 2015
                           fs-isac background
    Chairman Ratcliffe and Members of the subcommittee, my name is 
Denise Anderson. I am vice president, FS-ISAC, government and cross 
sector programs at the Financial Services Information Sharing & 
Analysis Center (FS-ISAC) and chair of the National Council of ISACs 
(NCI). I want to thank you for this opportunity to address the 
Cybersecurity, Infrastructure Protection and Security Technologies 
Subcommittee about the industry perspective on ``Cybersecurity and 
Information Sharing''. I am submitting this testimony for the record as 
I am on travel and regret my inability to take part in this proceeding.
    The FS-ISAC was formed in 1999 in response to the 1998 Presidential 
Decision Directive 63 (PDD 63), which called for the public and private 
sectors to work together to address cyber threats to the Nation's 
critical infrastructures. After 9/11, in response to Homeland Security 
Presidential Directive 7 (its 2013 successor, Presidential Policy 
Directive 21) and the Homeland Security Act, the FS-ISAC expanded its 
role to encompass physical threats to the sector.
    The FS-ISAC is a 501(c)6 nonprofit organization and is funded 
entirely by its member firms and sponsors. In 2004, there were only 68 
members of the FS-ISAC, mostly larger financial services firms. Since 
that time the membership has expanded to almost 5,500 organizations 
including commercial banks and credit unions of all sizes, markets and 
equities firms, brokerage firms, insurance companies, payments 
processors, and 24 trade associations representing virtually all of the 
U.S. financial services sector. The FS-ISAC is a global organization 
and has members in 38 different countries.
                             NCI Background
    The NCI is a voluntary organization of ISACs formed in 2003 in 
recognition of the need for the ISACs to share information with each 
other about common threats and issues. The mission of the NCI is to 
advance the physical and cyber security of the critical infrastructure 
of North America by establishing and maintaining a framework for 
valuable interaction among and between the ISACs and with Government. 
The membership of the NCI is the 18 individual ISACs that represent 
their respective sectors or sub-sectors. The NCI also works closely 
with the other critical infrastructure sectors (CI) that have 
operational arms including chemical, (reforming its ISAC) automotive 
(currently forming an ISAC) and critical manufacturing, among others. 
The NCI has made it a goal to be inclusive of each critical 
infrastructure sector and sub-sector's operational arm.
    The ISACs collaborate with each other daily through the NCI daily 
operations centers cyber call, the NCI secure portal and the NCI 
listserver. The NCI also hosts a weekly operations centers physical 
call and meets monthly to discuss issues and threats. The organization 
is a true cross-sector partnership engaged in sharing cyber and 
physical threats, mitigation strategies and working together and with 
government partners during incidents requiring cross-sector response as 
well as addressing issues affecting industry. In addition to the secure 
portal, the NCI hosts an ISAC threat level dash board, conducts and 
participates in cross-sector exercises, works with the National 
Infrastructure Coordinating Center (NICC) and the National 
Cybersecurity and Communications Integration Center (NCCIC) during 
steady-state and incidents, holds emergency calls as needed and 
develops joint white papers around threats. The ISACs have been 
instrumental in embracing, developing and advancing the automatic 
exchange of data within their memberships and across the ISACs, as well 
as with government as possible.
                   isacs and government partnerships
    ISACs, which are not-for-profit organizations, work closely with 
various Government agencies including their respective Sector Specific 
Agencies (SSAs) where they exist, intelligence agencies, law 
enforcement, and State and local governments. In partnership with the 
Department of Homeland Security (DHS), several ISACs participate in the 
National Cybersecurity and Communications Integration Center (NCCIC) 
watch floor. ISAC representatives, cleared at the Top Secret/Sensitive 
Compartmented Information (TS/SCI) level, attend the daily briefs and 
other NCCIC meetings to share information on threats, vulnerabilities, 
incidents, and potential or known impacts to the critical 
infrastructure sectors. Having ISACs on the floor has allowed for 
effective collaboration on threats and incidents and there have been 
many examples of successful information sharing. The ISACs also serve 
as liaisons to the National Infrastructure Coordinating Center (NICC) 
and play a vital role in incident response and collaboration under the 
Critical Infrastructure Partner Annex to the Incident Management Plan.
    In addition, ISAC representatives sit on the Cyber Unified 
Coordination Group (Cyber UCG). This group was set up under authority 
of the National Cyber Incident Response Plan (NCIRP) and has been 
actively engaged in incident response.
    Finally, it should be noted that the ISACs collaborate with their 
sector coordinating councils as applicable and work with other critical 
infrastructure partners during steady state and incidents.
              the february 2015 executive order and isaos
    The Executive Order, Promoting Private Sector Cybersecurity 
Information Sharing, signed February 15, 2013 by President Obama and 
recently-announced information-sharing legislative proposal are 
commendable in their intent to foster information sharing. Information 
Sharing and Analysis Organizations (ISAOs) were first defined in the 
Homeland Security Act of 2002. ISACs were created under Presidential 
Decision Directive 63 (PDD-63). Effectively ISACs were the original 
ISAOs, are the subject-matter experts in information sharing and a 
majority of ISACs have been in existence for over a decade or more.
    Indeed there is a need for many groups that may not fall in with 
the critical infrastructure sectors such as legal and media and 
entertainment organizations, who are increasingly becoming targets for 
cyber incidents and attacks, to share information. The private sector 
is already organizing efforts in this area and as an example; the FS-
ISAC has been working with the legal industry for almost a year now to 
form an ISAO. Many of the other ISACs, such as the Multi-State ISAC 
(MS-ISAC) and Information Technology ISAC (IT-ISAC) have also been 
engaging industries that do not have established information-sharing 
forums such as the Retail sector, which is actively forming an ISAC.
    However ISACs are much more than ISAOs. They serve a special role 
in critical infrastructure protection and resilience and play a unique 
role in the sector partnership model. While the White House has noted 
that the EO seeks to ``not limit effective existing relationships that 
exist between the Government and the private sector'' the recent EO and 
prominent coverage of ISAOs has led to some confusion within industry 
as to the impacts to ISACs. It is absolutely essential that the 
successful efforts that the ISACs have established over the years 
should not be disrupted. It is clear that the ISACs by their success 
meet the distinct and unique needs of each of their sectors and the 
owner and operator members of those sectors.
    The solution to easing this confusion is very simple. The White 
House, SSAs--including DHS--and other relevant agencies need to call 
out, recognize, and support the unique role ISACs play in critical 
infrastructure protection and resilience. For instance, ISACs have the 
responsibility to maintain sector-wide threat awareness within their 
respective sectors. It is critical that our Federal partners continue 
to respect and support that role to avoid undermining one of the main 
duties of ISACs to their members and sectors. It is vital that the 
process is not diluted and remains streamlined to facilitate effective 
situational awareness and response activities particularly when an 
incident occurs.
    One of the greatest strengths of ISACs is the productive 
information sharing that occurs by having robust trusted networks of 
members. Government should support private-sector efforts to form ISACs 
in those very few critical infrastructure sectors where ISACs do not 
currently exist, and where they do, regularly and consistently 
encourage owner/operators to join their respective ISACs. This has been 
very effective in the financial sector where the United States 
Department of the Treasury, the regulators, and State agencies have 
been strongly encouraging membership in the FS-ISAC as a best practice. 
Currently, not all of the SSAs support their sector-designated ISACs in 
the same manner.
    Attached is an appendix, which lists out some 20 points as to why 
ISACs are more than ISAOs.
                      creating standards for isaos
    The Executive Order also calls for the drafting of a set of 
voluntary standards. The NCI believes that having an established set of 
capabilities is important and currently has a baseline set of criteria 
that ISACs must meet in order to be members of the Council. But it is 
essential that information-sharing organizations have the flexibility 
and ability to meet the unique needs of its sector and members. 
Although all ISACs have similar missions, no two ISACs are exactly 
alike.
    Any criteria that are developed must be done in concert with the 
private sector and must be upheld by the private sector in order to be 
effective. ISACs and ensuing ISAOs are private-sector organizations. 
Any attempt by Government to oversee or mandate what these 
organizations produce and how they collaborate would eliminate 
information sharing and almost two decades of progress. In the face of 
growing, targeted and sophisticated threats, rendering proven 
information-sharing efforts ineffective would not only be a grave 
consequence, it would run contrary to the spirit of the drafting of the 
EO: To promote private-sector cybersecurity information sharing.
    The NCI has a strong history of mentoring and supporting the 
establishment of several new ISACs such as Aviation, Retail, and 
Automotive and the re-formation of the Oil and Gas ISAC. ISACs fostered 
by activities developed and sponsored by the NCI are robustly sharing 
among their peer ISACs and partners, items such as best practice guides 
and toolkits that ISACs can replicate and provide to their members for 
free.
    These activities reflect a powerful force in organizational 
information sharing and collaboration that the EO fails to contemplate 
and appears to attempt to recreate through the development of a 
standards organization. Any focus on ISAOs and ISAO standards must be 
implemented carefully as not only to encourage and foster information 
sharing and analytical maturity among newly-established organizations, 
but also clearly publish, highlight, and fully leverage and emulate 
aspects of the status quo that are working and have been working for 
quite some time.
                     effective information sharing
    It is important to note that the goal of information sharing is not 
to share information in and of itself but to create situational 
awareness in order to inform risk-based decisions as well as allow 
operational components within owner/operation organizations that have 
direct actionable control over the content they are sharing, to perform 
an action. The focus needs to be on enhancing the ability of 
operational groups to work closely with each other.
    The ISACs are successful organizations with almost two decades of 
proven cases studies of information sharing and collaboration. They are 
the subject-matter experts on information sharing. In order for 
information sharing to be effective it must be:
   Voluntary--not mandated or regulated
   Industry Driven
   Actionable, Timely and Relevant
   Bi-directional and Collaborative

    Government can help this effort by:
   Recognizing ISACs and the special operational role that they 
        play in critical infrastructure protection and resilience;
   Supporting private-sector efforts to form ISACs in the very 
        few critical infrastructure sectors where they do not currently 
        exist;
   Encourage owners and operators of critical infrastructure to 
        join their respective sector ISACs;
   Facilitate getting all of the ISACs on the NCCIC floor. 
        After 4 years this still has not been accomplished;
   Recognize the NCI as the coordinating body for the ISACs.
    This concludes my written statement for the record. Thank you again 
for the opportunity to present this testimony and I look forward to 
your questions.
           Appendix: 20 Reasons Why ISACS are More Than ISAOS
   ISACs are all-hazards and address both cyber and physical 
        threats and incidents
   ISACs are the designated operational arms of their sectors
   ISACs play a critical industry- and Government-recognized 
        role in critical infrastructure incident response
   ISACs have reach into their sectors and in many cases are 
        relied upon as the threat and incident communications channel 
        for their respective sectors
   ISACs provide annonymization and aggregation of data for 
        their sectors
   ISACs provide a sector perspective on threats and incidents 
        and provide sector-specific analysis
   ISACs set or manage threat levels for their respective 
        sectors
   ISACs perform structured collaboration across the sectors
   ISACs conduct joint analysis to develop joint products on 
        specific threats and incidents
   ISACs serve an operational role in the National partnership 
        framework
   Many ISACs have security operations centers that monitor 
        threats, vulnerabilities, and incidents and provide analysis 
        for sector threat potential and impact
   ISACs are not-for-profit organizations that are not in the 
        business to sell information but to facilitate it
   ISACs meet the unique needs of their respective members/
        sectors
   Most ISACs are global and are not just focused on the United 
        States. Many have global partnerships
   ISACs have a vetting process for members to qualify to join
   ISACs are organized and run by the owners and operators of 
        critical infrastructure
   ISACs have a formal governance structure
   ISACS facilitate bi-directional information sharing on 
        incidents, information, and intelligence within and among the 
        sectors.
   ISACs are designated operational entities within sectors to 
        enhance efficiency and coordination of information sharing and 
        incident response.

    Mr. Ratcliffe. The Chairman now recognizes the gentleman 
from Rhode Island, Mr. Langevin, for an opening statement.
    Mr. Langevin. Thank you, Mr. Chairman.
    I know that Ranking Member Richmond is on his way, and on 
his behalf I will just welcome our witnesses.
    In particular, I want to acknowledge Greg Garcia, whom I 
worked with when I chaired this subcommittee many years ago and 
when you had the Department of Homeland Security.
    I thank all of you for your work. I know in one way or 
another I have had the opportunity to interact with all of our 
witnesses. Thank you for the work you are doing to better 
protect our country. I look forward to hearing your perspective 
here today.
    Mr. Chairman, I especially want to commend you for holding 
this hearing today. Thank you for giving the information-
sharing and data breach issues the attention that it needs and 
deserves. Hearing from expert witnesses I know will move this 
issue ahead further.
    Obviously, there is no one answer to solving our 
cybersecurity challenges. It is never a problem to be solved, 
as I have said many times, but it is a problem to be managed, 
and we have to do a much better job of getting to a place where 
we are much better protected in cyber space than where we are. 
We can close that air of vulnerability down to something much 
more manageable.
    It won't be just a Government answer, of course, and it is 
not going to be just private sector. It is going to take that 
collaboration of us working together to solve this and deal 
with this incredible challenge.
    So, with that, I will yield back.
    I thank our witnesses in advance for being here and what 
they are about to say.
    Thank you, Mr. Chairman. I yield back.
    Mr. Ratcliffe. I thank the gentleman. I remind other 
Members that additional statements may be submitted for the 
record.
    [The statement of Ranking Member Richmond follows:]
             Statement of Ranking Member Cedric L. Richmond
                             March 4, 2015
    Our infrastructure is more digitally interconnected than ever. Our 
country's reliance on cyber systems and networks covers everything from 
power plants to pipelines, and hospitals to highways. Yet for all the 
advantages interconnectivity offers, our Nation's critical 
infrastructure is also increasingly vulnerable to attack from an array 
of cyber threats.
    We are to hear testimony today on how we can be better prepared for 
these threats. The President has proposed an updated package of 
legislative initiatives to frame the issues, and hopefully spur 
Congress to action on cybersecurity. Last year this subcommittee was 
the author of important authorizations that gave the Department sound 
footing to carry out its mission as the central civilian portal for 
information sharing between critical infrastructure sectors and the 
Government.
    It is widely recognized that more is needed, and the President's 
initiatives do indeed go further. Senator Carper, Ranking Member on the 
Senate Homeland Security and Government Affairs Committee, has already 
introduced almost a word-for-word version of the White House 
information-sharing language as S. 456, The Cyber Threat Sharing Act of 
2015.
    Hacks on major businesses and financial institutions continue to 
dominate headlines. Just a few weeks after Anthem insurance announced 
that account information of as many as 80 million customers had been 
stolen, we are all waiting for the next shoe to fall.
    The President's proposal seeks to create a friendlier atmosphere 
for companies to swap certain types of computer data with each other 
and the Government, in order to identify potential cyber threats and 
isolate security flaws. To persuade companies to buy into the proposed 
system, the White House bill would provide assurances that the sharing 
of indicators--which could include things like IP addresses, routing 
information, and date and time stamps deemed important to identifying 
potential cyber threats or security vulnerabilities--would be exempt 
from legal or regulatory punishment. The President's proposals contain 
some new ideas about the formation of information-sharing organizations 
that would set sharing standards and privacy requirements.
    Since the `90s, firms have shared information directly on an ad hoc 
basis and through private-sector, nonprofit organizations, such as 
Information Sharing and Analysis Centers, or ISACs that can analyze and 
disseminate information. The White House proposal requires the 
Secretary of Homeland Security to form a new type of organization, the 
Information Sharing and Analysis Organizations, or ISAOs.
    We need to know what kinds of barriers to information sharing exist 
today, and how we on this subcommittee can help make this cyber tool 
more effective. For our side, information sharing must be structured in 
the public and private sectors to ensure that the risks to privacy 
rights and civil liberties of individual citizens be recognized, and 
how those rights and liberties can best be protected. Today, hopefully 
we'll find answers to some of these questions.
    We live in a post-Snowden world, and we are all much more aware of 
the powerful abilities of our surveillance agencies. Information 
sharing is not a zero-sum game. As policy makers we can step back and 
take stock of how best to protect our citizen's privacy rights, while 
finding effective and powerful tools to combat the cyber threats before 
us.

    Mr. Ratcliffe. We are pleased to have with us a 
distinguished panel of witnesses today on this very important 
topic. I would ask all of you to stand, if you would, and raise 
your right hand.
    [Witnesses sworn.]
    Mr. Ratcliffe. Thank you. You may be seated.
    Our witnesses today--we have with us Mr. Matthew Eggers. He 
is the senior director for national security and emergency 
preparedness at the U.S. Chamber of Commerce.
    Mr. Eggers, good to see you again.
    Mr. Eggers. Good to see you.
    Mr. Ratcliffe. Also with us is Ms. Mary Ellen Callahan. She 
is a partner at Jenner & Block and is the former chief privacy 
officer at the Department of Homeland Security.
    Welcome, Ms. Callahan.
    Also with us is Mr. Greg Garcia. He is the executive 
director of the Financial Services Sector Coordinating Council.
    Mr. Garcia, we appreciate you coming to see us today.
    Then, finally, last, but not least, Dr. Martin Libicki is 
the senior management scientist at The RAND Corporation.
    Dr. Libicki, thank you for being here as well.
    The witnesses' full statements will appear in the record.
    The Chairman now recognizes Mr. Eggers for 5 minutes to 
testify.

