b'<html>\n<title> - DHS\'S EFFORT TO SECURE .GOV</title>\n<body><pre>[House Hearing, 114 Congress]\n[From the U.S. Government Publishing Office]\n\n\n                      DHS\'S EFFORT TO SECURE.GOV\n\n=======================================================================\n\n                                HEARING\n\n                               BEFORE THE\n\n                            SUBCOMMITTEE ON\n                     CYBERSECURITY, INFRASTRUCTURE\n                        PROTECTION, AND SECURITY\n                              TECHNOLOGIES\n\n                                 OF THE\n\n                     COMMITTEE ON HOMELAND SECURITY\n                        HOUSE OF REPRESENTATIVES\n\n                    ONE HUNDRED FOURTEENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                             JUNE 24, 2015\n\n                               __________\n\n                           Serial No. 114-23\n\n                               __________\n\n       Printed for the use of the Committee on Homeland Security\n                                     \n\n[GRAPHIC NOT AVAILABLE IN TIFF FORMAT] \n\n                                    \n\n      Available via the World Wide Web: http://www.gpo.gov/fdsys/\n\n                               __________\n                               \n                     U.S. GOVERNMENT PUBLISHING OFFICE\n96-169 PDF                 WASHINGTON : 2015                     \n                               \n_______________________________________________________________________________________ \nFor sale by the Superintendent of Documents, U.S. Government Publishing Office, \nhttp://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,\nU.S. Government Publishing Office. 
Phone 202-512-1800, or 866-512-1800 (toll-free).\nE-mail, <a href="/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="bfd8cfd0ffdccacccbd7dad3cf91dcd0d291">[email&#160;protected]</a>  \n\n                              \n                               \n                               \n                               \n                               \n\n                     COMMITTEE ON HOMELAND SECURITY\n\n                   Michael T. McCaul, Texas, Chairman\nLamar Smith, Texas                   Bennie G. Thompson, Mississippi\nPeter T. King, New York              Loretta Sanchez, California\nMike Rogers, Alabama                 Sheila Jackson Lee, Texas\nCandice S. Miller, Michigan, Vice    James R. Langevin, Rhode Island\n    Chair                            Brian Higgins, New York\nJeff Duncan, South Carolina          Cedric L. Richmond, Louisiana\nTom Marino, Pennsylvania             William R. Keating, Massachusetts\nLou Barletta, Pennsylvania           Donald M. Payne, Jr., New Jersey\nScott Perry, Pennsylvania            Filemon Vela, Texas\nCurt Clawson, Florida                Bonnie Watson Coleman, New Jersey\nJohn Katko, New York                 Kathleen M. Rice, New York\nWill Hurd, Texas                     Norma J. Torres, California\nEarl L. ``Buddy\'\' Carter, Georgia\nMark Walker, North Carolina\nBarry Loudermilk, Georgia\nMartha McSally, Arizona\nJohn Ratcliffe, Texas\nDaniel M. Donovan, Jr., New York\n                   Brendan P. Shields, Staff Director\n                    Joan V. O\'Hara,  General Counsel\n                    Michael S. Twinchek, Chief Clerk\n                I. Lanier Avant, Minority Staff Director\n                                 ------                                \n\nSUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND SECURITY \n                              TECHNOLOGIES\n\n                    John Ratcliffe, Texas, Chairman\nPeter T. King, New York              Cedric L. 
Richmond, Louisiana\nTom Marino, Pennsylvania             Loretta Sanchez, California\nScott Perry, Pennsylvania            Sheila Jackson Lee, Texas\nCurt Clawson, Florida                James R. Langevin, Rhode Island\nDaniel M. Donovan, Jr., New York     Bennie G. Thompson, Mississippi \nMichael T. McCaul, Texas (ex             (ex officio)\n    officio)\n               Brett DeWitt, Subcommittee Staff Director\n                    Dennis Terry, Subcommittee Clerk\n       Christopher Schepis, Minority Subcommittee Staff Director\n                           \n                           C O N T E N T S\n\n                              ----------                              \n                                                                   Page\n\n                               STATEMENTS\n\nThe Honorable John Ratcliffe, a Representative in Congress From \n  the State of Texas, and Chairman, Subcommittee on \n  Cybersecurity, Infrastructure Protection, and Security \n  Technologies:\n  Oral Statement.................................................     1\n  Prepared Statement.............................................     3\nThe Honorable Cedric L. Richmond, a Representative in Congress \n  From the State of Louisiana, and Ranking Member, Subcommittee \n  on Cybersecurity, Infrastructure Protection, and Security \n  Technologies...................................................     4\nThe Honorable Michael T. McCaul, a Representative in Congress \n  From the State of Texas, and Chairman, Committee on Homeland \n  Security.......................................................     6\nThe Honorable Bennie G. Thompson, a Representative in Congress \n  From the State of Mississippi, and Ranking Member, Committee on \n  Homeland Security:\n  Prepared Statement.............................................     8\n\n                               WITNESSES\n                                Panel I\n\nMr. 
Andy Ozment, Assistant Secretary, Office of Cybersecurity and \n  Communications, National Protections and Programs Directorate, \n  U.S. Department of Homeland Security:\n  Oral Statement.................................................     9\n  Prepared Statement.............................................    11\nMr. Gregory C. Wilshusen, Director, Information Security Issues, \n  Government Accountability Office:\n  Oral Statement.................................................    14\n  Prepared Statement.............................................    16\n\n                                Panel II\n\nMr. Daniel M. Gerstein, The Rand Corporation:\n  Oral Statement.................................................    36\n  Prepared Statement.............................................    38\n\n                                APPENDIX\n\nQuestions From Chairman John Ratcliffe for Andy Ozment...........    51\nQuestions From Honorable James R. Langevin for Andy Ozment.......    51\nQuestions From Chairman John Ratcliffe for Gregory C. Wilshusen..    52\nQuestions From Chairman John Ratcliffe for Daniel M. Gerstein....    54\n\n \n                      DHS\'S EFFORT TO SECURE .GOV\n\n                              ----------                              \n\n\n                        Wednesday, June 24, 2015\n\n             U.S. House of Representatives,\n                    Committee on Homeland Security,\n Subcommittee on Cybersecurity, Infrastructure Protection, \n                                 and Security Technologies,\n                                                    Washington, DC.\n    The subcommittee met, pursuant to call, at 2:42 p.m., in \nRoom 311, Cannon House Office Building, Hon. John Ratcliffe \n[Chairman of the subcommittee] presiding.\n    Present: Representatives Ratcliffe, Perry, Clawson, \nDonovan, McCaul, Richmond, Jackson Lee, and Langevin.\n    Mr. Ratcliffe. 
