[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]

INDUSTRY PERSPECTIVES ON THE PRESIDENT'S CYBERSECURITY INFORMATION-SHARING PROPOSAL
=======================================================================

HEARING BEFORE THE SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND SECURITY TECHNOLOGIES OF THE COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED FOURTEENTH CONGRESS
FIRST SESSION

MARCH 4, 2015

Serial No. 114-7

Printed for the use of the Committee on Homeland Security

Available via the World Wide Web: http://www.gpo.gov/fdsys/

U.S. GOVERNMENT PUBLISHING OFFICE
94-578 PDF
WASHINGTON : 2015

For sale by the Superintendent of Documents, U.S. Government Publishing Office, http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). E-mail, [email protected].

COMMITTEE ON HOMELAND SECURITY

Michael T. McCaul, Texas, Chairman
Lamar Smith, Texas
Peter T. King, New York
Mike Rogers, Alabama
Candice S. Miller, Michigan, Vice Chair
Jeff Duncan, South Carolina
Tom Marino, Pennsylvania
Steven M. Palazzo, Mississippi
Lou Barletta, Pennsylvania
Scott Perry, Pennsylvania
Curt Clawson, Florida
John Katko, New York
Will Hurd, Texas
Earl L. ``Buddy'' Carter, Georgia
Mark Walker, North Carolina
Barry Loudermilk, Georgia
Martha McSally, Arizona
John Ratcliffe, Texas

Bennie G. Thompson, Mississippi
Loretta Sanchez, California
Sheila Jackson Lee, Texas
James R. Langevin, Rhode Island
Brian Higgins, New York
Cedric L. Richmond, Louisiana
William R. Keating, Massachusetts
Donald M. Payne, Jr., New Jersey
Filemon Vela, Texas
Bonnie Watson Coleman, New Jersey
Kathleen M. Rice, New York
Norma J. Torres, California

Brendan P. Shields, Staff Director
Joan V. O'Hara, General Counsel
Michael S. Twinchek, Chief Clerk
I. Lanier Avant, Minority Staff Director

SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND SECURITY TECHNOLOGIES

John Ratcliffe, Texas, Chairman
Peter T. King, New York
Tom Marino, Pennsylvania
Steven M. Palazzo, Mississippi
Scott Perry, Pennsylvania
Curt Clawson, Florida
Michael T. McCaul, Texas (ex officio)

Cedric L. Richmond, Louisiana
Loretta Sanchez, California
Sheila Jackson Lee, Texas
James R. Langevin, Rhode Island
Bennie G. Thompson, Mississippi (ex officio)

Brett DeWitt, Subcommittee Staff Director
Dennis Terry, Subcommittee Clerk
Christopher Schepis, Minority Subcommittee Staff Director

C O N T E N T S

Statements

The Honorable John Ratcliffe, a Representative in Congress From the State of Texas, and Chairman, Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies: Oral Statement; Prepared Statement
The Honorable Cedric L. Richmond, a Representative in Congress From the State of Louisiana, and Ranking Member, Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies: Prepared Statement
The Honorable James R. Langevin, a Representative in Congress From the State of Rhode Island: Oral Statement

Witnesses

Mr. Matthew J. Eggers, Senior Director, National Security and Emergency Preparedness, U.S. Chamber of Commerce: Oral Statement; Prepared Statement
Ms. Mary Ellen Callahan, Jenner & Block, Former Chief Privacy Officer, U.S. Department of Homeland Security: Oral Statement; Prepared Statement
Mr. Gregory T. Garcia, Executive Director, Financial Services Sector Coordinating Council: Oral Statement; Prepared Statement
Mr. Martin C. Libicki, The Rand Corporation: Oral Statement; Prepared Statement

For the Record

The Honorable John Ratcliffe, a Representative in Congress From the State of Texas, and Chairman, Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies: Letter From the National Defense Industrial Association; Letter From the American Bankers Association; Letter From the Retail Industry Leaders Association; Statement of the Financial Services Information Sharing & Analysis Center and the National Council of Information Sharing and Analysis Centers

INDUSTRY PERSPECTIVES ON THE PRESIDENT'S CYBERSECURITY INFORMATION-SHARING PROPOSAL
----------

Wednesday, March 4, 2015

U.S. House of Representatives, Committee on Homeland Security, Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, Washington, DC.

The subcommittee met, pursuant to call, at 2:06 p.m., in Room 311, Cannon House Office Building, Hon. John Ratcliffe [Chairman of the subcommittee] presiding.

Present: Representatives Ratcliffe, Clawson, and Langevin.

Mr. Ratcliffe. The Committee on Homeland Security, Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, will come to order.

I now recognize myself for an opening statement.

The subcommittee meets today to hear from key stakeholders, including industry, privacy advocates in academia, on the President's cybersecurity information-sharing proposal in recent cyber initiatives.
Last week the full committee heard testimony from the Department of Homeland Security's top cyber officials on the growing cybersecurity threat and how this legislative proposal could enhance protection of our digital networks and Americans' most personal information. Today we turn to the private sector and look forward to hearing from our witnesses on what they think cyber threat-sharing legislation should look like.

For years, the private sector has been on the front line battling devastating cyber attacks from criminals, activists in nation-states such as Iran, China, Russia, and North Korea. Any cyber threat-sharing legislation produced by Congress should enhance existing capabilities and relationships while establishing procedures to safeguard personal privacy. Protecting privacy and the integrity of information is what compels us to act.

The recent cyber breach of health insurance giant Anthem exposed the personal information of up to 80 million Americans, approximately 1 in every 4 Americans, demonstrating that the quantity and sophistication of these attacks is only increasing.

Just last week the director of national intelligence, James Clapper, underscored this fact, stating that cyber attacks against us are increasing in frequency, scale, sophistication, and severity of impact and that the methods of attack and the systems targeted and the victims are also expanding in diversity and intensity on a daily basis.

He emphasized that privacy and the integrity of information are indeed at risk, stating that, ``In the future, we will probably see cyber operations that change or manipulate electronic information to compromise its integrity instead of simply deleting or disrupting access to it.''

Director Clapper also revealed that, in 2014, America saw for the first time destructive cyber attacks carried out on U.S. soil by nation-state entities when he confirmed that Iran was behind the cyber attack against the Las Vegas Sands Corporation, which is owned by a vocal supporter of Israel.

These breaches are now becoming the norm with attacks on Sony Pictures, Target, Home Depot, JPMorgan, and others as evidence of that fact. FBI director Jim Comey recently stated, ``There are two kinds of big companies in the United States, those who have been hacked by the Chinese and those who don't know they have been hacked by the Chinese.''

Further, these attacks are not just affecting the largest businesses in financial institutions, but small and medium ones as well. Accordingly, we need to pass legislation that facilitates the sharing of cyber threat indicators and contains robust privacy protections to improve collaboration between Federal civilian agencies, like the DHS, and the private sector.

The Department of Homeland Security's National Cybersecurity and Communications Integration Center, or NCCIC, has been at the forefront of working with the private sector to facilitate cyber threat sharing between the Government and the private sector. NCCIC is a civilian cyber operations center with an embedded statutorily-required privacy office. In fact, both industry and privacy advocates support NCCIC, which was codified into law last year in bipartisan legislation produced by this committee.

NCCIC has been the lead civilian portal for cyber threat sharing between the private sector and the Government, and it is important that NCCIC and other civilian portals be the focus of any cyber threat-sharing legislation.

Today many companies still choose not to share cyber threat indicators with one another or with NCCIC because they fear legal liability. Information about an attack experienced by one company can enable another to fortify its defenses. Yet, when the sharing does not occur, it leaves all of us more vulnerable because the same criminals can use the same tactics to target other companies, exposing even more Americans to having their private information compromised.

Past legislative attempts to improve cyber threat sharing between the private sector and Government and private sector-to-private sector have failed in large part because they could not balance privacy protections with the need for industry to share cyber threat indicators. This Congress I look forward to working with Chairman McCaul, Ranking Member Thompson, and Ranking Member Richmond to craft thoughtful cybersecurity legislation that achieves this balance.

I look forward to hearing from each of the witnesses in their respective fields about the opinions on how best this committee should move forward on drafting legislation to address these issues and what perspectives each of you have on the President's recent legislative proposal and cyber initiatives.

Every generation faces monumental moments where its tenacity to overcome the challenges of our time are tested. Now is our time, as we move deeper into the digital age, to ensure that the cybersecurity challenges we face today are met with the same resolve shown by previous generations of Americans.

I want to thank the witnesses for testifying before this committee, and I look forward to your testimony.

[The statement of Chairman Ratcliffe follows:]

Statement of Chairman John Ratcliffe
February 4, 2015

The subcommittee meets today to hear from key stakeholders including industry, privacy advocates, and academia on the President's cybersecurity information sharing proposal and recent cyber initiatives. Last week, the full committee heard testimony from the Department of Homeland Security's top cyber officials on the growing cybersecurity threat and how this legislative proposal could enhance protection of our digital networks and Americans' most personal information.
Today, we turn to the private sector and look forward to hearing from our witnesses on what they think cyber threat-sharing legislation should look like.

For years, the private sector has been on the front lines battling devastating cyber attacks from criminals, hacktivists, and nation-states such as Iran, China, Russia, and North Korea. Any cyber threat-sharing legislation produced by Congress should enhance existing capabilities and relationships while establishing procedures to safeguard personal privacy. Protecting privacy and the integrity of information is what compels us to act.

The recent cyber breach of health insurance giant Anthem exposed the personal information of up to 80 million individuals--approximately 1 in 4 Americans--demonstrating that the quantity and sophistication of these attacks are only increasing. Just last week, Director of National Intelligence, James Clapper underscored this fact, stating that ``[cyber] attacks against us are increasing in frequency, scale, sophistication and severity of impact'' and ``the methods of attack, the systems targeted, and the victims are also expanding in diversity and intensity on a daily basis.'' He emphasized that privacy and the integrity of information are indeed at risk, stating, ``in the future, we'll probably see cyber operations that change or manipulate electronic information to compromise its integrity instead of simply deleting or disrupting access to it.''

Director Clapper also revealed that in 2014, America ``saw, for the first time, destructive cyber attacks carried out on U.S. soil by nation-state entities,'' confirming that Iran was behind a cyber attack against the Las Vegas Sands Corp., which is owned by a vocal supporter of Israel. These breaches are becoming the norm, with attacks on Sony Pictures, Target, Home Depot, JP Morgan, and many others. FBI Director James Comey stated, ``There are two kinds of big companies in the United States. There are those who've been hacked by the Chinese and those who don't know they've been hacked by the Chinese.'' Further, these attacks are not just affecting the largest businesses and financial institutions, but small and medium ones as well.

As such, we need to pass legislation that facilitates the sharing of cyber threat indicators and contains robust privacy protections to improve collaboration between Federal civilian agencies like DHS and the private sector. The Department of Homeland Security's National Cybersecurity and Communications Integration Center, or NCCIC, has been at the forefront working with the private sector to facilitate cyber threat sharing between the Government and the private sector. NCCIC is a civilian cyber operations center with an embedded statutorily-required privacy office. In fact, both industry and privacy advocates support NCCIC, which was codified into law last year in bipartisan legislation produced by this committee. NCCIC has been the lead civilian portal for cyber threat sharing between the private sector and the Government and it is important that NCCIC and other civilian portals be the focus of any cyber threat-sharing legislation.

Today, many companies still choose not to share cyber threat indicators with one another or NCCIC because they fear legal liability. Information about an attack experienced by one can enable another to fortify its defenses. Yet when this sharing does not occur, it leaves all of us more vulnerable because the same criminals can use the same tactics to target other companies, exposing even more Americans to having their private information compromised.

Past legislative attempts to improve cyber threat sharing between the private sector and Government, and private sector-to-private sector, have failed in large part because they could not balance privacy protections with the need for industry to share cyber threat indicators. This Congress, I look forward to working with Chairman McCaul, Ranking Member Thompson, and Ranking Member Richmond to craft thoughtful cybersecurity legislation that achieves this balance.

I look forward to hearing from each of the witnesses in their respective fields about their opinions on how best this committee should move forward on drafting legislation to address these issues and what perspectives each of you have on the President's recent legislative proposal and cyber initiatives.

Every generation faces monumental moments where their tenacity to overcome the challenges of the time are tested. Now is our time, as we move deeper into the digital age, to ensure that the cybersecurity challenges we face today are met with the same resolve shown by previous generations of Americans.

I want to thank the witnesses for testifying before this committee and I look forward to your testimony.

Mr. Ratcliffe. Next I will ask for unanimous consent to insert into the record the letters received by the committee from the following organizations: National Defense Industrial Association, American Bankers Association, Retail Industry Leaders Association, and the Financial Services Information Sharing and Analysis Center. Without objection, so ordered.

[The information follows:]

Letter From the National Defense Industrial Association

March 3, 2015.

The Honorable Michael McCaul, Chairman, Committee on Homeland Security, U.S. House of Representatives.
The Honorable Bennie Thompson, Ranking Member, Committee on Homeland Security, U.S. House of Representatives.

Dear Chairman McCaul and Ranking Member Thompson: The National Defense Industrial Association (NDIA) is a non-partisan, non-profit, association with more than 1,600 corporate members and approximately 90,000 individual members.
On March 4, 2015, your committee will hold a hearing titled ``Industry Perspectives on the President's Cybersecurity Information-Sharing Proposal.'' NDIA has received pertinent comments from its membership concerning the President's proposal which I have enclosed with this letter. Below is a synopsis of those comments to inform your committee hearing.

The President's Cybersecurity Information-Sharing Proposal sometimes uses vague language that makes the legislation subject to the reader's interpretation. For example, section 103(c)(2) of the proposal states that a private entity receiving cyber threat indicators shall take ``reasonable efforts'' to protect the privacy of specific individuals and to ``safeguard'' information on specific persons. Section 103(c)(3) of the same proposal also uses the term ``reasonable.'' However, the proposal does not define what is ``reasonable,'' or what is adequate ``safeguarding.'' These undefined terms leave the door open for an enforcing agency or court to step in and provide definitions at their discretion. Instead, NDIA proposes that any legislation define what is ``reasonable'' or where such a definition can be obtained, such as in an industry or Government standard. To that end, we recommend that the work done by the National Institute of Standards and Technology (NIST) expand to include these definitions.

The President's proposal also contemplates the creation of Information Sharing and Analysis Organizations (ISAOs) for the sharing of information by private industry. The role of ISAOs is further explained by Executive Order 13691, ``Promoting Private Sector Cybersecurity Information Sharing.'' Nothing appears to preclude existing Information Sharing and Analysis Centers (ISACs) from becoming ISAOs, although it is understood that ISAOs encompass a broader need-specific range of activities. The legislative proposal should explain the role of ISACs in the new scheme and positively allow or disallow ISACs from becoming ISAOs. The legislative proposal should also explain the role of other information sharing efforts, such as the Defense Security Information Exchange (DSIE). The new legislation should not bring past successful efforts to a premature end. Missing from the creation of ISAOs is an explanation of how the ``stovepiping effect'' prevalent among the ISACs and in other cyber sharing efforts can be eliminated.

NIST is working hard to arrive at generally accepted standards for a ``cybersecurity framework.'' Their work should be emulated by having the legislation make clear that the government's role is to learn from industry standards and to conform itself to industry standards rather than the other way around. For example, ``best practices'' should be specifically recognized as evolving, and industry should have a mechanism to appeal previously determined ``best practices.''

Also, important missing language in the proposed legislation's concept of ``information sharing'' is that the information sharing should be secure. Otherwise, the value of information sharing is negated.

The proposed legislation's liability protections should include an explicit extension of the Support Anti-Terrorism by Fostering Effective Technologies (SAFETY) Act. Your Committee previously introduced a bill that extended such liability protection, and a similar protection should be included in this legislation. The legislation should include anti-trust protection for entities that share information.

A specific concern within the defense industrial base is that existing regulations already require breach notification and mandatory information sharing. Therefore, the proposed legislation needs to provide, in instances where the government requires the sharing or disclosure of information, extended liability protection to companies that are affected.

Thank you for your attention to this letter. NDIA looks forward to working with your Committee on this and other important matters impacting industry. Please do not hesitate to contact us if you have any questions or need any further comments.

Sincerely,
Jimmy Thomas, Director of Legislative Policy.

______

Letter From the American Bankers Association

March 3, 2015.

The Honorable John Ratcliffe, Chairman, Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, Committee on Homeland Security, United States House of Representatives, Washington, DC 20515.
The Honorable Cedric L. Richmond, Ranking Member, Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, Committee on Homeland Security, United States House of Representatives, Washington, DC 20515.

Dear Chairman Ratcliffe and Ranking Member Richmond: On behalf of the members of the American Bankers Association (ABA), I respectfully request this letter be included as part of the record for your hearing ``Industry Perspectives on the President's Cybersecurity Information-Sharing Proposal.''

Recent cyber-attacks underscore the need to help all businesses improve their awareness of threats and enhance their response capabilities. The steps taken by the Administration, through the issuance of the February 13, 2015 executive order promoting private sector Cybersecurity information sharing, will help the business community and government agencies share critical threat information more effectively.

While the recent executive order is an important step towards more effective information sharing, it is widely recognized that Congress must also act to pass legislation to fill important gaps that executive action cannot fill. For instance, legislation is necessary to give businesses legal certainty that they have safe harbor against frivolous lawsuits when voluntarily sharing and receiving threat indicators and countermeasures in real time and taking actions to mitigate cyber attacks.
Legislation also needs to offer protections related to public disclosure, regulatory, and antitrust matters in order to increase the timely exchange of information among public and private entities. ABA also believes that legislation needs to safeguard privacy and civil liberties and establish appropriate roles for civilian and intelligence agencies.

The financial sector is dedicated to protecting customer data, and has led the way for effective information sharing through the development of the Financial Services Information Sharing and Analysis Center (FS-ISAC). We are committed to working with others within the overall business community to develop a similarly strong and effective mechanism for sharing threat information.

We share the views of the Financial Services Sector Coordinating Council (FSSCC) and the testimony that will be given by Mr. Greg Garcia. However, we would like to highlight two important areas within the executive order: The acceleration of the DHS security clearance process and the establishment of Information Sharing and Analysis Organizations (ISAOs).

Information sharing is of critical importance to the financial services sector, other critical infrastructure sectors and the government. Without it, none of the financial sector's security and resiliency priorities would be achievable. With key federal support from the Treasury Department as our Sector Specific Agency, law enforcement and DHS, our network defenders are better able to prepare for cyber threats when there is a consistent, reliable and sustainable flow of actionable Cybersecurity information and analysis, at both a classified and unclassified level. As a nation, we are making some progress toward this goal, but it has become increasingly necessary for appropriately-cleared representatives of critical sectors such as financial services to have access, and provide contributions, to classified information that enables analysts and operators to take timely action to defend essential systems. Accordingly, the executive order's enhancement of DHS's role in accelerating the security clearance process for critical sector owners and operators is a clear indication of the Administration's support for this public-private partnership.

The ISACs have played an important role for critical infrastructure protection information sharing and incident response for their sectors. The FS-ISAC, in particular, enjoys strong support from sector members, Treasury and DHS. In this spirit, we also support the creation of ISAOs as a mechanism for all sectors, regions and other stakeholder groups to share Cybersecurity information and coordinate analysis and response. While ISACs must retain their status as the government's primary critical infrastructure partners, given their mandate for broad sectorial representation, the development of ISAOs should be facilitated for stakeholder groups that require a collaborative cyber and physical threat information sharing capability that builds on the strong foundation laid by the ISACs.

As the ISAO standards development process unfolds, certain principles must be upheld for structuring both the ISAOs themselves and the government's interaction with them:

  - Sharing of sensitive security information within and among communities of trust is successful when operational standards of practice establish clear and enforced information handling rules;
  - Information sharing is not a competitive sport: while competition in innovation can improve technical capabilities, operational standards should incentivize federated information sharing. Threat and vulnerability intelligence needs to be fused across trust communities, not diffused or siloed;
  - Government internal processes for collecting, analyzing and packaging critical infrastructure protection intelligence for ISAC/ISAO consumption must be streamlined and transparent to maximize timeliness, accuracy and relevance of actionable shared information; and
  - To manage scarce resources, government information sharing mechanisms such as the National Cyber and Communications Integration Center (NCCIC) and the Treasury Department's Cyber Intelligence Group (CIG) should prioritize engagements with ISACs and ISAOs according to transparently established criteria.