   STATEMENT OF MATTHEW J. EGGERS, SENIOR DIRECTOR, NATIONAL 
 SECURITY AND EMERGENCY PREPAREDNESS, U.S. CHAMBER OF COMMERCE

    Mr. Eggers. Good afternoon, Chairman Ratcliffe and other 
distinguished Members of the subcommittee.
    My name is Matthew Eggers. I lead the U.S. Chamber 
Cybersecurity Working Group, which has about 200 members, and 
it is growing virtually daily. Before talking about the cyber 
information-sharing proposals, I want to note that my written 
statement highlights the successful roll-out of the NIST 
framework.
    The Chamber's proudly launched its own cyber campaign under 
the banner of improving today, protecting tomorrow. In 2014, we 
organized several roundtables across the country. The events 
featured State and local chambers and principals from the White 
House, DHS, NIST, as well as local FBI and Secret Service 
officials. More roundtables are being planned this year.
    The framework would be incomplete without enacting 
legislation that removes legal and regulatory barriers to 
quickly exchanging data about threats to U.S. companies. Let's 
consider CISA and the White House proposal or the Carper bill, 
S. 456.
    First, the draft Cybersecurity Information Sharing Act of 
2015, or CISA. In January, 35 associations, including the 
Chamber, urged the Senate to quickly pass the cyber info-
sharing bill modeled after the bipartisan CISA bill that 
Senators Feinstein and Chambliss championed last year.
    The first version of CISA stalled, unfortunately. A draft 
CISA, 2.0, if you will, sponsored by Senators Burr and 
Feinstein, is expected to be marked up soon. It reflects 
practical compromises among many stakeholders. We need to focus 
our collective legislative negotiations on CISA.
    CISA would give businesses legal certainty that they have 
safe harbor against frivolous lawsuits when voluntarily sharing 
and receiving cyber threat indicators, or CTIs, and 
countermeasures in real time with private and public entities 
and when monitoring information systems to mitigate cyber 
attacks.
    CISA would also offer protections related to public 
disclosure, (direct) regulatory, and anti-trust matters. Under 
CISA, businesses must remove personal information from threat 
indicators before sharing them.
    Second, the White House cybersecurity legislative proposal, 
or S. 456, the Cyber Threat Sharing Act of 2015. Senator Tom 
Carper introduced S. 456 about 3 weeks ago. I focus, in part, 
on this bill because it is very similar to the White House's 
January 13 cyber information-sharing proposal and it has been 
introduced.
    In contrast to CISA, White House/Carper would grant 
liability protections to companies only when sharing CTIs with 
DHS's NCCIC and ISAOs, or Information Sharing and Analysis 
Organizations, that have self-certified that they are following 
certain information-sharing practices which have not yet been 
established and won't be for some time.
    DHS is to sponsor an outside organization to determine what 
would constitute cyber info-sharing standards or best 
practices, even though leading sectors tell us that they 
already have them. The bottom line: The ISAOs-plus-standards-
setting effort warrants scrutiny before our organization 
supports it.
    Also, unlike CISA, businesses would not be protected under 
White House/Carper when monitoring information systems and 
sharing and receiving countermeasures. The White House/Carper 
bill would not write anti-trust protections into the Federal 
law.
    The lack of safeguards and protections in all of these 
areas would deter industry from participating in these 
information-sharing programs for fear of litigation or 
liability, whether at the Federal or the State levels.
    CISA and White House/Carper do share some common features 
especially in the area of privacy and civil liberties 
protection. Both CISA and the White House/Carper proposal 
narrowly define what cyber threat indicators may be shared 
among private and Government entities.
    CISA and White House/Carper require that businesses remove 
personal information from CTIs before sharing them. Like CISA, 
the White House/Carper bill would tightly limit how the Federal 
Government could use threat indicators that agencies receive.
    In sum, when comparing CISA with White House/Carper, CISA 
offers a more dynamic way to share cyber threat data among many 
businesses and Government entities, coupled with strong 
liability and related protections.
    CISA would go the furthest in helping businesses, including 
critical infrastructure, defend information systems against 
cyber attacks while protecting privacy.
    CISA is meant to help counter serious malicious attacks 
aimed at America that are being launched from threats like 
organized crime and state-sponsored groups.
    Getting an information-sharing bill signed into law this 
year, one that would actually incentivize industry to 
participate, not back away, is the Chamber's top cyber 
legislative priority.
    Again, thank you for inviting me to be here today. I would 
be happy to answer any questions. Thank you.
    [The prepared statement of Mr. Eggers follows:]
                Prepared Statement of Matthew J. Eggers
                             March 4, 2015
    Good morning, Chairman Ratcliffe, Ranking Member Richmond, and 
other distinguished Members of the committee. My name is Matthew 
Eggers, and I am a senior director of the U.S. Chamber's National 
Security and Emergency Preparedness Department. On behalf of the 
Chamber, I welcome the opportunity to testify before the Subcommittee 
on Cybersecurity, Infrastructure Protection, and Security Technologies 
regarding industry's perspectives on the President's cybersecurity 
information-sharing proposal.
    The Chamber's National Security and Emergency Preparedness 
Department was established in 2003 to develop and implement the 
Chamber's homeland and National security policies. The department works 
through the National Security Task Force, a policy committee composed 
of roughly 200 Chamber members representing practically every sector of 
the American economy. The task force's Cybersecurity Working Group, 
which I lead, identifies current and emerging issues, crafts policies 
and positions, and provides analysis and direct advocacy to Government 
and business leaders. Industry's interest in cybersecurity is healthy 
and expanding--individuals join the working group almost daily.
    The need to address increasingly sophisticated threats against U.S. 
and global businesses has gone from an IT issue to a top priority for 
the C-suite and the boardroom. Chamber President and CEO Thomas J. 
Donohue recently said, ``In an interconnected world, economic security 
and national security are linked. To maintain a strong and resilient 
economy, we must protect against the threat of cyberattacks.''
    My statement highlights the successful rollout of the National 
Institute of Standards and Technology's (NIST's) Framework for 
Improving Critical Infrastructure Cybersecurity (the framework)\1\ and 
the positive collaboration that many businesses and Government entities 
have developed over the past several months, including the Chamber's 
cybersecurity campaign--Improving Today. Protecting 
TomorrowTM.
---------------------------------------------------------------------------
    \1\ See www.nist.gov/cyberframework.
---------------------------------------------------------------------------
    I am also going to focus on policy issues--information-sharing 
legislation being the top legislative priority--that lawmakers and the 
administration need to diligently address. The information-sharing 
discussion puts too little emphasis on improving Government-to-business 
sharing. The Chamber wants to expand Government-to-business information 
sharing, which is progressing but needs improvement.\2\
---------------------------------------------------------------------------
    \2\ The Chamber submitted in October 2014 similar comments to the 
National Institute of Standards and Technology (NIST) related to 
businesses' awareness and use of the framework. See http://
csrc.nist.gov/cyberframework/rfi_comments_10_2014.html.
---------------------------------------------------------------------------
    The framework is a good start, but more work is needed to push back 
against skilled attackers. Most small and mid-size businesses (SMBs) 
tend to lack the money and personnel to beat back highly-advanced and 
nefarious actors, such as organized criminal gangs and groups carrying 
out state-sponsored attacks. No single strategy can prevent advanced 
and persistent threats--popularly known as APTs in cybersecurity 
jargon--from breaching an organization's cyber defenses.
    Policymakers have not sufficiently acknowledged this expensive, 
practical reality. American companies should not be expected to 
shoulder the substantial costs of cyber attacks emanating from well-
resourced bad actors such as criminal syndicates or nation-states--
costs typically absorbed by national governments. Nation-states or 
their proxies and other sophisticated actors are apparently hacking 
businesses with impunity--and that has got to stop.
    In addition to having policymakers acknowledge cost concerns, the 
Chamber would welcome working with the administration and Congress on 
establishing an intelligent and forceful deterrence strategy, utilizing 
an array of U.S. policy tools, which the United States currently lacks. 
U.S. policymakers need to focus on pushing back against illicit actors 
and not on blaming the victims of cybersecurity incidents.\3\
---------------------------------------------------------------------------
    \3\ The Chamber submitted comments to the Department of Homeland 
Security (DHS) on cybersecurity solutions for small and mid-size 
businesses (SMBs) in April 2014.
---------------------------------------------------------------------------
 the framework is an excellent example of an effective public-private 
  partnership. critical infrastructure awareness of the framework is 
         strong, and sector activities are robust and maturing
    The Chamber believes that the framework--which was released last 
February--has been a success. The framework represents one of the best 
examples of public-private partnerships in action. NIST and 
stakeholders in the public and private sectors should have a great 
sense of accomplishment. The Chamber, sector-based coordinating 
councils and associations, companies, and other entities collaborated 
closely with NIST in developing the framework since the first workshop 
was held in April 2013.
    Critical infrastructure sectors are keenly aware of and supportive 
of the framework. The Chamber understands that critical infrastructures 
at ``greatest risk'' have been identified and engaged by administration 
officials under the terms of the cyber executive order (EO).\4\ 
Government officials ought to ensure that all resources, particularly 
the latest cyber threat indicators (CTIs), are available to these 
enterprises to counter increasing and advanced threats.
---------------------------------------------------------------------------
    \4\ Executive Order (EO) 13636, Improving Critical Infrastructure 
Cybersecurity, is available at www.gpo.gov/fdsys/pkg/FR-2013-02-19/pdf/
2013-03915.pdf.
---------------------------------------------------------------------------
    Further, important elements of U.S. industry are aware of the 
framework and are using it or similar risk management tools. Indeed, 
the Chamber welcomed an assessment from Michael Daniel, White House 
special assistant to the President and cybersecurity coordinator, who 
remarked on September 23, 2014, at the Chamber's third cyber roundtable 
in Everett, Washington, that industry's response to the framework has 
been ``phenomenal.''
    A second White House official, Ari Schwartz, senior director for 
cybersecurity, noted on October 1, 2014, that business support for the 
framework has ``exceeded expectations.'' Such recognition is 
constructive and helps keep the private sector engaged in using the 
framework and promoting it with business partners.\5\
---------------------------------------------------------------------------
    \5\ See ``At eight-month mark, industry praises framework and eyes 
next steps,'' Inside Cybersecurity, October 6, 2014, http://
insidecybersecurity.com/Cyber-Daily-News/Daily-News/at-eight-month-
mark-industry-praises-framework-and-eyes-next-steps/menu-id-1075.html.
---------------------------------------------------------------------------
    Much of industry's favorable reaction is owed in large measure to 
NIST, which tackled the framework's development in ways that ought to 
serve as a model for other agencies and departments. In May 2014, the 
administration sent the business community a powerful message, saying 
that the framework should remain collaborative, voluntary, and 
innovative over the long term.\6\ Interestingly, public focus on the 
framework has created visibility into industry's long-standing efforts 
to address cyber risks and threats--constant, dedicated, and mostly 
silent efforts that preceded the creation of the framework.\7\
---------------------------------------------------------------------------
    \6\ The Chamber agrees with Michael Daniel's May 22 blog, Assessing 
Cybersecurity Regulations, at www.whitehouse.gov/blog/2014/05/22/
assessing-cybersecurity-regulations. The blog says that business and 
Government ``must build equally agile and responsive capabilities not 
bound by outdated and inflexible rules and procedures.'' The Chamber 
and industry partners especially urge independent agencies and Congress 
to adhere to the dynamic approach advocated by the administration and 
embodied in the nonregulatory, public-private framework. See June 11, 
2014, multiassociation letter, which is available at www.uschamber.com/
sites/default/files/documents/files/11June14GroupLetterT-
YReplytoDanielCyberBlog_Final_0.pdf.
    \7\ The on-line publication Inside Cybersecurity provides an 
excellent catalog of industry initiatives to implement data- and 
network-security best practices. See http://insidecybersecurity.com/
Sectors/menu-id-1149.html.
---------------------------------------------------------------------------
    Most notable, since the framework's release, industry has 
demonstrated its commitment to using it. Many associations are creating 
resources for their members and holding events across the country and 
taking other initiatives to promote cybersecurity education and 
awareness of the framework. Some examples are listed here. Associations 
are planning and exploring additional activities as well.
   The Alliance of Automobile Manufacturers and the Association 
        of Global Automakers have initiated a process to establish an 
        automobile industry sector information-sharing and analysis 
        center (Auto-ISAC) to voluntarily collect and share information 
        about existing or potential threats to the cybersecurity of 
        motor vehicle electronics and in-vehicle networks.
   The American Chemistry Council (ACC) is developing sector-
        specific guidance based on the NIST cyber framework to further 
        enhance and implement the council's Responsible Care Security 
        Code. ACC's Chemical Information Technology Center (ChemITC) is 
        also piloting an ISAC for the chemical sector.
   The American Gas Association (AGA) has hosted a series of 
        webinars on control system cybersecurity, is collaborating with 
        small utilities to develop robust cybersecurity programs, and 
        is working with companies to review and enhance their 
        cybersecurity posture using the Oil and Natural Gas Subsector 
        Cybersecurity Capability Maturity Model (ONG-C2M2) from the 
        Department of Energy (DOE). Among other activities, AGA has 
        stood up the Downstream Natural Gas Information and Analysis 
        Center (DNG-ISAC), an ISAC designed to help support the 
        information-sharing interests of downstream natural gas 
        utilities.
   The American Hotel & Lodging Association (AH&LA) has 
        conducted a series of widely-attended cyber and data security 
        webinars to assist small, medium, and large hotel and lodging 
        businesses with implementing key information security measures 
        and risk assessments.
   The American Water Works Association (AWWA) has created 
        cybersecurity guidance and a use-case tool to aid water and 
        wastewater utilities' implementation of the framework. The 
        guidance is cross-referenced to the framework. This tool serves 
        as implementation guidance for the framework in the water and 
        wastewater systems sector.
   Members of the Communications Sector Coordinating Council 
        (CSCC)--made up of broadcasting, cable, wireline, wireless, and 
        satellite segments--have participated in multiple NIST, 
        Department of Homeland Security (DHS), and industry 
        association-sponsored programs, webinars, and panels. The 
        sector is completing a year-long effort within the Federal 
        Communication Commission's (FCC's) Communications Security 
        Reliability and Interoperability Council (CSRIC), which 
        involves more than 100 professionals who have worked to adapt 
        the NIST framework to the sector segments and provide guidance 
        to the industry.
   The Electricity Subsector Coordinating Council has worked 
        with DOE to develop sector-specific guidance for using the 
        framework. The guidance leverages existing subsector-specific 
        approaches to cybersecurity, including DOE's Electricity 
        Subsector Cybersecurity Risk Management Process Guideline, the 
        Electricity Subsector Cybersecurity Capability Maturity Model, 
        NIST's Guidelines for Smart Grid Cyber Security, and the North 
        American Electric Reliability Corporation's (NERC's) Critical 
        Infrastructure Protection Cybersecurity Standards.
   The mutual fund industry, represented by the Investment 
        Company Institute (ICI), has added to its committee roster a 
        Chief Information Security Officer Advisory Committee. The 
        committee's mission is to collaborate on cybersecurity issues 
        and information sharing in the financial services industry and 
        provide a cyber threat protection resource for ICI members.
   The Information Technology Industry Council (ITI) visited 
        Korea and Japan in May 2014 and shared with these countries' 
        governments and business leaders the benefits of a public-
        private partnership-based approach to developing globally 
        workable cybersecurity policies. ITI highlighted the framework 
        as an example of an effective policy developed in this manner, 
        reflecting global standards and industry-driven practices. ITI 
        principals also spoke at a U.S.-European Union (EU) workshop in 
        Brussels in November 2014, comparing U.S. and E.U. policy 
        approaches with cybersecurity and emphasizing the positive 
        attributes of the framework and its development.
   The National Association of Manufacturers (NAM) has 
        spearheaded the D.A.T.A. (Driving the Agenda for Technology 
        Advancement) Policy Center, providing manufacturers with a 
        forum to understand the latest cybersecurity policy trends, 
        threats, and best practices. The D.A.T.A. Center focuses on 
        working with small and medium-size manufacturers to help them 
        secure their assets.
   Through the American Petroleum Institute (API), the oil and 
        natural gas sector has worked with DOE to complete the Oil and 
        Natural Gas Subsector Cybersecurity Capability Maturity Model 
        (ONG-C2M2). The oil and natural gas sector in 2014 established 
        an Oil and Natural Gas Information Sharing and Analysis Center 
        (ONG-ISAC) to provide shared intelligence on cyber incidents, 
        threats, vulnerabilities, and responses throughout the 
        industry.
   The Retail Industry Leaders Association (RILA), in 
        partnership with the National Retail Federation (NRF), created 
        the Retail Cyber Intelligence Sharing Center (R-CISC), 
        featuring information sharing, research, and education and 
        training. This ISAC enables retailers to share threat data 
        among themselves and to receive threat information from 
        Government and law enforcement partners.
   The U.S. Chamber of Commerce has launched its National 
        roundtable series, Improving Today. Protecting 
        TomorrowTM, recommending that businesses of all 
        sizes and sectors adopt fundamental internet security 
        practices.
 policymakers need to focus on passing information-sharing legislation 
 and deterring foreign attackers. the chamber's cybersecurity campaign 
                         enters its second year
    The NIST framework is designed to help start a cybersecurity 