The Homeland Subcommittee on Cybersecurity, \nInfrastructure Protection, and Security Technologies will come \nto order.\n    The subcommittee meets today to hear what the Department of \nHomeland Security is doing to secure U.S. Government networks \nfrom cyber hackers. The magnitude of the latest breach at the \nOffice of Personnel Management, or OPM, and the impact that it \nwill have on tens of millions of Americans and our National \nsecurity for decades to come is simply unacceptable.\n    OPM was warned about its poor IT security. Yet, we still \nfound them asleep at the switch. To put it in perspective, OPM \nwas responsible for safeguarding extremely sensitive data, \npersonnel files, and security clearance information for tens of \nmillions of Federal employees. Yet, OPM\'s efforts to secure its \nnetworks were frankly laughable. The stakes were immense. Yet, \nthe cybersecurity efforts were pathetic. In my opinion, this \ncould be classified as cybersecurity malpractice.\n    The Federal agency guarding this sensitive information \ndemonstrated gross negligence and willful disregard of earlier \nwarnings. We need to know who in this administration is really \nin charge and who is truly responsible for securing our Federal \nGovernment\'s civilian information systems.\n    The nature of the compromised data is particularly \nconcerning because it contained the personally identifiable \ninformation, or PII, of what is now known to be at least 14 \nmillion Federal and Congressional employees and military \npersonnel. 
Not only did we fail to protect that PII, we failed \nto protect the security clearance background check information \ncontained on the Questionnaire for National Security Position \nform, also known as the SF-86.\n    The individuals who serve our country, often risking their \nlives, disclose substantial personal information on these forms \nto get special clearances to handle our Government\'s secrets, \nand they have every right to expect that their information will \nbe safe. But, as we have learned, OPM struggled to implement \neven the most basic network security protocols.\n    This was spelled out in the November 2014 inspector general \nreport 1 month before the breach occurred. The Government \nAccountability Office has drawn similar conclusions. \nSpecifically, the inspector general found lackluster \ninformation security governance and even recommended that OPM \nshut down all of its information systems that lacked the valid \nauthorization.\n    Additionally, in 2014, DHS presented to OPM a mitigation \nplan with recommendations for improving its information \nsecurity. The question then is why the recommendations from DHS \nand others were not required and fully implemented by OPM.\n    Unfortunately, the White House response to the OPM breach \nhas been incredibly disappointing. The Federal Government was \nattacked. Yet, there is no indication that there will be any \nconsequences from these actions. In addition, the U.S. Chief \nInformation Officer, Tony Scott, has called for a, ``30-day \ncybersecurity sprint,\'\' for Federal agencies to secure their \nnetworks and data.\n    So the White House is essentially calling on Federal \nagencies to step up and do in the next 30 days what they were \nalready required to do. Our country\'s cybersecurity shouldn\'t \nbe a 30-day sprint exercise, but, rather, a dedicated marathon, \na long, sustained, and comprehensive effort to protect our \ncountry from escalating and rapidly evolving cyber attacks. 
\nThis administration\'s response is superficial. It is not \nserious, and it doesn\'t reflect the gravity of the threats \nfacing our Nation right now in cyber space.\n    It is clear that the Nation is under attack, under siege, \nby state and non-state actors and our defenses at OPM and in \nthe Federal Government are woefully inadequate. As such, in \nthis hearing today, we will examine the cyber capabilities that \nDHS is providing to OPM and to other Federal civilian agencies, \nhow quickly these tools are being deployed Government-wide, \nand, ultimately, what vulnerabilities and gaps remain in our \ncybersecurity posture.\n    Last December Congress passed the Federal Information \nModernization Act, or FISMA, to give DHS the authority to carry \nout the operational activities to protect Federal civilian \ninformation systems from cyber intrusions. Now that DHS has \nthese authorities, we want to hear how DHS plans to execute the \nnew law and rapidly implement its binding directives and other \nFederal information security capabilities to more quickly \nsecure the .gov domain.\n    Additionally, DHS\' EINSTEIN and Continuous Diagnostics and \nMitigation program, or CDM, were designed to protect Federal \ncivilian agency systems. Yet, not every Federal agency has \nadopted them. Why is that the case?\n    Although these programs aren\'t a silver bullet to prevent \nfurther cyber attacks, both play a vital role in what should be \na defense-in-depth cybersecurity strategy. 
Now more than ever \nDHS needs to rapidly deploy its cyber capabilities and show \nstrong leadership to protect our Government\'s networks and most \nsensitive information from cyber hackers.\n    I also hope that, if nothing else, this latest attack on \nOPM servers will prove to be a catalyst to get the United \nStates Senate to act and pass the strong and bipartisan House-\npassed cybersecurity information-sharing legislation.\n    These bills would, in part, authorize DHS\' EINSTEIN program \nand allow for greater sharing of cyber threat indicators so \nboth the public and private sectors can more effectively block \nknown and malicious cyber intrusions.\n    From my vantage point as Chairman of this subcommittee and \nas a former terrorism prosecutor, cybersecurity is National \nsecurity. The United States Government is under cyber attack \nfrom nation-states and criminal groups, and I look forward to \nhearing from our witnesses today on what the Department of \nHomeland Security is doing about it.\n    [The statement of Chairman Ratcliffe follows:]\n                  Statement of Chairman John Ratcliffe\n                             June 24, 2015\n    The subcommittee meets today to hear what the Department of \nHomeland Security is doing to secure the U.S. Government\'s networks \nfrom cyber hackers. The magnitude of the latest breach at the Office of \nPersonnel Management (OPM), and the impact it will have on tens of \nmillions of Americans and our National security for decades to come, is \nsimply unacceptable. OPM was warned about its poor IT security; yet we \nstill found them asleep at the switch. To put it into perspective, OPM \nwas responsible for safeguarding extremely sensitive data-personnel \nfiles and security clearance information for tens of millions of \nFederal employees--yet OPM\'s efforts to secure its network were \nlaughable. The stakes were immense, yet the cybersecurity efforts were \npathetic. 
In my opinion, this could be classified as a ``cybersecurity \nmalpractice\'\' of sorts. The Federal agency guarding this sensitive \ninformation demonstrated gross negligence and willful disregard of \nearlier warnings. We need to know who in this administration is in \ncharge, and who is responsible for securing our Federal Government\'s \ncivilian information systems.\n    The nature of the compromised data is particularly concerning \nbecause it contained the personally identifiable information (PII) of \nup to 14 million Federal and Congressional employees, and military \npersonnel. Not only did we fail to protect PII, we failed to protect \nthe security clearance background check information contained on the \nQuestionnaire for National Security Positions form, called an SF-86. \nThe individuals who serve our country, often risking their lives, \ndisclose substantial personal information on these forms to get special \nclearances to handle our Government\'s secrets and expect their \ninformation will be safe.\n    As we\'ve learned, OPM struggled to implement even the most basic \nnetwork security protocols. This was spelled out in a November 2014 \nInspector General report, 1 month before the breach occurred. The \nGovernment Accountability Office has drawn similar conclusions. \nSpecifically, the IG found lackluster information security governance \nand even recommended that OPM shut down all its information systems \nthat lacked a valid authorization. Additionally in 2014, DHS presented \nto OPM a mitigation plan with recommendations for improving its \ninformation security. The question, then, is why the recommendations \nfrom DHS and others were not required and fully implemented by OPM?\n    Unfortunately, the White House response to the OPM breach has been \nextremely disappointing. The Federal Government was attacked, yet there \nis no indication that there will be consequence for these actions. 