It is also important that the process to develop the ISAO standards is collaborative, open, and transparent. The process managed by the National Institute of Standards and Technology (NIST) during the development of the NIST Cybersecurity Framework is an excellent example of the appropriate leveraging of private sector input, knowledge and experience to develop guidance that will primarily impact non-governmental entities. We encourage DHS, as the implementing authority of the president's EO, to emulate the engagement model that NIST used to create and adopt their Cybersecurity Framework. The process worked.

Finally, for DHS to be successful implementing the EO and its many cyber security risk management and partnership authorities, it must be sufficiently resourced with the best analytical and technical capabilities, with a cadre of highly qualified Cybersecurity leaders and analytical teams to conduct its mission. There must be a concerted effort to recruit, retain and maintain a world class workforce that is able to assess cyber threats globally and help the private sector reduce risk to this nation.

With the application of the principles discussed in this statement, we believe the creation of ISAOs and their partnership agreements with DHS have the potential to complement the ISAC foundation and measurably improve cyber risk reduction for critical infrastructure and the national economy. We look forward to working with Congress, the Administration and DHS to leverage the FS-ISAC as a successful model in the development of regional information sharing and analysis organizations. Above all, we urge Congress to send a bill to the president that gives businesses the liability and antitrust protections, and our citizens the privacy and civil liberty protections that will enhance our already significant efforts to protect the Cybersecurity of our nation.

Although it was not the focal point of the hearing, we understand that an issue may be raised about whether or not requiring PINs on transactions would be a more effective way to prevent harm to consumers. There are some very positive features of PIN transactions, but the fact is that the recent data breaches show the limitations of PINs as a security feature. The recent breaches demonstrate the danger of PINs with debit cards that are directly linked to a person's bank account (e.g., through an ATM). It is possible that if a PIN is stolen from a retailer's system, a criminal could access the customer's entire account and commit fraud. Security reporter Brian Krebs wrote that there are recent examples, such as with the recent Home Depot breach, of thieves acquiring PINs, changing them, and withdrawing cash from customers' accounts.\1\ The data also shows that hackers increasingly target PINs. A report by the Federal Reserve Bank of Atlanta published in 2012 found that PIN debit fraud rates have increased more than threefold since 2004.\2\

---------------------------------------------------------------------------
\1\ http://krebsonsecurity.com/2014/09/in-wake-of-confirmed-breach-at-home-depot-banks-see-spike-in-pin-debit-card-fraud/.
\2\ Federal Reserve Bank of Atlanta (2012) http://bit.ly/16RAPGW.
---------------------------------------------------------------------------

The security threat we face now is a complex problem that cannot be solved by any single technology, standard, mandate or regulation. In fact, it cannot be solved by a single sector of society--businesses, standards-setting bodies, policymakers, and law enforcement--must work together to protect the financial and privacy interests of consumers. The attached white paper ``Preventing Data Breaches: Smart Security in a Changing Threat Landscape'' which was prepared by the ABA, goes into this issue in greater detail. It makes it clear that winning the war against criminal hackers will take a forward-looking approach and the best technologies. No single security feature is fail-proof and including a technology mandate in data breach legislation will only provide a false sense of security and not real protection for consumers.

Sincerely,
James C. Ballentine

Attachment.--Preventing Data Breaches: Smart Security in a Changing Threat Landscape

Dynamic cybersecurity for the future

Recent high-profile data breaches at retailers like Target and Home Depot underscore the critical need for stronger and more innovative security solutions that protect consumers.

Dynamic solutions, not rigid one-size-fits-all mandates. Mandates stifle innovation in the private sector and hinder the ability to adapt and react to evolving threats.
While the federal government may believe technology mandates are a way to ensure a level of security, the private sector--and more importantly, consumers--will be saddled with static technology that ultimately makes them vulnerable. Investing in security. Banks and payment networks continue to invest heavily in the development and implementation of promising new technologies capable of protecting consumers everywhere purchases are made. A common enemy. Both banks and retailers have a role to play in fighting criminal hackers who will never stop looking for new ways to steal consumers' data. chip technology: why it works Debit and credit cards with EMV (Europay MasterCard Visa) or ``chip'' technology have a microprocessor that protects your personal information through encryption--a process that scrambles personal and financial data to make it virtually useless to criminals. Whether the consumer signs for a purchase or enters a PIN, it is the chip technology that enables a more secure payment. Chip technology cards are: More secure than magnetic stripe cards, because the chip generates unique data for each transaction. If that information is stolen, it won't be traceable back to the account. Nearly impossible to replicate, thanks to the chip's ability to create a new, random number for each transaction. Coming to a checkout terminal near you. Banks are already issuing chip cards, with 120 million cards expected to be in the hands of U.S. consumers by the end of 2014, and 575 million cards issued by the end of 2015. Javelin Strategy and Research estimates only 10 percent of merchants currently have terminals that accept EMV chips. By October 2015, banks must issue cards with chip capability and retailers must have terminals to accept them or they will be liable for fraudulent purchases made on the card. it's the chip that matters For cards with EMV chip technology, it's the chip that makes the card more secure. 
A mandate, such as one requiring chip-enabled cards or PINs, does not prevent on-line or mobile fraud. Americans spent $263 billion on-line last year (most often without a PIN) and that dollar number is expected to grow to $414 billion by 2018. Less than 30 percent of merchants in the U.S.--both on-line and traditional storefronts--are currently equipped to accept a PIN, and some merchants prefer not to. As mobile technologies emerge, device passcodes and thumbprints are being introduced to benefit the consumer. Security should be dynamic, useful and address the realities of an increasingly digital economy, not be mandated to a single method.
A mandate could not have prevented the massive data breaches at Target, caused by hackers using malware to steal credentials through the company's heating, ventilating, and air conditioning (HVAC) contractor. It also would not have prevented breaches at Home Depot and Neiman Marcus, caused by malware installed in checkout terminals. However, chip cards would have reduced the value of the compromised data by inhibiting the creation of counterfeit cards.
Criminals will always seek the weakest link. No single security feature is fail-proof. Creating a mandate around one static technology gives hackers an open invitation to exploit loopholes in the payments system.
No technology is fail-proof. Magnetic stripes have become more vulnerable over the years as criminals have found ways to skim the data stored in the stripe and replicate it to make fraudulent purchases. PINs have their own flaws. A report by the Federal Reserve Bank of Atlanta published in 2012 found that PIN debit fraud rates have increased more than threefold since 2004. When a PIN is compromised, it can open a backdoor for criminals to access and drain consumers' bank accounts at an ATM.
beyond plastic: better security, wherever purchases are made
EMV chip technology will help protect customers at the register, but it's not a silver bullet.
Expecting a single technology to successfully prevent all fraud is unrealistic, which is why banks and payment networks are implementing new technologies that can adapt and deploy in a changing threat landscape:
End-to-end encryption is helping make payments more secure, by encoding consumers' information into unreadable formats as it makes its way from checkout to card network to the bank and back.
Tokenization technology replaces sensitive consumer account information at the cash register or on-line with a random ``token,'' rendering the information useless to criminals. This technology is an important feature for some mobile wallets, such as Apple Pay, and can be used on-line.
24/7 fraud protection is already a hallmark of banks, which employ teams of experts using advanced computer systems to monitor transactions and detect unusual activity indicating a customer's account has been hacked.
the bottom line: fewer mandates, more collaboration
Mandates hurt consumers because they funnel valuable time and resources into static technologies that will become obsolete as cyber threats change. A mandate could drive up the cost of doing business without addressing the fundamental cause of most future data breaches--inconsistent and outdated security practices within the retailers, which was the source of recent high-profile breaches at Target, Home Depot, and others.
The security threat facing the payment card industry is a complex problem that cannot be solved by any single technology, standard, mandate, or regulation. It cannot be solved by a single sector of society; businesses, standards-setting bodies, policymakers, and law enforcement must work together to protect the financial and privacy interests of consumers.
To borrow a concept from Moore's Law of Innovation, every new technology is obsolete within 18 months. Data security technologies are no exception.
Winning the war against cybercrime will take a forward-looking approach to preventing data breaches anywhere they occur--at the register, with a mobile phone or on-line. Money and resources should flow to the best technologies to fight these cyber attacks. Focusing on just one technology gives a false sense of security at a cost that everyone bears.
______
Letter From the Retail Industry Leaders Association
February 25, 2015.
The Honorable Michael McCaul, Chairman, House Committee on Homeland Security, United States House of Representatives, Washington, DC 20515.
The Honorable Bennie Thompson, Ranking Member, House Committee on Homeland Security, United States House of Representatives, Washington, DC 20515.
Dear Chairman McCaul and Ranking Member Thompson: On behalf of the Retail Industry Leaders Association (RILA), I write to thank you for holding today's hearing entitled, ``Examining the President's Cybersecurity Information-Sharing Proposal.'' Retailers greatly appreciate the Committee's leadership in seeking to find a sensible path to address critical cybersecurity issues.
RILA is the trade association of the world's largest and most innovative retail companies. RILA members include more than 200 retailers, product manufacturers, and service suppliers, which together are responsible for more than $1.5 trillion in annual sales, millions of American jobs and more than 100,000 stores, manufacturing facilities and distribution centers domestically and abroad.
Retailers embrace innovative technology to provide American consumers with unparalleled services and products on-line, through mobile applications, and in our stores. While technology presents great opportunity, nation states, criminal organizations, and other bad actors also are using it to attack businesses, institutions, and governments. As we have seen, no organization is immune from attacks and no security system is invulnerable.
Retailers understand that defense against cyber attacks must be an on-going effort, evolving to address the changing nature of the threat. RILA is committed to working with Congress to give government and retailers the tools necessary to thwart this unprecedented attack on the United States (U.S.) economy and bring the fight to cyber criminals around the globe.
As leaders in the retail community, we are taking new and significant steps to enhance cybersecurity throughout the industry. To that end, RILA formed the Retail Cyber Intelligence Sharing Center (R-CISC), one component of which is a Retail ISAC, in 2014 in partnership with America's most recognized retailers. The Center has opened a steady flow of information sharing between retailers, law enforcement and other relevant stakeholders. These efforts already have helped prevent data breaches, protected millions of American customers and saved retailers millions of dollars. The R-CISC is open to all retailers regardless of their membership in RILA.
For years, RILA members have been developing and deploying new technologies to achieve pioneering levels of security and service. The cyber-attacks that our industry faces change every day and our members are building layered and resilient systems to meet these threats. Key to this effort is the ability to design systems to meet actual threats rather than potentially outdated cybersecurity standards that may be enshrined in law. That is why development of any technical cybersecurity standards, beyond a mandate for reasonable security, must be voluntary and industry-led such as the standards embodied in the National Institute of Standards and Technology Cybersecurity Framework. RILA members using the Framework have found it to be a helpful tool in evaluating their cybersecurity posture and support the continued use of voluntary, industry-led processes as a key method of addressing dynamic technology challenges.
One area of cybersecurity that needs immediate attention is payment card technology. RILA members have long supported the adoption of stronger debit and credit card security protections. The woefully outdated magnetic stripe technology used on cards today is the chief vulnerability in the payments ecosystem. This 1960s-era technology allows cyber criminals to create counterfeit cards and commit fraud with ease. Retailers continue to press banks and card networks to provide U.S. consumers with the same Chip and PIN technology that has proven to dramatically reduce fraud when it has been deployed elsewhere around the world. According to the Federal Reserve, PINs on debit cards make them 700 percent more secure than transactions authorized by signature.\1\
---------------------------------------------------------------------------
\1\ Federal Reserve, ``2011 Interchange Fee Revenue, Covers Issuer Costs, and Covered Issuer and Merchant Fraud Losses Related to Debit Card Transactions,'' (March 5, 2013).
---------------------------------------------------------------------------
Increasing cyber threat information sharing is also vital to defeating sophisticated and coordinated cyber actors. RILA strongly supports cybersecurity information sharing legislation that provides liability protections for participating organizations. That liability protection should protect companies that share with appropriate federal law enforcement partners like the Secret Service and the FBI to help bring cybercriminals to justice. Legislation also should increase funding for government-sponsored research into next generation security controls and enhance law enforcement capabilities to investigate and prosecute criminals internationally. The cyber-attacks faced by every sector of our economy constitute a grave national security threat that should be addressed from all angles.
RILA thanks the Committee for holding this important hearing examining cyber information sharing legislation and cybersecurity more broadly. We look forward to working with you on these vital issues. Should you have any additional questions regarding this matter, please feel free to contact Nicholas Ahrens, Vice President, Privacy and Cybersecurity.
Sincerely,
Jennifer M. Safavian, Executive Vice President, Government Affairs.
______
Statement of the Financial Services Information Sharing & Analysis Center and the National Council of Information Sharing and Analysis Centers
March 4, 2015
fs-isac background
Chairman Ratcliffe and Members of the subcommittee, my name is Denise Anderson. I am vice president, FS-ISAC, government and cross sector programs at the Financial Services Information Sharing & Analysis Center (FS-ISAC) and chair of the National Council of ISACs (NCI). I want to thank you for this opportunity to address the Cybersecurity, Infrastructure Protection and Security Technologies Subcommittee about the industry perspective on ``Cybersecurity and Information Sharing''. I am submitting this testimony for the record as I am on travel and regret my inability to take part in this proceeding.
The FS-ISAC was formed in 1999 in response to the 1998 Presidential Decision Directive 63 (PDD 63), which called for the public and private sectors to work together to address cyber threats to the Nation's critical infrastructures. After 9/11, in response to Homeland Security Presidential Directive 7 (its 2013 successor, Presidential Policy Directive 21) and the Homeland Security Act, the FS-ISAC expanded its role to encompass physical threats to the sector. The FS-ISAC is a 501(c)(6) nonprofit organization and is funded entirely by its member firms and sponsors. In 2004, there were only 68 members of the FS-ISAC, mostly larger financial services firms.
Since that time the membership has expanded to almost 5,500 organizations including commercial banks and credit unions of all sizes, markets and equities firms, brokerage firms, insurance companies, payments processors, and 24 trade associations representing virtually all of the U.S. financial services sector. The FS-ISAC is a global organization and has members in 38 different countries.
NCI Background
The NCI is a voluntary organization of ISACs formed in 2003 in recognition of the need for the ISACs to share information with each other about common threats and issues. The mission of the NCI is to advance the physical and cyber security of the critical infrastructure of North America by establishing and maintaining a framework for valuable interaction among and between the ISACs and with Government. The membership of the NCI is the 18 individual ISACs that represent their respective sectors or sub-sectors. The NCI also works closely with the other critical infrastructure sectors (CI) that have operational arms including chemical (reforming its ISAC), automotive (currently forming an ISAC) and critical manufacturing, among others. The NCI has made it a goal to be inclusive of each critical infrastructure sector and sub-sector's operational arm.
The ISACs collaborate with each other daily through the NCI daily operations centers cyber call, the NCI secure portal and the NCI listserver. The NCI also hosts a weekly operations centers physical call and meets monthly to discuss issues and threats. The organization is a true cross-sector partnership engaged in sharing cyber and physical threats, mitigation strategies and working together and with government partners during incidents requiring cross-sector response as well as addressing issues affecting industry.
In addition to the secure portal, the NCI hosts an ISAC threat level dashboard, conducts and participates in cross-sector exercises, works with the National Infrastructure Coordinating Center (NICC) and the National Cybersecurity and Communications Integration Center (NCCIC) during steady-state and incidents, holds emergency calls as needed and develops joint white papers around threats. The ISACs have been instrumental in embracing, developing and advancing the automatic exchange of data within their memberships and across the ISACs, as well as with government where possible.
isacs and government partnerships
ISACs, which are not-for-profit organizations, work closely with various Government agencies including their respective Sector Specific Agencies (SSAs) where they exist, intelligence agencies, law enforcement, and State and local governments. In partnership with the Department of Homeland Security (DHS), several ISACs participate in the National Cybersecurity and Communications Integration Center (NCCIC) watch floor. ISAC representatives, cleared at the Top Secret/Sensitive Compartmented Information (TS/SCI) level, attend the daily briefs and other NCCIC meetings to share information on threats, vulnerabilities, incidents, and potential or known impacts to the critical infrastructure sectors. Having ISACs on the floor has allowed for effective collaboration on threats and incidents and there have been many examples of successful information sharing.
The ISACs also serve as liaisons to the National Infrastructure Coordinating Center (NICC) and play a vital role in incident response and collaboration under the Critical Infrastructure Partner Annex to the Incident Management Plan. In addition, ISAC representatives sit on the Cyber Unified Coordination Group (Cyber UCG). This group was set up under authority of the National Cyber Incident Response Plan (NCIRP) and has been actively engaged in incident response.
Finally, it should be noted that the ISACs collaborate with their sector coordinating councils as applicable and work with other critical infrastructure partners during steady state and incidents.
the february 2015 executive order and isaos
The Executive Order, Promoting Private Sector Cybersecurity Information Sharing, signed February 15, 2013 by President Obama and recently-announced information-sharing legislative proposal are commendable in their intent to foster information sharing. Information Sharing and Analysis Organizations (ISAOs) were first defined in the Homeland Security Act of 2002. ISACs were created under Presidential Decision Directive 63 (PDD-63). Effectively ISACs were the original ISAOs, are the subject-matter experts in information sharing and a majority of ISACs have been in existence for a decade or more.
Indeed there is a need for many groups that may not fall in with the critical infrastructure sectors such as legal and media and entertainment organizations, who are increasingly becoming targets for cyber incidents and attacks, to share information. The private sector is already organizing efforts in this area and as an example, the FS-ISAC has been working with the legal industry for almost a year now to form an ISAO. Many of the other ISACs, such as the Multi-State ISAC (MS-ISAC) and Information Technology ISAC (IT-ISAC) have also been engaging industries that do not have established information-sharing forums such as the Retail sector, which is actively forming an ISAC.
However ISACs are much more than ISAOs. They serve a special role in critical infrastructure protection and resilience and play a unique role in the sector partnership model. While the White House has noted that the EO seeks to ``not limit effective existing relationships that exist between the Government and the private sector'' the recent EO and prominent coverage of ISAOs has led to some confusion within industry as to the impacts to ISACs.
It is absolutely essential that the successful efforts that the ISACs have established over the years should not be disrupted. It is clear that the ISACs by their success meet the distinct and unique needs of each of their sectors and the owner and operator members of those sectors. The solution to easing this confusion is very simple. The White House, SSAs--including DHS--and other relevant agencies need to call out, recognize, and support the unique role ISACs play in critical infrastructure protection and resilience. For instance, ISACs have the responsibility to maintain sector-wide threat awareness within their respective sectors. It is critical that our Federal partners continue to respect and support that role to avoid undermining one of the main duties of ISACs to their members and sectors. It is vital that the process is not diluted and remains streamlined to facilitate effective situational awareness and response activities particularly when an incident occurs.
One of the greatest strengths of ISACs is the productive information sharing that occurs by having robust trusted networks of members. Government should support private-sector efforts to form ISACs in those very few critical infrastructure sectors where ISACs do not currently exist, and where they do, regularly and consistently encourage owner/operators to join their respective ISACs. This has been very effective in the financial sector where the United States Department of the Treasury, the regulators, and State agencies have been strongly encouraging membership in the FS-ISAC as a best practice. Currently, not all of the SSAs support their sector-designated ISACs in the same manner. Attached is an appendix, which lists out some 20 points as to why ISACs are more than ISAOs.
creating standards for isaos
The Executive Order also calls for the drafting of a set of voluntary standards.
The NCI believes that having an established set of capabilities is important and currently has a baseline set of criteria that ISACs must meet in order to be members of the Council. But it is essential that information-sharing organizations have the flexibility and ability to meet the unique needs of their sector and members. Although all ISACs have similar missions, no two ISACs are exactly alike. Any criteria that are developed must be done in concert with the private sector and must be upheld by the private sector in order to be effective. ISACs and ensuing ISAOs are private-sector organizations. Any attempt by Government to oversee or mandate what these organizations produce and how they collaborate would eliminate information sharing and almost two decades of progress. In the face of growing, targeted and sophisticated threats, rendering proven information-sharing efforts ineffective would not only be a grave consequence, it would run contrary to the spirit of the drafting of the EO: To promote private-sector cybersecurity information sharing.
The NCI has a strong history of mentoring and supporting the establishment of several new ISACs such as Aviation, Retail, and Automotive and the re-formation of the Oil and Gas ISAC. ISACs fostered by activities developed and sponsored by the NCI are robustly sharing among their peer ISACs and partners, items such as best practice guides and toolkits that ISACs can replicate and provide to their members for free. These activities reflect a powerful force in organizational information sharing and collaboration that the EO fails to contemplate and appears to attempt to recreate through the development of a standards organization.
Any focus on ISAOs and ISAO standards must be implemented carefully so as not only to encourage and foster information sharing and analytical maturity among newly-established organizations, but also clearly publish, highlight, and fully leverage and emulate aspects of the status quo that are working and have been working for quite some time.
effective information sharing
It is important to note that the goal of information sharing is not to share information in and of itself but to create situational awareness in order to inform risk-based decisions as well as allow operational components within owner/operator organizations that have direct actionable control over the content they are sharing, to perform an action. The focus needs to be on enhancing the ability of operational groups to work closely with each other. The ISACs are successful organizations with almost two decades of proven case studies of information sharing and collaboration. They are the subject-matter experts on information sharing.
In order for information sharing to be effective it must be:
Voluntary--not mandated or regulated
Industry Driven
Actionable, Timely and Relevant
Bi-directional and Collaborative
Government can help this effort by:
Recognizing ISACs and the special operational role that they play in critical infrastructure protection and resilience;
Supporting private-sector efforts to form ISACs in the very few critical infrastructure sectors where they do not currently exist;
Encouraging owners and operators of critical infrastructure to join their respective sector ISACs;
Facilitating getting all of the ISACs on the NCCIC floor. After 4 years this still has not been accomplished;
Recognizing the NCI as the coordinating body for the ISACs.
This concludes my written statement for the record. Thank you again for the opportunity to present this testimony and I look forward to your questions.
Appendix: 20 Reasons Why ISACs are More Than ISAOs
ISACs are all-hazards and address both cyber and physical threats and incidents
ISACs are the designated operational arms of their sectors
ISACs play a critical industry- and Government-recognized role in critical infrastructure incident response
ISACs have reach into their sectors and in many cases are relied upon as the threat and incident communications channel for their respective sectors
ISACs provide anonymization and aggregation of data for their sectors
ISACs provide a sector perspective on threats and incidents and provide sector-specific analysis
ISACs set or manage threat levels for their respective sectors
ISACs perform structured collaboration across the sectors
ISACs conduct joint analysis to develop joint products on specific threats and incidents
ISACs serve an operational role in the National partnership framework
Many ISACs have security operations centers that monitor threats, vulnerabilities, and incidents and provide analysis for sector threat potential and impact
ISACs are not-for-profit organizations that are not in the business to sell information but to facilitate it
ISACs meet the unique needs of their respective members/sectors
Most ISACs are global and are not just focused on the United States. Many have global partnerships
ISACs have a vetting process for members to qualify to join
ISACs are organized and run by the owners and operators of critical infrastructure
ISACs have a formal governance structure
ISACs facilitate bi-directional information sharing on incidents, information, and intelligence within and among the sectors.
ISACs are designated operational entities within sectors to enhance efficiency and coordination of information sharing and incident response.
Mr. Ratcliffe. The Chairman now recognizes the gentleman from Rhode Island, Mr. Langevin, for an opening statement.
Mr. Langevin. Thank you, Mr. Chairman.
I know that Ranking Member Richmond is on his way, and on his behalf I will just welcome our witnesses. In particular, I want to acknowledge Greg Garcia, whom I worked with when I chaired this subcommittee many years ago and when you had the Department of Homeland Security. I thank all of you for your work. I know in one way or another I have had the opportunity to interact with all of our witnesses. Thank you for the work you are doing to better protect our country. I look forward to hearing your perspective here today. Mr. Chairman, I especially want to commend you for holding this hearing today. Thank you for giving the information-sharing and data breach issues the attention that it needs and deserves. Hearing from expert witnesses I know will move this issue ahead further. Obviously, there is no one answer to solving our cybersecurity challenges. It is never a problem to be solved, as I have said many times, but it is a problem to be managed, and we have to do a much better job of getting to a place where we are much better protected in cyber space than where we are. We can close that air of vulnerability down to something much more manageable. It won't be just a Government answer, of course, and it is not going to be just private sector. It is going to take that collaboration of us working together to solve this and deal with this incredible challenge. So, with that, I will yield back. I thank our witnesses in advance for being here and what they are about to say. Thank you, Mr. Chairman. I yield back.
Mr. Ratcliffe. I thank the gentleman. I remind other Members that additional statements may be submitted for the record.
[The statement of Ranking Member Richmond follows:]
Statement of Ranking Member Cedric L. Richmond
March 4, 2015
Our infrastructure is more digitally interconnected than ever. Our country's reliance on cyber systems and networks covers everything from power plants to pipelines, and hospitals to highways.
Yet for all the advantages interconnectivity offers, our Nation's critical infrastructure is also increasingly vulnerable to attack from an array of cyber threats. We are to hear testimony today on how we can be better prepared for these threats. The President has proposed an updated package of legislative initiatives to frame the issues, and hopefully spur Congress to action on cybersecurity. Last year this subcommittee was the author of important authorizations that gave the Department sound footing to carry out its mission as the central civilian portal for information sharing between critical infrastructure sectors and the Government. It is widely recognized that more is needed, and the President's initiatives do indeed go further. Senator Carper, Ranking Member on the Senate Homeland Security and Government Affairs Committee, has already introduced almost a word-for-word version of the White House information-sharing language as S. 456, The Cyber Threat Sharing Act of 2015. Hacks on major businesses and financial institutions continue to dominate headlines. Just a few weeks after Anthem insurance announced that account information of as many as 80 million customers had been stolen, we are all waiting for the next shoe to fall. The President's proposal seeks to create a friendlier atmosphere for companies to swap certain types of computer data with each other and the Government, in order to identify potential cyber threats and isolate security flaws. To persuade companies to buy into the proposed system, the White House bill would provide assurances that the sharing of indicators--which could include things like IP addresses, routing information, and date and time stamps deemed important to identifying potential cyber threats or security vulnerabilities--would be exempt from legal or regulatory punishment. 
The President's proposals contain some new ideas about the formation of information-sharing organizations that would set sharing standards and privacy requirements. Since the '90s, firms have shared information directly on an ad hoc basis and through private-sector, nonprofit organizations, such as Information Sharing and Analysis Centers, or ISACs that can analyze and disseminate information. The White House proposal requires the Secretary of Homeland Security to form a new type of organization, the Information Sharing and Analysis Organizations, or ISAOs. We need to know what kinds of barriers to information sharing exist today, and how we on this subcommittee can help make this cyber tool more effective. For our side, information sharing must be structured in the public and private sectors to ensure that the risks to privacy rights and civil liberties of individual citizens be recognized, and how those rights and liberties can best be protected. Today, hopefully we'll find answers to some of these questions. We live in a post-Snowden world, and we are all much more aware of the powerful abilities of our surveillance agencies. Information sharing is not a zero-sum game. As policy makers we can step back and take stock of how best to protect our citizens' privacy rights, while finding effective and powerful tools to combat the cyber threats before us.
Mr. Ratcliffe. We are pleased to have with us a distinguished panel of witnesses today on this very important topic. I would ask all of you to stand, if you would, and raise your right hand.
[Witnesses sworn.]
Mr. Ratcliffe. Thank you. You may be seated. Our witnesses today--we have with us Mr. Matthew Eggers. He is the senior director for national security and emergency preparedness at the U.S. Chamber of Commerce. Mr. Eggers, good to see you again.
Mr. Eggers. Good to see you.
Mr. Ratcliffe. Also with us is Ms. Mary Ellen Callahan.
She is a partner at Jenner & Block and is the former chief privacy officer at the Department of Homeland Security. Welcome, Ms. Callahan. Also with us is Mr. Greg Garcia. He is the executive director of the Financial Services Sector Coordinating Council. Mr. Garcia, we appreciate you coming to see us today. Then, finally, last, but not least, Dr. Martin Libicki is the senior management scientist at The RAND Corporation. Dr. Libicki, thank you for being here as well. The witnesses' full statements will appear in the record. The Chairman now recognizes Mr. Eggers for 5 minutes to testify.
STATEMENT OF MATTHEW J. EGGERS, SENIOR DIRECTOR, NATIONAL SECURITY AND EMERGENCY PREPAREDNESS, U.S. CHAMBER OF COMMERCE
Mr. Eggers. Good afternoon, Chairman Ratcliffe and other distinguished Members of the subcommittee. My name is Matthew Eggers. I lead the U.S. Chamber Cybersecurity Working Group, which has about 200 members, and it is growing virtually daily. Before talking about the cyber information-sharing proposals, I want to note that my written statement highlights the successful roll-out of the NIST framework. The Chamber proudly launched its own cyber campaign under the banner of improving today, protecting tomorrow. In 2014, we organized several roundtables across the country. The events featured State and local chambers and principals from the White House, DHS, NIST, as well as local FBI and Secret Service officials. More roundtables are being planned this year. The framework would be incomplete without enacting legislation that removes legal and regulatory barriers to quickly exchanging data about threats to U.S. companies. Let's consider CISA and the White House proposal or the Carper bill, S. 456. First, the draft Cybersecurity Information Sharing Act of 2015, or CISA.
In January, 35 associations, including the Chamber, urged the Senate to quickly pass the cyber info-sharing bill modeled after the bipartisan CISA bill that Senators Feinstein and Chambliss championed last year. The first version of CISA stalled, unfortunately. A draft CISA, 2.0, if you will, sponsored by Senators Burr and Feinstein, is expected to be marked up soon. It reflects practical compromises among many stakeholders. We need to focus our collective legislative negotiations on CISA.