program or improve an existing one. The framework puts cybersecurity 
into a common language for organizations to better understand their 
cybersecurity posture, set goals for cybersecurity improvements, 
monitor their progress, and foster communications with internal and 
external stakeholders. Looking ahead to 2015, the Chamber's 
cybersecurity campaign intends to focus on several areas, including the 
following:
    Improving information sharing is job No. 1. The framework would be 
incomplete without enacting information-sharing legislation that 
removes legal and regulatory barriers to quickly exchanging data about 
threats to U.S. companies.
   Draft Cybersecurity Information Sharing Act (CISA) of 
        2015.--On January 27, 35 associations, including the Chamber, 
        urged the Senate to quickly pass a cybersecurity information-
        sharing bill.\8\ The Senate Intelligence Committee passed in 
        July 2014 S. 2588, the Cybersecurity Information Sharing Act 
        (CISA) of 2014, a smart and workable bill, which earned broad 
        bipartisan support.
---------------------------------------------------------------------------
    \8\ The coalition letter is available at www.uschamber.com/sites/
default/files/150127_multi-association_cyber_info-
sharing_legislation_senate.pdf.
---------------------------------------------------------------------------
    The committee released in February a new draft bill--CISA 2015--for 
        stakeholder review. Recent cyber incidents underscore the need 
        for legislation to help businesses improve their awareness of 
        cyber threats and enhance their protection and response 
        capabilities.
    The Chamber urges Congress to send a bill to the President that 
        gives businesses legal certainty that they have safe harbor 
        against frivolous lawsuits when voluntarily sharing and 
        receiving threat indicators and countermeasures in real time 
        with multiple private and public entities, as well as when 
        monitoring information systems to mitigate cyberattacks.
    The legislation also needs to offer protections related to public 
        disclosure, regulatory, and anti-trust matters in order to 
        increase the timely exchange of technical CTIs and 
        countermeasures among public and private entities.
    The Chamber further believes that legislation needs to safeguard 
        privacy and civil liberties and establish appropriate roles for 
        civilian and intelligence agencies. For example, businesses 
        must remove personal information from CTIs before sharing them. 
        Private entities must share ``electronic mail or media, an 
        interactive form on an internet website, or a real time, 
        automated process between information systems'' with DHS--a 
        civilian entity--if they are to be offered protection from 
        liability.
    CISA, which is sponsored by Sens. Richard Burr and Dianne 
        Feinstein, reflects practical compromises among many 
        stakeholders on these issues. At the time of this writing, the 
        measure is expected to be marked up the week of March 9. The 
        Chamber looks forward to reviewing the bill following the mark-
        up to determine its support for the base measure and any 
        amendments. Industry is likely to strongly support CISA.
   White House cybersecurity legislative proposal (S. 456, the 
        Cyber Threat Sharing Act of 2015).--On February 11, S. 456, the 
        Cyber Threat Sharing Act of 2015, was introduced in the Senate 
        by Sen. Tom Carper. It makes sense to refer to S. 456 because 
        it is very similar to the White House's cybersecurity 
        information-sharing proposal, which was discussed at last 
        week's House Homeland Security Committee hearing, and released 
        by the administration on January 13.\9\
---------------------------------------------------------------------------
    \9\ http://homeland.house.gov/hearing/hearing-administration-s-
cybersecurity-legislative-proposal-information-sharing; 
www.whitehouse.gov/omb/legislative_letters (see January 13, 2015).
---------------------------------------------------------------------------
    CISA offers strong protections and flexible avenues for sharing 
        with public and private entities. In contrast, S. 456 would 
        grant liability protections to companies only when sharing CTIs 
        with (1) DHS' National Cybersecurity and Communications 
        Integration Center (NCCIC)--excluding law enforcement agencies, 
        among others--or with (2) information-sharing and analysis 
        organizations (ISAOs) that have self-certified that they are 
        following information-sharing best practices. (The implications 
        of the ISAOs and the new White House executive order \10\ 
        related to promoting cybersecurity information sharing, which 
        directs DHS to sponsor an ISAO standards organization to 
        establish a common set of voluntary standards for creating and 
        operating ISAOs, have not been fully assessed by industry.)
---------------------------------------------------------------------------
    \10\ www.whitehouse.gov/the-press-office/2015/02/13/executive-
order-promoting-private-sector-cybersecurity-information-shari.
---------------------------------------------------------------------------
    These two protected avenues for sharing CTIs are far too narrow and 
        limiting and do not reflect the information-sharing 
        relationships that businesses have built up over time, for 
        instance, with DHS, the Departments of Energy and Treasury, and 
        law enforcement agencies.
    Unlike CISA, businesses would not be protected under S. 456 when 
        monitoring information systems and sharing or receiving 
        countermeasures. The lack of safeguards in these areas is a 
        fundamental weakness of the White House proposal and S. 456.
    Under S. 456, cyber threat data shared with the NCCIC would 
        seemingly be protected from public disclosure and may not be 
        used as evidence in a regulatory action against the entity that 
        shared CTIs, which is welcome. However, S. 456 neither codifies 
        antitrust protections in Federal law nor preempts State law. 
        The bill simply references via a sense-of-Congress provision a 
        policy statement that was issued in April 2014 by the 
        Department of Justice and the Federal Trade Commission.\11\ 
        While this provision is constructive, anti-trust protections 
        need to be written into law to be meaningful to industry.
---------------------------------------------------------------------------
    \11\ www.justice.gov/opa/pr/justice-department-federal-trade-
commission-issue-antitrust-policy-statement-sharing.
---------------------------------------------------------------------------
    Similar to CISA, S. 456 includes strong privacy protections. Both 
        bills narrowly define what CTIs may be shared among private 
        sector and Federal Government entities.\12\ CISA and S. 456 
        require that businesses remove personal information from CTIs 
        before sharing them. The Chamber urges businesses to share 
        cybersecurity threat data with industry partners and the 
        Government. Still, the mandate to scrub personal information 
        would almost certainly sideline smaller businesses, because the 
        provision assumes that businesses would have the technical 
        know-how or the resources to scrub data. To be sure, this 
        outcome is not the intent of the bills' writers, but it is 
        important to note that this is the likely response many 
        businesses would have to such provisions.
---------------------------------------------------------------------------
    \12\ CISA 2015 and S. 456 define cyber threat indicators (CTIs) in 
section 2 of their respective bills.
---------------------------------------------------------------------------
    And, like CISA, S. 456 would also tightly limit how the Federal 
        Government could use CTIs that agencies receive. However, 
        unlike CISA, S. 456 would sunset after 5 years. A sunset 
        provision would almost certainly inhibit businesses' ability to 
        make long-term planning decisions related to risk management 
        and information-sharing investments.
    It is necessary to highlight that the Chamber supports CISA. 
        Compared with S. 456, CISA offers a more dynamic approach to 
        sharing cybersecurity threat data among multiple business and 
        Government partners, coupled with stronger protections. CISA 
        would go the furthest in helping businesses, including critical 
        infrastructure, defend information systems against cyber 
        attacks. Businesses would likely share and receive CTIs and 
        countermeasures and monitor their networks on a broader scale 
        and more confidently because CISA grants stronger liability 
        protections and better policy tools.
    Organizing roundtables with local chambers and growing market 
solutions. The Chamber is planning more cyber roundtables in 2015. Last 
year, the Chamber organized roundtable events with State and local 
chambers in Chicago, Illinois (May 22); Austin, Texas (July 10); 
Everett, Washington (September 23); and Phoenix, Arizona (October 8) 
prior to the Chamber's Third Annual Cybersecurity Summit on October 28.
    Leading member sponsors of the campaign were American Express, 
Dell, and Splunk. Other sponsors were the American Gas Association, 
Boeing, the Edison Electric Institute, Exelon, HID Global, Microsoft, 
Oracle, and Pepco Holdings, Inc., and The Wall Street Journal.
    Each roundtable featured cybersecurity principals from the White 
House, DHS, NIST, and local FBI and Secret Service officials. The 
Chamber and its partners urged businesses to adopt fundamental internet 
security practices to reduce network and system weaknesses and make the 
price of successful hacking increasingly steep. The Chamber also urged 
businesses to improve their cyber risk management processes.
    All businesses should understand common on-line threats that can 
lead them to become victims of cyber crime. Using the framework and 
similar risk management tools, such as the Chamber's Internet Security 
Essentials for Business 2.0 guidebook,\13\ is ultimately about making 
your business more secure and resilient. The Chamber encourages 
businesses to report cyber incidents. Perfect on-line security is 
unattainable, even for large businesses. Innovative solutions are 
regularly being brought to market because cyber threats are always 
changing. Businesses should report cyber incidents and on-line crime to 
their FBI or Secret Service field offices.
---------------------------------------------------------------------------
    \13\ The booklet is available free for downloading at 
www.uschamber.com/issue-brief/internet-security-essentials-business-20.
---------------------------------------------------------------------------
    Increasing public awareness of the framework. The Chamber urges 
policymakers to commit greater resources over the next several years to 
growing awareness of the framework and risk-based solutions through a 
National education campaign. A broad-based campaign involving Federal, 
State, and local governments and multiple sectors of the U.S. economy 
would spur greater awareness of cyber threats and aggregate demand for 
market-driven cyber solutions.
    The Chamber believes that Government--particularly independent 
agencies--should devote their limited time and resources to assisting 
resource-strapped enterprises, not trying to flex their existing 
regulatory authority. After all, while businesses are working to 
detect, prevent, and mitigate cyber attacks originating from 
sophisticated criminal syndicates or foreign powers, they should not 
have to worry about regulatory or legal sanctions.
    Engaging law enforcement. The Chamber plans to continue its close 
contact with the FBI and the Secret Service to build trusted public-
private relationships, which are essential to confirming a crime and 
beginning criminal investigations. The Chamber encourages businesses to 
partner with law enforcement before, during, and after a cyber 
incident. FBI and Secret Service officials have participated in each of 
the Chamber's roundtables.
    Harmonizing cybersecurity regulations. Information-security 
requirements should not be cumulative. The Chamber believes it is 
valuable that agencies and departments are urged under the E.O. to 
report to the Office of Management and Budget any critical 
infrastructure subject to ``ineffective, conflicting, or excessively 
burdensome cybersecurity requirements.'' The Chamber urges the 
administration and Congress to prioritize eliminating burdensome 
regulations on businesses. One solution could entail giving businesses 
credit for information security regimes that exist in their respective 
sectors.\14\ It is positive that Michael Daniel, the administration's 
lead cyber official, has made harmonizing existing cyber regulations 
with the framework a priority.
---------------------------------------------------------------------------
    \14\ The business community already complies with multiple 
information security rules. Among the regulatory requirements impacting 
businesses of all sizes are the Chemical Facilities Anti-Terrorism 
Standards (CFATS), the Federal Energy Regulatory Commission--North 
American Reliability Corporation Critical Information Protection (FERC-
NERC CIP) standards, the Gramm-Leach-Bliley Act (GLBA), the Health 
Insurance Portability and Accountability Act (HIPAA), and the Sarbanes-
Oxley (SOX) Act. The Securities and Exchange Commission (SEC) issued 
guidance in October 2011 outlining how and when companies should report 
hacking incidents and cybersecurity risks. Corporations also comply 
with many non-U.S. requirements, which add to the regulatory mix.
---------------------------------------------------------------------------
    Raising adversaries' costs through deterrence. The Chamber is 
reviewing actions that businesses and Government can take to deter 
nefarious actors that threaten to empty bank accounts, steal trade 
secrets, or damage vital infrastructures. While our organization has 
not formally endorsed the report, the U.S. Department of State's 
International Security Advisory Board (ISAB) issued in July draft 
recommendations regarding cooperation and deterrence in cyberspace.
    The ISAB's recommendations--including cooperating on crime as a 
first step, exploring global consensus on the rules of the road, 
enhancing governments' situational awareness through information 
sharing, combating IP theft, expanding education and capacity building, 
promoting attribution and prosecution, and leading by example--are 
sensible and worthy of further review by cybersecurity 
stakeholders.\15\
---------------------------------------------------------------------------
    \15\ The ISAB report is available at www.state.gov/documents/
organization/229235.pdf.
---------------------------------------------------------------------------
    The Chamber believes that the United States needs to coherently 
shift the costs associated with cyber attacks in ways that are legal, 
swift, and proportionate relative to the risks and threats. 
Policymakers need to help the law enforcement community, which is a key 
asset to the business community but numerically overmatched compared 
with illicit hackers.\16\
---------------------------------------------------------------------------
    \16\ The Chamber argued for a clear cyber deterrence strategy in 
its December 2013 letter to NIST on the framework. See http://
csrc.nist.gov/cyberframework/framework_comments/
20131213_ann_beauchesne_uschamber.pdf.
---------------------------------------------------------------------------
    Making incentives work. In an April 2013 letter to NIST regarding 
businesses' use of the framework and the role of incentives, the 
Chamber provides its views on extending liability protections related 
to information-sharing legislation, a safe harbor related to using the 
framework, SAFETY Act applicability to the framework; eliminating 
cybersecurity regulations, leveraging Federal procurement, and making 
the research and development (R&D) tax credit permanent.\17\
---------------------------------------------------------------------------
    \17\ The letter is available at www.ntia.doc.gov/files/ntia/
29apr13_chamber_comments.pdf.
---------------------------------------------------------------------------
    The Chamber appreciates that the administration is assessing a mix 
of incentives that could induce businesses to use the framework.\18\ 
However, in the Chamber's view, it is imperative that the 
administration, independent agencies, and lawmakers extend to companies 
the assurance that the cybersecurity framework and any actions taken in 
relation to it remain collaborative, flexible, and innovative over the 
long term. The Chamber believes that the presence of these qualities, 
or the lack thereof, would be a key determinant to use of the framework 
by U.S. critical infrastructure as well as businesses generally.
---------------------------------------------------------------------------
    \18\ See www.whitehouse.gov/blog/2013/08/06/incentives-support-
adoption-cybersecurity-framework.
---------------------------------------------------------------------------
         roadmap for the future of the cybersecurity framework
    In February 2014, NIST released a Roadmap to accompany the 
framework. The Roadmap outlines further areas for possible 
``development, alignment, and collaboration.''\19\ The Chamber noted in 
an October 2014 letter to NIST some key areas that it sees as needing 
more attention. The Chamber would highlight for the committee the 
importance of aligning international cybersecurity regimes with the 
framework.
---------------------------------------------------------------------------
    \19\ The Roadmap is available at www.nist.gov/cyberframework/
upload/roadmap-021214.pdf.
---------------------------------------------------------------------------
    Many Chamber members operate globally and appreciate that NIST has 
been actively meeting with foreign governments urging them to embrace 
the framework. Like NIST, the Chamber believes that efforts to improve 
the cybersecurity of the public and private sectors should reflect the 
borderless and interconnected nature of our digital environment.
    Standards, guidance, and best practices relevant to cybersecurity 
are typically industry-driven and adopted on a voluntary basis; they 
are most effective when developed and recognized globally. Such an 
approach would avoid burdening multinational enterprises with the 
requirements of multiple, and often conflicting, jurisdictions.\20\ The 
administration should organize opportunities for stakeholders to 
participate in multinational discussions. The Chamber encourages the 
Federal Government to work with international partners and believes 
that these discussions should be stakeholder-driven and occur on a 
routine basis.
---------------------------------------------------------------------------
    \20\ The Chamber sent a letter in September 2013 to Dr. Andreas 
Schwab, member of the European Parliament's Internal Market and 
Consumer Protection Committee, recommending amendments to the proposed 
European Union (E.U.) cybersecurity directive. The Chamber argues that 
cybersecurity and resilience are best achieved when organizations 
follow voluntary global standards and industry-driven practices.
---------------------------------------------------------------------------
passing an industry-supported information-sharing bill is the chamber's 
                   top cyber legislative goal in 2015
    Cyber attacks aimed at U.S. businesses and Government entities are 
being launched from various sources, including sophisticated hackers, 
organized crime, and state-sponsored groups. These attacks are 
advancing in scope and complexity. Most policymakers and practitioners 
appreciate that the intent of legislation is not to spur more 
information sharing for its own sake. Rather, the goal is to help 
companies achieve timely and actionable situational awareness to 
improve the business community's and the Nation's detection, 
mitigation, and response capabilities.
    Additional positive side effects of enacting cyber information-
sharing legislation include strengthening the security of personal 
information that is maintained on company networks and systems and 
increasing costs on nefarious actors. The bill would also complement 
the NIST framework, which many industry associations and companies are 
embracing and promoting with their business partners. Congressional 
action on cybersecurity information-sharing legislation cannot come 
quickly enough.