\nAdditionally, the U.S Chief Information Officer Tony Scott has called \nfor a ``30-day cybersecurity sprint\'\' for Federal agencies to secure \ntheir networks and data. The White House is essentially calling on \nFederal agencies to do in the next 30 days what they were already \nrequired to do. Our country\'s cybersecurity should not be a sprint \nexercise; but rather a marathon--a long, sustained, and comprehensive \neffort to protect our country from escalating and rapidly evolving \ncyber-attacks. This administration\'s response is not serious and does \nnot reflect the gravity of the threats facing our Nation in cyberspace.\n    It is clear that the Nation is under siege by state and non-state \nactors, and our defenses at OPM and in the Federal Government are \nwoefully inadequate. As such, today we will examine the cyber \ncapabilities that DHS is providing to OPM and other Federal civilian \nagencies, how quickly these tools are being deployed Government-wide, \nand ultimately, what vulnerabilities and gaps remain in our \ncybersecurity posture.\n    Last December, Congress passed the Federal Information \nModernization Act (FISMA) to give DHS the authority to carry out the \noperational activities to protect Federal civilian information systems \nfrom cyber intrusions. Now that DHS has these authorities, we want to \nhear how DHS plans to execute the new law and rapidly implement its \nbinding directives and other Federal information security capabilities \nto more quickly secure the .gov domain. Additionally, DHS\' Einstein and \nContinuous Diagnostics and Mitigation (CDM) programs were designed to \nprotect Federal civilian agencies\' systems, yet not every Federal \nagency has adopted them. Why is that the case? Although these programs \nare not a silver bullet to preventing further cyber attacks, both play \na vital role in what should be a ``defense-in-depth\'\' cybersecurity \nstrategy. 
Now more than ever, DHS needs to rapidly deploy its cyber \ncapabilities, and show strong leadership to protect our Government\'s \nnetworks and most sensitive information from cyber hackers.\n    I also hope that if nothing else, this latest attack will prove to \nbe a catalyst to get the Senate to act and pass the strong and \nbipartisan House-passed cybersecurity information sharing legislation. \nThese bills would, in part, authorize DHS\' Einstein program and allow \nfor greater sharing of cyber threat indicators so both the public and \nprivate sectors can more effectively block known and malicious cyber \nintrusions.\n    From my vantage point as Chairman of this subcommittee and a former \nterrorism prosecutor, cybersecurity is National security. The U.S. \nGovernment is under cyber-attack from nation-states and criminal groups \nand I look forward to hearing from our witnesses today on what the \nDepartment of Homeland Security is doing about it.\n\n    Mr. Ratcliffe. The Chairman now recognizes the Ranking \nMinority Member of the subcommittee, the gentleman from \nLouisiana, Mr. Richmond, for any statements that he may have.\n    Mr. Richmond. Thank you, Mr. Chairman. Thank you for \nconvening this hearing on DHS\' responsibilities in helping all \nof the Federal agencies secure their cyber networks and \ndatabases.\n    I want to welcome our witnesses, Dr. Ozment, Mr. Wilshusen, \nand Dr. Gerstein. Thank you for taking the time to appear \nbefore us today.\n    Securing the Federal Government\'s networks and databases is \na monumental task. 
DHS has been charged with the primary task \nto coordinate and provide cybersecurity guidance for the many \nFederal agencies, critical infrastructure sectors, and \nGovernment programs, whether it be Government, personnel \ninformation, Classified background information, patents, \ntaxpayer data, nuclear facilities, health records, port \ncomplexes, or any number of other vital Government services.\n    However, under the Federal Information Security \nModernization Act of 2014, FISMA, the White House Office of \nManagement and Budget is responsible for Federal information \nsecurity, oversight, and policy issuance.\n    However, OMB executes its responsibilities in close \ncoordination with its Federal cybersecurity partners, including \nthe Department of Homeland Security and the Department of \nCommerce\'s National Institute of Standards and Technology.\n    Both state and non-state actors are attempting to breach \nour Government and commercial systems. As President Obama said \na few days ago, this problem is not going to go away. It is \ngoing to accelerate.\n    I think we all recognize that certifying the security of \ninformation on the Federal Government\'s networks and systems \nshould remain a core focus of the administration as we here in \nCongress should continue to be looking at innovative solutions \nthat provide DHS with the authorities to respond quickly to the \nnew challenges as they arise, and Congress must continue our \nsearch for legislative initiatives that will help further \nprotect our Nation\'s critical networks and systems.\n    As a result of the latest Government network breaches, we \nhave been told that OMB has launched a 30-day cybersecurity \nsprint, a review and recommendations effort. 
The review team is \nmade up of OMB, the White House E-Gov Cyber National Security \nUnit, the National Security Council Cybersecurity Directorate, \nthe Department of Homeland Security, and Department of Defense, \namong other agencies.\n    As part of the effort, OMB has instructed Federal agencies \nto immediately take a number of steps to protect Federal \ninformation and assets and improve the resilience of Federal \nnetworks.\n    Specifically, Federal agencies must immediately deploy \nindicators provided by DHS which can identify priority threat \nactive techniques and tactics and procedures and tools to scan \nsystems and check logs; No. 2, patch critical vulnerabilities \nwithout delay and report to OMB and DHS on the progress and \nchallenges within 30 days; No. 3, tighten policies and \npractices for privileged users; and, No. 4, dramatically \naccelerate implementation of multi-factor identification, \nespecially for privileged users.\n    While I am pleased to see the White House taking immediate \naction, all of the above efforts are generally recognized as \nsecurity measures that should already be in place, especially \nin vital Government networks.\n    I hope to hear today from our witnesses a clear explanation \nwhy many of the standard recognized security practices were not \nin place in Federal agencies and clearly identify the plan that \nDHS has to make sure and certify that Federal agencies\' \ncybersecurity standards are up to date.\n    Of particular interest to me in my district and I know to \nothers on this subcommittee is the status of port \ncybersecurity. Overall maritime ports handle more than $1.3 \ntrillion in cargo annually. The operations of these ports are \nsupported by information and communications systems that, like \nall other network systems, are susceptible to cyber-related \nthreats.\n    Failures in these systems could degrade or interrupt \noperations at ports, including the flow of commerce. 