CISA would give businesses legal certainty that they have safe harbor against frivolous lawsuits when voluntarily sharing and receiving cyber threat indicators, or CTIs, and countermeasures in real time with private and public entities and when monitoring information systems to mitigate cyber attacks. CISA would also offer protections related to public disclosure, (direct) regulatory, and anti-trust matters. Under CISA, businesses must remove personal information from threat indicators before sharing them.

Second, the White House cybersecurity legislative proposal, or S. 456, the Cyber Threat Sharing Act of 2015. Senator Tom Carper introduced S. 456 about 3 weeks ago. I focus, in part, on this bill because it is very similar to the White House's January 13 cyber information-sharing proposal and it has been introduced.

In contrast to CISA, White House/Carper would grant liability protections to companies only when sharing CTIs with DHS's NCCIC and ISAOs, or Information Sharing and Analysis Organizations, that have self-certified that they are following certain information-sharing practices which have not yet been established and won't be for some time. DHS is to sponsor an outside organization to determine what would constitute cyber info-sharing standards or best practices, even though leading sectors tell us that they already have them. The bottom line: The ISAOs-plus-standards-setting effort warrants scrutiny before our organization supports it.
Also, unlike CISA, businesses would not be protected under White House/Carper when monitoring information systems and sharing and receiving countermeasures. The White House/Carper bill would not write anti-trust protections into the Federal law. The lack of safeguards and protections in all of these areas would deter industry from participating in these information-sharing programs for fear of litigation or liability, whether at the Federal or the State levels.

CISA and White House/Carper do share some common features, especially in the area of privacy and civil liberties protection. Both CISA and the White House/Carper proposal narrowly define what cyber threat indicators may be shared among private and Government entities. CISA and White House/Carper require that businesses remove personal information from CTIs before sharing them. Like CISA, the White House/Carper bill would tightly limit how the Federal Government could use threat indicators that agencies receive.

In sum, when comparing CISA with White House/Carper, CISA offers a more dynamic way to share cyber threat data among many businesses and Government entities, coupled with strong liability and related protections. CISA would go the furthest in helping businesses, including critical infrastructure, defend information systems against cyber attacks while protecting privacy. CISA is meant to help counter serious malicious attacks aimed at America that are being launched from threats like organized crime and state-sponsored groups. Getting an information-sharing bill signed into law this year, one that would actually incentivize industry to participate, not back away, is the Chamber's top cyber legislative priority.

Again, thank you for inviting me to be here today. I would be happy to answer any questions. Thank you.

[The prepared statement of Mr. Eggers follows:]

Prepared Statement of Matthew J. Eggers

March 4, 2015

Good morning, Chairman Ratcliffe, Ranking Member Richmond, and other distinguished Members of the committee. My name is Matthew Eggers, and I am a senior director of the U.S. Chamber's National Security and Emergency Preparedness Department. On behalf of the Chamber, I welcome the opportunity to testify before the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies regarding industry's perspectives on the President's cybersecurity information-sharing proposal.

The Chamber's National Security and Emergency Preparedness Department was established in 2003 to develop and implement the Chamber's homeland and National security policies. The department works through the National Security Task Force, a policy committee composed of roughly 200 Chamber members representing practically every sector of the American economy. The task force's Cybersecurity Working Group, which I lead, identifies current and emerging issues, crafts policies and positions, and provides analysis and direct advocacy to Government and business leaders.

Industry's interest in cybersecurity is healthy and expanding--individuals join the working group almost daily. The need to address increasingly sophisticated threats against U.S. and global businesses has gone from an IT issue to a top priority for the C-suite and the boardroom. Chamber President and CEO Thomas J. Donohue recently said, ``In an interconnected world, economic security and national security are linked. To maintain a strong and resilient economy, we must protect against the threat of cyberattacks.''

My statement highlights the successful rollout of the National Institute of Standards and Technology's (NIST's) Framework for Improving Critical Infrastructure Cybersecurity (the framework)\1\ and the positive collaboration that many businesses and Government entities have developed over the past several months, including the Chamber's cybersecurity campaign--Improving Today.
Protecting Tomorrow(TM).

---------------------------------------------------------------------------
\1\ See www.nist.gov/cyberframework.
---------------------------------------------------------------------------

I am also going to focus on policy issues--information-sharing legislation being the top legislative priority--that lawmakers and the administration need to diligently address. The information-sharing discussion puts too little emphasis on improving Government-to-business sharing. The Chamber wants to expand Government-to-business information sharing, which is progressing but needs improvement.\2\

---------------------------------------------------------------------------
\2\ The Chamber submitted in October 2014 similar comments to the National Institute of Standards and Technology (NIST) related to businesses' awareness and use of the framework. See http://csrc.nist.gov/cyberframework/rfi_comments_10_2014.html.
---------------------------------------------------------------------------

The framework is a good start, but more work is needed to push back against skilled attackers. Most small and mid-size businesses (SMBs) tend to lack the money and personnel to beat back highly-advanced and nefarious actors, such as organized criminal gangs and groups carrying out state-sponsored attacks. No single strategy can prevent advanced and persistent threats--popularly known as APTs in cybersecurity jargon--from breaching an organization's cyber defenses. Policymakers have not sufficiently acknowledged this expensive, practical reality. American companies should not be expected to shoulder the substantial costs of cyber attacks emanating from well-resourced bad actors such as criminal syndicates or nation-states--costs typically absorbed by national governments. Nation-states or their proxies and other sophisticated actors are apparently hacking businesses with impunity--and that has got to stop.
In addition to having policymakers acknowledge cost concerns, the Chamber would welcome working with the administration and Congress on establishing an intelligent and forceful deterrence strategy, utilizing an array of U.S. policy tools, which the United States currently lacks. U.S. policymakers need to focus on pushing back against illicit actors and not on blaming the victims of cybersecurity incidents.\3\

---------------------------------------------------------------------------
\3\ The Chamber submitted comments to the Department of Homeland Security (DHS) on cybersecurity solutions for small and mid-size businesses (SMBs) in April 2014.
---------------------------------------------------------------------------

THE FRAMEWORK IS AN EXCELLENT EXAMPLE OF AN EFFECTIVE PUBLIC-PRIVATE PARTNERSHIP. CRITICAL INFRASTRUCTURE AWARENESS OF THE FRAMEWORK IS STRONG, AND SECTOR ACTIVITIES ARE ROBUST AND MATURING

The Chamber believes that the framework--which was released last February--has been a success. The framework represents one of the best examples of public-private partnerships in action. NIST and stakeholders in the public and private sectors should have a great sense of accomplishment. The Chamber, sector-based coordinating councils and associations, companies, and other entities collaborated closely with NIST in developing the framework since the first workshop was held in April 2013.

Critical infrastructure sectors are keenly aware of and supportive of the framework. The Chamber understands that critical infrastructures at ``greatest risk'' have been identified and engaged by administration officials under the terms of the cyber executive order (EO).\4\ Government officials ought to ensure that all resources, particularly the latest cyber threat indicators (CTIs), are available to these enterprises to counter increasing and advanced threats.
---------------------------------------------------------------------------
\4\ Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, is available at www.gpo.gov/fdsys/pkg/FR-2013-02-19/pdf/2013-03915.pdf.
---------------------------------------------------------------------------

Further, important elements of U.S. industry are aware of the framework and are using it or similar risk management tools. Indeed, the Chamber welcomed an assessment from Michael Daniel, White House special assistant to the President and cybersecurity coordinator, who remarked on September 23, 2014, at the Chamber's third cyber roundtable in Everett, Washington, that industry's response to the framework has been ``phenomenal.'' A second White House official, Ari Schwartz, senior director for cybersecurity, noted on October 1, 2014, that business support for the framework has ``exceeded expectations.'' Such recognition is constructive and helps keep the private sector engaged in using the framework and promoting it with business partners.\5\

---------------------------------------------------------------------------
\5\ See ``At eight-month mark, industry praises framework and eyes next steps,'' Inside Cybersecurity, October 6, 2014, http://insidecybersecurity.com/Cyber-Daily-News/Daily-News/at-eight-month-mark-industry-praises-framework-and-eyes-next-steps/menu-id-1075.html.
---------------------------------------------------------------------------

Much of industry's favorable reaction is owed in large measure to NIST, which tackled the framework's development in ways that ought to serve as a model for other agencies and departments.
In May 2014, the administration sent the business community a powerful message, saying that the framework should remain collaborative, voluntary, and innovative over the long term.\6\ Interestingly, public focus on the framework has created visibility into industry's long-standing efforts to address cyber risks and threats--constant, dedicated, and mostly silent efforts that preceded the creation of the framework.\7\

---------------------------------------------------------------------------
\6\ The Chamber agrees with Michael Daniel's May 22 blog, Assessing Cybersecurity Regulations, at www.whitehouse.gov/blog/2014/05/22/assessing-cybersecurity-regulations. The blog says that business and Government ``must build equally agile and responsive capabilities not bound by outdated and inflexible rules and procedures.'' The Chamber and industry partners especially urge independent agencies and Congress to adhere to the dynamic approach advocated by the administration and embodied in the nonregulatory, public-private framework. See June 11, 2014, multiassociation letter, which is available at www.uschamber.com/sites/default/files/documents/files/11June14GroupLetterT-YReplytoDanielCyberBlog_Final_0.pdf.
\7\ The on-line publication Inside Cybersecurity provides an excellent catalog of industry initiatives to implement data- and network-security best practices. See http://insidecybersecurity.com/Sectors/menu-id-1149.html.
---------------------------------------------------------------------------

Most notable, since the framework's release, industry has demonstrated its commitment to using it. Many associations are creating resources for their members and holding events across the country and taking other initiatives to promote cybersecurity education and awareness of the framework. Some examples are listed here. Associations are planning and exploring additional activities as well.
The Alliance of Automobile Manufacturers and the Association of Global Automakers have initiated a process to establish an automobile industry sector information-sharing and analysis center (Auto-ISAC) to voluntarily collect and share information about existing or potential threats to the cybersecurity of motor vehicle electronics and in-vehicle networks.

The American Chemistry Council (ACC) is developing sector-specific guidance based on the NIST cyber framework to further enhance and implement the council's Responsible Care Security Code. ACC's Chemical Information Technology Center (ChemITC) is also piloting an ISAC for the chemical sector.

The American Gas Association (AGA) has hosted a series of webinars on control system cybersecurity, is collaborating with small utilities to develop robust cybersecurity programs, and is working with companies to review and enhance their cybersecurity posture using the Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model (ONG-C2M2) from the Department of Energy (DOE). Among other activities, AGA has stood up the Downstream Natural Gas Information and Analysis Center (DNG-ISAC), an ISAC designed to help support the information-sharing interests of downstream natural gas utilities.