    Mr. Ratcliffe. Thank you, Mr. Eggers.
    It is my understanding that votes have been called. We 
expect to return roughly 10 minutes after the last vote. So, 
without objection, the subcommittee is in recess subject to the 
call of the Chairman.
    [Recess.]
    Mr. Ratcliffe. Appreciate everyone's patience. We're 
accommodating with the weather, and I think we're going to have 
some Members return. But I want to continue with everyone's 
testimony.
    So I appreciate, Mr. Eggers, your testimony.
    Next we would love to hear from Ms. Callahan.

TESTIMONY OF MARY ELLEN CALLAHAN, JENNER & BLOCK, FORMER CHIEF 
     PRIVACY OFFICER, U.S. DEPARTMENT OF HOMELAND SECURITY

    Ms. Callahan. Thank you, sir.
    Good afternoon, Chairman Ratcliffe. Thank you for the 
opportunity to appear before you today.
    My name is Mary Ellen Callahan, and I'm a partner at the 
law firm of Jenner & Block, where I chair the privacy and 
information governance practice. From 2009 to 2012, I served as 
the Chief Privacy Officer of the U.S. Department of Homeland 
Security. I'm appearing before this committee in my personal 
capacity.
    Cybersecurity information sharing is vital to protect 
private- and public-sector assets. In order to prepare for 
disclosing cybersecurity threat indicators, however, to the 
other entities in the cybersecurity ecosystem, the information 
sharing with the Government must meet certain standards to 
address industry interests and needs.
    There are six factors that are crucial for establishing 
robust effective private-sector information sharing with the 
Government:
    First, the Government must establish and implement 
legitimate privacy safeguards.
    Second, clearly-established controls must be placed on what 
the Government does with that shared information.
    Third, the controls must include civilian interface with 
the private sector, not just as an intake center, but for all 
communications and coordination related to cybersecurity 
information sharing.
    Fourth, a value proposition for the information sharing 
must be established.
    Fifth, liability limitations must be provided both civilly 
and criminally.
    Finally, the Congress should expressly provide the Privacy 
and Civil Liberties Oversight Board with oversight authority 
over cybersecurity, including information sharing.
    It is unfortunate that the 2015 Executive Order did not 
elaborate on the necessary privacy and civil liberties 
protections, particularly with regard to private-sector 
information sharing.
    Nonetheless, the DHS Privacy Officer and Office for Civil 
Rights and Civil Liberties can address those private-sector 
concerns, including with the intersection of the Information 
Sharing and Analysis Organizations, or ISAOs.
    DHS has been quite transparent about its cybersecurity 
capacities and privacy protections starting from the time when 
Mr. Garcia was at Homeland Security. This work will assist DHS 
in establishing deeper relations with the new and existing 
ISAOs.
    In addition, as this subcommittee knows, the DHS Chief 
Privacy Officer has unique investigatory authorities. 
Therefore, in the event that something went awry in the future, 
the Chief Privacy Officer can investigate these activities. 
That authority may be of interest to the private companies and 
ISAOs as more private information starts to flow into the 
Government.
    There are three categories of information that companies 
may provide when sharing cybersecurity threat indicators: 
Information directly associated the cyber threat; information 
related to the cyber threat; and information incidentally 
retained when sharing the threat indicators themselves.
    To limit the amount of incidentally retained and related 
information being shared, companies should implement strict 
data minimization standards. Frequently, however, it may not be 
evident upon initial sharing which information is directly 
associated with the threat and which information is either 
incidentally retained or only related to the cyber threat. 
Therefore, more information than necessary may be shared.
    As a result, the Federal Government should implement a 
secondary data minimization review and limit any sharing of 
information only to the information directly associated with 
the threat.
    In certain discussions, there have been recommendations to 
share all cybersecurity threat information, including the 
related and incidentally-retained information, as soon as 
possible with all Government entities. This is ill-advised.
    If such sharing were to occur, each agency would need to 
re-analyze the information to determine what is relevant and 
what is not. If there is a requirement to immediately share, 
then more information than necessary will be shared throughout 
the Government.
    Wide-spread sharing of related or incidentally-retained 
information will chill information sharing generally. Companies 
will not want their non-cyber-threat information shared widely, 
even if there are use limitations. To be clear, use limitations 
must be placed to provide guidance to the Government and 
necessary comfort to the sharing companies.
    The use of private-sector shared information must be 
cabined to only include use for cybersecurity threat and 
response. Relatedly, the Federal Government, including 
intelligence agencies, should have limitations on what agencies 
can retain and for how long with regard to the shared 
information from companies.
    Ensuring civilian control of the life cycle of 
cybersecurity information from the private sector is critical 
to comfort private companies before they share cybersecurity 
threat indicators in volume.
    Critical infrastructure sectors in companies have had 
reservations about information being shared that may not only 
be used for informing other vulnerable entities, but also would 
have been used for investigations or National security without 
concomitant benefit.
    The liability limitation is also important. Companies and 
ISAOs need to be comforted that the information they share will 
be appropriately protected.
    Finally, the Privacy and Civil Liberties Oversight Board 
authority should be expanded to include oversight of 
cybersecurity activities, including information sharing with 
and from the private sector.
    Thank you.
    [The prepared statement of Ms. Callahan follows:]
               Prepared Statement of Mary Ellen Callahan
                             March 4, 2015
    Chairman Ratcliffe, Ranking Member Richmond, distinguished Members 
of the subcommittee, thank you for the opportunity to appear before you 
today. My name is Mary Ellen Callahan. I am a partner at the law firm 
of Jenner & Block, where I chair the Privacy and Information Governance 
Practice and counsel private-sector clients on integrating privacy and 
cybersecurity. From March 2009 to August 2012, I served as the chief 
privacy officer at the U.S. Department of Homeland Security (DHS or 
Department). I have worked as a privacy professional for 17 years and 
have National and international experience in integrating privacy into 
business and Government operations. I am appearing before this 
subcommittee in my personal capacity and not on behalf of any other 
entity.
    Cybersecurity information sharing is vital to protect the private 
and public-sector assets. In order to prepare for disclosing 
cybersecurity threat indicators to other entities in the cybersecurity 
ecosystem, however, the information sharing with the Government must 
meet certain standards to address industry interests and needs.
    In my testimony, I will address six factors that are crucial to 
establishing robust, effective private-sector information sharing with 
the Government. First and foremost, to encourage and facilitate 
private-sector information sharing, the Government must develop and 
implement legitimate privacy safeguards. Second, clearly-established 
controls must be placed on what the Government does with the shared 
information. Third, those controls must include identifying and 
empowering a civilian interface with the private sector on information 
sharing--not just as an intake center, but for all communications 
related to cybersecurity information sharing. The fourth necessary step 
is to establish the value proposition for information sharing; 
information sharing must be at an acceptable cost and provide minimal 
risk for the participants. Its companion point is to define clear and 
objective limitations on liability for companies that participate in 
information sharing--both civilly and criminally. And finally, Congress 
should expressly provide the Privacy and Civil Liberties Oversight 
Board with oversight authority over cybersecurity, including 
information sharing.
     privacy safeguards are essential to effective private sector 
                          information sharing
    As Apple CEO Tim Cook noted at the Cybersecurity Summit last month, 
we have to protect our privacy rights or we will all face dire 
consequences. At the same Summit, President Obama concurred, saying, 
``When people go on-line, we shouldn't have to forfeit the basic 
privacy we're entitled to as Americans.'' However, the Executive Order 
on Promoting Private Sector Cybersecurity Information Sharing does not 
include a comprehensive privacy and civil liberties framework relating 
to private-sector sharing, instead focusing only on the intra-
Government sharing, instructing agencies to work with their Senior 
Agency Officials for Privacy (SAOPs) to ensure that appropriate 
internal privacy protections are in place.
    This decentralized and Government-only approach is flawed in two 
ways. Following the 2013 Executive Order on Improving Cybersecurity, 
each of the SAOPs for the major agencies prepared their assessments of 
how they were complying with privacy and civil liberties protections in 
department-to-department sharing. The detail and level of analysis by 
the SAOPs differed greatly. Having a decentralized assessment of 
privacy impacts, including how to intersect with the private sector, 
will delay the implementation of adequate privacy protections, and will 
not instill confidence from the private sector. Furthermore, this 
decentralized approach does not need to take place under the 2015 
Executive Order--because DHS has already has an existing infrastructure 
in place, and it has been identified as the key department in this 
private-sector information-sharing exercise.
    It is unfortunate that the 2015 Executive Order did not elaborate 
on the necessary privacy and civil liberties protections, particularly 
with regard to private-sector information sharing. Nonetheless, the DHS 
Privacy Office and Office for Civil Rights and Civil Liberties can lead 
these inter-agency efforts to address private-sector concerns, 
including with the intersection of Information Sharing and Analysis 
Organizations (ISAOs).
    Without a White House-based privacy policy official, the DHS Chief 
Privacy Officer frequently serves as de facto privacy policy leadership 
between and among the departments and agencies. As I testified before 
this subcommittee in April 2013, DHS has taken multiple steps to 
integrate cybersecurity and privacy as part of the Department's 
cybersecurity mission. DHS has thoroughly integrated the Fair 
Information Practice Principles (FIPPs) into its cybersecurity 
programs. The FIPPS are the ``widely accepted framework of defining 
principles to be used in the evaluation and consideration of systems, 
processes, or programs that affect individual privacy.''\1\
---------------------------------------------------------------------------
    \1\ The Fair Information Practice Principles as articulated in 
National Strategy for Trusted Identities in Cyberspace, April 2011, 
available at: http://www.whitehouse.gov/sites/default/files/rss_viewer/
NSTICstrategy_041511.pdf
---------------------------------------------------------------------------
    DHS has been quite transparent about its cybersecurity 
capabilities. As discussed below, transparency is an important tenet 
under the FIPPs and an important cornerstone to encourage industry 
participation. DHS has published several Privacy Impact Assessments 
(PIAs) detailing pilot programs and information sharing among and 
between Government entities as well as with private companies that have 
signed Cooperative Research and Development Agreements (CRADAs). This 
work will assist DHS in establishing deeper relationships with new and 
existing ISAOs.
    The Department already has skilled, dedicated privacy professionals 
who can help navigate the privacy protections needed for effective 
information sharing, with multiple cyber privacy professionals on 
staff. These individuals focus on integrating the FIPPs of purpose 
specification, data minimization, use limitation, data quality and 
integrity and security systematically into all DHS cybersecurity 
activities.
    As part of its mission to implement the FIPPs and to integrate 
privacy protections into DHS cybersecurity activities, DHS privacy 
professionals review and provide comments and insight into 
cybersecurity Standard Operating Procedures (SOPs) (including protocols 
for human analysis and retention of cyber alerts, signatures, and 
indicators for minimization of information that could be personally 
identifiable information), statements of work, contracts, and 
international cyber information-sharing agreements. The DHS cyber 
privacy professionals review all of the CRADAs signed with private 
companies.
    An important tenet of the FIPPs is the concept of accountability--
periodically reviewing and confirming that the privacy protections 
initially embedded into any program remain relevant and that those 
protections are implemented.
    While I was DHS Chief Privacy Officer, I instituted ``Privacy 
Compliance Reviews'' (PCRs) to confirm the accountability of several of 
DHS's programs.\2\ We designed the PCR to improve a program's ability 
to comply with assurances made in PIAs, System of Records Notices, and 
formal information-sharing agreements. The Office conducts PCRs of on-
going DHS programs with program staff to ascertain how required privacy 
protections are being implemented and to identify areas for 
improvement.
---------------------------------------------------------------------------
    \2\ See DHS Privacy Office Annual Report, July 2011-June 2012 at 
39-40 for a detailed discussion of Privacy Compliance Reviews.
---------------------------------------------------------------------------
    Given the importance of the DHS mission in cybersecurity, the DHS 
Privacy Office conducted a Privacy Compliance Review in late 2011, 
publishing it in early 2012.\3\ The DHS Privacy Office found the DHS 
cybersecurity entities generally complied with the privacy requirements 
in the relevant Privacy Impact Assessments. Specifically, the DHS 
cybersecurity entities fully complied with collecting information, 
using information, internal and external sharing with Federal agencies 
and accountability requirements.
---------------------------------------------------------------------------
    \3\ Privacy Compliance Review of the EINSTEIN Program, January 3, 
2012, available at: http://www.dhs.gov/xlibrary/assets/privacy/
privacy_privcomrev_nppd_ein.pdf.
---------------------------------------------------------------------------
    In addition, as this subcommittee knows, the DHS chief privacy 
officer has unique investigatory authorities. Therefore, in the 
unlikely event that something went awry in the future, the Chief 
Privacy Officer can investigate those activities.\4\ This investigatory 
authority may be of interest to the private companies and ISAOs as more 
private information starts to flow into the Government.
---------------------------------------------------------------------------
    \4\ 6 U.S.C.  142(b). See DHS Privacy Office Annual Report, July 
2011-June 2012 at 40 for a discussion of the DHS chief privacy officer 
investigatory authorities.
---------------------------------------------------------------------------
    The procedures, staffing, accountability and integration into the 
relationships with private-sector entities through CRADAs demonstrate 
the way in which privacy protections are integrated throughout the DHS 
cybersecurity program. A framework is in place to address privacy and 
civil liberties issues for private-sector information sharing, and DHS 
is well-positioned to extend those privacy protections to private-
sector information sharing on a larger scale.
        establish appropriate limitations on information sharing
    Consistent with the FIPPs and private-sector company expectations, 
there must be clearly-defined controls associated with the 
cybersecurity threat indicators and the related information.
    As the DHS portion of the 2013 Executive Order report noted, there 
are at least three categories of information that companies may provide 
when sharing cybersecurity threat indicators--information directly 
associated with the cybersecurity threat, information related to the 
cyber threat, and information incidentally retained when sharing the 
threat indicators themselves.\5\
---------------------------------------------------------------------------
    \5\ Executive Order 13636 Privacy and Civil Liberties Assessment 
Report 2014, available at: http://www.dhs.gov/sites/default/files/
publications/2014-privacy-and-civil-liberties-assessment-report.pdf
---------------------------------------------------------------------------
    To limit the amount of incidentally retained and related 
information being shared, companies should implement strict data 
minimization standards. Frequently, however, it may not be evident upon 
initial sharing--especially because time may be of the essence--which 
information is directly associated with the cybersecurity threat and 
which information is either incidentally retained or only related to 
the cyber threat. Therefore, more information than necessary may be 
shared. As a result, the Federal Government/DHS should implement a 
secondary data minimization review and limit any sharing of information 
only to the information directly associated with the cyber threat.
    In certain discussions, there are recommendations to share all 
cybersecurity threat information--including the related and 
incidentally-retained information--as soon as possible with all 
Government entities. This is ill-advised, for a few reasons. First, 
this approach does not assist the other entities in identifying the 
relevant information and requires each agency to re-analyze the 
information to determine what is relevant and what is not. That is 
inefficient. Instead, sharing immediately shifts the burden of 
implementation and analysis to every entity and decentralizes the skill 
set. If there is a requirement to immediately share, then more 
information than necessary--and possibly inaccurate information--will 
be shared throughout the Government. For these two reasons, the experts 
at DHS should first parse the information and apply data minimization 
principles to allow other agencies to respond quickly to the threat 
itself, rather than weeding through potentially disparate layers of 
information. The same principle of double data minimization applies to 
information sharing between and among companies.
    Wide-spread sharing of related or incidentally-retained information 
will chill information sharing generally. Companies will not want their 
non-cyber information shared widely, even if there are use limitations. 
Providing anonymity for producers (especially private companies)--
allowing them an environment to share safely without fear of backlash 
regarding their vulnerabilities--is vital to encourage cooperation. 
Companies are legitimately concerned that their valuable trade secrets 
or business-sensitive information may be available to the Government 
and their competitors if the non-cyber threat indicators are not 
minimized.
    Even if cyber threat indicators are judiciously shared, use 
limitations related to the shared information must be in place. In 
addition to the liability limitations discussed below, the use of 
private sector-shared information must be cabined to include only use 
for cybersecurity threat and response. Relatedly, the Federal 
Government (including intelligence agencies) should have limitations on 
what agencies can retain and for how long with regard to the unique 
information from companies, rather than the distilled threat 
indicators.
civilian control of the cybersecurity information sharing is crucial to 
                 encourage private information sharing
    Ensuring civilian control of the life cycle of cybersecurity 
information from the private sector is critical to comfort private 
companies before they share cyber threat indicators in volume. Critical 
infrastructure sectors and companies have reservations that information 
being shared may not only be used to inform other vulnerable entities, 
but also would be used for investigations or National security, without 
any other concomitant benefit. The Executive Order is silent on the 
issue of civilian control for the life cycle of the private-sector 
relationship, but that control is crucial to the development of 
repeatable, consistent information sharing.
    Identifying DHS as the private-sector interface is vital to placate 
these concerns. This committee began this process with the legislative 
establishment of the National Cybersecurity and Communications 
Integration Center (NCCIC) in 2014 through the National Cybersecurity 
Protection Act. DHS must continue to be the primary interface with the 
private sector, and must not just be seen as a pass-through to the 
intelligence community.
    As noted above, DHS has been transparent about its cybersecurity 
activities, which is imperative to develop credentials and credibility 
with the private sector. Now that NCCIC has been identified as the 
leading agency, any information sharing must go through it. As 
Assistant Secretary Andy Ozment reported to this committee in February, 
NCCIC received 97,000 incident reports, released 12,000 actionable 
cyber alerts or warnings and responded to 115 cyber incidents last 
year. These statistics demonstrate that DHS is maturing. As a civilian 
agency, it is well-positioned to liaise between private companies and 
the Government.
            information sharing must not threaten companies
    Information sharing must be at an acceptable cost and, therefore, 
provide minimal risk for the participants. If participants believe they 
will be targeted by attackers by sharing information, such as 
configurations, vulnerabilities, or even the fact that they have been 
targeted, they will not be willing to share information.
    DHS has received thorough advice--including from private-sector 
representatives and advocates--as part of its Federal Advisory 
Committee Act privacy committee, the Data Privacy and Integrity 
Advisory Committee. The DPIAC issued a significant advisory paper for 
DHS to consider when implementing information-sharing pilots and 
programs with other entities, including the private sector.\6\ The 
report addresses two important questions in privacy and cybersecurity: 
``What specific privacy protections should DHS consider when sharing 
information from a cybersecurity pilot project with other agencies?'' 
and ``What privacy considerations should DHS include in evaluating the 
effectiveness of cybersecurity pilots?'' This type of advice helps DHS 
design systems to avoid antagonizing companies and ISAOs and comfort 
them they will not somehow be punished for participating.
---------------------------------------------------------------------------
    \6\ Report from the Cyber Subcommittee to the Data Privacy and 
Integrity Advisory Committee (DPIAC) on Privacy and Cybersecurity 
Pilots, Submitted by the DPIAC Cybersecurity Subcommittee, November 
2012, available at: http://www.dhs.gov/sites/default/files/
publications/privacy/DPIAC/dpiac_cyberpilots_10_29_2012.pdf.
---------------------------------------------------------------------------
            limitations on liability must be clearly defined
    The issue of liability limitations has been discussed at length 
during the pendency of the cybersecurity legislation. It obviously is 
an important issue for companies, and it needs to be resolved 
appropriately in order to encourage information sharing. With that 
said, having clearly-defined limitations may help companies even more 
than having a ``notwithstanding any other law'' blanket exception.
    The liability limitation must address at least two aspects 
directly. First, the shared information cannot be shared with other 
agencies and then used in a civil or criminal enforcement action 
against the sharing company. That is crucial. Furthermore, the shared 
information should not be used in civil or criminal enforcement actions 
against a third party who is not the cyber attacker--namely, if shared 
information contains damning information either about the sharing 
company or a third-party company, the Government's awareness of that 
information cannot lead to enforcement.
    Furthermore, companies and ISAOs need to be comforted that the 
information they share will be appropriately protected. The DHS 
transparency on its systems will hopefully ameliorate that concern.
    The anti-trust concerns raised in earlier Congresses have waned in 
light of the Joint Department of Justice/Federal Trade Commission 
Statement Antitrust Policy Statement on Sharing of Cybersecurity 
Information.\7\ Nonetheless, more clarity, particularly vis-a-vis 
inter-company sharing, will induce more information sharing.
---------------------------------------------------------------------------
    \7\ http://www.justice.gov/atr/public/guidelines/305027.pdf.
---------------------------------------------------------------------------
privacy and civil liberties oversight board should be granted oversight 
            authority over cybersecurity information sharing
    The Privacy and Civil Liberties Oversight Board (PCLOB) serves an 
important oversight function on intelligence and National security 
activities related to terrorism. The PCLOB's authority should be 
expanded to include oversight on cybersecurity activities, including 
information sharing with and from the private sector. This addition 
will further bolster the FIPPs throughout the cyber information-sharing 
life cycle, and will provide additional oversight capacity over the 
collection, use, sharing, and retention of private-sector information.
    Thank you for the opportunity to appear before this subcommittee 
this afternoon. I would be happy to take any questions you may have.