Federal \nagencies--in particular, DHS--and industry stakeholders have \nspecific roles in protecting maritime facilities and ports from \nphysical and cyber threats.\n    GAO did an audit last year of maritime port cybersecurity \nefforts to assess actions taken by DHS and two of its front-\nline component agencies, the U.S. Coast Guard and FEMA, as well \nas other Federal agencies.\n    The GAO found that, while the Coast Guard initiated a \nnumber of activities and coordinating strategies to improve \nphysical security in specific ports, it has not conducted a \nrisk assessment that fully addresses cyber-related threats, \nvulnerabilities, and consequences.\n    The report also noted that FEMA identified enhancing \ncybersecurity capabilities as a funding priority for the first \ntime in 2013.\n    I look forward to today\'s testimony on both of these \nissues. It will be crucial that stakeholders appropriately plan \nand allocate resources to protect ports and other maritime \nfacilities from increasingly persistent and pervasive cyber \nintrusions.\n    With that, Mr. Chairman, I yield back.\n    Mr. Ratcliffe. The gentleman yields back.\n    The Chairman now welcomes and recognizes the Chairman of \nthe full committee, the gentleman from Texas, Mr. McCaul, for \nhis opening statement.\n    Mr. McCaul. I would like to thank Chairman Ratcliffe for \nhis leadership in holding this hearing today.\n    Our Government, in my opinion, is still reeling from what \nappears to be the most significant breach of Federal networks \nin U.S. history. This insidious attack was aimed at Federal \nemployees who handle our National security, many with security \nclearances working to defend our country. Yet, the \nadministration failed to defend them.\n    Instead, it appears that Chinese hackers were able to cut \nthrough our defenses and extract information about millions of \ncurrent and former U.S. 
Government employees with sensitive \nsecurity clearances.\n    As one who has filled these out in the past--I know the \nChairman has as well in our tenure at the Justice Department--\nit is astounding to me that these very sensitive documents went \nunprotected by the administration.\n    There can be no doubt that this attack will lead to more \nbrazen attempts to steal America\'s secrets. Yet, there is no \ntelling if we will be lucky enough to spot it the next time. \nClearly the administration needs to take this more seriously.\n    What is equally appalling to me is the administration\'s \nresponse. No Government employee has been held accountable. No \nforeign adversary has been warned. No one can say with any \ndegree of confidence whether we can stop this from happening \nagain.\n    We talk often now about how we have entered a new age that \nrequires new rules of the road. It is very true. I think this \nis a watershed moment. It appears now that a foreign country \nhas invaded our networks and stolen sensitive data.\n    Yet, the administration\'s response is not to promise \nretaliation. Instead, it has promised to add the issue to the \nagenda of this week\'s strategic dialogue with China. I would \nsubmit that is not strong enough. There are no consequences to \nthe actions.\n    What if this had been a foreign adversary invading our \nterritory instead of our networks to steal secrets? How would \nthe White House respond then? What if foreign espionage, we \ncaught them physically stealing the paper files? What would be \nthe response? This is the same action, just in the digital \nworld.\n    The abilities of our cyber adversaries are no secret. The \nalarm bell has been going off for years. In 2012, Iran hackers \nhit Saudi Arabia\'s national oil company, Aramco, destroying \n30,000 computers.\n    Iran has targeted major U.S. banks to shut down websites \nand restrict Americans\' ability to access their accounts. 
We \nhave seen intrusions into Target, Neiman Marcus, Home Depot, \nJ.P. Morgan. All these were designed to steal the personal \ninformation of private citizens.\n    In December, North Korea used a digital bomb to destroy \ncomputer systems at Sony Pictures, an attack that was \ndestructive, but also a cowardly attempt to stifle our freedom \nof expression.\n    In just this year we have seen the breaches of two major \nhealth care companies, Anthem and Premera, that together \naffected up to 90 million Americans.\n    I hope this latest breach will stir our Government to \naction and, quite frankly, the Congress in a frank \nacknowledgment that we have fallen behind.\n    Our Government is responsible for providing for the common \ndefense under the Constitution, and that also means defending \nour cyber space.\n    During the last Congress, I led the efforts to strengthen \nour cybersecurity foundations, and we managed to get five key \ncybersecurity bills passed into law. We did this with the \nsupport of both industry and privacy advocates.\n    This year we passed legislation in the House to enhance \ncyber threat information sharing, which possibly could have \nprevented this attack from occurring if we had the signature \nthreat information to block the breach from China.\n    In light of this attack--you know, we always say around \nhere it is going to take a big event for Congress to act. I \nthink the big event has happened and now it is time for \nCongress to act.\n    The House has acted. 
It is now time for the Senate to act \nand pass the bill that we passed out of the House with \noverwhelming bipartisan support, 355 votes, supported by both \nindustry and privacy.\n    The Department of Homeland Security has several cyber tools \nto defend these networks, such as the EINSTEIN and the \nContinuous Diagnostics and Mitigation program that were \nauthorized in our bill as well.\n    But these are only effective if they have been deployed to \nour sprawling and disparate Federal networks. As of now, only \nhalf of the Federal civilian agencies have deployed the latest \nversion of EINSTEIN.\n    I know, Dr. Ozment, you and I have talked about this. I \ncommend your efforts in expanding this now. Getting just to the \n50 percent was quite an accomplishment. But I think we want to \nhear about the expansion all across the Federal Government, \nwhich I think would protect the networks better.\n    This digital frontier and safeguarding it is one of our \nleading National security challenges of our time, and we, as \nAmericans, need to apply the same innovation, discipline, and \ncreativity that produced the information age into protecting \nwhat we have created.\n    I want to thank the Chairman again for holding this \nhearing. With that, I yield back.\n    Mr. Ratcliffe. I thank the Chairman.\n    Other Members of the committee are reminded that opening \nstatements may be submitted for the record.\n    [The statement of Ranking Member Thompson follows:]\n             Statement of Ranking Member Bennie G. Thompson\n                             June 24, 2015\n    I thank the leadership of this subcommittee for continuing to focus \non our Nation\'s most pressing cyber vulnerabilities--protecting our \nNation\'s critical infrastructure systems, and protecting citizens and \nFederal workers and their personal information. 