The American Hotel & Lodging Association (AH&LA) has conducted a series of widely-attended cyber and data security webinars to assist small, medium, and large hotel and lodging businesses with implementing key information security measures and risk assessments.

The American Water Works Association (AWWA) has created cybersecurity guidance and a use-case tool to aid water and wastewater utilities' implementation of the framework. The guidance is cross-referenced to the framework. This tool serves as implementation guidance for the framework in the water and wastewater systems sector.
Members of the Communications Sector Coordinating Council (CSCC)--made up of broadcasting, cable, wireline, wireless, and satellite segments--have participated in multiple NIST, Department of Homeland Security (DHS), and industry association-sponsored programs, webinars, and panels. The sector is completing a year-long effort within the Federal Communication Commission's (FCC's) Communications Security Reliability and Interoperability Council (CSRIC), which involves more than 100 professionals who have worked to adapt the NIST framework to the sector segments and provide guidance to the industry.

The Electricity Subsector Coordinating Council has worked with DOE to develop sector-specific guidance for using the framework. The guidance leverages existing subsector-specific approaches to cybersecurity, including DOE's Electricity Subsector Cybersecurity Risk Management Process Guideline, the Electricity Subsector Cybersecurity Capability Maturity Model, NIST's Guidelines for Smart Grid Cyber Security, and the North American Electric Reliability Corporation's (NERC's) Critical Infrastructure Protection Cybersecurity Standards.

The mutual fund industry, represented by the Investment Company Institute (ICI), has added to its committee roster a Chief Information Security Officer Advisory Committee. The committee's mission is to collaborate on cybersecurity issues and information sharing in the financial services industry and provide a cyber threat protection resource for ICI members.

The Information Technology Industry Council (ITI) visited Korea and Japan in May 2014 and shared with these countries' governments and business leaders the benefits of a public-private partnership-based approach to developing globally workable cybersecurity policies. ITI highlighted the framework as an example of an effective policy developed in this manner, reflecting global standards and industry-driven practices.
ITI principals also spoke at a U.S.-European Union (EU) workshop in Brussels in November 2014, comparing U.S. and E.U. policy approaches with cybersecurity and emphasizing the positive attributes of the framework and its development.

The National Association of Manufacturers (NAM) has spearheaded the D.A.T.A. (Driving the Agenda for Technology Advancement) Policy Center, providing manufacturers with a forum to understand the latest cybersecurity policy trends, threats, and best practices. The D.A.T.A. Center focuses on working with small and medium-size manufacturers to help them secure their assets.

Through the American Petroleum Institute (API), the oil and natural gas sector has worked with DOE to complete the Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model (ONG-C2M2). The oil and natural gas sector in 2014 established an Oil and Natural Gas Information Sharing and Analysis Center (ONG-ISAC) to provide shared intelligence on cyber incidents, threats, vulnerabilities, and responses throughout the industry.

The Retail Industry Leaders Association (RILA), in partnership with the National Retail Federation (NRF), created the Retail Cyber Intelligence Sharing Center (R-CISC), featuring information sharing, research, and education and training. This ISAC enables retailers to share threat data among themselves and to receive threat information from Government and law enforcement partners.

The U.S. Chamber of Commerce has launched its National roundtable series, Improving Today. Protecting Tomorrow(TM), recommending that businesses of all sizes and sectors adopt fundamental internet security practices.

POLICYMAKERS NEED TO FOCUS ON PASSING INFORMATION-SHARING LEGISLATION AND DETERRING FOREIGN ATTACKERS. THE CHAMBER'S CYBERSECURITY CAMPAIGN ENTERS ITS SECOND YEAR

The NIST framework is designed to help start a cybersecurity program or improve an existing one.
The framework puts cybersecurity into a common language for organizations to better understand their cybersecurity posture, set goals for cybersecurity improvements, monitor their progress, and foster communications with internal and external stakeholders. Looking ahead to 2015, the Chamber's cybersecurity campaign intends to focus on several areas, including the following:

Improving information sharing is job No. 1. The framework would be incomplete without enacting information-sharing legislation that removes legal and regulatory barriers to quickly exchanging data about threats to U.S. companies.

Draft Cybersecurity Information Sharing Act (CISA) of 2015.--On January 27, 35 associations, including the Chamber, urged the Senate to quickly pass a cybersecurity information-sharing bill.\8\ The Senate Intelligence Committee passed in July 2014 S. 2588, the Cybersecurity Information Sharing Act (CISA) of 2014, a smart and workable bill, which earned broad bipartisan support.

---------------------------------------------------------------------------
\8\ The coalition letter is available at www.uschamber.com/sites/default/files/150127_multi-association_cyber_info-sharing_legislation_senate.pdf.
---------------------------------------------------------------------------

The committee released in February a new draft bill--CISA 2015--for stakeholder review. Recent cyber incidents underscore the need for legislation to help businesses improve their awareness of cyber threats and enhance their protection and response capabilities. The Chamber urges Congress to send a bill to the President that gives businesses legal certainty that they have safe harbor against frivolous lawsuits when voluntarily sharing and receiving threat indicators and countermeasures in real time with multiple private and public entities, as well as when monitoring information systems to mitigate cyberattacks.
The legislation also needs to offer protections related to public disclosure, regulatory, and anti-trust matters in order to increase the timely exchange of technical CTIs and countermeasures among public and private entities. The Chamber further believes that legislation needs to safeguard privacy and civil liberties and establish appropriate roles for civilian and intelligence agencies. For example, businesses must remove personal information from CTIs before sharing them. Private entities must share ``electronic mail or media, an interactive form on an internet website, or a real time, automated process between information systems'' with DHS--a civilian entity--if they are to be offered protection from liability.

CISA, which is sponsored by Sens. Richard Burr and Dianne Feinstein, reflects practical compromises among many stakeholders on these issues. At the time of this writing, the measure is expected to be marked up the week of March 9. The Chamber looks forward to reviewing the bill following the mark-up to determine its support for the base measure and any amendments. Industry is likely to strongly support CISA.

White House cybersecurity legislative proposal (S. 456, the Cyber Threat Sharing Act of 2015).--On February 11, S. 456, the Cyber Threat Sharing Act of 2015, was introduced in the Senate by Sen. Tom Carper. It makes sense to refer to S. 456 because it is very similar to the White House's cybersecurity information-sharing proposal, which was discussed at last week's House Homeland Security Committee hearing, and released by the administration on January 13.\9\

---------------------------------------------------------------------------
\9\ http://homeland.house.gov/hearing/hearing-administration-s-cybersecurity-legislative-proposal-information-sharing; www.whitehouse.gov/omb/legislative_letters (see January 13, 2015).
---------------------------------------------------------------------------

CISA offers strong protections and flexible avenues for sharing with public and private entities. In contrast, S. 456 would grant liability protections to companies only when sharing CTIs with (1) DHS' National Cybersecurity and Communications Integration Center (NCCIC)--excluding law enforcement agencies, among others--or with (2) information-sharing and analysis organizations (ISAOs) that have self-certified that they are following information-sharing best practices. (The implications of the ISAOs and the new White House executive order\10\ related to promoting cybersecurity information sharing, which directs DHS to sponsor an ISAO standards organization to establish a common set of voluntary standards for creating and operating ISAOs, have not been fully assessed by industry.)

---------------------------------------------------------------------------
\10\ www.whitehouse.gov/the-press-office/2015/02/13/executive-order-promoting-private-sector-cybersecurity-information-shari.
---------------------------------------------------------------------------

These two protected avenues for sharing CTIs are far too narrow and limiting and do not reflect the information-sharing relationships that businesses have built up over time, for instance, with DHS, the Departments of Energy and Treasury, and law enforcement agencies. Unlike CISA, businesses would not be protected under S. 456 when monitoring information systems and sharing or receiving countermeasures. The lack of safeguards in these areas is a fundamental weakness of the White House proposal and S. 456.

Under S. 456, cyber threat data shared with the NCCIC would seemingly be protected from public disclosure and may not be used as evidence in a regulatory action against the entity that shared CTIs, which is welcome. However, S. 456 neither codifies antitrust protections in Federal law nor preempts State law.
The bill simply references via a sense-of-Congress provision a policy statement that was issued in April 2014 by the Department of Justice and the Federal Trade Commission.\11\ While this provision is constructive, anti-trust protections need to be written into law to be meaningful to industry.

---------------------------------------------------------------------------
\11\ www.justice.gov/opa/pr/justice-department-federal-trade-commission-issue-antitrust-policy-statement-sharing.
---------------------------------------------------------------------------

Similar to CISA, S. 456 includes strong privacy protections. Both bills narrowly define what CTIs may be shared among private sector and Federal Government entities.\12\ CISA and S. 456 require that businesses remove personal information from CTIs before sharing them. The Chamber urges businesses to share cybersecurity threat data with industry partners and the Government. Still, the mandate to scrub personal information would almost certainly sideline smaller businesses, because the provision assumes that businesses would have the technical know-how or the resources to scrub data. To be sure, this outcome is not the intent of the bills' writers, but it is important to note that this is the likely response many businesses would have to such provisions.

---------------------------------------------------------------------------
\12\ CISA 2015 and S. 456 define cyber threat indicators (CTIs) in section 2 of their respective bills.
---------------------------------------------------------------------------

And, like CISA, S. 456 would also tightly limit how the Federal Government could use CTIs that agencies receive. However, unlike CISA, S. 456 would sunset after 5 years. A sunset provision would almost certainly inhibit businesses' ability to make long-term planning decisions related to risk management and information-sharing investments.

It is necessary to highlight that the Chamber supports CISA.
Compared with S. 456, CISA offers a more dynamic approach to sharing cybersecurity threat data among multiple business and Government partners, coupled with stronger protections. CISA would go the furthest in helping businesses, including critical infrastructure, defend information systems against cyber attacks. Businesses would likely share and receive CTIs and countermeasures and monitor their networks on a broader scale and more confidently because CISA grants stronger liability protections and better policy tools.

Organizing roundtables with local chambers and growing market solutions. The Chamber is planning more cyber roundtables in 2015. Last year, the Chamber organized roundtable events with State and local chambers in Chicago, Illinois (May 22); Austin, Texas (July 10); Everett, Washington (September 23); and Phoenix, Arizona (October 8) prior to the Chamber's Third Annual Cybersecurity Summit on October 28. Leading member sponsors of the campaign were American Express, Dell, and Splunk. Other sponsors were the American Gas Association, Boeing, the Edison Electric Institute, Exelon, HID Global, Microsoft, Oracle, Pepco Holdings, Inc., and The Wall Street Journal. Each roundtable featured cybersecurity principals from the White House, DHS, NIST, and local FBI and Secret Service officials.

The Chamber and its partners urged businesses to adopt fundamental internet security practices to reduce network and system weaknesses and make the price of successful hacking increasingly steep. The Chamber also urged businesses to improve their cyber risk management processes. All businesses should understand common on-line threats that can lead them to become victims of cyber crime. Using the framework and similar risk management tools, such as the Chamber's Internet Security Essentials for Business 2.0 guidebook,\13\ is ultimately about making your business more secure and resilient. The Chamber encourages businesses to report cyber incidents.
Perfect on-line security is unattainable, even for large businesses. Innovative solutions are regularly being brought to market because cyber threats are always changing. Businesses should report cyber incidents and on-line crime to their FBI or Secret Service field offices.

---------------------------------------------------------------------------
\13\ The booklet is available free for downloading at www.uschamber.com/issue-brief/internet-security-essentials-business-20.
---------------------------------------------------------------------------

Increasing public awareness of the framework. The Chamber urges policymakers to commit greater resources over the next several years to growing awareness of the framework and risk-based solutions through a National education campaign. A broad-based campaign involving Federal, State, and local governments and multiple sectors of the U.S. economy would spur greater awareness of cyber threats and aggregate demand for market-driven cyber solutions. The Chamber believes that Government--particularly independent agencies--should devote their limited time and resources to assisting resource-strapped enterprises, not trying to flex their existing regulatory authority. After all, while businesses are working to detect, prevent, and mitigate cyber attacks originating from sophisticated criminal syndicates or foreign powers, they should not have to worry about regulatory or legal sanctions.

Engaging law enforcement. The Chamber plans to continue its close contact with the FBI and the Secret Service to build trusted public-private relationships, which are essential to confirming a crime and beginning criminal investigations. The Chamber encourages businesses to partner with law enforcement before, during, and after a cyber incident. FBI and Secret Service officials have participated in each of the Chamber's roundtables.

Harmonizing cybersecurity regulations. Information-security requirements should not be cumulative.
The Chamber believes it is valuable that agencies and departments are urged under the E.O. to report to the Office of Management and Budget any critical infrastructure subject to ``ineffective, conflicting, or excessively burdensome cybersecurity requirements.'' The Chamber urges the administration and Congress to prioritize eliminating burdensome regulations on businesses. One solution could entail giving businesses credit for information security regimes that exist in their respective sectors.\14\ It is positive that Michael Daniel, the administration's lead cyber official, has made harmonizing existing cyber regulations with the framework a priority.

---------------------------------------------------------------------------
\14\ The business community already complies with multiple information security rules. Among the regulatory requirements impacting businesses of all sizes are the Chemical Facilities Anti-Terrorism Standards (CFATS), the Federal Energy Regulatory Commission--North American Reliability Corporation Critical Information Protection (FERC-NERC CIP) standards, the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), and the Sarbanes-Oxley (SOX) Act. The Securities and Exchange Commission (SEC) issued guidance in October 2011 outlining how and when companies should report hacking incidents and cybersecurity risks. Corporations also comply with many non-U.S. requirements, which add to the regulatory mix.
---------------------------------------------------------------------------