    Mr. Ratcliffe. Thank you, Ms. Callahan.
    The Chairman now recognizes Mr. Garcia to testify.

 TESTIMONY OF GREGORY T. GARCIA, EXECUTIVE DIRECTOR, FINANCIAL 
              SERVICES SECTOR COORDINATING COUNCIL

    Mr. Garcia. Thank you, Mr. Chairman. Thanks for the 
opportunity to address the subcommittee about the President's 
information-sharing Executive Order.
    The Financial Services Sector Coordinating Council, or 
FSSCC, was establishes in 2002. It involves 65 of the largest 
financial services providers and their industry associations. 
Its mission is to coordinate sector-wide efforts to strengthen 
the resiliency of the financial services sector against threats 
to the Nation's critical infrastructure. So we're focused on 
the critical infrastructure sector.
    In practice, this means that we work with Government and 
other partners to address information-sharing content and 
procedures, incident response, cyber and operational risk 
management best practices, and appropriate policy enhancements 
to support the above objectives.
    We've learned over the years that strong risk management 
requires participating in communities of trust that share 
information on cyber and physical threats, vulnerabilities, and 
incidents. This is based on the simple concept of strength in 
numbers, the neighborhood watch, shared situational awareness.
    While the FSSCC focuses on longer-term trends and strategy, 
our sector's operational arm is the Financial Services 
Information Sharing and Analysis Center, or FS-ISAC. The FS-
ISAC participates in many information-sharing programs. One key 
partner that you mentioned in your opening statement is the 
National Cybersecurity and Communications Integration Center, 
or NCCIC.
    The NCCIC is a hub for sharing information about cyber and 
communications incidents across sectors, and the financial 
sector has a seat on the NCCIC watch floor. The industry-sector 
officials that serve on the NCCIC are cleared at the Top Secret 
level. So they attend daily briefs and other NCCIC meetings 
about threats, vulnerabilities, and incidents affecting the 
financial sector.
    Within the sector, FS-ISAC manages a formal structure for 
collecting, analyzing, and sharing actionable intelligence and 
best practices among members and the sector, as well as with 
our industry, Government, and law enforcement partners. I'll be 
happy to talk about all of that in detail during Q and A about 
how we do that.
    The sector continues to make progress on the speed and 
reliability of its information-sharing efforts. Late last year, 
for example, the financial sector announced a new automated 
threat-sharing capability called Soltra Edge. This uses open 
standards funded by DHS that facilitate automated machine-to-
machine information sharing.
    It helps our industry increase the speed, scale, and 
accuracy of information sharing, and it accelerates the time to 
resolution. It can be used by any sectors and with any sectors 
or information-sharing groups. So this is a way of 
complimenting human-to-human sharing by using machine-to-
machine whenever possible.
    So the point is the financial sector has a very robust 
information-sharing environment among ourselves and with the 
Government and we're always working to improve it.
    So let me just spend the final moments of my statement 
discussing the President's Executive Order on private-sector 
information sharing.
    In our view, the administration's Executive Action is a 
positive step. We expect it has the potential to increase the 
volume and quality of actionable and timely cybersecurity 
information. We offer a few observations that can inform 
implementation of the order.
    First, as the sharing and use of Classified information can 
improve our response capability, it's important that the 
clearance process for critical sectors like ours is fast and 
efficient. The Executive Order supports this goal by enhancing 
DHS's involvement in the clearance process. This can help 
accelerate the security clearance process for critical sector 
owners and operators.
    Also, in general, we support the creation of the ISAOs, 
Information Sharing Analysis Organizations. This can be a way 
for noncritical sector groups to share cybersecurity 
information and coordinate analysis and response.
    We understand that the impetus for the ISAO proposal was to 
raise awareness for stakeholder groups looking to coalesce 
around joint information-sharing objectives, and we believe 
that the ISAO standards development process should build on the 
strong foundation laid by the ISACs.
    We caveat, however, that ISACs, as distinct from ISAOs, 
must retain their special partnership status with the 
Government, given their broad sector representation and a 
strong cadre of operational support with security clearances.
    Certain important principles need to be kept in mind for 
the standards development process. Sharing is successful within 
communities of trust when there are clear and enforced 
information-handling rules.
    Information sharing is not a competitive sport. Operational 
standards should incentivize federated information-sharing. 
Intelligence needs to be fused across trust communities, not 
diffused or siloed.
    Government processes for collecting, analyzing, and 
packaging intelligence for private-sector consumption must be 
streamlined and transparent. Indeed, the 2013 Executive Order 
directs the Government to do just that.
    In anticipating the potential for heavy demands from a 
proliferation of ISAOs, the NCCIC should prioritize its 
resources and engagements according to established criteria. 
They'll need to consider Government capacity to effectively 
serve critical sector constituents in steady-state and surge 
mode. They need to consider the reach those stakeholders have 
into their sectors and the effectiveness of their capabilities.
    It's also important that the ISAO standards development 
process be collaborative, open, and transparent. The process 
managed during the development of the NIST cybersecurity 
framework, for example, is an excellent example of this 
principle.
    Okay. Mr. Chairman, that concludes my oral remarks. I'll be 
happy to answer questions.
    [The prepared statement of Mr. Garcia follows:]
                Prepared Statement of Gregory T. Garcia
                             March 4, 2015
    Chairman Ratcliffe, Ranking Member Richmond, and Members of the 
subcommittee, thank you for this opportunity to address the 
subcommittee about the President's information sharing Executive Order.
    My name is Gregory T. Garcia. I am executive director of the 
Financial Services Sector Coordinating Council (FSSCC), which was 
established in 2002 and involves 65 of the largest financial services 
providers and industry associations representing clearinghouses, 
commercial banks, credit card networks and credit rating agencies, 
exchanges/electronic communication networks, financial advisory 
services, insurance companies, financial utilities, Government-
sponsored enterprises, investment banks, merchants, retail banks, and 
electronic payment firms.
                             fsscc mission
    The mission of the FSSCC is to strengthen the resiliency of the 
financial services sector against attacks and other threats to the 
Nation's critical infrastructure by proactively identifying threats and 
promoting protection, driving preparedness, collaborating with the 
Federal Government, and coordinating crisis response for the benefit of 
the financial services sector, consumers and the Nation's economic 
security. During the past decade, this strategic partnership has 
continued to grow, in terms of both the size and commitment of its 
membership and the breadth of issues it addresses. Members volunteer 
their time and resources to FSSCC with a sense of responsibility to the 
broader sector, financial consumers and the Nation.
    In simplest terms, members of the FSSCC assess security and 
resiliency trends and policy developments affecting our critical 
financial infrastructure, and coordinate among ourselves and with our 
partners to develop a consolidated point of view and coherent strategy 
for dealing with those issues.
    Accordingly, our sector's primary objectives are to:
    1. Implement and maintain structured routines for sharing timely 
        and actionable information related to cyber and physical 
        threats and vulnerabilities among firms, across sectors of 
        industry, and between the private sector and Government.
    2. Improve risk management capabilities and the security posture of 
        firms across the financial sector and the service providers 
        they rely on by encouraging the development and use of common 
        approaches and best practices.
    3. Collaborate with homeland security, law enforcement and 
        intelligence communities, financial regulatory authorities, 
        other sectors of industry, and international partners to 
        respond to and recover from significant incidents.
    4. Discuss policy and regulatory initiatives that advance 
        infrastructure resiliency and security priorities through 
        robust coordination between Government and industry.
    To achieve these objectives we partner with the Department of 
Treasury, DHS, law enforcement, and financial regulatory agencies 
forming our Government Coordinating Council counterpart--called the 
Financial and Banking Information Infrastructure Committee (FBIIC).
    Rolling up into those broad objectives are numerous initiatives 
undertaken collaboratively within this public-private partnership, 
including committee-organized workstreams to, for example:
   improve information-sharing content and procedures between 
        Government and the sector;
   conduct joint exercises to test our resiliency and 
        information-sharing procedures under differing scenarios;
   prioritize critical infrastructure protection research and 
        development funding needs;
   engage with other critical sectors and international 
        partners to better understand and leverage our 
        interdependencies;
   advocate broad adoption of the NIST Cybersecurity Framework, 
        including among small and mid-sized financial institutions 
        across the country;
   develop best practices guidance for operational risk issues 
        involving third-party risk, supply chain, and cyber insurance 
        strategies.
    We have learned over the years that a foundational element of any 
strong risk management strategy for cyber and physical protection 
involves participation in communities of trust that share information 
related to threats, vulnerabilities, and incidents affecting those 
communities. That foundation is based on the simple concepts of 
strength in numbers, the neighborhood watch, and shared situational 
awareness.
    To achieve this goal, public and private-sector partners exchange 
data and contextual information about specific incidents and longer-
term trends and developments. Sharing this information helps to prevent 
incidents from occurring and to reduce the risk of a successful 
incident at one firm later impacting another. These efforts 
increasingly focus on including smaller firms and include international 
partners.
    Financial-sector stakeholders participate in information-sharing 
programs operated by the Department of Homeland Security. For example, 
the financial sector and Treasury Department maintain a presence within 
the National Cybersecurity and Communications Integration Center 
(NCCIC), which serves as a hub for sharing information related to 
cybersecurity and communications incidents across sectors, among other 
roles and responsibilities. The sector also works closely with the 
National Infrastructure Coordinating Center (NICC), which is the 
dedicated 24/7 coordination and information-sharing operations center 
that maintains situational awareness of the Nation's critical 
infrastructure for the Federal Government.
    The financial sector benefits greatly from its close information-
sharing relationship with law enforcement partners, including the 
Federal Bureau of Investigations and the United States Secret Service.
          fs-isac information-sharing programs and operations
    For the financial sector, the primary community of trust for 
critical financial infrastructure protection is the Financial Services 
Information Sharing and Analysis Center, or FS-ISAC, which is the 
operational heartbeat of the FSSCC strategic body.
    The FS-ISAC was formed in 1999 in response to the 1998 Presidential 
Decision Directive 63 (PDD 63), which called for the public and private 
sectors to work together to address cyber threats to the Nation's 
critical infrastructures. After 9/11, and in response to Homeland 
Security Presidential Directive 7 (and its 2013 successor, Presidential 
Policy Directive 21) and the Homeland Security Act, the FS-ISAC 
expanded its role to encompass physical threats to our sector.
    The FS-ISAC is a 501(c)6 nonprofit organization and is funded 
entirely by its member firms and sponsors. In 2004, there were only 68 
members of the FS-ISAC, mostly larger financial services firms. Since 
that time the membership has expanded to more than 5,000 organizations 
including commercial banks and credit unions of all sizes, brokerage 
firms, insurance companies, data security payments processors, and 24 
trade associations representing virtually all of the U.S. financial 
services sector.
    Since its founding, the FS-ISAC's operations and culture of trusted 
collaboration have evolved into what we believe is a successful model 
for how other industry sectors can organize themselves around this 
security imperative. The overall objective of the FS-ISAC is to protect 
the financial services sector against cyber and physical threats and 
risk. It acts as a trusted third party that provides anonymity to allow 
members to share threat, vulnerability, and incident information in a 
non-attributable and trusted manner. The FS-ISAC provides a formal 
structure for valuable and actionable information to be shared amongst 
members, the sector, and its industry and Government partners, which 
ultimately benefits the Nation. FS-ISAC information-sharing activities 
include:
   delivery of timely, relevant, and actionable cyber and 
        physical email alerts from various sources distributed through 
        the FS-ISAC Security Operations Center (SOC);
   an anonymous on-line submission capability to facilitate 
        member sharing of threat, vulnerability, and incident 
        information in a non-attributable and trusted manner;
   operation of email listservs supporting attributable 
        information exchange by various special interest groups 
        including the Financial Services Sector Coordinating Council 
        (FSSCC), the FS-ISAC Threat Intelligence Committee, threat 
        intelligence sharing open to the membership, the Payment 
        Processors Information Sharing Council (PPISC), the Clearing 
        House and Exchange Forum (CHEF), the Business Resilience 
        Committee, and the Payments Risk Council;
   anonymous surveys that allow members to request information 
        regarding security best practices at other organizations;
   bi-weekly threat information sharing calls for members and 
        invited security/risk experts to discuss the latest threats, 
        vulnerabilities, and incidents affecting the sector;
   emergency threat or incident notifications to all members 
        using the Critical Infrastructure Notification System (CINS);
   emergency conference calls to share information with the 
        membership and solicit input and collaboration;
   engagement with private security companies to identify 
        threat information of relevance to the membership and the 
        sector;
   participation in various cyber exercises such as those 
        conducted by DHS (Cyber Storm I, II, and III) and support for 
        FSSCC exercises such as CyberFIRE and Quantum Dawn;
   development of risk mitigation best practices, threat 
        viewpoints and toolkits, and preparation of cybersecurity 
        briefings and white papers;
   administration of Subject Matter Expert (SME) committees 
        including the Threat Intelligence Committee and Business 
        Resilience Committee, which: Provide in-depth analyses of risks 
        to the sector, conduct technical, business, and operational 
        impact assessments; determine the sector's cyber and physical 
        threat level; and, recommend mitigation and remediation 
        strategies and tactics;
   special projects to address specific risk issues such as the 
        Account Takeover Task Force;
   document repositories for members to share information and 
        documentation with other members;
   development and testing of crisis management procedures for 
        the sector in collaboration with the FSSCC and other industry 
        bodies;
   semi-annual member meetings and conferences; and
   on-line webinar presentations and regional outreach programs 
        to educate organizations, including small- to medium-sized 
        regional financial services firms, on threats, risks, and best 
        practices.
                          fs-isac partnerships
    The FS-ISAC works closely with various Government agencies 
including the U.S. Department of Treasury, Department of Homeland 
Security (DHS), Federal Reserve, Federal Financial Institutions 
Examination Council (FFIEC) regulatory agencies, United States Secret 
Service, Federal Bureau of Investigation (FBI), the intelligence 
community, and State and local governments.
    In partnership with DHS, FS-ISAC 2 years ago became the third ISAC 
to participate in the National Cybersecurity and Communications 
Integration Center (NCCIC) watch floor. FS-ISAC representatives, 
cleared at the Top Secret/Sensitive Compartmented Information (TS/SCI) 
level, attend the daily briefs and other NCCIC meetings to share data 
information on threats, vulnerabilities, incidents, and potential or 
known impacts to the financial services sector. Our presence on the 
NCCIC floor has enhanced situational awareness and information sharing 
between the financial services sector and the Government, and there are 
numerous examples of success to illustrate this.
    As part of this partnership, the FS-ISAC set up an email listserv 
with U.S. CERT where actionable incident, threat, and vulnerability 
information is shared in near-real time. This listserv allows FS-ISAC 
members to share directly with U.S. CERT and further facilitates the 
information sharing that is already occurring between FS-ISAC members 
and with the NCCIC watch floor or with other Government organizations.
    In addition, FS-ISAC representatives sit on the Cyber Unified 
Coordination Group (Cyber UCG). This group was set up under authority 
of the National Cyber Incident Response Plan (NCIRP) and has been 
actively engaged in incident response. Cyber UCG's handling and 
communications with various sectors following the distributed denial of 
service (DDOS) attacks on the financial sector in late 2012 and early 
2013 is one example of how this group is effective in facilitating 
relevant and actionable information sharing.
    Consistent with the directives of Presidential Policy Directive 21 
and Executive Order 13636 of 2014, the Treasury established the Cyber 
Intelligence Group (CIG) as part of the Office of Critical 
Infrastructure Protection and Compliance Policy. The CIG was 
established in response to a need identified by the financial sector 
for the Government to have a focal point for sharing cyber threat-
related information with the sector. The CIG identifies and analyzes 
all-source intelligence on cyber threats to the financial sector; 
shares timely, actionable information that alerts the sector to threats 
and enables firms' prevention and mitigation efforts; and solicits 
feedback and information requirements from the sector.
    Finally, it should be noted that the FS-ISAC and FSSCC have worked 
closely with its Government partners to obtain security clearances for 
key financial services sector personnel. These clearances have been 
used to brief the sector on new information security threats and have 
provided useful information for the sector to implement effective risk 
controls to combat these threats.
    In addition, several membership subgroups meet regularly with their 
own circles of trust to share information, including: The Insurance 
Risk Council (IRC); the Community Institution Council (CIC) with 
hundreds of members from community banks and credit unions; and the 
Community Institution Toolkit Working Group with a mission to develop a 
framework and series of best practices to protect community 
institutions. This includes a mentoring program to assist community 
institutions just getting started with an IT security staff.
    The FS-ISAC also works very closely with the other critical 
infrastructure sectors on an ISAC-to-ISAC basis as well as through the 
National Council of ISACs. Information about threats, incidents, and 
best practices is shared daily among the ISACs via ISAC analyst calls, 
and a cross-sector information-sharing platform. The ISACs also come 
together during a crisis to coordinate information and mitigations as 
applicable.
                  automated threat information sharing
    The sector continues to make significant progress toward increasing 
the speed and reliability of its information-sharing efforts through 
expanded use of DHS-funded open specifications, including Structured 
Threat Information eXchange (STIXTM) and Trusted Automated 
eXchange of Indicator Information (TAXIITM).
    Late last year, the financial sector announced a new automated 
threat capability it created called ``Soltra Edge'', which is the 
result of a joint venture of the FS-ISAC and the Depository Trust and 
Clearing Corporation. This capability addresses a fundamental challenge 
in our information-sharing environment: Typically the time associated 
with chasing down any specific threat indicator is substantial. The 
challenge has been to help our industry increase the speed, scale, and 
accuracy of information sharing and accelerate time to resolution.
    The Soltra Edge capability developed by the sector removes a huge 
burden of work for both large and small financial organizations, 
including those that rely on third parties for monitoring and incident 
response. It is designed for use by many parts of the critical 
infrastructure ecosystem, including the financial services sector, the 
health care sector, the energy sectors, transportation sectors, other 
ISACs, National and regional CERTs (Computer Emergency Response Teams) 
and vendors and services providers that serve these sectors.
    Key goals of Soltra-Edge are to:
   Deliver an industry-created utility to automate threat 
        intelligence sharing;
   Reduce response time from days/weeks/months to seconds/
        minutes;
   Deliver 10 times reduction in effort and cost to respond;
   Operate on the tenets of at-cost model and open standards 
        (STIX, TAXII);
   Leverage DTCC scalability; FS-ISAC community & best 
        practices;
   Provide a platform that can be extended to all sizes of 
        financial services firms, other ISACs and industries;
   Enable integration with vendor solutions (firewalls, 
        intrusion detection, anti-virus, threat intelligence, etc.).
    With these advancements, one organization's incident becomes 
everyone's defense at machine speed. We expect this automated solution 
to be a ``go-to'' resource to speed incident response across thousands 
of organizations in many countries within the next few years.
                               exercises
    The sector regularly tests its resilience through exercises to 
identify gaps and exercise processes related to information sharing. 
Efforts such as the annual ``Cyber Attack against Payment Processes 
(CAPP)'', ``Quantum Dawn'' and public/private exercises provide 
essential insight into our ability individually and collaboratively to 
respond to various attack scenarios.
    In carrying out this information-sharing partnership, the financial 
sector and Government partners are committed to ensuring that 
individual privacy and civil liberties protections are incorporated 
into all activities, to include technical analysis, information sharing 
on threats, and incident response efforts.
      the president's executive order on promoting private-sector 
                   cybersecurity information sharing
    As discussed above, the Financial Services Sector Coordinating 
Council (FSSCC) considers strong collaboration and information sharing 
within the sector and with Government to be a critical element of 
cybersecurity risk management.
    Thus, in alignment with the FS-ISAC's statement for the record by 
Denise Anderson, vice president of the FS-ISAC and chair of the 
National Council of ISACs, we applaud this administration's efforts to 
improve our cybersecurity information-sharing environment so that we 
can better anticipate, protect against, and respond to cyber threats. 
The administration's Executive Action is a positive step toward 
increasing the volume and quality of actionable and timely 
cybersecurity information.
    With key Federal support from the Treasury Department as our 
Sector-Specific Agency, law enforcement and the Department of Homeland 
Security (DHS), our network defenders are better able to prepare for 
cyber threats when there is a consistent, reliable, and sustainable 
flow of actionable cybersecurity information and analysis, at both a 
Classified and Unclassified level.
    We are making some progress toward this goal, but it has become 
increasingly necessary for appropriately-cleared representatives of 
critical sectors such as financial services to have access, and provide 
contributions, to Classified information that enables analysts and 
operators to take timely action to defend essential systems. 
Accordingly, the Executive Order's enhancement of DHS's role in 
accelerating the security clearance process for critical sector owners 
and operators is a clear indication of the administration's support for 
this public-private partnership.
    In considering enhancements to this model, agility and innovation 
are essential for the operational resilience of critical sector 
functions. In this spirit, we support the creation of Information 
Sharing and Analysis Organizations (ISAOs) as a mechanism for all 
sectors, regions, and other stakeholder groups to share cybersecurity 
information and coordinate analysis and response.
    While ISACs must retain their status as the Government's primary 
critical infrastructure partners given their mandate for broad sectoral 
representation, the development of ISAOs should be facilitated for 
stakeholder groups that require a collaborative cyber and physical 
threat information-sharing capability that builds on the strong 
foundation laid by the ISACs.
    As the ISAO standards development process unfolds, the FSSCC 
believes certain principles must be upheld for structuring both the 
ISAOs themselves and the Government's interaction with them:
   Sharing of sensitive security information within and among 
        communities of trust is successful when operational standards 
        of practice establish clear and enforced information handling 
        rules.
   Information sharing is not a competitive sport: While 
        competition in innovation can improve technical capabilities, 
        operational standards should incentivize federated information 
        sharing. Threat and vulnerability intelligence needs to be 
        fused across trust communities, not diffused or siloed.
   Government internal processes for collecting, analyzing, and 
        packaging CIP intelligence for ISAC/ISAO consumption must be 
        streamlined and transparent to maximize timeliness, accuracy, 
        and relevance of actionable shared information. Indeed, Section 
        4 of EO 13636 directs the Government to improve its 
        dissemination of cyber threat intelligence to the private 
        sector, enabling entities to protect their networks. Full 
        implementation of this directive is necessary to achieve the 
        objectives of the President's information sharing Executive 
        Order.
   To manage scarce resources, Government information-sharing 
        mechanisms such as the National Cyber and Communications 
        Integration Center (NCCIC) and the Treasury Department's Cyber 
        Intelligence Group (CIG) should prioritize engagements with 
        ISACs and ISAOs according to transparently-established impact 
        criteria, such as Government capacity to effectively serve CIP 
        constituents in steady-state and surge mode, the reach those 
        CIP stakeholders have into their sectors, and the effectiveness 
        of their capabilities.
    It is also important that the process to develop the ISAO standards 
is collaborative, open, and transparent. The process managed by the 
National Institute of Standards and Technology (NIST) during the 
development of the NIST Cybersecurity Framework is an excellent example 
of the appropriate leveraging of private-sector input, knowledge, and 
experience to develop guidance that will primarily impact non-
Governmental entities. We encourage DHS, as the implementing authority 
of the President's EO, to emulate the engagement model that NIST used 
to create and adopt their Cybersecurity Framework. The process worked.
    Finally, for DHS to be successful implementing this EO and its many 
cybersecurity risk management and partnership authorities, it must be 
sufficiently resourced with the best analytical and technical 
capabilities, with a cadre of highly-qualified cybersecurity leaders 
and analytical teams to conduct its mission. There must be a concerted 
effort to recruit, retain, and maintain a world-class workforce that is 
able to assess cyber threats globally and help the private sector 
reduce risk to this Nation.
    The FSSCC believes that, with the application of the principles 
discussed in this statement, the creation of ISAOs and their 
partnership agreements with DHS have the potential to complement the 
ISAC foundation and measurably improve cyber risk reduction for 
critical infrastructure and the National economy.
    On the subject of legislation, Mr. Chairman, passing cyber threat 
information-sharing legislation that encourages more information 
sharing between the private sector and Government and within the 
private sector, with fewer concerns about liability, will have a 
positive operational impact on the security of the Nation's networks. 
This sector-wide position is articulated in detail in recent letters 
from leading financial services trade associations.
    Mr. Chairman and Members of the committee, this concludes my 
testimony.