Over the past few \nmonths, the committee has found the repeated news that some of our most \nvaluable Government agencies have been infiltrated, and Government \nemployees\' detailed personal information have been exposed quite \nappalling.\n    We have seen the Internal Revenue Service breached. At the Defense \nDepartment, Secretary Carter has told us about the Russian\'s hacking \nfrom earlier this year, and now, we have a multi-layered exposure of \nFederal workers exposed in an Office of Personnel Management incident. \nOur networks and databases cannot be protected by one protocol, one \nsophisticated procedure, or one magic arrow. We have cybersecurity \nprograms in place, but for them to take hold, either in the private \nsector or across Government agencies, it will require leadership, \ncooperation, and accountability. For example, the President\'s \ncybersecurity Executive Order 13636 has charged the Department of \nHomeland Security to be the motivator, teacher, and implementer of the \nart and science of network and database security, across the Federal \nGovernment.\n    However, for DHS to fulfill this mission, it has to engage with \nboth the public and private sectors. I want to hear more from Dr. \nOzment on how DHS is fulfilling this mission, and how it has responded \nto previous intrusions. It is important for all of us to remember that \ncybersecurity is a shared responsibility, and that no single approach \ncan protect us completely. Cyber threat protection is a complex and \nincomplete process and it crosses several important intersections, \nespecially regarding privacy and civil liberties.\n    As people and Government become more dependent on technology, \ntechnology-based opportunities for crime, espionage, and physical \ndisruption will most certainly increase. Today, some contend that \ngreater security means ceding some degree of personal privacy, or vice \nversa. 
But in my book, cybersecurity enables privacy--because it
protects individuals, companies, and governments from malicious
intrusions. Privacy and security are not competing interests; we can
and must do both. The United States can set a positive example
regarding the role that cybersecurity standards play globally, for both
industry and Government. If we can develop effective, secure protocols
and standards that are easily implemented, it will represent an
important opportunity for U.S. products around the globe.
    Finally, I would be remiss if I did not mention the cost of these
programs discussed today. All of this cybersecurity effort does not
come cheap. While the majority has seen fit to increase cybersecurity
funding by large amounts in some cases, House and Senate Republicans
have started to show how they plan to budget at discretionary levels
for other programs.
    Compared to the President's budget, their budget will force cuts in
areas critical to the economy, as well as in National security
priorities. Homeland security, peacekeeping efforts, defense, and
foreign assistance will be impacted. These funding levels are the
result of Congressional Republicans' decision to lock in the funding
cuts imposed by sequestration. As we all know, sequestration was never
intended to take effect: Rather, it was supposed to threaten such
drastic cuts to both defense and non-defense funding that policymakers
would be motivated to come to the table and reduce the deficit through
smart, balanced reforms. Unfortunately, the bills and appropriations
targets released to date double-down on a very different approach.

    Mr. Ratcliffe. We are pleased to have with us today a panel
of distinguished witnesses on this important topic.
    Dr.
Andy Ozment is the assistant secretary for the Office
of Cybersecurity and Communications within the National
Protections and Programs Directorate at the United States
Department of Homeland Security.
    Welcome back, Dr. Ozment.
    Mr. Greg Wilshusen is the director for information security
issues at the Government Accountability Office.
    We're glad to have you with us today, sir.
    At this time I will ask both witnesses to stand and raise
your right hand so that I may swear you in to provide
testimony.
    [Witnesses sworn.]
    Mr. Ratcliffe. You may be seated.
    The witnesses' full written statements will appear in the
record.
    The Chairman now recognizes Dr. Ozment for 5 minutes for
his opening statement.

   STATEMENT OF ANDY OZMENT, ASSISTANT SECRETARY, OFFICE OF
  CYBERSECURITY AND COMMUNICATIONS, NATIONAL PROTECTIONS AND
   PROGRAMS DIRECTORATE, U.S. DEPARTMENT OF HOMELAND SECURITY

    Mr. Ozment. Thank you, Chairman Ratcliffe, Ranking Member
Richmond, and Chairman McCaul, Members of the committee. I
appreciate the opportunity to appear before you today.
    Like you, my fellow panelists, and countless Americans, I
am deeply concerned about the recent compromise at OPM, and I
am dedicated to ensuring that we take all necessary steps to
protect our Federal workforce and to drive forward the
cybersecurity of the entire Federal Government.
    As a result, I want to focus these remarks on how DHS is
accelerating our efforts to protect Federal agencies and help
Federal agencies better protect themselves.
    To begin, it is important to note that we are now making up
for 20 years of underinvestment in cybersecurity across both
the public and the private sector. At the same time, we are
facing a major challenge in protecting our most sensitive
information against sophisticated, well-resourced, and
persistent adversaries.
This is a complex problem without a
simple solution.
    To effectively address this challenge, our Federal agencies
need to deploy defense-in-depth. Consider protecting a
Government facility. Adequate security is not only a fence or a
camera or locking the doors of a building, but a combination of
these measures and others that, in aggregate, make it difficult
for an adversary to gain physical access. Cybersecurity also
requires multiple layers of security measures. No one measure
is sufficient.
    Under legislation passed by this Congress last year,
Federal agencies are responsible for their own cybersecurity.
To assist them, DHS provides a common baseline of cybersecurity
across the civilian government.
    It helps agencies manage their cyber risk through four key
lines of effort:
    First, we protect agencies by providing a common set of
capabilities through the EINSTEIN and Continuous Diagnostics
and Mitigation, or CDM, programs.
    Second, we measure and motivate agencies to implement best
practices.
    Third, we serve as a hub for information sharing.
    Finally, we provide incident response assistance when
agencies suffer a cyber intrusion.
    In my statement this morning, I will focus on the first
area, how DHS provides a baseline of security through EINSTEIN
and CDM. I have described the other three areas in my written
statement, and I am happy to take your questions on them. Our
first line of defense against cyber threats is the EINSTEIN
system, which protects agencies at their perimeters.
    Returning to the analogy of a Government facility that I
mentioned earlier, EINSTEIN 1 is similar to a camera at the
road onto the facility that records all traffic and identifies
anomalies in the numbers of cars. EINSTEIN 2 adds the ability
to detect suspicious cars based upon a watch list.
EINSTEIN 2
does not stop the cars, but sounds the alarm if a suspicious
car enters the facility.
    Agencies report that EINSTEIN 1 and 2 are screening over 90
percent of all Federal civilian traffic. EINSTEIN 1 and 2
played a key role in identifying the recent compromise at the
Department of Interior.
    The latest phase of the program, known as EINSTEIN 3A, is
akin to a guard post at the highway that leads to multiple
Government facilities. EINSTEIN 3A uses Classified information
to look at the cars and compare them with a watch list.
EINSTEIN 3A then actively blocks prohibited cars from entering
the facility.
    As the Chairman noted, we are accelerating our efforts to
protect all civilian agencies with EINSTEIN 3A. The system
currently protects 15 Federal civilian agencies with over
930,000 Federal personnel, or approximately 45 percent of the
civilian government, with at least one security countermeasure.
    We have added EINSTEIN 3A protections to over 20 percent of
the Federal civilian government in the last 9 months alone.
During this time, EINSTEIN 3A has blocked nearly 550,000
attempts to access potentially malicious websites.
    EINSTEIN 3A is a signature-based system. It can only block
attacks that it knows about. This is necessary, but not
sufficient, for protecting the civilian government. We are also
working on adding other technology to the EINSTEIN 3A platform
that can block attacks that we have not previously seen.