Raising adversaries' costs through deterrence. The Chamber is reviewing actions that businesses and Government can take to deter nefarious actors that threaten to empty bank accounts, steal trade secrets, or damage vital infrastructures. While our organization has not formally endorsed the report, the U.S.
Department of State's International Security Advisory Board (ISAB) issued in July draft recommendations regarding cooperation and deterrence in cyberspace. The ISAB's recommendations--including cooperating on crime as a first step, exploring global consensus on the rules of the road, enhancing governments' situational awareness through information sharing, combating IP theft, expanding education and capacity building, promoting attribution and prosecution, and leading by example--are sensible and worthy of further review by cybersecurity stakeholders.\15\ --------------------------------------------------------------------------- \15\ The ISAB report is available at www.state.gov/documents/ organization/229235.pdf. --------------------------------------------------------------------------- The Chamber believes that the United States needs to coherently shift the costs associated with cyber attacks in ways that are legal, swift, and proportionate relative to the risks and threats. Policymakers need to help the law enforcement community, which is a key asset to the business community but numerically overmatched compared with illicit hackers.\16\ --------------------------------------------------------------------------- \16\ The Chamber argued for a clear cyber deterrence strategy in its December 2013 letter to NIST on the framework. See http:// csrc.nist.gov/cyberframework/framework_comments/ 20131213_ann_beauchesne_uschamber.pdf. --------------------------------------------------------------------------- Making incentives work. 
In an April 2013 letter to NIST regarding businesses' use of the framework and the role of incentives, the Chamber provides its views on extending liability protections related to information-sharing legislation, a safe harbor related to using the framework, SAFETY Act applicability to the framework; eliminating cybersecurity regulations, leveraging Federal procurement, and making the research and development (R&D) tax credit permanent.\17\ --------------------------------------------------------------------------- \17\ The letter is available at www.ntia.doc.gov/files/ntia/ 29apr13_chamber_comments.pdf. --------------------------------------------------------------------------- The Chamber appreciates that the administration is assessing a mix of incentives that could induce businesses to use the framework.\18\ However, in the Chamber's view, it is imperative that the administration, independent agencies, and lawmakers extend to companies the assurance that the cybersecurity framework and any actions taken in relation to it remain collaborative, flexible, and innovative over the long term. The Chamber believes that the presence of these qualities, or the lack thereof, would be a key determinant to use of the framework by U.S. critical infrastructure as well as businesses generally. --------------------------------------------------------------------------- \18\ See www.whitehouse.gov/blog/2013/08/06/incentives-support- adoption-cybersecurity-framework. --------------------------------------------------------------------------- roadmap for the future of the cybersecurity framework In February 2014, NIST released a Roadmap to accompany the framework. The Roadmap outlines further areas for possible ``development, alignment, and collaboration.''\19\ The Chamber noted in an October 2014 letter to NIST some key areas that it sees as needing more attention. 
The Chamber would highlight for the committee the importance of aligning international cybersecurity regimes with the framework.
---------------------------------------------------------------------------
\19\ The Roadmap is available at www.nist.gov/cyberframework/upload/roadmap-021214.pdf.
---------------------------------------------------------------------------
Many Chamber members operate globally and appreciate that NIST has been actively meeting with foreign governments urging them to embrace the framework. Like NIST, the Chamber believes that efforts to improve the cybersecurity of the public and private sectors should reflect the borderless and interconnected nature of our digital environment. Standards, guidance, and best practices relevant to cybersecurity are typically industry-driven and adopted on a voluntary basis; they are most effective when developed and recognized globally. Such an approach would avoid burdening multinational enterprises with the requirements of multiple, and often conflicting, jurisdictions.\20\ The administration should organize opportunities for stakeholders to participate in multinational discussions. The Chamber encourages the Federal Government to work with international partners and believes that these discussions should be stakeholder-driven and occur on a routine basis.
---------------------------------------------------------------------------
\20\ The Chamber sent a letter in September 2013 to Dr. Andreas Schwab, member of the European Parliament's Internal Market and Consumer Protection Committee, recommending amendments to the proposed European Union (E.U.) cybersecurity directive. The Chamber argues that cybersecurity and resilience are best achieved when organizations follow voluntary global standards and industry-driven practices.
---------------------------------------------------------------------------
passing an industry-supported information-sharing bill is the chamber's top cyber legislative goal in 2015
Cyber attacks aimed at U.S. businesses and Government entities are being launched from various sources, including sophisticated hackers, organized crime, and state-sponsored groups. These attacks are advancing in scope and complexity.
Most policymakers and practitioners appreciate that the intent of legislation is not to spur more information sharing for its own sake. Rather, the goal is to help companies achieve timely and actionable situational awareness to improve the business community's and the Nation's detection, mitigation, and response capabilities.
Additional positive side effects of enacting cyber information-sharing legislation include strengthening the security of personal information that is maintained on company networks and systems and increasing costs on nefarious actors. The bill would also complement the NIST framework, which many industry associations and companies are embracing and promoting with their business partners.
Congressional action on cybersecurity information-sharing legislation cannot come quickly enough.
Mr. Ratcliffe. Thank you, Mr. Eggers. It is my understanding that votes have been called. We expect to return roughly 10 minutes after the last vote. So, without objection, the subcommittee is in recess subject to the call of the Chairman.
[Recess.]
Mr. Ratcliffe. Appreciate everyone's patience. We're accommodating with the weather, and I think we're going to have some Members return. But I want to continue with everyone's testimony. So I appreciate, Mr. Eggers, your testimony. Next we would love to hear from Ms. Callahan.
TESTIMONY OF MARY ELLEN CALLAHAN, JENNER & BLOCK, FORMER CHIEF PRIVACY OFFICER, U.S. DEPARTMENT OF HOMELAND SECURITY
Ms. Callahan. Thank you, sir. Good afternoon, Chairman Ratcliffe.
Thank you for the opportunity to appear before you today. My name is Mary Ellen Callahan, and I'm a partner at the law firm of Jenner & Block, where I chair the privacy and information governance practice. From 2009 to 2012, I served as the Chief Privacy Officer of the U.S. Department of Homeland Security. I'm appearing before this committee in my personal capacity.
Cybersecurity information sharing is vital to protect private- and public-sector assets. In order to prepare for disclosing cybersecurity threat indicators, however, to the other entities in the cybersecurity ecosystem, the information sharing with the Government must meet certain standards to address industry interests and needs.
There are six factors that are crucial for establishing robust effective private-sector information sharing with the Government: First, the Government must establish and implement legitimate privacy safeguards. Second, clearly-established controls must be placed on what the Government does with that shared information. Third, the controls must include civilian interface with the private sector, not just as an intake center, but for all communications and coordination related to cybersecurity information sharing. Fourth, a value proposition for the information sharing must be established. Fifth, liability limitations must be provided both civilly and criminally. Finally, the Congress should expressly provide the Privacy and Civil Liberties Oversight Board with oversight authority over cybersecurity, including information sharing.
It is unfortunate that the 2015 Executive Order did not elaborate on the necessary privacy and civil liberties protections, particularly with regard to private-sector information sharing. Nonetheless, the DHS Privacy Officer and Office for Civil Rights and Civil Liberties can address those private-sector concerns, including with the intersection of the Information Sharing and Analysis Organizations, or ISAOs.
DHS has been quite transparent about its cybersecurity capacities and privacy protections starting from the time when Mr. Garcia was at Homeland Security. This work will assist DHS in establishing deeper relations with the new and existing ISAOs.
In addition, as this subcommittee knows, the DHS Chief Privacy Officer has unique investigatory authorities. Therefore, in the event that something went awry in the future, the Chief Privacy Officer can investigate these activities. That authority may be of interest to the private companies and ISAOs as more private information starts to flow into the Government.
There are three categories of information that companies may provide when sharing cybersecurity threat indicators: Information directly associated with the cyber threat; information related to the cyber threat; and information incidentally retained when sharing the threat indicators themselves.
To limit the amount of incidentally retained and related information being shared, companies should implement strict data minimization standards. Frequently, however, it may not be evident upon initial sharing which information is directly associated with the threat and which information is either incidentally retained or only related to the cyber threat. Therefore, more information than necessary may be shared. As a result, the Federal Government should implement a secondary data minimization review and limit any sharing of information only to the information directly associated with the threat.
In certain discussions, there have been recommendations to share all cybersecurity threat information, including the related and incidentally-retained information, as soon as possible with all Government entities. This is ill-advised. If such sharing were to occur, each agency would need to re-analyze the information to determine what is relevant and what is not.
If there is a requirement to immediately share, then more information than necessary will be shared throughout the Government.
Wide-spread sharing of related or incidentally-retained information will chill information sharing generally. Companies will not want their non-cyber-threat information shared widely, even if there are use limitations.
To be clear, use limitations must be placed to provide guidance to the Government and necessary comfort to the sharing companies. The use of private-sector shared information must be cabined to only include use for cybersecurity threat and response. Relatedly, the Federal Government, including intelligence agencies, should have limitations on what agencies can retain and for how long with regard to the shared information from companies.
Ensuring civilian control of the life cycle of cybersecurity information from the private sector is critical to comfort private companies before they share cybersecurity threat indicators in volume. Critical infrastructure sectors and companies have had reservations about information being shared that may not only be used for informing other vulnerable entities, but also would have been used for investigations or National security without concomitant benefit.
The liability limitation is also important. Companies and ISAOs need to be comforted that the information they share will be appropriately protected.
Finally, the Privacy and Civil Liberties Oversight Board authority should be expanded to include oversight of cybersecurity activities, including information sharing with and from the private sector.
Thank you.
[The prepared statement of Ms. Callahan follows:]
Prepared Statement of Mary Ellen Callahan
March 4, 2015
Chairman Ratcliffe, Ranking Member Richmond, distinguished Members of the subcommittee, thank you for the opportunity to appear before you today. My name is Mary Ellen Callahan.
I am a partner at the law firm of Jenner & Block, where I chair the Privacy and Information Governance Practice and counsel private-sector clients on integrating privacy and cybersecurity. From March 2009 to August 2012, I served as the chief privacy officer at the U.S. Department of Homeland Security (DHS or Department). I have worked as a privacy professional for 17 years and have National and international experience in integrating privacy into business and Government operations. I am appearing before this subcommittee in my personal capacity and not on behalf of any other entity.
Cybersecurity information sharing is vital to protect the private and public-sector assets. In order to prepare for disclosing cybersecurity threat indicators to other entities in the cybersecurity ecosystem, however, the information sharing with the Government must meet certain standards to address industry interests and needs.
In my testimony, I will address six factors that are crucial to establishing robust, effective private-sector information sharing with the Government. First and foremost, to encourage and facilitate private-sector information sharing, the Government must develop and implement legitimate privacy safeguards. Second, clearly-established controls must be placed on what the Government does with the shared information. Third, those controls must include identifying and empowering a civilian interface with the private sector on information sharing--not just as an intake center, but for all communications related to cybersecurity information sharing. The fourth necessary step is to establish the value proposition for information sharing; information sharing must be at an acceptable cost and provide minimal risk for the participants. Its companion point is to define clear and objective limitations on liability for companies that participate in information sharing--both civilly and criminally.
And finally, Congress should expressly provide the Privacy and Civil Liberties Oversight Board with oversight authority over cybersecurity, including information sharing.
privacy safeguards are essential to effective private sector information sharing
As Apple CEO Tim Cook noted at the Cybersecurity Summit last month, we have to protect our privacy rights or we will all face dire consequences. At the same Summit, President Obama concurred, saying, ``When people go on-line, we shouldn't have to forfeit the basic privacy we're entitled to as Americans.'' However, the Executive Order on Promoting Private Sector Cybersecurity Information Sharing does not include a comprehensive privacy and civil liberties framework relating to private-sector sharing, instead focusing only on the intra-Government sharing, instructing agencies to work with their Senior Agency Officials for Privacy (SAOPs) to ensure that appropriate internal privacy protections are in place.
This decentralized and Government-only approach is flawed in two ways. Following the 2013 Executive Order on Improving Cybersecurity, each of the SAOPs for the major agencies prepared their assessments of how they were complying with privacy and civil liberties protections in department-to-department sharing. The detail and level of analysis by the SAOPs differed greatly. Having a decentralized assessment of privacy impacts, including how to intersect with the private sector, will delay the implementation of adequate privacy protections, and will not instill confidence from the private sector. Furthermore, this decentralized approach does not need to take place under the 2015 Executive Order--because DHS already has an existing infrastructure in place, and it has been identified as the key department in this private-sector information-sharing exercise.
It is unfortunate that the 2015 Executive Order did not elaborate on the necessary privacy and civil liberties protections, particularly with regard to private-sector information sharing. Nonetheless, the DHS Privacy Office and Office for Civil Rights and Civil Liberties can lead these inter-agency efforts to address private-sector concerns, including with the intersection of Information Sharing and Analysis Organizations (ISAOs). Without a White House-based privacy policy official, the DHS Chief Privacy Officer frequently serves as de facto privacy policy leadership between and among the departments and agencies.
As I testified before this subcommittee in April 2013, DHS has taken multiple steps to integrate cybersecurity and privacy as part of the Department's cybersecurity mission. DHS has thoroughly integrated the Fair Information Practice Principles (FIPPs) into its cybersecurity programs. The FIPPs are the ``widely accepted framework of defining principles to be used in the evaluation and consideration of systems, processes, or programs that affect individual privacy.''\1\
---------------------------------------------------------------------------
\1\ The Fair Information Practice Principles as articulated in National Strategy for Trusted Identities in Cyberspace, April 2011, available at: http://www.whitehouse.gov/sites/default/files/rss_viewer/NSTICstrategy_041511.pdf
---------------------------------------------------------------------------
DHS has been quite transparent about its cybersecurity capabilities. As discussed below, transparency is an important tenet under the FIPPs and an important cornerstone to encourage industry participation. DHS has published several Privacy Impact Assessments (PIAs) detailing pilot programs and information sharing among and between Government entities as well as with private companies that have signed Cooperative Research and Development Agreements (CRADAs).
This work will assist DHS in establishing deeper relationships with new and existing ISAOs. The Department already has skilled, dedicated privacy professionals who can help navigate the privacy protections needed for effective information sharing, with multiple cyber privacy professionals on staff. These individuals focus on integrating the FIPPs of purpose specification, data minimization, use limitation, data quality and integrity and security systematically into all DHS cybersecurity activities. As part of its mission to implement the FIPPs and to integrate privacy protections into DHS cybersecurity activities, DHS privacy professionals review and provide comments and insight into cybersecurity Standard Operating Procedures (SOPs) (including protocols for human analysis and retention of cyber alerts, signatures, and indicators for minimization of information that could be personally identifiable information), statements of work, contracts, and international cyber information-sharing agreements. The DHS cyber privacy professionals review all of the CRADAs signed with private companies.
An important tenet of the FIPPs is the concept of accountability--periodically reviewing and confirming that the privacy protections initially embedded into any program remain relevant and that those protections are implemented. While I was DHS Chief Privacy Officer, I instituted ``Privacy Compliance Reviews'' (PCRs) to confirm the accountability of several of DHS's programs.\2\ We designed the PCR to improve a program's ability to comply with assurances made in PIAs, System of Records Notices, and formal information-sharing agreements. The Office conducts PCRs of on-going DHS programs with program staff to ascertain how required privacy protections are being implemented and to identify areas for improvement.
---------------------------------------------------------------------------
\2\ See DHS Privacy Office Annual Report, July 2011-June 2012 at 39-40 for a detailed discussion of Privacy Compliance Reviews.
---------------------------------------------------------------------------
Given the importance of the DHS mission in cybersecurity, the DHS Privacy Office conducted a Privacy Compliance Review in late 2011, publishing it in early 2012.\3\ The DHS Privacy Office found the DHS cybersecurity entities generally complied with the privacy requirements in the relevant Privacy Impact Assessments. Specifically, the DHS cybersecurity entities fully complied with collecting information, using information, internal and external sharing with Federal agencies and accountability requirements.
---------------------------------------------------------------------------
\3\ Privacy Compliance Review of the EINSTEIN Program, January 3, 2012, available at: http://www.dhs.gov/xlibrary/assets/privacy/privacy_privcomrev_nppd_ein.pdf.
---------------------------------------------------------------------------
In addition, as this subcommittee knows, the DHS chief privacy officer has unique investigatory authorities. Therefore, in the unlikely event that something went awry in the future, the Chief Privacy Officer can investigate those activities.\4\ This investigatory authority may be of interest to the private companies and ISAOs as more private information starts to flow into the Government.
---------------------------------------------------------------------------
\4\ 6 U.S.C. 142(b). See DHS Privacy Office Annual Report, July 2011-June 2012 at 40 for a discussion of the DHS chief privacy officer investigatory authorities.
---------------------------------------------------------------------------
The procedures, staffing, accountability and integration into the relationships with private-sector entities through CRADAs demonstrate the way in which privacy protections are integrated throughout the DHS cybersecurity program. A framework is in place to address privacy and civil liberties issues for private-sector information sharing, and DHS is well-positioned to extend those privacy protections to private-sector information sharing on a larger scale.
establish appropriate limitations on information sharing
Consistent with the FIPPs and private-sector company expectations, there must be clearly-defined controls associated with the cybersecurity threat indicators and the related information. As the DHS portion of the 2013 Executive Order report noted, there are at least three categories of information that companies may provide when sharing cybersecurity threat indicators--information directly associated with the cybersecurity threat, information related to the cyber threat, and information incidentally retained when sharing the threat indicators themselves.\5\
---------------------------------------------------------------------------
\5\ Executive Order 13636 Privacy and Civil Liberties Assessment Report 2014, available at: http://www.dhs.gov/sites/default/files/publications/2014-privacy-and-civil-liberties-assessment-report.pdf
---------------------------------------------------------------------------
To limit the amount of incidentally retained and related information being shared, companies should implement strict data minimization standards. Frequently, however, it may not be evident upon initial sharing--especially because time may be of the essence--which information is directly associated with the cybersecurity threat and which information is either incidentally retained or only related to the cyber threat. Therefore, more information than necessary may be shared.
As a result, the Federal Government/DHS should implement a secondary data minimization review and limit any sharing of information only to the information directly associated with the cyber threat.
In certain discussions, there are recommendations to share all cybersecurity threat information--including the related and incidentally-retained information--as soon as possible with all Government entities. This is ill-advised, for a few reasons. First, this approach does not assist the other entities in identifying the relevant information and requires each agency to re-analyze the information to determine what is relevant and what is not. That is inefficient. Instead, sharing immediately shifts the burden of implementation and analysis to every entity and decentralizes the skill set. If there is a requirement to immediately share, then more information than necessary--and possibly inaccurate information--will be shared throughout the Government. For these two reasons, the experts at DHS should first parse the information and apply data minimization principles to allow other agencies to respond quickly to the threat itself, rather than weeding through potentially disparate layers of information.
The same principle of double data minimization applies to information sharing between and among companies. Wide-spread sharing of related or incidentally-retained information will chill information sharing generally. Companies will not want their non-cyber information shared widely, even if there are use limitations. Providing anonymity for producers (especially private companies)--allowing them an environment to share safely without fear of backlash regarding their vulnerabilities--is vital to encourage cooperation. Companies are legitimately concerned that their valuable trade secrets or business-sensitive information may be available to the Government and their competitors if the non-cyber threat indicators are not minimized.
Even if cyber threat indicators are judiciously shared, use limitations related to the shared information must be in place. In addition to the liability limitations discussed below, the use of private sector-shared information must be cabined to include only use for cybersecurity threat and response. Relatedly, the Federal Government (including intelligence agencies) should have limitations on what agencies can retain and for how long with regard to the unique information from companies, rather than the distilled threat indicators.
civilian control of the cybersecurity information sharing is crucial to encourage private information sharing
Ensuring civilian control of the life cycle of cybersecurity information from the private sector is critical to comfort private companies before they share cyber threat indicators in volume. Critical infrastructure sectors and companies have reservations that information being shared may not only be used to inform other vulnerable entities, but also would be used for investigations or National security, without any other concomitant benefit. The Executive Order is silent on the issue of civilian control for the life cycle of the private-sector relationship, but that control is crucial to the development of repeatable, consistent information sharing. Identifying DHS as the private-sector interface is vital to placate these concerns. This committee began this process with the legislative establishment of the National Cybersecurity and Communications Integration Center (NCCIC) in 2014 through the National Cybersecurity Protection Act. DHS must continue to be the primary interface with the private sector, and must not just be seen as a pass-through to the intelligence community. As noted above, DHS has been transparent about its cybersecurity activities, which is imperative to develop credentials and credibility with the private sector.
Now that NCCIC has been identified as the leading agency, any information sharing must go through it. As Assistant Secretary Andy Ozment reported to this committee in February, NCCIC received 97,000 incident reports, released 12,000 actionable cyber alerts or warnings and responded to 115 cyber incidents last year. These statistics demonstrate that DHS is maturing. As a civilian agency, it is well-positioned to liaise between private companies and the Government.
information sharing must not threaten companies
Information sharing must be at an acceptable cost and, therefore, provide minimal risk for the participants. If participants believe they will be targeted by attackers by sharing information, such as configurations, vulnerabilities, or even the fact that they have been targeted, they will not be willing to share information. DHS has received thorough advice--including from private-sector representatives and advocates--as part of its Federal Advisory Committee Act privacy committee, the Data Privacy and Integrity Advisory Committee. The DPIAC issued a significant advisory paper for DHS to consider when implementing information-sharing pilots and programs with other entities, including the private sector.\6\ The report addresses two important questions in privacy and cybersecurity: ``What specific privacy protections should DHS consider when sharing information from a cybersecurity pilot project with other agencies?'' and ``What privacy considerations should DHS include in evaluating the effectiveness of cybersecurity pilots?'' This type of advice helps DHS design systems to avoid antagonizing companies and ISAOs and comfort them they will not somehow be punished for participating.
---------------------------------------------------------------------------
\6\ Report from the Cyber Subcommittee to the Data Privacy and Integrity Advisory Committee (DPIAC) on Privacy and Cybersecurity Pilots, Submitted by the DPIAC Cybersecurity Subcommittee, November 2012, available at: http://www.dhs.gov/sites/default/files/publications/privacy/DPIAC/dpiac_cyberpilots_10_29_2012.pdf.
---------------------------------------------------------------------------
limitations on liability must be clearly defined
The issue of liability limitations has been discussed at length during the pendency of the cybersecurity legislation. It obviously is an important issue for companies, and it needs to be resolved appropriately in order to encourage information sharing. With that said, having clearly-defined limitations may help companies even more than having a ``notwithstanding any other law'' blanket exception.
The liability limitation must address at least two aspects directly. First, the shared information cannot be shared with other agencies and then used in a civil or criminal enforcement action against the sharing company. That is crucial. Furthermore, the shared information should not be used in civil or criminal enforcement actions against a third party who is not the cyber attacker--namely, if shared information contains damning information either about the sharing company or a third-party company, the Government's awareness of that information cannot lead to enforcement.
Furthermore, companies and ISAOs need to be comforted that the information they share will be appropriately protected. The DHS transparency on its systems will hopefully ameliorate that concern.
The anti-trust concerns raised in earlier Congresses have waned in light of the Joint Department of Justice/Federal Trade Commission Antitrust Policy Statement on Sharing of Cybersecurity Information.\7\ Nonetheless, more clarity, particularly vis-a-vis inter-company sharing, will induce more information sharing.
---------------------------------------------------------------------------
\7\ http://www.justice.gov/atr/public/guidelines/305027.pdf.
---------------------------------------------------------------------------
privacy and civil liberties oversight board should be granted oversight authority over cybersecurity information sharing
The Privacy and Civil Liberties Oversight Board (PCLOB) serves an important oversight function on intelligence and National security activities related to terrorism. The PCLOB's authority should be expanded to include oversight on cybersecurity activities, including information sharing with and from the private sector. This addition will further bolster the FIPPs throughout the cyber information-sharing life cycle, and will provide additional oversight capacity over the collection, use, sharing, and retention of private-sector information.
Thank you for the opportunity to appear before this subcommittee this afternoon. I would be happy to take any questions you may have.
Mr. Ratcliffe. Thank you, Ms. Callahan. The Chairman now recognizes Mr. Garcia to testify.
TESTIMONY OF GREGORY T. GARCIA, EXECUTIVE DIRECTOR, FINANCIAL SERVICES SECTOR COORDINATING COUNCIL
Mr. Garcia. Thank you, Mr. Chairman. Thanks for the opportunity to address the subcommittee about the President's information-sharing Executive Order. The Financial Services Sector Coordinating Council, or FSSCC, was established in 2002. It involves 65 of the largest financial services providers and their industry associations.
Its mission is to coordinate sector-wide efforts to strengthen the resiliency of the financial services sector against threats to the Nation's critical infrastructure. So we're focused on the critical infrastructure sector. In practice, this means that we work with Government and other partners to address information-sharing content and procedures, incident response, cyber and operational risk management best practices, and appropriate policy enhancements to support the above objectives. We've learned over the years that strong risk management requires participating in communities of trust that share information on cyber and physical threats, vulnerabilities, and incidents. This is based on the simple concept of strength in numbers, the neighborhood watch, shared situational awareness.

While the FSSCC focuses on longer-term trends and strategy, our sector's operational arm is the Financial Services Information Sharing and Analysis Center, or FS-ISAC. The FS-ISAC participates in many information-sharing programs. One key partner that you mentioned in your opening statement is the National Cybersecurity and Communications Integration Center, or NCCIC. The NCCIC is a hub for sharing information about cyber and communications incidents across sectors, and the financial sector has a seat on the NCCIC watch floor. The industry-sector officials that serve on the NCCIC are cleared at the Top Secret level. So they attend daily briefs and other NCCIC meetings about threats, vulnerabilities, and incidents affecting the financial sector.

Within the sector, FS-ISAC manages a formal structure for collecting, analyzing, and sharing actionable intelligence and best practices among members and the sector, as well as with our industry, Government, and law enforcement partners. I'll be happy to talk about all of that in detail during Q and A about how we do that. The sector continues to make progress on the speed and reliability of its information-sharing efforts.
Late last year, for example, the financial sector announced a new automated threat-sharing capability called Soltra Edge. This uses open standards funded by DHS that facilitate automated machine-to-machine information sharing. It helps our industry increase the speed, scale, and accuracy of information sharing, and it accelerates the time to resolution. It can be used by any sectors and with any sectors or information-sharing groups. So this is a way of complementing human-to-human sharing by using machine-to-machine whenever possible. So the point is the financial sector has a very robust information-sharing environment among ourselves and with the Government and we're always working to improve it.

So let me just spend the final moments of my statement discussing the President's Executive Order on private-sector information sharing. In our view, the administration's Executive Action is a positive step. We expect it has the potential to increase the volume and quality of actionable and timely cybersecurity information. We offer a few observations that can inform implementation of the order.