    Mr. Ratcliffe. Thank you, Mr. Garcia.
    Mr. Ratcliffe. The Chairman now recognizes Dr. Libicki.

      STATEMENT OF MARTIN C. LIBICKI, THE RAND CORPORATION

    Mr. Libicki. Good afternoon, Chairman Ratcliffe, Ranking 
Member Richmond, and distinguished Members of the subcommittee. 
My name is Martin Libicki from The RAND Corporation.
    Thank you for the opportunity to testify today about the 
President's cybersecurity information-sharing proposal. As a 
general proposition, information sharing among defenders makes 
for a better defense.
    Nevertheless, two concerns merit note. First, the current 
proposals do not address and may even exacerbate a 
cybersecurity divide. Second, an enormous amount of political 
energy is being dedicated to a point solution to a broad 
problem.
    A cybersecurity divide exists between organizations, 
roughly speaking, large enough to afford their own chief 
information security officer and those that cannot.
    ISAOs, for their part, are oriented towards organizations 
that can afford the membership fees. Unless other mechanisms to 
share information with the smaller organizations are bolstered, 
the latter are going to be left out of whatever information-
sharing exists.
    As for the narrower focus, several weeks ago President 
Obama said, ``There's only one way to defend America from cyber 
threats, and that's Government and industry working together, 
sharing appropriate information.'' An associated Executive 
Order calls for ``fostering the development and adoption of 
automated mechanisms for the sharing of information.''
    However, cybersecurity is so complex a challenge that not 
only is information sharing not the ``only one way,'' but the 
model proposed for information sharing is not even the only one 
way to share information.
    To explain why, let's note three models of information 
sharing.
    In the first model, vulnerabilities in software are found 
by white hat hackers and the forensic specialists brought into 
the attention of the vendors. The vendors, when they receive 
this information, attack the vulnerabilities and generally fix 
them. This is a model that would lead to better software and 
can be encouraged by the Federal Government with a modest 
addition of funding and without having to pass any new laws.
    In a second model, the collection and analysis of cyber 
attacks can shed light on what organizations could have done 
differently to have prevented or at least mitigated the effects 
of such attacks. Such sharing permits evidence-based 
assessments of alternative cybersecurity tools, techniques, and 
practices. This model can be encouraged by empowering 
organizations, such as NIST, and funding various R&D entities, 
such as the ARPAs and NSF, to build and disseminate a 
systematic body of knowledge on cybersecurity.
    The first model results in better software. The second 
model results in better cybersecurity management. Organizations 
of all size can benefit from each.
    The third model of information sharing, organizations are 
asked to report details of the attacks they have suffered, such 
as malware samples, attacker modus operandi, IP addresses, 
attack vectors, induced anomalies, social engineering methods 
and so on. These are used to profile specific threat actors so 
that the signatures of their activity can be fed to intrusion 
detection and prevention systems of organizations that happen 
to have them.
    The usefulness of this third model, however, requires that 
four assumptions be true.
    The first assumption is that most serious attacks come from 
specific black hat hacker groups who repeat their attacks often 
enough so that evidence from early attacks can be used to 
detect later ones.
    The second assumption is that such groups maintain a 
consistent modus operandi that is constantly reused.
    The third assumption is that such signatures can be shared 
in a timely manner, something that is complicated by the length 
of time--several months to a year--between when a typical 
advanced attack starts and when it is discovered.
    The fourth assumption is that such signatures will not 
evolve over time, even if information sharing were to become so 
wide-spread that the failure to evolve on the part of hackers 
would doom their ability to compromise networks.
    An analogy may be made to the anti-virus industry. The 
majors run very large information-gathering networks fed by 
inputs from sensors placed throughout the internet, but the 
anti-virus model has lost viability in the face of ever-
shifting signatures and the tendency of attackers to test their 
malware against anti-virus suites before releasing them.
    Granted, the threat-based information-sharing model, if 
substantiated, would not be totally useless. Not every black 
hat hacker group will be conscientiously altering its modus 
operandi, and forcing such groups to cluster their attacks or 
shift their attack vectors does mean more work for them.
    Nevertheless, threat-based information sharing is no 
panacea, and, yet, efforts to achieve it have absorbed a 
disproportional share of the legislative and media bandwidth on 
the topic of cybersecurity policy, crowding out the 
consideration of alternative approaches. Hence, the basis for 
our concern.
    I appreciate the opportunity to discuss this important 
topic, and I look forward to your questions.
    [The prepared statement of Mr. Libicki follows:]
            Prepared Statement of Martin C. Libicki \1\ \2\
---------------------------------------------------------------------------
    \1\ The opinions and conclusions expressed in this testimony are 
the author's alone and should not be interpreted as representing those 
of RAND or any of the sponsors of its research. This product is part of 
the RAND Corporation testimony series. RAND testimonies record 
testimony presented by RAND associates to Federal, State, or local 
legislative committees; Government-appointed commissions and panels; 
and private review and oversight bodies. The RAND Corporation is a 
nonprofit research organization providing objective analysis and 
effective solutions that address the challenges facing the public and 
private sectors around the world. RAND's publications do not 
necessarily reflect the opinions of its research clients and sponsors.
    \2\ TThis testimony is available for free download at http://
www.rand.org/pubs/testimonies/CT425.html.
---------------------------------------------------------------------------
                             March 4, 2015
    Good morning, Chairman Ratcliffe, Ranking Member Richmond, and 
distinguished Members of the subcommittee. I thank you for the 
opportunity to testify today about the President's cybersecurity 
information-sharing proposal.
    The President's initiatives to improve cybersecurity through 
information sharing are laudable. Information sharing can and should be 
an important element in efforts to ensure that defenders learn from 
each other faster than attackers learn from each other. The fact that 
attackers do learn from each other is something that we know from 
research that RAND conducted for a report released last year on cyber 
crime markets (Markets for Cybercrime Tools and Stolen Data: Hackers' 
Bazaar).
    People have been calling for greater information sharing for almost 
20 years, dating back to the formation of Information Sharing and 
Analysis Centers (ISACs) in the late 1990s and continuing through the 
recent reformulation of ISACs into Information Sharing and Analysis 
Organizations (ISAOs). Although more information is being shared, the 
President's initiatives are prompted by the perception that information 
sharing is not advancing fast enough. Those asked to share gain little 
directly from sharing and believe they face financial, reputational, 
and legal risks in doing so. As a result, legislation has been 
repeatedly introduced to facilitate the increased exchange of 
information--notably, I would argue, threat information. Without going 
into a detailed assessment of the privacy implications of such 
legislation, apart from noting that concerns have been raised, its 
purposes are nevertheless sound and its passage can help improve 
cybersecurity.
    Two concerns, however, merit note. One is that the current 
proposals do not address, and may even exacerbate, the differences 
between the cybersecurity enjoyed by small- and medium-sized 
enterprises on the one hand and that enjoyed by large enterprises on 
the other: A cybersecurity divide. The second concern is that the 
current legislative proposals represent an enormous amount of political 
energy dedicated to what is actually a narrowly-focused point solution 
to the problem of cybersecurity when a much broader approach is 
required. Consider each concern in turn.
    The cybersecurity divide exists roughly at the boundary between 
those organizations that are large enough to afford their own chief 
information security officer (CISO) and those that cannot. As a very 
rough estimate, though this varies by sector, organizations with more 
than 1,000 employees can afford to hire a CISO, and those that are 
smaller cannot. Organizations that cannot afford to employ a CISO can 
usually offer only generalized cybersecurity training for their 
employees (if they do so at all); must rely on commodity hardware and 
software, often deployed with default settings; make do with commercial 
network offerings such as routers; and use off-the-shelf firewall 
tools. Organizations that can afford to employ a CISO can offer and 
customize specialized training, can afford to optimize their hardware 
and software for cybersecurity, can purchase sophisticated 
cybersecurity tools, can hire information security analysts, and 
contract with third parties for additional cybersecurity services. 
Fortunately, cloud offerings can be and are tailored for organizations 
of all sizes, but this only represents a partial approach to 
cybersecurity and may introduce a few additional security problems of 
their own.
    ISAOs, laudable as they may be, are oriented toward organizations 
that can afford their membership fees; at $10,000 a year, most small- 
and medium-sized organizations are priced out of that market. Consider 
the likelihood that these ISAO's become the primary--or worse, 
exclusive--conduit for information sharing between the Government and 
private organizations. If so--and in the absence of other mechanisms to 
share information with the broader public--the smaller organizations 
are going to be left out. Whatever advantage they reap from 
information-sharing rests on the hope that the existence of ISAOs as 
conduits for shared information does not detract from paths more suited 
to smaller enterprises.
    The risks of exacerbating the cybersecurity divide are related to 
the problem of an overly narrow focus for information sharing 
associated with pending legislation.
    Several weeks ago, during the Cybersecurity Summit, President Obama 
said, ``There's only one way to defend America from cyber threats, and 
that's Government and industry working together [and] sharing 
appropriate information.'' However, cybersecurity is not that 
elementary; there is no one unique way. Furthermore, the associated 
Executive Order calls for ``fostering the development and adoption of 
automated mechanisms for the sharing of information.'' That being so, 
not only is information sharing not the ``only one way'' to improve 
cybersecurity, but the model proposed for information sharing is also 
not the ``only one way'' to share information.
    To explain why requires stepping back to take a broader look at 
information sharing. Among the many types of information sharing, three 
merit note.
    First is the process by which software vulnerabilities are brought 
to the attention of those who make and maintain software. A large 
percentage of all networks--particularly the more diligently-defended 
ones--are penetrated because their software contains vulnerabilities 
that have not been fixed, notably because the vendors have not 
discovered them. These are ``zero-day vulnerabilities''; they permit 
``zero-day exploits.'' Software vulnerabilities in Java, Acrobat, 
Flash, and Microsoft Office products are commonly exploited to allow 
attackers to enter computer networks and systems (which is why users 
are warned not to click on suspect websites or open suspicious 
attachments). A large and growing community of researchers and white 
hat hackers are busy finding these vulnerabilities and reporting them 
to vendors. A related community examines actual cyber attacks to 
determine which vulnerabilities were exploited in order to serve the 
same end of fixing them. A world with fewer software vulnerabilities 
would be a safer world (although patches do no good until installed). 
Occasionally, software vendors confronted with a number of similar 
vulnerability reports about their products may find correlated 
architectural weaknesses in their offerings and make more fundamental 
changes. The Federal Government can do more to encourage and accelerate 
the process of finding software vulnerabilities with modest amounts of 
funding and without passing new legislation.
    Second is the use of information sharing to improve cybersecurity 
practice. The collection and analysis of cyber attacks, both those that 
succeed and those that may be termed near-misses, can shed light on 
what organizations could have done differently to have prevented or at 
least mitigated the effects of such attacks. Such analysis can provide 
evidence-based assessments of the cost-effectiveness of alternative 
cybersecurity tools and techniques. Such an activity is already 
informally carried out to some extent at the worker level, especially 
among the information security community and disseminated through 
professional interaction. This should continue to be encouraged, and 
should trickle up to the C-Suite and managers. Such activity can lead 
to insights that are scientifically validated (or refuted), which then 
become part of the cybersecurity canon, to be spread through the 
literature and other formal and informal exchanges within the 
information technology community, as well as taught in the various 
schoolhouses. The Government can aid this process by empowering 
organizations such as the National Institute of Standards and 
Technology (NIST) and funding the various Advanced Research Project 
Agencies (ARPAs) and the National Science Foundation (NSF) to build a 
systematic body of knowledge.
    These first two types of information sharing do not exacerbate the 
cybersecurity divide. The first should result in better software, which 
benefits everyone. The second should result in better cybersecurity 
practices, which also should benefit everyone, particularly those 
organizations that have at least one person who can think 
systematically about cybersecurity.
    This now leaves the third type of information sharing, one that is 
specific to the characterization of threats and the impetus behind the 
legislation. It calls for organizations to report attacks and provide 
relevant details of these attacks, such as malware samples, attacker 
modus operandi, IP addresses, attack vectors, induced anomalies, social 
engineering methods, etc. These instances, in turn, are used to create 
a profile of specific threat actors and infer signatures of their 
activities, which, in turn, would be circulated to other organizations 
so that they can better prepare themselves, notably by putting such 
signatures into their intrusion prevention/detection systems. The 
appendix of the 2013 Mandiant report (APT1: Exposing One of China's 
Cyber Espionage Units), for instance, was stuffed with many signatures 
that could be used by potential victims of APT1 (their name for a 
specific hacker group supported by China's Peoples Liberation Army) to 
recognize signs of threat activity infection. Although such signatures 
could, and in many cases, would also be supplemented by intelligence 
collection, the Classified nature of such additional material limits 
the number and type of machines on which they could reside.
    The usefulness of threat-based information sharing rests on four 
assumptions about the nature of the threat itself. Such assumptions 
would have to be largely or totally true before the value of 
establishing an information-sharing apparatus can justify the effort to 
operate it, persuade organizations to contribute to it, and offset the 
residual risks to privacy that such information transfer may entail.
    The first assumption is that a sufficient share of all serious 
attacks comes from specific black hat hacker groups and that each carry 
out enough attacks over a period of time so that their modus operandi 
can be characterized. Trivially, if every black hat hacker organization 
carried out just one attack, signatures derived from that one attack 
would inform no further attacks. In practice, each group must carry out 
enough attacks so those that are discovered can inform those that take 
place later on. Furthermore, for such signatures to be useful, there 
has to be time for the attack to be detected so that the signatures can 
be collected, shared, and inserted into the defensive systems of 
potential future victims while they are still useful. If all the 
attacks were bunched together in a short period, the information 
gathered from such attacks will not be gathered in time to be useful.
    The second assumption is that each attacker group generates a 
consistent set of signatures that recur in multiple attacks (and that 
can be used reliably by defenders to distinguish their attacks from 
benign activity). To wit, hacker signatures have to resemble 
fingerprints. The APT1 group's attacks did have such characteristics 
(similarly, those that attacked Sony Pictures Entertainment in late 
2014 used the same IP addresses as those who attacked South Korean 
banks and media firms in 2013). However, the possibilities of 
polymorphic malware (variations in the appearance of exploits) and 
fast-flux DNS (to permit shifting IP addresses) suggest that hackers 
have options for varying their signatures.
    The third assumption is that these signatures are detectable by 
organizations interested in sharing. The average attacks by 
sophisticated and advanced threats remain undetected for a year--and 
those are only the ones that have been discovered. Most such attacks 
are discovered not by their victims but by third parties and, for the 
most part, only because the information taken from several victims is 
funneled through the same intermediate servers used to hold the 
exfiltrated data. If these servers are discovered, evidence from 
attacks on multiple victims can be picked up at the same time. 
Attackers who are sensitive to being caught can explore alternative 
ways to route the data they bring home.
    The fourth assumption is that such signatures will not evolve 
(enough) over time--even if information sharing became so wide-spread 
that the failure to evolve would make it too hard for hacker groups to 
penetrate and compromise networks. Although Mandiant's publication of 
APT1 activities slowed the group's activities, it only took a few 
months before they were back in business using a new set of exploits 
and attack vectors, with brand-new signatures that had to be inferred.
    An analogy may be drawn to the anti-virus industry. The major 
players--Symantec, McAfee, Kaspersky, and Microsoft--run very large 
information-gathering networks fed by inputs from customers as well as 
sensors that they have placed throughout the internet. But the anti-
virus model has lost most of its viability over the past 5 years in the 
face of ever-shifting signatures and the practice of attackers testing 
malware against anti-virus suites before releasing them into the wild. 
Although threat-centric information-sharing deals with a broader range 
of indicators than anti-virus companies do, the same dynamic by which 
expensively-constructed measures beget relatively low-cost 
countermeasures argues against being terribly optimistic about the 
benefits from pushing a threat-centric information-sharing model.
    This is not to say that threat-centric information sharing is 
useless. Not every black hat hacker group will be conscientious about 
altering its modus operandi, and there may be features of their 
signatures that are not obvious to themselves (and hence would likely 
persist for later detection). Forcing such groups to cluster their 
attacks or to use multiple attack vectors, including obfuscation 
techniques and grouping methods, resulting in new or altered signatures 
over time, means more work for them. Some attackers will drop out; 
others may not be able to attack as many organizations in a given 
period. So, the effort to gather signatures would not be completely 
wasted. Furthermore, even if threat-centric information sharing does 
not work, the efforts that organizations would have to make to 
understand what is going on in their networks in order to share 
information effectively would, as a side benefit, also help them 
protect themselves absent any information-sharing whatsoever.
    Unfortunately, these recent efforts to promote a particular kind of 
information sharing have achieved the status of a panacea. They are 
absorbing a disproportional share of the legislative and elite media 
energy on the topic of cybersecurity. Many otherwise serious people 
assert that information sharing could have prevented many headline 
assaults on important networks. Yet, if one works through such attacks 
to understand if there were precedents that could have given us threat 
signatures, one often finds no good basis for such a belief. Quelling 
the Nation's cybersecurity problems is a complex, multi-faceted 
endeavor not subject to a silver bullet.
    In sum, there is nothing wrong with information sharing. It should 
be encouraged. The President's proposal may well do so--in which case 
it deserves our support. But there is something wrong with assuming 
that it solves most, much less all, of the cybersecurity problem. It 
only addresses one facet of a very complex space. It is therefore 
highly questionable whether efforts to achieve information sharing 
deserve the political energy that they are currently taking up.
    I appreciate the opportunity to discuss this important topic, and I 
look forward to your questions.