    As we accelerate EINSTEIN deployment, we also recognize
that security cannot be achieved through only one type of tool.
EINSTEIN is not a silver bullet, and it will never be able to
block every threat. For example, it must be complemented with
tools to monitor the inside of agency networks.
    Our CDM, Continuous Diagnostics and Mitigation Program,
helps address this challenge.
We have purchased CDM Phase 1
capabilities for 8 agencies covering over 50 percent of the
Federal civilian government, and we expect to purchase CDM for
97 percent of the Federal civilian government by the end of
this fiscal year.
    Now, there's a caveat. The deadlines that I've just given
you are when DHS will provide a capability. It takes a few
additional months for each agency to fully implement both
EINSTEIN and CDM once the services are available. Of course,
agencies must supplement EINSTEIN and CDM with additional tools
appropriate to the needs of the agency.
    I want to thank you again for the legislation Congress
passed in December 2014. As you know, additional legislation is
needed. This committee and the House have passed a bill
authorizing EINSTEIN and establishing DHS as the portal for
liability-protected information-sharing between the private
sector and the Government. We need information sharing and
EINSTEIN authorization legislation passed.
    I'd like to conclude by noting that Federal agencies are a
rich target and will continue to experience frequent attempted
intrusions. As our detection methods improve, we will detect
more incidents, incidents that are already occurring, we just
didn't know it yet.
    The recent breach at OPM is emblematic of this trend, as
OPM was able to detect the intrusion by implementing best
practices recommended by DHS. We are accelerating the
deployment of the tools we have, and we are bringing cutting-
edge capabilities on-line. We are asking our partner agencies
and Congress to take action and work with us to strengthen the
cybersecurity of our Federal agencies.
    Thank you again for the opportunity to appear before you
today. I look forward to any questions.
    [The prepared statement of Mr.
Ozment follows:]
                   Prepared Statement of Andy Ozment
                              introduction
    Chairman Ratcliffe, Ranking Member Richmond, and Members of the
committee, thank you for the opportunity to appear before you today.
Recent compromises clearly demonstrate the challenge facing the Federal
Government in protecting our citizens' and employees' personal
information against sophisticated, agile, and persistent threats.
Addressing these threats is a shared responsibility. I will discuss the
roles of the Department of Homeland Security (DHS) in protecting
civilian Federal departments and agencies and in helping agencies
better protect themselves.
      the role of the department of homeland security in federal
                             cybersecurity
    The Federal Information Security Modernization Act of 2014
specifies that Federal agencies are responsible for their own
cybersecurity. In addition, DHS has the mission to provide a common
baseline of security across the civilian government and help agencies
manage their cyber risk. DHS, through its National Protection and
Programs Directorate (NPPD), assists agencies by providing this
baseline for the Federal Government through the EINSTEIN and Continuous
Diagnostics and Mitigation (CDM) programs, by measuring and motivating
agencies to implement best practices, by serving as a hub for
information sharing, and by providing incident response assistance when
agencies suffer a cyber intrusion. I will discuss each of these in
turn. NPPD has two additional cybersecurity customers besides the
Federal Government: Private-sector infrastructure owners and operators,
and State, local, Tribal, and territorial governments.
While several of
the capabilities outlined below, such as information sharing and best
practices, apply to all three customers, this statement focuses on
NPPD's approach to Federal cybersecurity in the context of the recent
compromise at OPM.
EINSTEIN
    EINSTEIN protects agencies' unclassified networks at the perimeter
of each agency. Furthermore, EINSTEIN provides situational awareness
across the Government, as threats detected in one agency are shared
with all others so they can take appropriate protective action. The
U.S. Government could not achieve such situational awareness through
individual agency efforts alone.
    The first two versions of EINSTEIN--EINSTEIN 1 and 2--identify
abnormal network traffic patterns and detect known malicious traffic.
This capability is fully deployed and screening all Federal civilian
traffic that is routed through a Trusted Internet Connection (a secure
gateway between each agency's internal network and the internet).
EINSTEIN 3 Accelerated (EINSTEIN 3A), which actively blocks known
malicious traffic, is currently being deployed through the primary
Internet Service Providers serving the Federal Government. EINSTEIN 1
and 2 use only Unclassified information, while EINSTEIN 3A uses
Classified information. Using Classified indicators allows EINSTEIN 3A
to detect and block many of the most significant cybersecurity threats.
We are working aggressively to ensure that all agencies are protected
by EINSTEIN 3A, including by implementing alternative deployment
options that address the inability of some Internet Service Providers
to implement EINSTEIN 3A in a sufficiently timely manner.
    We are now accelerating our efforts and making significant progress
in implementing EINSTEIN 3A across the Federal Government.
The system
now protects 15 Federal civilian departments and agencies and over
930,000 Federal personnel with at least one of its two security
``countermeasures.'' Thus, EINSTEIN 3A protects approximately 45% of
the civilian government--a 20% increase over the past 9 months alone.
During this time, EINSTEIN 3A has blocked nearly 550,000 attempts to
access potentially malicious web sites via one of its countermeasures.
Any one of these blocked attempts could have conceivably resulted in an
incident of severe consequence.
    As we fully deploy EINSTEIN 3A, we are also mindful that to stay
ahead of the adversary, we must go beyond the current approach that
uses indicators of known threats. To that end, we are developing
advanced malware and behavioral analysis capabilities that will
automatically identify and separate suspicious traffic for further
inspection, even if the precise indicator has not been seen before. We
are examining best-in-class technologies from the private sector to
evolve to this next stage of network defense. As I will discuss later,
EINSTEIN played a key role in understanding the recent compromise at
OPM.
Continuous Diagnostics and Mitigation (CDM)
    Security cannot be achieved through only one type of tool. That is
why security professionals believe in defense-in-depth: Employing
multiple tools to, in combination, manage the risks of cyber attacks.
EINSTEIN is a perimeter system, but it will never be able to block
every threat. For example, it must be complemented with systems and
tools inside agency networks. Through the CDM program, DHS provides
Federal civilian agencies with tools to monitor agencies' internal
networks.
CDM is divided into three phases:

  <bullet> CDM Phase 1 identifies vulnerabilities on computers and
        software on agency networks.
  <bullet> CDM Phase 2 will monitor users on agencies' networks and
        detect if they are engaging in unauthorized activity.
  <bullet> CDM Phase 3 will assess activity happening inside of
        agencies' networks to identify anomalies and alert security
        personnel.
    We have provided CDM Phase 1 capabilities to 8 agencies, covering
over 50% of the Federal civilian government. We expect to purchase CDM
for 97% of the Federal civilian government by the end of this fiscal
year. CDM will provide an invaluable tool in helping agencies protect
against cybersecurity compromises. Although NPPD provides both EINSTEIN
3A and CDM capabilities to Federal civilian agencies, each agency must
still take action to implement these systems. In some cases, it may
take agencies some months to fully implement a given capability once it
is made available by DHS.