First, as the sharing and use of Classified information can improve our response capability, it's important that the clearance process for critical sectors like ours is fast and efficient. The Executive Order supports this goal by enhancing DHS's involvement in the clearance process. This can help accelerate the security clearance process for critical sector owners and operators.

Also, in general, we support the creation of the ISAOs, Information Sharing Analysis Organizations. This can be a way for noncritical sector groups to share cybersecurity information and coordinate analysis and response. We understand that the impetus for the ISAO proposal was to raise awareness for stakeholder groups looking to coalesce around joint information-sharing objectives, and we believe that the ISAO standards development process should build on the strong foundation laid by the ISACs.
We caveat, however, that ISACs, as distinct from ISAOs, must retain their special partnership status with the Government, given their broad sector representation and a strong cadre of operational support with security clearances.

Certain important principles need to be kept in mind for the standards development process. Sharing is successful within communities of trust when there are clear and enforced information-handling rules. Information sharing is not a competitive sport. Operational standards should incentivize federated information-sharing. Intelligence needs to be fused across trust communities, not diffused or siloed. Government processes for collecting, analyzing, and packaging intelligence for private-sector consumption must be streamlined and transparent. Indeed, the 2013 Executive Order directs the Government to do just that.

In anticipating the potential for heavy demands from a proliferation of ISAOs, the NCCIC should prioritize its resources and engagements according to established criteria. They'll need to consider Government capacity to effectively serve critical sector constituents in steady-state and surge mode. They need to consider the reach those stakeholders have into their sectors and the effectiveness of their capabilities.

It's also important that the ISAO standards development process be collaborative, open, and transparent. The process managed during the development of the NIST cybersecurity framework, for example, is an excellent example of this principle.

Okay. Mr. Chairman, that concludes my oral remarks. I'll be happy to answer questions.

[The prepared statement of Mr. Garcia follows:]

Prepared Statement of Gregory T. Garcia

March 4, 2015

Chairman Ratcliffe, Ranking Member Richmond, and Members of the subcommittee, thank you for this opportunity to address the subcommittee about the President's information sharing Executive Order. My name is Gregory T. Garcia.
I am executive director of the Financial Services Sector Coordinating Council (FSSCC), which was established in 2002 and involves 65 of the largest financial services providers and industry associations representing clearinghouses, commercial banks, credit card networks and credit rating agencies, exchanges/electronic communication networks, financial advisory services, insurance companies, financial utilities, Government-sponsored enterprises, investment banks, merchants, retail banks, and electronic payment firms.

fsscc mission

The mission of the FSSCC is to strengthen the resiliency of the financial services sector against attacks and other threats to the Nation's critical infrastructure by proactively identifying threats and promoting protection, driving preparedness, collaborating with the Federal Government, and coordinating crisis response for the benefit of the financial services sector, consumers and the Nation's economic security. During the past decade, this strategic partnership has continued to grow, in terms of both the size and commitment of its membership and the breadth of issues it addresses. Members volunteer their time and resources to FSSCC with a sense of responsibility to the broader sector, financial consumers and the Nation.

In simplest terms, members of the FSSCC assess security and resiliency trends and policy developments affecting our critical financial infrastructure, and coordinate among ourselves and with our partners to develop a consolidated point of view and coherent strategy for dealing with those issues. Accordingly, our sector's primary objectives are to:

1. Implement and maintain structured routines for sharing timely and actionable information related to cyber and physical threats and vulnerabilities among firms, across sectors of industry, and between the private sector and Government.
2. Improve risk management capabilities and the security posture of firms across the financial sector and the service providers they rely on by encouraging the development and use of common approaches and best practices.
3. Collaborate with homeland security, law enforcement and intelligence communities, financial regulatory authorities, other sectors of industry, and international partners to respond to and recover from significant incidents.
4. Discuss policy and regulatory initiatives that advance infrastructure resiliency and security priorities through robust coordination between Government and industry.

To achieve these objectives we partner with the Department of Treasury, DHS, law enforcement, and financial regulatory agencies forming our Government Coordinating Council counterpart--called the Financial and Banking Information Infrastructure Committee (FBIIC). Rolling up into those broad objectives are numerous initiatives undertaken collaboratively within this public-private partnership, including committee-organized workstreams to, for example:

improve information-sharing content and procedures between Government and the sector;
conduct joint exercises to test our resiliency and information-sharing procedures under differing scenarios;
prioritize critical infrastructure protection research and development funding needs;
engage with other critical sectors and international partners to better understand and leverage our interdependencies;
advocate broad adoption of the NIST Cybersecurity Framework, including among small and mid-sized financial institutions across the country;
develop best practices guidance for operational risk issues involving third-party risk, supply chain, and cyber insurance strategies.
We have learned over the years that a foundational element of any strong risk management strategy for cyber and physical protection involves participation in communities of trust that share information related to threats, vulnerabilities, and incidents affecting those communities. That foundation is based on the simple concepts of strength in numbers, the neighborhood watch, and shared situational awareness. To achieve this goal, public and private-sector partners exchange data and contextual information about specific incidents and longer-term trends and developments. Sharing this information helps to prevent incidents from occurring and to reduce the risk of a successful incident at one firm later impacting another. These efforts increasingly focus on including smaller firms and include international partners.

Financial-sector stakeholders participate in information-sharing programs operated by the Department of Homeland Security. For example, the financial sector and Treasury Department maintain a presence within the National Cybersecurity and Communications Integration Center (NCCIC), which serves as a hub for sharing information related to cybersecurity and communications incidents across sectors, among other roles and responsibilities. The sector also works closely with the National Infrastructure Coordinating Center (NICC), which is the dedicated 24/7 coordination and information-sharing operations center that maintains situational awareness of the Nation's critical infrastructure for the Federal Government. The financial sector benefits greatly from its close information-sharing relationship with law enforcement partners, including the Federal Bureau of Investigation and the United States Secret Service.
fs-isac information-sharing programs and operations

For the financial sector, the primary community of trust for critical financial infrastructure protection is the Financial Services Information Sharing and Analysis Center, or FS-ISAC, which is the operational heartbeat of the FSSCC strategic body. The FS-ISAC was formed in 1999 in response to the 1998 Presidential Decision Directive 63 (PDD 63), which called for the public and private sectors to work together to address cyber threats to the Nation's critical infrastructures. After 9/11, and in response to Homeland Security Presidential Directive 7 (and its 2013 successor, Presidential Policy Directive 21) and the Homeland Security Act, the FS-ISAC expanded its role to encompass physical threats to our sector. The FS-ISAC is a 501(c)6 nonprofit organization and is funded entirely by its member firms and sponsors.

In 2004, there were only 68 members of the FS-ISAC, mostly larger financial services firms. Since that time the membership has expanded to more than 5,000 organizations including commercial banks and credit unions of all sizes, brokerage firms, insurance companies, data security payments processors, and 24 trade associations representing virtually all of the U.S. financial services sector. Since its founding, the FS-ISAC's operations and culture of trusted collaboration have evolved into what we believe is a successful model for how other industry sectors can organize themselves around this security imperative.

The overall objective of the FS-ISAC is to protect the financial services sector against cyber and physical threats and risk. It acts as a trusted third party that provides anonymity to allow members to share threat, vulnerability, and incident information in a non-attributable and trusted manner. The FS-ISAC provides a formal structure for valuable and actionable information to be shared amongst members, the sector, and its industry and Government partners, which ultimately benefits the Nation.
FS-ISAC information-sharing activities include:

delivery of timely, relevant, and actionable cyber and physical email alerts from various sources distributed through the FS-ISAC Security Operations Center (SOC);
an anonymous on-line submission capability to facilitate member sharing of threat, vulnerability, and incident information in a non-attributable and trusted manner;
operation of email listservs supporting attributable information exchange by various special interest groups including the Financial Services Sector Coordinating Council (FSSCC), the FS-ISAC Threat Intelligence Committee, threat intelligence sharing open to the membership, the Payment Processors Information Sharing Council (PPISC), the Clearing House and Exchange Forum (CHEF), the Business Resilience Committee, and the Payments Risk Council;
anonymous surveys that allow members to request information regarding security best practices at other organizations;
bi-weekly threat information sharing calls for members and invited security/risk experts to discuss the latest threats, vulnerabilities, and incidents affecting the sector;
emergency threat or incident notifications to all members using the Critical Infrastructure Notification System (CINS);
emergency conference calls to share information with the membership and solicit input and collaboration;
engagement with private security companies to identify threat information of relevance to the membership and the sector;
participation in various cyber exercises such as those conducted by DHS (Cyber Storm I, II, and III) and support for FSSCC exercises such as CyberFIRE and Quantum Dawn;
development of risk mitigation best practices, threat viewpoints and toolkits, and preparation of cybersecurity briefings and white papers;
administration of Subject Matter Expert (SME) committees including the Threat Intelligence Committee and Business Resilience Committee, which: provide in-depth analyses of risks to the sector; conduct technical, business, and operational impact assessments; determine the sector's cyber and physical threat level; and recommend mitigation and remediation strategies and tactics;
special projects to address specific risk issues such as the Account Takeover Task Force;
document repositories for members to share information and documentation with other members;
development and testing of crisis management procedures for the sector in collaboration with the FSSCC and other industry bodies;
semi-annual member meetings and conferences; and
on-line webinar presentations and regional outreach programs to educate organizations, including small- to medium-sized regional financial services firms, on threats, risks, and best practices.

fs-isac partnerships

The FS-ISAC works closely with various Government agencies including the U.S. Department of Treasury, Department of Homeland Security (DHS), Federal Reserve, Federal Financial Institutions Examination Council (FFIEC) regulatory agencies, United States Secret Service, Federal Bureau of Investigation (FBI), the intelligence community, and State and local governments. In partnership with DHS, FS-ISAC 2 years ago became the third ISAC to participate in the National Cybersecurity and Communications Integration Center (NCCIC) watch floor. FS-ISAC representatives, cleared at the Top Secret/Sensitive Compartmented Information (TS/SCI) level, attend the daily briefs and other NCCIC meetings to share data information on threats, vulnerabilities, incidents, and potential or known impacts to the financial services sector. Our presence on the NCCIC floor has enhanced situational awareness and information sharing between the financial services sector and the Government, and there are numerous examples of success to illustrate this. As part of this partnership, the FS-ISAC set up an email listserv with U.S. CERT where actionable incident, threat, and vulnerability information is shared in near-real time.
This listserv allows FS-ISAC members to share directly with U.S. CERT and further facilitates the information sharing that is already occurring between FS-ISAC members and with the NCCIC watch floor or with other Government organizations.

In addition, FS-ISAC representatives sit on the Cyber Unified Coordination Group (Cyber UCG). This group was set up under authority of the National Cyber Incident Response Plan (NCIRP) and has been actively engaged in incident response. Cyber UCG's handling and communications with various sectors following the distributed denial of service (DDOS) attacks on the financial sector in late 2012 and early 2013 is one example of how this group is effective in facilitating relevant and actionable information sharing.

Consistent with the directives of Presidential Policy Directive 21 and Executive Order 13636 of 2014, the Treasury established the Cyber Intelligence Group (CIG) as part of the Office of Critical Infrastructure Protection and Compliance Policy. The CIG was established in response to a need identified by the financial sector for the Government to have a focal point for sharing cyber threat-related information with the sector. The CIG identifies and analyzes all-source intelligence on cyber threats to the financial sector; shares timely, actionable information that alerts the sector to threats and enables firms' prevention and mitigation efforts; and solicits feedback and information requirements from the sector.

Finally, it should be noted that the FS-ISAC and FSSCC have worked closely with its Government partners to obtain security clearances for key financial services sector personnel. These clearances have been used to brief the sector on new information security threats and have provided useful information for the sector to implement effective risk controls to combat these threats.
In addition, several membership subgroups meet regularly with their own circles of trust to share information, including: the Insurance Risk Council (IRC); the Community Institution Council (CIC) with hundreds of members from community banks and credit unions; and the Community Institution Toolkit Working Group with a mission to develop a framework and series of best practices to protect community institutions. This includes a mentoring program to assist community institutions just getting started with an IT security staff.

The FS-ISAC also works very closely with the other critical infrastructure sectors on an ISAC-to-ISAC basis as well as through the National Council of ISACs. Information about threats, incidents, and best practices is shared daily among the ISACs via ISAC analyst calls, and a cross-sector information-sharing platform. The ISACs also come together during a crisis to coordinate information and mitigations as applicable.

automated threat information sharing

The sector continues to make significant progress toward increasing the speed and reliability of its information-sharing efforts through expanded use of DHS-funded open specifications, including Structured Threat Information eXchange (STIX(TM)) and Trusted Automated eXchange of Indicator Information (TAXII(TM)). Late last year, the financial sector announced a new automated threat capability it created called ``Soltra Edge'', which is the result of a joint venture of the FS-ISAC and the Depository Trust and Clearing Corporation. This capability addresses a fundamental challenge in our information-sharing environment: Typically the time associated with chasing down any specific threat indicator is substantial. The challenge has been to help our industry increase the speed, scale, and accuracy of information sharing and accelerate time to resolution.
The Soltra Edge capability developed by the sector removes a huge burden of work for both large and small financial organizations, including those that rely on third parties for monitoring and incident response. It is designed for use by many parts of the critical infrastructure ecosystem, including the financial services sector, the health care sector, the energy sectors, transportation sectors, other ISACs, National and regional CERTs (Computer Emergency Response Teams) and vendors and service providers that serve these sectors. Key goals of Soltra Edge are to:

Deliver an industry-created utility to automate threat intelligence sharing;
Reduce response time from days/weeks/months to seconds/minutes;
Deliver 10 times reduction in effort and cost to respond;
Operate on the tenets of at-cost model and open standards (STIX, TAXII);
Leverage DTCC scalability; FS-ISAC community & best practices;
Provide a platform that can be extended to all sizes of financial services firms, other ISACs and industries;
Enable integration with vendor solutions (firewalls, intrusion detection, anti-virus, threat intelligence, etc.).

With these advancements, one organization's incident becomes everyone's defense at machine speed. We expect this automated solution to be a ``go-to'' resource to speed incident response across thousands of organizations in many countries within the next few years.

exercises

The sector regularly tests its resilience through exercises to identify gaps and exercise processes related to information sharing. Efforts such as the annual ``Cyber Attack against Payment Processes (CAPP)'', ``Quantum Dawn'' and public/private exercises provide essential insight into our ability individually and collaboratively to respond to various attack scenarios.
In carrying out this information-sharing partnership, the financial sector and Government partners are committed to ensuring that individual privacy and civil liberties protections are incorporated into all activities, to include technical analysis, information sharing on threats, and incident response efforts.

the president's executive order on promoting private-sector cybersecurity information sharing

As discussed above, the Financial Services Sector Coordinating Council (FSSCC) considers strong collaboration and information sharing within the sector and with Government to be a critical element of cybersecurity risk management. Thus, in alignment with the FS-ISAC's statement for the record by Denise Anderson, vice president of the FS-ISAC and chair of the National Council of ISACs, we applaud this administration's efforts to improve our cybersecurity information-sharing environment so that we can better anticipate, protect against, and respond to cyber threats. The administration's Executive Action is a positive step toward increasing the volume and quality of actionable and timely cybersecurity information.

With key Federal support from the Treasury Department as our Sector-Specific Agency, law enforcement and the Department of Homeland Security (DHS), our network defenders are better able to prepare for cyber threats when there is a consistent, reliable, and sustainable flow of actionable cybersecurity information and analysis, at both a Classified and Unclassified level. We are making some progress toward this goal, but it has become increasingly necessary for appropriately-cleared representatives of critical sectors such as financial services to have access, and provide contributions, to Classified information that enables analysts and operators to take timely action to defend essential systems.
Accordingly, the Executive Order's enhancement of DHS's role in accelerating the security clearance process for critical sector owners and operators is a clear indication of the administration's support for this public-private partnership.

In considering enhancements to this model, agility and innovation are essential for the operational resilience of critical sector functions. In this spirit, we support the creation of Information Sharing and Analysis Organizations (ISAOs) as a mechanism for all sectors, regions, and other stakeholder groups to share cybersecurity information and coordinate analysis and response. While ISACs must retain their status as the Government's primary critical infrastructure partners given their mandate for broad sectoral representation, the development of ISAOs should be facilitated for stakeholder groups that require a collaborative cyber and physical threat information-sharing capability that builds on the strong foundation laid by the ISACs.

As the ISAO standards development process unfolds, the FSSCC believes certain principles must be upheld for structuring both the ISAOs themselves and the Government's interaction with them:

Sharing of sensitive security information within and among communities of trust is successful when operational standards of practice establish clear and enforced information handling rules.
Information sharing is not a competitive sport: While competition in innovation can improve technical capabilities, operational standards should incentivize federated information sharing.
Threat and vulnerability intelligence needs to be fused across trust communities, not diffused or siloed.
Government internal processes for collecting, analyzing, and packaging CIP intelligence for ISAC/ISAO consumption must be streamlined and transparent to maximize timeliness, accuracy, and relevance of actionable shared information.
Indeed, Section 4 of EO 13636 directs the Government to improve its dissemination of cyber threat intelligence to the private sector, enabling entities to protect their networks. Full implementation of this directive is necessary to achieve the objectives of the President's information sharing Executive Order.

To manage scarce resources, Government information-sharing mechanisms such as the National Cyber and Communications Integration Center (NCCIC) and the Treasury Department's Cyber Intelligence Group (CIG) should prioritize engagements with ISACs and ISAOs according to transparently-established impact criteria, such as Government capacity to effectively serve CIP constituents in steady-state and surge mode, the reach those CIP stakeholders have into their sectors, and the effectiveness of their capabilities.

It is also important that the process to develop the ISAO standards is collaborative, open, and transparent. The process managed by the National Institute of Standards and Technology (NIST) during the development of the NIST Cybersecurity Framework is an excellent example of the appropriate leveraging of private-sector input, knowledge, and experience to develop guidance that will primarily impact non-Governmental entities. We encourage DHS, as the implementing authority of the President's EO, to emulate the engagement model that NIST used to create and adopt their Cybersecurity Framework. The process worked.

Finally, for DHS to be successful implementing this EO and its many cybersecurity risk management and partnership authorities, it must be sufficiently resourced with the best analytical and technical capabilities, with a cadre of highly-qualified cybersecurity leaders and analytical teams to conduct its mission. There must be a concerted effort to recruit, retain, and maintain a world-class workforce that is able to assess cyber threats globally and help the private sector reduce risk to this Nation.
The FSSCC believes that, with the application of the principles discussed in this statement, the creation of ISAOs and their partnership agreements with DHS have the potential to complement the ISAC foundation and measurably improve cyber risk reduction for critical infrastructure and the National economy.

On the subject of legislation, Mr. Chairman, passing cyber threat information-sharing legislation that encourages more information sharing between the private sector and Government and within the private sector, with fewer concerns about liability, will have a positive operational impact on the security of the Nation's networks. This sector-wide position is articulated in detail in recent letters from leading financial services trade associations.

Mr. Chairman and Members of the committee, this concludes my testimony.

Mr. Ratcliffe. Thank you, Mr. Garcia.

Mr. Ratcliffe. The Chairman now recognizes Dr. Libicki.

STATEMENT OF MARTIN C. LIBICKI, THE RAND CORPORATION

Mr. Libicki. Good afternoon, Chairman Ratcliffe, Ranking Member Richmond, and distinguished Members of the subcommittee. My name is Martin Libicki from The RAND Corporation. Thank you for the opportunity to testify today about the President's cybersecurity information-sharing proposal.

As a general proposition, information sharing among defenders makes for a better defense. Nevertheless, two concerns merit note. First, the current proposals do not address and may even exacerbate a cybersecurity divide. Second, an enormous amount of political energy is being dedicated to a point solution to a broad problem.

A cybersecurity divide exists between organizations, roughly speaking, large enough to afford their own chief information security officer and those that cannot. ISAOs, for their part, are oriented towards organizations that can afford the membership fees.
Unless other mechanisms to share information with the smaller organizations are bolstered, the latter are going to be left out of whatever information-sharing exists.

As for the narrower focus, several weeks ago President Obama said, ``There's only one way to defend America from cyber threats, and that's Government and industry working together, sharing appropriate information.'' An associated Executive Order calls for ``fostering the development and adoption of automated mechanisms for the sharing of information.'' However, cybersecurity is so complex a challenge that not only is information sharing not the ``only one way,'' but the model proposed for information sharing is not even the only one way to share information.