    Mr. Ratcliffe. Thank you, Dr. Libicki.
    I now recognize myself for 5 minutes for questions.
    Mr. Eggers, I'd like to start with you. In many respects, 
the Chamber of Commerce represents a single voice for 
stakeholders across many of the critical infrastructure 
sectors.
    So, in that respect and capacity, can you address whether 
industry supports the sharing of cyber threat indicators 
through civilian portals, such as the NCCIC, with established 
and transparent privacy protections?
    Mr. Eggers. Congressman, thank you for that question.
    I would say yes, we do. Just to give you an example, the 
NCCIC is a key portal through which businesses are sharing and 
will be sharing.
    One thing I might add to that is we want businesses to be 
sharing with their trusted partners, whether it's DHS, FBI, 
Secret Service, Department of Energy, Treasury, you name it. I 
think what we want to see is a bill that gives them the ability 
to voluntarily share cyber threat indicators with associated 
protections with some flexibility in terms of sharing with 
Government. So it would be DHS and other entities.
    Mr. Ratcliffe. Thank you, Mr. Eggers.
    Ms. Callahan, as I've listened to stakeholders across the 
spectrum here, including privacy groups, one of the recurring 
questions and concerns out there relates to the minimization of 
data, which you talked about in your testimony. As the former 
chief privacy officer at DHS, I know that you oversaw the 
processes and procedures on how DHS protects privacy when it 
comes to sharing cyber threat indicators.
    Could you walk us through that in a little more detail? The 
measures that are in place at NCCIC to ensure that personal 
information is not shared with the Government.
    Ms. Callahan. Thank you for that question.
    There are several steps and several procedures that DHS 
goes through, depending on how the threat is conveyed to 
Homeland Security, depending on how it's integrated and whether 
or not it's going to be shared.
    As you mentioned, data minimization and only having the 
directly associated threat information is the key element both 
because it protects privacy better, of course, but, also, it 
helps identify what people should really be looking at if, 
indeed, information is shared and they don't have to go through 
the chaff.
    At Homeland Security, there are multiple steps. First, when 
the threat comes in from the private sector, it can be reviewed 
by a human to go and look to see if it can be identified for 
what the specific threat is. It's then distilled down. It's 
very frequently often IP addresses, possibly URLs associated 
with it, and the very rate time associated with an email 
address.
    It's distilled down to that kind of core element, and then 
it's compared to whether or not we know anything about this 
threat, what else is happening, where is it going.
    To the extent that it's going to be shared, only that 
distilled element is going to be the purpose that it's shared. 
It also then, before sharing, is reviewed by a DHS privacy 
professional to confirm that minimization process.
    Mr. Ratcliffe. Terrific.
    So, from your experience, what is your opinion on whether 
the privacy community supports the privacy protections that are 
currently in place at NCCIC?
    Ms. Callahan. I think the privacy community very 
specifically wants to have civilian control over information 
sharing, and that's an important tenet for the privacy 
community.
    They also are very aware of the privacy protections that I 
described that are detailed in the multiple privacy impact 
assessments, privacy compliance reviews, and other public 
documents that have been detailed by the DHS privacy office.
    In addition, Homeland Security has a subcommittee that is 
Classified at the Top Secret/SCI level that has had even more 
detailed briefings, and those include advocates and members of 
the community. So I think that, to the extent the privacy 
advocates can be comfortable with the privacy protections of 
information sharing, Homeland Security has met that.
    Mr. Ratcliffe. Terrific. Thank you.
    Mr. Garcia, I think it's pretty well-known out there that 
the financial services sector has one of the most mature ISACs 
and is considered by many to be the gold standard for 
information sharing.
    I think that we all need to be cognizant and careful from 
the committee standpoint not to break something that's 
currently working well. So with that in mind, a two-part 
question for you.
    How would the President's legislative proposal affect the 
financial sector's current sharing of cyber threat information? 
Then, second, what recommendations do you have for other 
sectors, based on your experience, and what might be learned 
from the FS-ISAC model?
    Mr. Garcia. Thank you. That's a good question.
    I think the President's proposal is almost explicitly with 
us not targeted at the financial services sector or trying to 
make any improvements to it. There is a recognition that we 
have established a fairly robust and mature information-sharing 
trust community and that the proposal would really try to get 
at many of those noncritical sectors that have not yet engaged 
in this level of information sharing.
    So I would think that, on the edges, the proposal will help 
information sharing broadly and maybe the financial services as 
well, as long as the ISAO model is developed in a way that 
doesn't create too much confusion.
    As I mentioned in my opening statement, we need to have a 
federated information-sharing capability, not a competitive one 
where one ISAO is trying to get more members and, therefore, is 
withholding information from other ISAOs. That's really 
important. If we have Balkanized or siloed information sharing, 
we are defeating the purpose of trying to get broader 
comprehensive situational awareness.
    So for ISAOs standing up, I think we'll look forward to 
providing contributions to the standards development process 
for what constitutes a good information-sharing environment. I 
think key to that is we really started sharing robustly when we 
established a traffic light protocol--red, yellow, green, 
white--a cascade of different definitions of what information 
can be shared with whom and what information cannot be shared.
    That is enforced. It's enforceable and it is enforced. That 
really cements the trust, that you know that, when you're going 
to share this information, that it is not going to be released 
anywhere else where it is not permitted. So that gives a 
contributor some level of confidence that their information is 
going to be protected, but it's also going to be used by other 
members of that community. So that is a key element.
    The other element is having well-trained personnel who are 
able to analyze information and be able to assimilate and 
synthesize all the different feeds that are coming in and make 
sense of it in a way that can provide the users with some kind 
of a coherent guidance for what to do about it.
    Mr. Ratcliffe. Terrific. Thank you, Mr. Garcia.
    Mr. Eggers, I want to come back to you for a second. As I 
mentioned before, I've had listening sessions with different 
groups and one of the things that we've learned is that, you 
know, liability protections are clearly going to be necessary 
to incentivize this information sharing.
    Can you explain what types of liability protections are 
needed and why?
    Mr. Eggers. Sure. Let me just kind of give you a feel for 
the protections, in general, where that liability protection 
fits in.
    So when we look at, let's say, something like the CISA 
bill--which, you know, unless there's maybe hiccups at an 
upcoming mark-up which could happen soon, we will support that 
bill. But I think about liability in terms of kind of four key 
protections. Right? So liability's probably the first and 
foremost liability. Right?
    In the legislation, if you're acting within the terms of 
the bill, you will be getting liability protections for the 
ways in which you share with the private-sector and Government 
entities. There's a few nuances.
    The second is regulatory protection, and the third is FOIA, 
and the fourth is anti-trust. So, if anything, I would mention 
that the liability protection probably sits at the top and is 
probably the most important one of the bunch, if you had to 
single one out.
    Mr. Ratcliffe. So expounding on that, why is private-to-
private sharing so important----
    Mr. Eggers. Generally----
    Mr. Ratcliffe [continuing]. And the liability protections 
associated with that?
    Mr. Eggers. Sure. So within the construct of a voluntary 
program--right?--and I think it's important just to stress 
we're talking about a voluntary program where we're trying to 
create some legal certainty--businesses, when they are, let's 
say, fortunate to be able to identify, let's say, a breach, an 
incident, they've got those bits and pieces of technical data 
that they should share with business partners and the 
governments to provide everyone a better sense of real 
security.
    But a lot of times what we hear from businesses is, ``Hey, 
we want to do the right thing, but we're afraid that the 
information that we share will come back to bite us''--right?--
``It will have a boomerang effect.''
    So they want protections to be able to share that with 
peers, and we encourage that. Right? So if there's some attacks 
that you know of that you can share with others so other folks 
can benefit, stop those attacks, that's a good thing. We want 
them to share with their business partners.
    The FS-ISAC is a great example. But we also want businesses 
to share that narrow threat data with Government, too, so they 
can start to build a bigger picture and help others, Government 
and private sector.
    Mr. Ratcliffe. Terrific. Thank you, Mr. Eggers.
    Dr. Libicki, in addition to threat and indicator 
information sharing, you mentioned two others: The sharing of 
software vulnerabilities with the software vendor and 
information sharing to improve cybersecurity practices.
    In your opinion, what would you suggest as appropriate 
legislative actions to address or enable these two areas?
    Mr. Libicki. I am not sure that you really need that much 
legislative action apart from, you know, appropriations 
authorization sort of information. Let me give you an example.
    I think the total amount of money spent world-wide to 
reward people for finding vulnerabilities in software isn't 
much more than about $10 million a year. When you consider 
that, globally, $70 billion a year are spent on cybersecurity 
tools and services and if you believe that, in fact, reducing 
the number of vulnerabilities can make people safer, there is a 
certain amount of room to increase the amount of money being 
spent on finding vulnerabilities.
    If I had to make a guess, I would say $10 million, which is 
not particularly large in the context of, say, DHS's total 
cybersecurity spending, could do a lot to encourage that kind 
of discovery.
    In terms of the other type of information sharing, every 
particular attack in many ways can be associated with things 
that you could have done differently, better practices, best 
practices. Although we have a canon of best practices today, a 
lot of times our best practices can be described as belt and 
suspenders.
    When you talk to CISOs who cannot afford both belts and 
suspenders, they want some sort of guidance as to which one is 
more important, how important is isolating systems, for 
instance, how important is multi-factor authentication, how 
important is training, how important are a lot of the various 
way that organizations can improve their cybersecurity.
    A lot of the way that you learn how organizations can 
improve cybersecurity is to figure out when something got past 
these particular defenses.
    So where you would want to put more resources in is a 
consolidated effort to try to assess the relative efficacy of 
various cybersecurity measures in the context in which they are 
used, and empowering NIST is one way to do that.
    NIST tends not to want to make those sorts of, ``Well, A is 
better than B decisions.'' But that's the kind of knowledge 
you're going to need for cybersecurity and, I think, in terms 
of R&D funding from NSF and the various ARPAs, is a way to help 
systematize this learning and collect the lessons from this 
learning.
    Mr. Ratcliffe. Thank you, Dr. Libicki.
    Ms. Callahan, in listening sessions with privacy groups, 
I've heard that following the Fair Information Practice 
Principles is a key to protecting Americans' privacies.
    In your opinion, what more can NCCIC do to increase 
transparency and ensure that these principles are followed?
    Ms. Callahan. Thank you, sir.
    The Fair Information Practice Principles, or the FIPPs, are 
the cornerstone for any analysis of analyzing the privacy 
impact of certain considerations.
    As you note, the NCCIC has applied the FIPPs in their 
processes. However, we can always improve. The NCCIC can also 
have--the transparency and the discussion of the effectiveness 
of information sharing I think could be a very valuable tool in 
light of the fact that, you know, we hear a lot about 
information sharing and how does it work? Mr. Garcia has some 
examples that I believe he'll share with you. But I think it's 
also important to understand why this information's being 
shared, what's happening to it, and where is it going.
    Dr. Ozment's testimony earlier this month--or, I guess, in 
February does have some statistics, as does Under Secretary 
Spaulding's, but I think understanding the core elements would 
be an important factor.
    The data minimization that I talked about and the 
procedures that NCCIC and CSNC go through are useful, and I 
think it wouldn't be--it would be good to again describe those 
in more detail and try to get some understanding.
    Finally, the issue about security clearances is a difficult 
one, but at the same time I think we can get more information 
at an Unclassified level perhaps both to explain to the 
private-sector companies who are concerned as well as those 
advocates.
    Thank you.
    Mr. Ratcliffe. Thank you.
    So do you think that the sharing of cyber threat 
information should be exempt from FOIA?
    Ms. Callahan. I think that there are several factors to 
think about. Candidly, the information that I have seen that's 
been shared from private-sector companies or from DHS to other 
Government entities is difficult to parse if you're not a 
computer. You know, we're trying to identify the malware. We're 
trying to identify what the threat is specifically. From a FOIA 
perspective, to understand public policy issues I don't think 
is very helpful.
    Furthermore, I certainly think that companies would be very 
reticent to share that information if, indeed, it was exposed 
to FOIA. I think it probably still meets under the FOIA 
qualifications of Exemption (b)(3).
    So I don't know that we need necessarily new legislation on 
that, but I think that the FOIA exemption is both useful and 
getting the information wouldn't be all that helpful for the 
advocates themselves.
    Mr. Ratcliffe. Thank you, Ms. Callahan.
    Mr. Eggers, what's your perspective on that question?
    Mr. Eggers. I think the exemption from--thank you--the 
exemption from disclosure is a fundamental part of any bill. 
Right? Businesses want to be sharing. We want them to share. 
They don't want to see their names necessarily in the headlines 
because they were trying to do the right thing.
    Mr. Ratcliffe. Terrific. Thank you.
    Pleased to be joined by the gentleman from Florida, Mr. 
Clawson. I'd like to yield to him for questions.
    Mr. Clawson. So you all had the good luck or bad luck of 
coming when it turns out to be a fly-out day, weather day, 
votes at the last second. I mean, you know, you had everything 
going against you. I wouldn't take personal offense to a bunch 
of folks not being here because it is an unusual day up here.
    So I think I have a grasp on what we're trying to do and 
why we're trying to do it. But when I put myself, if I were a 
participating company, with so many different stakeholders, 
particularly if it was a multi-national, I don't know how you 
get this to work.
    It feels like the right thing that the anti-trust blocks 
could get thrown out of the way by the Government. Liability 
insurance feels like a good start, too. But there still feels 
to be a lot of other obstacles that, if I were running my 
company, would give me lots of pause here.
    There's a long list. Right? I mean, first of all, if I was 
and have operated in foreign countries and their governments 
wanted to do this to me, I know I'd just say no.
    So the foreign stakeholders, including security holders, I 
think also makes this a lot more complicated, particularly in 
former Soviet Bloc countries, by the way, where they don't like 
Government involved in their IT systems. So the multi-national 
nature of stakeholders is the first thing that comes to mind.
    The second thing that comes to mind is who's not going to 
participate. If you don't get a big block of people in my 
industry participating, I am not sure I'd want to.
    The third thing I'd say is, ``Isn't this going to slow me 
down?'' More important, the very tool that you seem to be 
putting in place here might help the bad guys. Because if the 
Government does get in the middle almost at any level, it slows 
down, I think what the point is, disseminating data to the 
people that understand the malware as quickly as possible. So I 
could keep going on and on here.
    So I kind of feel like I like the idea. The devil's in the 
details. If I were a business, you'd have to--you know, if I 
were running a business again, you'd have to lay out pretty 
clearly how we would get over some of these obstacles and me 
still keep my fiduciary responsibility to shareholders and the 
other stakeholders in the company.