    For example, a vignette from the current incident may be useful to
illustrate how EINSTEIN and CDM jointly help protect Federal agencies:
  <bullet> As soon as OPM identified malicious activity on their
        network, they shared this information with DHS. NPPD then
        developed a signature for the particular threat, and used
        EINSTEIN 2 to look back in time for other compromises across
        the Federal civilian government. Through this process, we
        identified a potential compromise at another location with OPM
        data that would not have been identified and mitigated as
        quickly without the EINSTEIN system. We then used the EINSTEIN
        1 system to determine whether data exfiltration had occurred.
  <bullet> This same threat information is used by EINSTEIN 3A to block
        potential threats from impacting Federal networks.
        Thus, DHS
        used EINSTEIN 3A to ensure that this cyber threat could not
        exploit other agencies protected by the system. As noted, DHS
        is accelerating EINSTEIN 3A deployment across the Federal
        Government. While it is challenging to estimate the potential
        impact of a prevented event, each of these malicious DNS
        requests or emails that were blocked by EINSTEIN 3A may
        conceivably have led to a cybersecurity compromise of severe
        consequence.
  <bullet> When implemented across the Federal Government, CDM will
        help agencies identify and prioritize vulnerabilities within
        their network. For example, CDM would have helped OPM identify
        any vulnerabilities within its database of Federal personnel
        information and mitigate those vulnerabilities before they
        could be exploited by an adversary.
Measuring and Motivating Agencies to Adopt Best Practices
    Many cybersecurity incidents can be avoided by simple measures.
Implementing best practices is the foundation of cybersecurity. DHS
works closely with individual agencies and governance bodies such as
the Federal Chief Information Officer (CIO) Council to motivate
agencies to implement best practices and to measure their progress in
reaching particular goals and outcomes. Examples of best practices
include patching critical vulnerabilities, implementing workforce
training and awareness programs, and using multi-factor authentication.
Secretary Johnson recently issued a Binding Operational Directive,
based upon authority provided by Congress in the Federal Information
Security Modernization Act of 2014, which directed civilian agencies to
promptly patch vulnerabilities on their internet-facing devices. These
vulnerabilities are identified by recurring scans conducted by the DHS
National Cybersecurity and Communications Integration Center (NCCIC).
These vulnerabilities are accessible from the internet, and thus
present a significant risk if not quickly addressed. Agencies have
responded quickly in implementing Secretary Johnson's directive, as
over half of the stale critical vulnerabilities that existed when the
Directive was issued have been mitigated within the 20 days since its
issuance.
    Under the authority provided by Congress in last year's FISMA
legislation, DHS has a statutory role in developing, implementing, and
evaluating operational cybersecurity guidance, in conjunction with the
Office of Management and Budget. In this role, DHS leverages metrics,
consultation, and strategic engagements with agency CIOs and Chief
Information Security Officers (CISOs) to motivate agencies toward
better cybersecurity. In fact, OPM was able to first identify the
recent compromise of its network based upon technical recommendations
provided by NPPD.
Information Sharing
    Information sharing is an essential aspect of NPPD's cybersecurity
role. By sharing information quickly and widely, we help other agencies
block cyber threats before damaging incidents occur. Equally
importantly, the information we receive from other agencies and the
private sector helps us understand emerging risks and develop effective
protective measures. Our NCCIC is the civilian government's hub for
cybersecurity information sharing, incident response, and coordination.
In fiscal year 2015, the NCCIC has disseminated over 6,000 alerts,
warnings, and bulletins.
    To effectively combat sophisticated and agile adversaries, we must
share information quickly enough to block threats before they can
penetrate Federal networks. We now have a system to automate our
sharing of cyber threat indicators, and we are working aggressively to
build this capability across Government and to the private sector so we
can share this information in near-real-time.
One agency is already
receiving cyber threat information via this automated system. We expect
that multiple agencies and private-sector partners will begin sharing
and receiving information through this system by the end of October,
2015. As more agencies join us in automated information sharing, we
will increase our adversaries' cost and reduce the prevalence of
damaging incidents across the Federal Government and the private
sector.
Incident Response
    Cybersecurity is about risk management, and we cannot eliminate all
risk. Agencies that implement best practices and share information will
increase the cost for adversaries and stop many threats. But
ultimately, there exists no perfect cyber defense, and persistent
adversaries will find ways to infiltrate networks in both Government
and the private sector. When an incident does occur, the NCCIC offers
on-site assistance to find the adversary, drive them out, and restore
service. In fiscal year 2015, the NCCIC has already provided on-site
incident response to 32 incidents--nearly double the total in all of
fiscal year 2014. The NCCIC also coordinates responses to significant
incidents to give senior leaders a clear understanding of the situation
and give operators the information they need to respond effectively.
Similar to the recent incident at OPM, providing on-site incident
response assistance also allows the NCCIC to identify indicators of
compromise that can then be shared with other agencies and applied to
EINSTEIN for broad protection across the Federal Government.
                       cybersecurity legislation
    Last year, Congress acted in a bipartisan manner to pass critical
cybersecurity legislation that enhanced the ability of the Department
of Homeland Security to work with the private sector and other Federal
civilian departments in each of their own cybersecurity activities, and
enhanced the Department's cyber workforce authorities.
As I noted, DHS
is using the authority granted in one of those bills--the Federal
Information Security Modernization Act of 2014--to direct Federal
civilian Executive branch agencies to fix critical vulnerabilities on
their Internet-facing devices.
    Additional legislation is needed. I previously highlighted
EINSTEIN's key role in identifying and mitigating an additional
potential compromise during the OPM activity. The Department and
administration have a long-standing request of Congress to remove
obstacles to the EINSTEIN program's deployment across Federal civilian
agency information systems by codifying the program's authorities and
resolving lingering concerns among certain agencies. Some agencies have
questioned how deployment of EINSTEIN under DHS authority relates to
their existing statutory restrictions on the use and disclosure of
agency data. DHS and the administration are seeking statutory changes
to clarify this uncertainty and to ensure agencies understand that they
can disclose their network traffic to DHS for narrowly-tailored
purposes to protect agency networks, while making clear that privacy
protections for the data will remain in place. I look forward to
working with Congress to further clarify DHS's authority to rapidly and
efficiently deploy this protective technology.
    In addition, carefully updating laws to facilitate cybersecurity
information sharing within the private sector and between the private
and Government sectors is also essential to improving the Nation's
cybersecurity. While many companies currently share cybersecurity
threat information under existing laws, there is a heightening need to
increase the volume and speed of information shared without sacrificing
the trust of the American people or the protection of privacy,
confidentiality, civil rights, or civil liberties.