To explain why, let's note three models of information sharing. In the first model, vulnerabilities in software are found by white hat hackers and the forensic specialists and brought to the attention of the vendors. The vendors, when they receive this information, attack the vulnerabilities and generally fix them. This is a model that would lead to better software and can be encouraged by the Federal Government with a modest addition of funding and without having to pass any new laws.

In a second model, the collection and analysis of cyber attacks can shed light on what organizations could have done differently to have prevented or at least mitigated the effects of such attacks. Such sharing permits evidence-based assessments of alternative cybersecurity tools, techniques, and practices. This model can be encouraged by empowering organizations, such as NIST, and funding various R&D entities, such as the ARPAs and NSF, to build and disseminate a systematic body of knowledge on cybersecurity.

The first model results in better software. The second model results in better cybersecurity management. Organizations of all sizes can benefit from each.
In the third model of information sharing, organizations are asked to report details of the attacks they have suffered, such as malware samples, attacker modus operandi, IP addresses, attack vectors, induced anomalies, social engineering methods and so on. These are used to profile specific threat actors so that the signatures of their activity can be fed to intrusion detection and prevention systems of organizations that happen to have them.

The usefulness of this third model, however, requires that four assumptions be true. The first assumption is that most serious attacks come from specific black hat hacker groups who repeat their attacks often enough so that evidence from early attacks can be used to detect later ones. The second assumption is that such groups maintain a consistent modus operandi that is constantly reused. The third assumption is that such signatures can be shared in a timely manner, something that is complicated by the length of time--several months to a year--between when a typical advanced attack starts and when it is discovered. The fourth assumption is that such signatures will not evolve over time, even if information sharing were to become so widespread that the failure to evolve on the part of hackers would doom their ability to compromise networks.

An analogy may be made to the anti-virus industry. The majors run very large information-gathering networks fed by inputs from sensors placed throughout the internet, but the anti-virus model has lost viability in the face of ever-shifting signatures and the tendency of attackers to test their malware against anti-virus suites before releasing them.

Granted, the threat-based information-sharing model, if substantiated, would not be totally useless. Not every black hat hacker group will be conscientiously altering its modus operandi, and forcing such groups to cluster their attacks or shift their attack vectors does mean more work for them.
Nevertheless, threat-based information sharing is no panacea, and, yet, efforts to achieve it have absorbed a disproportional share of the legislative and media bandwidth on the topic of cybersecurity policy, crowding out the consideration of alternative approaches. Hence, the basis for our concern.

I appreciate the opportunity to discuss this important topic, and I look forward to your questions.

[The prepared statement of Mr. Libicki follows:]

Prepared Statement of Martin C. Libicki \1\ \2\

---------------------------------------------------------------------------
\1\ The opinions and conclusions expressed in this testimony are the author's alone and should not be interpreted as representing those of RAND or any of the sponsors of its research. This product is part of the RAND Corporation testimony series. RAND testimonies record testimony presented by RAND associates to Federal, State, or local legislative committees; Government-appointed commissions and panels; and private review and oversight bodies. The RAND Corporation is a nonprofit research organization providing objective analysis and effective solutions that address the challenges facing the public and private sectors around the world. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.
\2\ This testimony is available for free download at http://www.rand.org/pubs/testimonies/CT425.html.
---------------------------------------------------------------------------

March 4, 2015

Good morning, Chairman Ratcliffe, Ranking Member Richmond, and distinguished Members of the subcommittee. I thank you for the opportunity to testify today about the President's cybersecurity information-sharing proposal.

The President's initiatives to improve cybersecurity through information sharing are laudable. Information sharing can and should be an important element in efforts to ensure that defenders learn from each other faster than attackers learn from each other.
The fact that attackers do learn from each other is something that we know from research that RAND conducted for a report released last year on cyber crime markets (Markets for Cybercrime Tools and Stolen Data: Hackers' Bazaar).

People have been calling for greater information sharing for almost 20 years, dating back to the formation of Information Sharing and Analysis Centers (ISACs) in the late 1990s and continuing through the recent reformulation of ISACs into Information Sharing and Analysis Organizations (ISAOs). Although more information is being shared, the President's initiatives are prompted by the perception that information sharing is not advancing fast enough. Those asked to share gain little directly from sharing and believe they face financial, reputational, and legal risks in doing so. As a result, legislation has been repeatedly introduced to facilitate the increased exchange of information--notably, I would argue, threat information. Without going into a detailed assessment of the privacy implications of such legislation, apart from noting that concerns have been raised, its purposes are nevertheless sound and its passage can help improve cybersecurity.

Two concerns, however, merit note. One is that the current proposals do not address, and may even exacerbate, the differences between the cybersecurity enjoyed by small- and medium-sized enterprises on the one hand and that enjoyed by large enterprises on the other: A cybersecurity divide. The second concern is that the current legislative proposals represent an enormous amount of political energy dedicated to what is actually a narrowly-focused point solution to the problem of cybersecurity when a much broader approach is required. Consider each concern in turn.

The cybersecurity divide exists roughly at the boundary between those organizations that are large enough to afford their own chief information security officer (CISO) and those that cannot.
As a very rough estimate, though this varies by sector, organizations with more than 1,000 employees can afford to hire a CISO, and those that are smaller cannot. Organizations that cannot afford to employ a CISO can usually offer only generalized cybersecurity training for their employees (if they do so at all); must rely on commodity hardware and software, often deployed with default settings; make do with commercial network offerings such as routers; and use off-the-shelf firewall tools. Organizations that can afford to employ a CISO can offer and customize specialized training, can afford to optimize their hardware and software for cybersecurity, can purchase sophisticated cybersecurity tools, can hire information security analysts, and contract with third parties for additional cybersecurity services. Fortunately, cloud offerings can be and are tailored for organizations of all sizes, but this only represents a partial approach to cybersecurity and may introduce a few additional security problems of their own.

ISAOs, laudable as they may be, are oriented toward organizations that can afford their membership fees; at $10,000 a year, most small- and medium-sized organizations are priced out of that market. Consider the likelihood that these ISAOs become the primary--or worse, exclusive--conduit for information sharing between the Government and private organizations. If so--and in the absence of other mechanisms to share information with the broader public--the smaller organizations are going to be left out. Whatever advantage they reap from information-sharing rests on the hope that the existence of ISAOs as conduits for shared information does not detract from paths more suited to smaller enterprises.

The risks of exacerbating the cybersecurity divide are related to the problem of an overly narrow focus for information sharing associated with pending legislation.
Several weeks ago, during the Cybersecurity Summit, President Obama said, ``There's only one way to defend America from cyber threats, and that's Government and industry working together [and] sharing appropriate information.'' However, cybersecurity is not that elementary; there is no one unique way. Furthermore, the associated Executive Order calls for ``fostering the development and adoption of automated mechanisms for the sharing of information.'' That being so, not only is information sharing not the ``only one way'' to improve cybersecurity, but the model proposed for information sharing is also not the ``only one way'' to share information. To explain why requires stepping back to take a broader look at information sharing. Among the many types of information sharing, three merit note.

First is the process by which software vulnerabilities are brought to the attention of those who make and maintain software. A large percentage of all networks--particularly the more diligently-defended ones--are penetrated because their software contains vulnerabilities that have not been fixed, notably because the vendors have not discovered them. These are ``zero-day vulnerabilities''; they permit ``zero-day exploits.'' Software vulnerabilities in Java, Acrobat, Flash, and Microsoft Office products are commonly exploited to allow attackers to enter computer networks and systems (which is why users are warned not to click on suspect websites or open suspicious attachments). A large and growing community of researchers and white hat hackers are busy finding these vulnerabilities and reporting them to vendors. A related community examines actual cyber attacks to determine which vulnerabilities were exploited in order to serve the same end of fixing them. A world with fewer software vulnerabilities would be a safer world (although patches do no good until installed).
Occasionally, software vendors confronted with a number of similar vulnerability reports about their products may find correlated architectural weaknesses in their offerings and make more fundamental changes. The Federal Government can do more to encourage and accelerate the process of finding software vulnerabilities with modest amounts of funding and without passing new legislation.

Second is the use of information sharing to improve cybersecurity practice. The collection and analysis of cyber attacks, both those that succeed and those that may be termed near-misses, can shed light on what organizations could have done differently to have prevented or at least mitigated the effects of such attacks. Such analysis can provide evidence-based assessments of the cost-effectiveness of alternative cybersecurity tools and techniques. Such an activity is already informally carried out to some extent at the worker level, especially among the information security community and disseminated through professional interaction. This should continue to be encouraged, and should trickle up to the C-Suite and managers. Such activity can lead to insights that are scientifically validated (or refuted), which then become part of the cybersecurity canon, to be spread through the literature and other formal and informal exchanges within the information technology community, as well as taught in the various schoolhouses. The Government can aid this process by empowering organizations such as the National Institute of Standards and Technology (NIST) and funding the various Advanced Research Project Agencies (ARPAs) and the National Science Foundation (NSF) to build a systematic body of knowledge.

These first two types of information sharing do not exacerbate the cybersecurity divide. The first should result in better software, which benefits everyone.
The second should result in better cybersecurity practices, which also should benefit everyone, particularly those organizations that have at least one person who can think systematically about cybersecurity.

This now leaves the third type of information sharing, one that is specific to the characterization of threats and the impetus behind the legislation. It calls for organizations to report attacks and provide relevant details of these attacks, such as malware samples, attacker modus operandi, IP addresses, attack vectors, induced anomalies, social engineering methods, etc. These instances, in turn, are used to create a profile of specific threat actors and infer signatures of their activities, which, in turn, would be circulated to other organizations so that they can better prepare themselves, notably by putting such signatures into their intrusion prevention/detection systems. The appendix of the 2013 Mandiant report (APT1: Exposing One of China's Cyber Espionage Units), for instance, was stuffed with many signatures that could be used by potential victims of APT1 (their name for a specific hacker group supported by China's People's Liberation Army) to recognize signs of threat activity infection. Although such signatures could, and in many cases would, also be supplemented by intelligence collection, the Classified nature of such additional material limits the number and type of machines on which they could reside.

The usefulness of threat-based information sharing rests on four assumptions about the nature of the threat itself. Such assumptions would have to be largely or totally true before the value of establishing an information-sharing apparatus can justify the effort to operate it, persuade organizations to contribute to it, and offset the residual risks to privacy that such information transfer may entail.
The first assumption is that a sufficient share of all serious attacks comes from specific black hat hacker groups and that each carries out enough attacks over a period of time so that their modus operandi can be characterized. Trivially, if every black hat hacker organization carried out just one attack, signatures derived from that one attack would inform no further attacks. In practice, each group must carry out enough attacks so those that are discovered can inform those that take place later on. Furthermore, for such signatures to be useful, there has to be time for the attack to be detected so that the signatures can be collected, shared, and inserted into the defensive systems of potential future victims while they are still useful. If all the attacks were bunched together in a short period, the information gathered from such attacks will not be gathered in time to be useful.

The second assumption is that each attacker group generates a consistent set of signatures that recur in multiple attacks (and that can be used reliably by defenders to distinguish their attacks from benign activity). To wit, hacker signatures have to resemble fingerprints. The APT1 group's attacks did have such characteristics (similarly, those that attacked Sony Pictures Entertainment in late 2014 used the same IP addresses as those who attacked South Korean banks and media firms in 2013). However, the possibilities of polymorphic malware (variations in the appearance of exploits) and fast-flux DNS (to permit shifting IP addresses) suggest that hackers have options for varying their signatures.

The third assumption is that these signatures are detectable by organizations interested in sharing. The average attack by sophisticated and advanced threats remains undetected for a year--and those are only the ones that have been discovered.
Most such attacks are discovered not by their victims but by third parties and, for the most part, only because the information taken from several victims is funneled through the same intermediate servers used to hold the exfiltrated data. If these servers are discovered, evidence from attacks on multiple victims can be picked up at the same time. Attackers who are sensitive to being caught can explore alternative ways to route the data they bring home.

The fourth assumption is that such signatures will not evolve (enough) over time--even if information sharing became so widespread that the failure to evolve would make it too hard for hacker groups to penetrate and compromise networks. Although Mandiant's publication of APT1 activities slowed the group's activities, it only took a few months before they were back in business using a new set of exploits and attack vectors, with brand-new signatures that had to be inferred.

An analogy may be drawn to the anti-virus industry. The major players--Symantec, McAfee, Kaspersky, and Microsoft--run very large information-gathering networks fed by inputs from customers as well as sensors that they have placed throughout the internet. But the anti-virus model has lost most of its viability over the past 5 years in the face of ever-shifting signatures and the practice of attackers testing malware against anti-virus suites before releasing them into the wild. Although threat-centric information-sharing deals with a broader range of indicators than anti-virus companies do, the same dynamic by which expensively-constructed measures beget relatively low-cost countermeasures argues against being terribly optimistic about the benefits from pushing a threat-centric information-sharing model.

This is not to say that threat-centric information sharing is useless.
Not every black hat hacker group will be conscientious about altering its modus operandi, and there may be features of their signatures that are not obvious to themselves (and hence would likely persist for later detection). Forcing such groups to cluster their attacks or to use multiple attack vectors, including obfuscation techniques and grouping methods, resulting in new or altered signatures over time, means more work for them. Some attackers will drop out; others may not be able to attack as many organizations in a given period. So, the effort to gather signatures would not be completely wasted. Furthermore, even if threat-centric information sharing does not work, the efforts that organizations would have to make to understand what is going on in their networks in order to share information effectively would, as a side benefit, also help them protect themselves absent any information-sharing whatsoever.

Unfortunately, these recent efforts to promote a particular kind of information sharing have achieved the status of a panacea. They are absorbing a disproportional share of the legislative and elite media energy on the topic of cybersecurity. Many otherwise serious people assert that information sharing could have prevented many headline assaults on important networks. Yet, if one works through such attacks to understand if there were precedents that could have given us threat signatures, one often finds no good basis for such a belief. Quelling the Nation's cybersecurity problems is a complex, multi-faceted endeavor not subject to a silver bullet.

In sum, there is nothing wrong with information sharing. It should be encouraged. The President's proposal may well do so--in which case it deserves our support. But there is something wrong with assuming that it solves most, much less all, of the cybersecurity problem. It only addresses one facet of a very complex space.
It is therefore highly questionable whether efforts to achieve information sharing deserve the political energy that they are currently taking up.

I appreciate the opportunity to discuss this important topic, and I look forward to your questions.

Mr. Ratcliffe. Thank you, Dr. Libicki. I now recognize myself for 5 minutes for questions.

Mr. Eggers, I'd like to start with you. In many respects, the Chamber of Commerce represents a single voice for stakeholders across many of the critical infrastructure sectors. So, in that respect and capacity, can you address whether industry supports the sharing of cyber threat indicators through civilian portals, such as the NCCIC, with established and transparent privacy protections?

Mr. Eggers. Congressman, thank you for that question. I would say yes, we do. Just to give you an example, the NCCIC is a key portal through which businesses are sharing and will be sharing. One thing I might add to that is we want businesses to be sharing with their trusted partners, whether it's DHS, FBI, Secret Service, Department of Energy, Treasury, you name it. I think what we want to see is a bill that gives them the ability to voluntarily share cyber threat indicators with associated protections with some flexibility in terms of sharing with Government. So it would be DHS and other entities.

Mr. Ratcliffe. Thank you, Mr. Eggers.

Ms. Callahan, as I've listened to stakeholders across the spectrum here, including privacy groups, one of the recurring questions and concerns out there relates to the minimization of data, which you talked about in your testimony. As the former chief privacy officer at DHS, I know that you oversaw the processes and procedures on how DHS protects privacy when it comes to sharing cyber threat indicators. Could you walk us through that in a little more detail? The measures that are in place at NCCIC to ensure that personal information is not shared with the Government.

Ms. Callahan. Thank you for that question.
There are several steps and several procedures that DHS goes through, depending on how the threat is conveyed to Homeland Security, depending on how it's integrated and whether or not it's going to be shared. As you mentioned, data minimization and only having the directly associated threat information is the key element both because it protects privacy better, of course, but, also, it helps identify what people should really be looking at if, indeed, information is shared and they don't have to go through the chaff.

At Homeland Security, there are multiple steps. First, when the threat comes in from the private sector, it can be reviewed by a human to go and look to see if it can be identified for what the specific threat is. It's then distilled down. It's very frequently often IP addresses, possibly URLs associated with it, and the very rate time associated with an email address. It's distilled down to that kind of core element, and then it's compared to whether or not we know anything about this threat, what else is happening, where is it going. To the extent that it's going to be shared, only that distilled element is going to be the purpose that it's shared. It also then, before sharing, is reviewed by a DHS privacy professional to confirm that minimization process.

Mr. Ratcliffe. Terrific. So, from your experience, what is your opinion on whether the privacy community supports the privacy protections that are currently in place at NCCIC?

Ms. Callahan. I think the privacy community very specifically wants to have civilian control over information sharing, and that's an important tenet for the privacy community. They also are very aware of the privacy protections that I described that are detailed in the multiple privacy impact assessments, privacy compliance reviews, and other public documents that have been detailed by the DHS privacy office.
In addition, Homeland Security has a subcommittee that is Classified at the Top Secret/SCI level that has had even more detailed briefings, and those include advocates and members of the community. So I think that, to the extent the privacy advocates can be comfortable with the privacy protections of information sharing, Homeland Security has met that.

Mr. Ratcliffe. Terrific. Thank you.

Mr. Garcia, I think it's pretty well-known out there that the financial services sector has one of the most mature ISACs and is considered by many to be the gold standard for information sharing. I think that we all need to be cognizant and careful from the committee standpoint not to break something that's currently working well. So with that in mind, a two-part question for you. How would the President's legislative proposal affect the financial sector's current sharing of cyber threat information? Then, second, what recommendations do you have for other sectors, based on your experience, and what might be learned from the FS-ISAC model?

Mr. Garcia. Thank you. That's a good question. I think the President's proposal is almost explicitly with us not targeted at the financial services sector or trying to make any improvements to it. There is a recognition that we have established a fairly robust and mature information-sharing trust community and that the proposal would really try to get at many of those noncritical sectors that have not yet engaged in this level of information sharing. So I would think that, on the edges, the proposal will help information sharing broadly and maybe the financial services as well, as long as the ISAO model is developed in a way that doesn't create too much confusion. As I mentioned in my opening statement, we need to have a federated information-sharing capability, not a competitive one where one ISAO is trying to get more members and, therefore, is withholding information from other ISAOs. That's really important.
If we have Balkanized or siloed information sharing, we are defeating the purpose of trying to get broader comprehensive situational awareness. So for ISAOs standing up, I think we'll look forward to providing contributions to the standards development process for what constitutes a good information-sharing environment.

I think key to that is we really started sharing robustly when we established a traffic light protocol--red, yellow, green, white--a cascade of different definitions of what information can be shared with whom and what information cannot be shared. That is enforced. It's enforceable and it is enforced. That really cements the trust, that you know that, when you're going to share this information, that it is not going to be released anywhere else where it is not permitted. So that gives a contributor some level of confidence that their information is going to be protected, but it's also going to be used by other members of that community. So that is a key element.

The other element is having well-trained personnel who are able to analyze information and be able to assimilate and synthesize all the different feeds that are coming in and make sense of it in a way that can provide the users with some kind of a coherent guidance for what to do about it.

Mr. Ratcliffe. Terrific. Thank you, Mr. Garcia.

Mr. Eggers, I want to come back to you for a second. As I mentioned before, I've had listening sessions with different groups and one of the things that we've learned is that, you know, liability protections are clearly going to be necessary to incentivize this information sharing. Can you explain what types of liability protections are needed and why?

Mr. Eggers. Sure. Let me just kind of give you a feel for the protections, in general, where that liability protection fits in. So when we look at, let's say, something like the CISA bill--which, you know, unless there's maybe hiccups at an upcoming mark-up which could happen soon, we will support that bill.
But I think about liability in terms of kind of four key protections. Right? So liability's probably the first and foremost liability. Right? In the legislation, if you're acting within the terms of the bill, you will be getting liability protections for the ways in which you share with the private-sector and Government entities. There's a few nuances. The second is regulatory protection, and the third is FOIA, and the fourth is anti-trust. So, if anything, I would mention that the liability protection probably sits at the top and is probably the most important one of the bunch, if you had to single one out.