    When I hear that not everybody wants to participate, I say 
to myself, ``Hmm. I can kind of understand that.'' Now, that's 
from a non-IT guy, by the way. So you all know more about these 
things than I do.
    So take up where I've left off here. Am I on shaky ground 
in terms of these kind of concerns or am I hitting on something 
that you all have already anticipated and addressed prior to 
this in your own studies and activities?
    Mr. Eggers. Congressman, if I may--and then others can join 
me--let me try to come at your questions this way. They're very 
good.
    We're talking about information sharing, but one of the 
things that's positive about the framework is you can be using 
the framework in any country, any province, any State. It's not 
mandatory. It's voluntary.
    So you don't have to come up specially-engineered cyber 
solutions to comply with, let's say, regulations of each 
country. That would not be good. That would be too costly even 
for big companies.
    No. 2, information sharing, voluntary at least under the 
bill that we are championing, the CISA bill currently in the 
Senate, at least in draft form.
    The information-sharing program we're looking to achieve is 
not about surveillance. It's about sharing threat data from 
business-to-business, business-to-government, and, hopefully, 
more and more business-to-government so that can stop future 
attacks.
    The Chamber--we were part of a letter that had----
    Mr. Clawson. Can I interrupt just for a second?
    Mr. Eggers. Sure.
    Mr. Clawson. Business-to-business I understand because, if 
the attack hits here, let's get at the information to--by the 
way, even my competitors. Right?--and so that they can be 
inoculated.
    Mr. Eggers. Uh-huh.
    Mr. Clawson. Why Government?
    Mr. Eggers. We can't fight the bad guys without working 
together. When I think about the threats out there, it's not 
the wayward kid down the street that's having fun, maybe, 
breaking into a computer system.
    It's nation-states. It's people working on their behalf. 
It's super criminal groups that I think Dr. Libicki points out 
is very costly.
    So if we're going to--and I like to think of an 
information-sharing bill. It's trying to knock the bad guys 
off-balance. Right? We need to push them off-balance. Right?
    We're going to share and be more resilient, meaning 
industry and Government. So we need to work together. We can't 
tackle nation-states or their proxies solo. We can't do it. So 
we need to work together, and we need to do it smartly.
    Mr. Clawson. Anybody else?
    Mr. Garcia. Sure. I agree with Mr. Eggers. I think, you 
know, when you look at this very complicated world of cyber 
threats, the industry has information that the Government does 
not have globally. We are located around the world. The 
Government has information that we do not have, Classified 
information, information about nation-state activities. If 
we're not fusing that together, we're really not getting a 
broad situational awareness. So we are not where we should be.
    The financial sector has been working closely with the 
Government to think about the ways to improve the bidirectional 
sharing of information between industry and Government, and the 
Government agencies recognize that internally they need to 
improve their processes or how do they process information 
within the Government and then what's the tear line, meaning 
what's the really critical information that can be sent to the 
private sector, leaving the sources and methods, which is 
Classified, out of it because we don't need that information.
    So we're working through that process of trying to improve 
content and procedures. It isn't easy. Government is not--
there's many agencies in the Government with different cultures 
and different ways of doing things. The same goes with the 
private sector. So----
    Mr. Clawson. Am I right to say that the further down you 
push the actual activity, meaning Government becomes an abler, 
facilitator, as opposed to active participant, there's an 
inverse relationship so you'll get more--if less Government's 
involved on a direct basis, more companies will voluntarily 
sign up.
    Am I right or wrong about that? You see, I know what I 
would feel. I know what I would think.
    Mr. Garcia. Yes. And----
    Mr. Clawson. It feels like it will be quicker without the 
Government being a direct participant, and it feels like it 
will be, you know, less risky in a lot of ways if I am doing 
this peer-to-peer with protection of the Government as opposed 
to the Government being the clearinghouse and interpreter of 
the data.
    Mr. Garcia. We wouldn't look at the Government as a 
clearinghouse or interpreter either, but we do see them as a 
partner that--again, they can provide information we don't have 
and vice versa.
    Yes, I think there will be companies and organizations out 
there that have less trust in working with the Government for 
the liability concerns that Mr. Eggers has articulated, but the 
same goes for company-to-company at times. We're dealing with 
competitors.
    In the financial sector, it's not quite the same thing. We 
are all competitors in financial services. But when it comes to 
cybersecurity, we're all in it together. It is not a 
competitive issue. So we've gotten over that hurdle.
    We understand that we have to proceed on the assumption 
that we are all under attack every day and we are all going to 
get hit at one point or another. So let's just come to the 
table with that and admit that. ``Now, what are we going to do 
about it together?''
    That's a trust relationship that has been building over 
time. Other industry sectors, not as much. Hopefully, this 
information-sharing and analysis organization model that the 
administration is trying to incentivize--maybe that will move 
other companies toward more trust-sharing models not just among 
themselves, but with the Government.
    Mr. Eggers. Congressman Clawson, if I may, let me add to 
that.
    So you had mentioned about business interest and 
information sharing. The Chamber was one of about 35 
associations representing--I don't know--back of the envelope, 
maybe 80 to 90 percent of the U.S. economy, stating that, ``We 
need a good bill that clears away the legal policy underbrush, 
gives us certainty that, when we are sharing, we are 
protected.''
    Mr. Clawson. That's easy. Right? I mean, we all agree on 
that. I mean----
    Mr. Eggers. So one thing I might add, if I just may--you 
mentioned slowing things down--one thing that we are looking 
at--and the jury's still out with respect to the Executive 
Order on cyber information sharing, at least February 13--is 
the standards/best practices element of standing up more 
ISAOs--right?--or at least having organizations declare that 
they've self-certified it at a future date, that they are 
following certain standards/best practices.
    One of the things that I think gives our members pause is 
not that you're going to be holding up an entity as a model for 
how to share well. What we're concerned about is, in that 
process of creating standards, highlighting best practices, 
that that could kind of gum up the information-sharing works.
    Mr. Clawson. Right. Right. I mean, look, if I wanted to get 
a good laugh out of my employees, two lines I could say: 
``We're from corporate and we're here to help''--that always 
got a chuckle--or ``We're from the Government and we're here to 
help.''
    You know, employee stakeholders have had long-time 
experience of hearing people say that and then it goes wrong on 
them. You know, that's the--for this to work, whether you're 
the Chamber or whoever we are, we would have to be able to 
convince the companies and, more importantly, the folks that 
are running the IT systems and the ERPs that both corporate 
and, you know, in this case, the Government, is really not 
going to slow them down.
    I think clearing out the underbrush, as you say--I mean, 
that's a no-brainer. Right? I mean, take away the anti-trust 
and take away the liability and we're much more likely to 
share.
    But then, after that, after many years in the private 
sector, this story gets more murky to me as, you know, good 
intentions where things could easily go wrong or not get enough 
companies to participate to make a difference.
    I'm glad that the financial sector is in that position, but 
having been involved in other sectors, I am really pretty sure 
that they're not nearly as organized and that their industries, 
by the way, are not nearly as consolidated.
    So, you know, in the financial--we still have got a lot of 
community banks left, but it's a much more consolidated 
environment than it is in a lot of other industries. Those 
unconsolidated environments are a different animal. I don't 
know if that's even a word or not. But that's a different 
animal than what you're talking about.
    I don't want to take all the time here. But give me a 
reaction on whether I'm all wet here.
    Mr. Garcia. Well, you know, you can see where there are 
times when information sharing has slowed down, for example, 
when something is subject to law enforcement investigation. 
Okay?
    Now no one can talk about it and you can't actually 
disseminate the facts about something that, if other potential 
victims had that information, they could shut down systems that 
might otherwise be attacked.
    So, yeah, there will be situations where trying to engage 
with the Government is going to slow things down. There are 
other situations where it's going to speed things up.
    For example, we had worked within the NCCIC cooperatively 
with DHS. There was a point-of-sale malware called Backoff that 
was infecting a lot of different retail outlets all over the 
country.
    Actually coming together, we fused information that DHS had 
and what the financial sector had, and we made sense of what 
this point-of-sale malware was doing. We pushed out a joint 
product, basically said, ``Here's the threat. Here's what it's 
trying to do. Here's what you need to do to fix it.''
    One of the participants in the activity had something like 
50 stores located in 24 different States where they actually 
took that advice and they made the correction before it----
    Mr. Clawson. Who identified the malware?
    Mr. Garcia. That could have been--I don't have the 
specifics. It could have been from law enforcement. Often law 
enforcement can find certain malware----
    Mr. Clawson. Or an outside contractor to----
    Mr. Garcia. It comes from many different places. It can 
come from security companies who are on contract. It can come 
from law enforcement that's doing their own investigative 
forensics work. It can come from a member company of the FS-
ISAC. It can come from an analyst at DHS or the intelligence 
community.
    It's a matter of having that automated phone tree, if you 
will, where we can bring all of those sources of intelligence 
together and make sense of it. Sometimes it's slow. Sometimes 
it's faster.
    We're trying to get ourselves to a point of more automated 
threat information sharing where we actually can take out some 
of the human dimension of having to pick up a phone and call 
somebody or send an email saying ``Did you see what I just 
saw?'' and, actually, the machines are recognizing these kinds 
of----
    Mr. Clawson. Looking for patterns.
    Mr. Garcia. Yeah.
    Mr. Clawson. Dr. Libicki.
    Mr. Libicki. Yes.
    Mr. Clawson. Anything to add?
    Mr. Libicki. Yes. I want to add to some of the comments.
    I think we have a common stake in better cybersecurity. 
Okay? In a world in which, say, one bank is subject to an 
attack that causes people to lose trust in the bank, their 
neighbor across the street isn't going to be better off. In 
many ways, they're going to be worse off.
    The attack that makes people wonder if they can give a 
credit card to one merchant isn't going to necessarily have 
them running to another merchant. It's going to complicate the 
response of everybody who wants to use credit cards in 
commerce. For that reason, there is going to be a common 
interest in information security, in cybersecurity, and 
improving it across the lot.
    To a large extent we shouldn't forget that the Government 
organizations themselves have an interest in their own 
cybersecurity and there's information on best practices, on how 
to make good decisions, that they can learn from the rest of 
the economy, or the benefits that they get from closing 
vulnerabilities in software used in business also helps the 
Government organizations preserve their own systems, preserve 
their own confidentiality in their systems and----
    Mr. Clawson. That's a good point.
    Mr. Libicki [continuing]. Authentication.
    Mr. Clawson. That's a good point.
    Ms. Callahan. If I may, sir, just to follow up, I think 
about information sharing both among the companies and, also, 
with and from the Government as kind of three-dimensional 
chess. You need to know where each of the different elements 
are, as Mr. Garcia and Dr. Libicki talked about, and you may 
not have the complete picture unless you get all of the 
information.
    I completely agree with you that you don't want the 
Government in your business dealing with what the threat is 
itself, but you do want to share the information that you've 
figured out or maybe a contractor figured out or maybe the 
Government figured out.
    So it's to share the information as broadly as possible, 
but not to have the Government come and, you know, deal with 
the information or address the cyber threat unless it's a 
critical scenario.
    Mr. Eggers. Congressman, if I may just add a quick point, 
one thing I think about or at least our members think about in 
terms of getting from Point A to Point B, A to Z, on an 
information-sharing bill, a bill that clears both Chambers and, 
hopefully, gets to the President's desk this year, is, even 
though it's important to protect privacy, that we not lose 
sight of the burdens that we could place on small and mid-sized 
businesses to scrub personal information.
    Those kinds of provisions will be in a bill, but I want to 
make sure that we not go too far that we're essentially, from a 
practical standpoint, having the small and mid-sized guys sit 
on the sidelines because they feel like they can't scrub 
personal information adequately or do it at least under the 
terms of any future bill.
    Mr. Clawson. Boy, that's a tough balance. I mean, I thought 
about this all day. We talked about it with our team. With 
small businesses that don't have a lot of dedicated resources 
and often outsource anything of any complexity with regards 
to--I mean, they even outsource their own ERP system. Right?
    You know, to get a bill which will convince those folks to 
participate in a voluntary program that could make their life 
more difficult and still get the bill through--because you're 
going to have folks like me that are going to say, ``I'm just 
not fond of the Government being in my cell or in my ERP, 
either one, really.''
    That's going to be a neat trick. Right? I mean, that just 
doesn't feel like it will be easy to do. I'm not trying to be 
critical. It just feels like a mountain to climb here to get it 
just right where you don't make it so onerous that no one signs 
up. But you have got to have something that has enough impact 
to get the bill passed.
    Am I making sense?
    Mr. Eggers. Yes. One quick brief note on that is, when I 
say small and mid-sized guys just generically, I'm thinking in 
a lot of ways some of the supply chain elements of, let's say, 
a bigger firm.
    If those smaller companies are hacked, we want them to have 
the confidence that they report, let's say, to the bigger 
company and a lot of times the Government won't necessarily 
have to be in their systems.
    What they will be doing is sharing those technical bits and 
pieces of information that the bigger company can use and, 
let's say, law enforcement can use to build a case against 
folks probably overseas.
    Mr. Clawson. Well, if I can help you--I mean, I'm playing 
devil's advocate here, obviously. But I'm doing it because I'm 
trying to--you know, I hope this works. I don't want it to 
fail. We want it to work.
    Mr. Eggers. Agreed.
    Mr. Clawson. So I think the more front-end conversations 
you have like this one--and I know you're doing that every day 
with people that are out there--the better your chances of 
getting people to participate.
    Because, if they don't come around, we're dead. Right? I 
mean, if it's a voluntary program and no one signs up, then 
it's not going to do us much good.
    Ms. Callahan. I think, for the small and medium-sized 
businesses, the automated sharing that Mr. Garcia talked about 
can really help facilitate that. Therefore, the more people can 
participate, the bigger the pie, so to speak, the more you can 
share, the less burden it is on the small and medium-sized 
enterprises.
    Mr. Clawson. I yield back.
    Thank you, everybody, for your patience with me.
    Mr. Ratcliffe. I thank the gentleman.
    I agree with the gentleman that weather has definitely 
affected attendance today. But I know that my colleagues on 
both sides of the aisle see this as a critically important 
issue, as evidenced by the fact that a number of them were with 
me earlier this morning and with the Chairman, touring the 
NCCIC.
    So, with that, I am very grateful to the witnesses for 
their valuable testimony. I know that it will inform this 
committee as we move forward.
    I thank my colleague for his questions.
    The Members of the committee may have some additional 
questions for witnesses, and we'll ask them to respond to these 
in writing. Pursuant to committee rule 7(e), the hearing record 
will be held open for 10 days.
    Without objection, the subcommittee stands adjourned.
    [Whereupon, at 4:08 p.m., the subcommittee was adjourned.]
                             
                             [all]