Mr. Ratcliffe. So expounding on that, why is private-to-private sharing so important----

Mr. Eggers. Generally----

Mr. Ratcliffe [continuing]. And the liability protections associated with that?

Mr. Eggers. Sure. So within the construct of a voluntary program--right?--and I think it's important just to stress we're talking about a voluntary program where we're trying to create some legal certainty--businesses, when they are, let's say, fortunate to be able to identify, let's say, a breach, an incident, they've got those bits and pieces of technical data that they should share with business partners and the governments to provide everyone a better sense of real security. But a lot of times what we hear from businesses is, ``Hey, we want to do the right thing, but we're afraid that the information that we share will come back to bite us''--right?--``It will have a boomerang effect.'' So they want protections to be able to share that with peers, and we encourage that. Right? So if there's some attacks that you know of that you can share with others so other folks can benefit, stop those attacks, that's a good thing. We want them to share with their business partners. The FS-ISAC is a great example.
But we also want businesses to share that narrow threat data with Government, too, so they can start to build a bigger picture and help others, Government and private sector.

Mr. Ratcliffe. Terrific. Thank you, Mr. Eggers.

Dr. Libicki, in addition to threat and indicator information sharing, you mentioned two others: The sharing of software vulnerabilities with the software vendor and information sharing to improve cybersecurity practices. In your opinion, what would you suggest as appropriate legislative actions to address or enable these two areas?

Mr. Libicki. I am not sure that you really need that much legislative action apart from, you know, appropriations authorization sort of information. Let me give you an example. I think the total amount of money spent world-wide to reward people for finding vulnerabilities in software isn't much more than about $10 million a year. When you consider that, globally, $70 billion a year are spent on cybersecurity tools and services and if you believe that, in fact, reducing the number of vulnerabilities can make people safer, there is a certain amount of room to increase the amount of money being spent on finding vulnerabilities. If I had to make a guess, I would say $10 million, which is not particularly large in the context of, say, DHS's total cybersecurity spending, could do a lot to encourage that kind of discovery.

In terms of the other type of information sharing, every particular attack in many ways can be associated with things that you could have done differently, better practices, best practices. Although we have a canon of best practices today, a lot of times our best practices can be described as belt and suspenders.
When you talk to CISOs who cannot afford both belts and suspenders, they want some sort of guidance as to which one is more important, how important is isolating systems, for instance, how important is multi-factor authentication, how important is training, how important are a lot of the various ways that organizations can improve their cybersecurity. A lot of the way that you learn how organizations can improve cybersecurity is to figure out when something got past these particular defenses. So where you would want to put more resources in is a consolidated effort to try to assess the relative efficacy of various cybersecurity measures in the context in which they are used, and empowering NIST is one way to do that. NIST tends not to want to make those sorts of, ``Well, A is better than B decisions.'' But that's the kind of knowledge you're going to need for cybersecurity and, I think, in terms of R&D funding from NSF and the various ARPAs, is a way to help systematize this learning and collect the lessons from this learning.

Mr. Ratcliffe. Thank you, Dr. Libicki.

Ms. Callahan, in listening sessions with privacy groups, I've heard that following the Fair Information Practice Principles is a key to protecting Americans' privacies. In your opinion, what more can NCCIC do to increase transparency and ensure that these principles are followed?

Ms. Callahan. Thank you, sir. The Fair Information Practice Principles, or the FIPPs, are the cornerstone for any analysis of analyzing the privacy impact of certain considerations. As you note, the NCCIC has applied the FIPPs in their processes. However, we can always improve. The NCCIC can also have--the transparency and the discussion of the effectiveness of information sharing I think could be a very valuable tool in light of the fact that, you know, we hear a lot about information sharing and how does it work? Mr. Garcia has some examples that I believe he'll share with you.
But I think it's also important to understand why this information's being shared, what's happening to it, and where is it going. Dr. Ozment's testimony earlier this month--or, I guess, in February does have some statistics, as does Under Secretary Spaulding's, but I think understanding the core elements would be an important factor. The data minimization that I talked about and the procedures that NCCIC and CSNC go through are useful, and I think it wouldn't be--it would be good to again describe those in more detail and try to get some understanding. Finally, the issue about security clearances is a difficult one, but at the same time I think we can get more information at an Unclassified level perhaps both to explain to the private-sector companies who are concerned as well as those advocates. Thank you.

Mr. Ratcliffe. Thank you. So do you think that the sharing of cyber threat information should be exempt from FOIA?

Ms. Callahan. I think that there are several factors to think about. Candidly, the information that I have seen that's been shared from private-sector companies or from DHS to other Government entities is difficult to parse if you're not a computer. You know, we're trying to identify the malware. We're trying to identify what the threat is specifically. From a FOIA perspective, to understand public policy issues I don't think is very helpful. Furthermore, I certainly think that companies would be very reticent to share that information if, indeed, it was exposed to FOIA. I think it probably still meets under the FOIA qualifications of Exemption (b)(3). So I don't know that we need necessarily new legislation on that, but I think that the FOIA exemption is both useful and getting the information wouldn't be all that helpful for the advocates themselves.

Mr. Ratcliffe. Thank you, Ms. Callahan. Mr. Eggers, what's your perspective on that question?

Mr. Eggers.
I think the exemption from--thank you--the exemption from disclosure is a fundamental part of any bill. Right? Businesses want to be sharing. We want them to share. They don't want to see their names necessarily in the headlines because they were trying to do the right thing.

Mr. Ratcliffe. Terrific. Thank you. Pleased to be joined by the gentleman from Florida, Mr. Clawson. I'd like to yield to him for questions.

Mr. Clawson. So you all had the good luck or bad luck of coming when it turns out to be a fly-out day, weather day, votes at the last second. I mean, you know, you had everything going against you. I wouldn't take personal offense to a bunch of folks not being here because it is an unusual day up here. So I think I have a grasp on what we're trying to do and why we're trying to do it. But when I put myself, if I were a participating company, with so many different stakeholders, particularly if it was a multi-national, I don't know how you get this to work. It feels like the right thing that the anti-trust blocks could get thrown out of the way by the Government. Liability insurance feels like a good start, too. But there still feels to be a lot of other obstacles that, if I were running my company, would give me lots of pause here. There's a long list. Right? I mean, first of all, if I was and have operated in foreign countries and their governments wanted to do this to me, I know I'd just say no. So the foreign stakeholders, including security holders, I think also makes this a lot more complicated, particularly in former Soviet Bloc countries, by the way, where they don't like Government involved in their IT systems. So the multi-national nature of stakeholders is the first thing that comes to mind. The second thing that comes to mind is who's not going to participate. If you don't get a big block of people in my industry participating, I am not sure I'd want to.
The third thing I'd say is, ``Isn't this going to slow me down?'' More important, the very tool that you seem to be putting in place here might help the bad guys. Because if the Government does get in the middle almost at any level, it slows down, I think what the point is, disseminating data to the people that understand the malware as quickly as possible. So I could keep going on and on here. So I kind of feel like I like the idea. The devil's in the details. If I were a business, you'd have to--you know, if I were running a business again, you'd have to lay out pretty clearly how we would get over some of these obstacles and me still keep my fiduciary responsibility to shareholders and the other stakeholders in the company. When I hear that not everybody wants to participate, I say to myself, ``Hmm. I can kind of understand that.'' Now, that's from a non-IT guy, by the way. So you all know more about these things than I do. So take up where I've left off here. Am I on shaky ground in terms of these kind of concerns or am I hitting on something that you all have already anticipated and addressed prior to this in your own studies and activities?

Mr. Eggers. Congressman, if I may--and then others can join me--let me try to come at your questions this way. They're very good. We're talking about information sharing, but one of the things that's positive about the framework is you can be using the framework in any country, any province, any State. It's not mandatory. It's voluntary. So you don't have to come up with specially-engineered cyber solutions to comply with, let's say, regulations of each country. That would not be good. That would be too costly even for big companies. No. 2, information sharing, voluntary at least under the bill that we are championing, the CISA bill currently in the Senate, at least in draft form. The information-sharing program we're looking to achieve is not about surveillance.
It's about sharing threat data from business-to-business, business-to-government, and, hopefully, more and more business-to-government so that can stop future attacks. The Chamber--we were part of a letter that had----

Mr. Clawson. Can I interrupt just for a second?

Mr. Eggers. Sure.

Mr. Clawson. Business-to-business I understand because, if the attack hits here, let's get at the information to--by the way, even my competitors. Right?--and so that they can be inoculated.

Mr. Eggers. Uh-huh.

Mr. Clawson. Why Government?

Mr. Eggers. We can't fight the bad guys without working together. When I think about the threats out there, it's not the wayward kid down the street that's having fun, maybe, breaking into a computer system. It's nation-states. It's people working on their behalf. It's super criminal groups that I think Dr. Libicki points out is very costly. So if we're going to--and I like to think of an information-sharing bill. It's trying to knock the bad guys off-balance. Right? We need to push them off-balance. Right? We're going to share and be more resilient, meaning industry and Government. So we need to work together. We can't tackle nation-states or their proxies solo. We can't do it. So we need to work together, and we need to do it smartly.

Mr. Clawson. Anybody else?

Mr. Garcia. Sure. I agree with Mr. Eggers. I think, you know, when you look at this very complicated world of cyber threats, the industry has information that the Government does not have globally. We are located around the world. The Government has information that we do not have, Classified information, information about nation-state activities. If we're not fusing that together, we're really not getting a broad situational awareness. So we are not where we should be.
The financial sector has been working closely with the Government to think about the ways to improve the bidirectional sharing of information between industry and Government, and the Government agencies recognize that internally they need to improve their processes or how do they process information within the Government and then what's the tear line, meaning what's the really critical information that can be sent to the private sector, leaving the sources and methods, which is Classified, out of it because we don't need that information. So we're working through that process of trying to improve content and procedures. It isn't easy. Government is not--there's many agencies in the Government with different cultures and different ways of doing things. The same goes with the private sector. So----

Mr. Clawson. Am I right to say that the further down you push the actual activity, meaning Government becomes an enabler, facilitator, as opposed to active participant, there's an inverse relationship so you'll get more--if less Government's involved on a direct basis, more companies will voluntarily sign up. Am I right or wrong about that? You see, I know what I would feel. I know what I would think.

Mr. Garcia. Yes. And----

Mr. Clawson. It feels like it will be quicker without the Government being a direct participant, and it feels like it will be, you know, less risky in a lot of ways if I am doing this peer-to-peer with protection of the Government as opposed to the Government being the clearinghouse and interpreter of the data.

Mr. Garcia. We wouldn't look at the Government as a clearinghouse or interpreter either, but we do see them as a partner that--again, they can provide information we don't have and vice versa. Yes, I think there will be companies and organizations out there that have less trust in working with the Government for the liability concerns that Mr. Eggers has articulated, but the same goes for company-to-company at times.
We're dealing with competitors. In the financial sector, it's not quite the same thing. We are all competitors in financial services. But when it comes to cybersecurity, we're all in it together. It is not a competitive issue. So we've gotten over that hurdle. We understand that we have to proceed on the assumption that we are all under attack every day and we are all going to get hit at one point or another. So let's just come to the table with that and admit that. ``Now, what are we going to do about it together?'' That's a trust relationship that has been building over time. Other industry sectors, not as much. Hopefully, this information-sharing and analysis organization model that the administration is trying to incentivize--maybe that will move other companies toward more trust-sharing models not just among themselves, but with the Government.

Mr. Eggers. Congressman Clawson, if I may, let me add to that. So you had mentioned about business interest and information sharing. The Chamber was one of about 35 associations representing--I don't know--back of the envelope, maybe 80 to 90 percent of the U.S. economy, stating that, ``We need a good bill that clears away the legal policy underbrush, gives us certainty that, when we are sharing, we are protected.''

Mr. Clawson. That's easy. Right? I mean, we all agree on that. I mean----

Mr. Eggers. So one thing I might add, if I just may--you mentioned slowing things down--one thing that we are looking at--and the jury's still out with respect to the Executive Order on cyber information sharing, at least February 13--is the standards/best practices element of standing up more ISAOs--right?--or at least having organizations declare that they've self-certified it at a future date, that they are following certain standards/best practices. One of the things that I think gives our members pause is not that you're going to be holding up an entity as a model for how to share well.
What we're concerned about is, in that process of creating standards, highlighting best practices, that that could kind of gum up the information-sharing works.

Mr. Clawson. Right. Right. I mean, look, if I wanted to get a good laugh out of my employees, two lines I could say: ``We're from corporate and we're here to help''--that always got a chuckle--or ``We're from the Government and we're here to help.'' You know, employee stakeholders have had long-time experience of hearing people say that and then it goes wrong on them. You know, that's the--for this to work, whether you're the Chamber or whoever we are, we would have to be able to convince the companies and, more importantly, the folks that are running the IT systems and the ERPs that both corporate and, you know, in this case, the Government, is really not going to slow them down. I think clearing out the underbrush, as you say--I mean, that's a no-brainer. Right? I mean, take away the anti-trust and take away the liability and we're much more likely to share. But then, after that, after many years in the private sector, this story gets more murky to me as, you know, good intentions where things could easily go wrong or not get enough companies to participate to make a difference. I'm glad that the financial sector is in that position, but having been involved in other sectors, I am really pretty sure that they're not nearly as organized and that their industries, by the way, are not nearly as consolidated. So, you know, in the financial--we still have got a lot of community banks left, but it's a much more consolidated environment than it is in a lot of other industries. Those unconsolidated environments are a different animal. I don't know if that's even a word or not. But that's a different animal than what you're talking about. I don't want to take all the time here. But give me a reaction on whether I'm all wet here.

Mr. Garcia.
Well, you know, you can see where there are times when information sharing has slowed down, for example, when something is subject to law enforcement investigation. Okay? Now no one can talk about it and you can't actually disseminate the facts about something that, if other potential victims had that information, they could shut down systems that might otherwise be attacked. So, yeah, there will be situations where trying to engage with the Government is going to slow things down. There are other situations where it's going to speed things up. For example, we had worked within the NCCIC cooperatively with DHS. There was a point-of-sale malware called Backoff that was infecting a lot of different retail outlets all over the country. Actually coming together, we fused information that DHS had and what the financial sector had, and we made sense of what this point-of-sale malware was doing. We pushed out a joint product, basically said, ``Here's the threat. Here's what it's trying to do. Here's what you need to do to fix it.'' One of the participants in the activity had something like 50 stores located in 24 different States where they actually took that advice and they made the correction before it----

Mr. Clawson. Who identified the malware?

Mr. Garcia. That could have been--I don't have the specifics. It could have been from law enforcement. Often law enforcement can find certain malware----

Mr. Clawson. Or an outside contractor to----

Mr. Garcia. It comes from many different places. It can come from security companies who are on contract. It can come from law enforcement that's doing their own investigative forensics work. It can come from a member company of the FS-ISAC. It can come from an analyst at DHS or the intelligence community. It's a matter of having that automated phone tree, if you will, where we can bring all of those sources of intelligence together and make sense of it. Sometimes it's slow. Sometimes it's faster.
We're trying to get ourselves to a point of more automated threat information sharing where we actually can take out some of the human dimension of having to pick up a phone and call somebody or send an email saying ``Did you see what I just saw?'' and, actually, the machines are recognizing these kinds of----

Mr. Clawson. Looking for patterns.

Mr. Garcia. Yeah.

Mr. Clawson. Dr. Libicki.

Mr. Libicki. Yes.

Mr. Clawson. Anything to add?

Mr. Libicki. Yes. I want to add to some of the comments. I think we have a common stake in better cybersecurity. Okay? In a world in which, say, one bank is subject to an attack that causes people to lose trust in the bank, their neighbor across the street isn't going to be better off. In many ways, they're going to be worse off. The attack that makes people wonder if they can give a credit card to one merchant isn't going to necessarily have them running to another merchant. It's going to complicate the response of everybody who wants to use credit cards in commerce. For that reason, there is going to be a common interest in information security, in cybersecurity, and improving it across the lot. To a large extent we shouldn't forget that the Government organizations themselves have an interest in their own cybersecurity and there's information on best practices, on how to make good decisions, that they can learn from the rest of the economy, or the benefits that they get from closing vulnerabilities in software used in business also helps the Government organizations preserve their own systems, preserve their own confidentiality in their systems and----

Mr. Clawson. That's a good point.

Mr. Libicki [continuing]. Authentication.

Mr. Clawson. That's a good point.

Ms. Callahan. If I may, sir, just to follow up, I think about information sharing both among the companies and, also, with and from the Government as kind of three-dimensional chess. You need to know where each of the different elements are, as Mr. Garcia and Dr.
Libicki talked about, and you may not have the complete picture unless you get all of the information. I completely agree with you that you don't want the Government in your business dealing with what the threat is itself, but you do want to share the information that you've figured out or maybe a contractor figured out or maybe the Government figured out. So it's to share the information as broadly as possible, but not to have the Government come and, you know, deal with the information or address the cyber threat unless it's a critical scenario.

Mr. Eggers. Congressman, if I may just add a quick point, one thing I think about or at least our members think about in terms of getting from Point A to Point B, A to Z, on an information-sharing bill, a bill that clears both Chambers and, hopefully, gets to the President's desk this year, is, even though it's important to protect privacy, that we not lose sight of the burdens that we could place on small and mid-sized businesses to scrub personal information. Those kinds of provisions will be in a bill, but I want to make sure that we not go too far that we're essentially, from a practical standpoint, having the small and mid-sized guys sit on the sidelines because they feel like they can't scrub personal information adequately or do it at least under the terms of any future bill.

Mr. Clawson. Boy, that's a tough balance. I mean, I thought about this all day. We talked about it with our team. With small businesses that don't have a lot of dedicated resources and often outsource anything of any complexity with regards to--I mean, they even outsource their own ERP system. Right?
You know, to get a bill which will convince those folks to participate in a voluntary program that could make their life more difficult and still get the bill through--because you're going to have folks like me that are going to say, ``I'm just not fond of the Government being in my cell or in my ERP, either one, really.'' That's going to be a neat trick. Right? I mean, that just doesn't feel like it will be easy to do. I'm not trying to be critical. It just feels like a mountain to climb here to get it just right where you don't make it so onerous that no one signs up. But you have got to have something that has enough impact to get the bill passed. Am I making sense?

Mr. Eggers. Yes. One quick brief note on that is, when I say small and mid-sized guys just generically, I'm thinking in a lot of ways some of the supply chain elements of, let's say, a bigger firm. If those smaller companies are hacked, we want them to have the confidence that they report, let's say, to the bigger company and a lot of times the Government won't necessarily have to be in their systems. What they will be doing is sharing those technical bits and pieces of information that the bigger company can use and, let's say, law enforcement can use to build a case against folks probably overseas.

Mr. Clawson. Well, if I can help you--I mean, I'm playing devil's advocate here, obviously. But I'm doing it because I'm trying to--you know, I hope this works. I don't want it to fail. We want it to work.

Mr. Eggers. Agreed.

Mr. Clawson. So I think the more front-end conversations you have like this one--and I know you're doing that every day with people that are out there--the better your chances of getting people to participate. Because, if they don't come around, we're dead. Right? I mean, if it's a voluntary program and no one signs up, then it's not going to do us much good.

Ms. Callahan. I think, for the small and medium-sized businesses, the automated sharing that Mr.
Garcia talked about can really help facilitate that. Therefore, the more people can participate, the bigger the pie, so to speak, the more you can share, the less burden it is on the small and medium-sized enterprises.

Mr. Clawson. I yield back. Thank you, everybody, for your patience with me.

Mr. Ratcliffe. I thank the gentleman. I agree with the gentleman that weather has definitely affected attendance today. But I know that my colleagues on both sides of the aisle see this as a critically important issue, as evidenced by the fact that a number of them were with me earlier this morning and with the Chairman, touring the NCCIC. So, with that, I am very grateful to the witnesses for their valuable testimony. I know that it will inform this committee as we move forward. I thank my colleague for his questions. The Members of the committee may have some additional questions for witnesses, and we'll ask them to respond to these in writing. Pursuant to committee rule 7(e), the hearing record will be held open for 10 days. Without objection, the subcommittee stands adjourned.

[Whereupon, at 4:08 p.m., the subcommittee was adjourned.]