It is essential to
ensure that cyber threat information can be collated quickly in the
NCCIC, analyzed, and shared quickly among trusted partners, including
with law enforcement, so that network owners and operators can take
necessary steps to block threats and avoid damage.
                               conclusion
    Federal agencies are a rich target and will continue to experience
frequent attempted intrusions. This problem is not unique to the
Government--it is shared across a global cybersecurity community. The
key to good cybersecurity is awareness and constant vigilance at
machine speed. As our detection methods continue to improve, more
events will come to light. The recent breach at OPM is emblematic of
this trend, as OPM was able to detect the intrusion by implementing
cybersecurity best practices recommended by DHS. As network defenders
are able to see and thwart more events, we will inevitably identify
more malicious activity and thwart the adversary's attempts to access
sensitive information and systems. We are facing a major challenge in
protecting our most sensitive information against sophisticated, well-
resourced, and persistent adversaries. In response, we are accelerating
deployment of the tools we have and are working to bring cutting-edge
capabilities on-line. We are asking our partner agencies and Congress
to take action and work with us to strengthen the cybersecurity of our
Federal agencies.

    Mr. Ratcliffe. Thank you, Dr. Ozment.
    The Chair now recognizes Mr. Wilshusen for 5 minutes for
his opening statement.

   STATEMENT OF GREGORY C. WILSHUSEN, DIRECTOR, INFORMATION
       SECURITY ISSUES, GOVERNMENT ACCOUNTABILITY OFFICE

    Mr. Wilshusen.
Chairman Ratcliffe, Ranking Member Richmond,
and Members of the subcommittee, thank you for the opportunity
to testify at today's hearing on DHS's efforts to secure the
.gov domain.
    As you know, the Federal Government faces an array of
cyber-based threats to its computer networks and systems, as
illustrated by the recent OPM data breaches which affected
millions of Federal employees. Such incidents underscore the
urgent need for effective implementation of information
security programs at Federal agencies.
    Since 1997, we have designated Federal information security
as a Government-wide high-risk area and, in 2003, expanded the
area to include computerized systems supporting the Nation's
critical infrastructure. We further expanded this area in 2015
to include protecting the privacy of personally identifiable
information.
    Today I will discuss several cybersecurity challenges
facing Federal agencies and Government-wide initiatives,
including those led by DHS aimed at improving agency
cybersecurity.
    Before I begin, Mr. Chairman, if I may, I'd like to
recognize several members of my team who were instrumental in
developing my statement and some of the work underpinning it.
    With me today is Larry Crosland, who is an assistant
director who led this work. Also, Brad Becker, Rosanna
Guerrero, Lee McCracken, Kush Malhotra, Chris Businsky, and
Scott Pettis also made significant contributions.
    Mr. Chairman, most Federal agencies face challenges
securing their computer networks and systems. One such
challenge is designing and implementing risk-based
cybersecurity programs.
    Agencies continue to have shortcomings in assessing risks,
developing and implementing security controls, and monitoring
results. Nineteen of 24 agencies covered by the CFO Act
reported that information security weaknesses were either a
significant deficiency or material weakness for financial
reporting purposes.
In addition, IGs at 23 of these agencies
cited information security as a major management challenge for
their agency.
    Overseeing security of contractor-operated systems is
another challenge. Agencies rely on contractors to perform a
wide variety of IT services. However, five of six agencies we
reviewed did not consistently assess or review assessments of
their contractors' information security practices and controls,
resulting in security lapses.
    Even with effective control, security incidents and data
breaches can still occur. Agencies need to react swiftly and
appropriately when they do. However, seven agencies we reviewed
had not consistently implemented key operational practices for
responding to data breaches involving personally identifiable
information.
    GAO and agency IGs have made hundreds of recommendations to
assist agencies in addressing these and other challenges.
Implementing these recommendations will strengthen agencies'
ability to protect their systems and information.
    DHS and OMB have also launched several Government-wide
initiatives to enhance cybersecurity. One such initiative is
requiring strong authentication of users through the use of
personal identity verification, or PIV, cards.
    These cards provide a more secure method of verifying a
user's identity than do passwords. However, OMB recently
reported that only 41 percent of agency user accounts at 23
civilian agencies required PIV cards for accessing agency
systems.
    DHS' Continuous Diagnostics and Mitigation Initiative is
intended to provide agencies with tools that identify and
prioritize cyber risk on an on-going basis and enable
cybersecurity personnel to mitigate the most significant
programs or problems first.
If effectively implemented, the
initiative may assist agencies in resolving long-standing
security weaknesses.
    The National Cybersecurity Protection System is intended to
detect and prevent malicious network traffic from entering
Federal civilian networks, among other things. GAO is presently
reviewing the implementation of this system. Our preliminary
observations indicate that the system's intrusion detection and
prevention capabilities may be useful, but are also limited.
    While Government-wide initiatives hold promise for
bolstering the Federal cybersecurity posture, no single
technology or set of practices is sufficient to protect against
all cyber threats. A multi-layered defense-in-depth strategy
that includes well-trained personnel, effective and
consistently applied processes, and appropriate technologies is
needed to better manage these risks.
    This concludes my statement. I'd be happy to answer your
questions.
    [The prepared statement of Mr. Wilshusen follows:]
               Prepared Statement of Gregory C. Wilshusen
                             June 24, 2015
    cybersecurity.--recent data breaches illustrate need for strong
                    controls across federal agencies
                              gao-15-725t
    Chairman Ratcliffe, Ranking Member Richmond, and Members of the
subcommittee: Thank you for inviting me to testify at today's hearing
on the Department of Homeland Security's (DHS) efforts to secure
Federal information systems. As you know, the Federal Government faces
an array of cyber-based threats to its systems and data, as illustrated
by the recently-reported data breaches at the Office of Personnel
Management (OPM), which affected millions of current and former Federal
employees.
Such incidents underscore the urgent need for effective
implementation of information security controls at Federal agencies.
    Since 1997, we have designated Federal information security as a
Government-wide high-risk area, and in 2003 expanded this area to
include computerized systems supporting the Nation's critical
infrastructure. Most recently, in the 2015 update to our high-risk
list, we further expanded this area to include protecting the privacy
of personally identifiable information (PII)\1\--that is, personal
information that is collected, maintained, and shared by both Federal
and non-Federal entities.\2\
---------------------------------------------------------------------------
    \1\ Personally identifiable information is information about an
individual, including information that can be used to distinguish or
trace an individual's identity, such as name, Social Security number,
mother's maiden name, or biometric records, and any other personal
information that is linked or linkable to an individual.
    \2\ See GAO, High-Risk Series: An Update, GAO-15-290 (Washington,
DC: Feb. 11, 2015).
---------------------------------------------------------------------------
    My statement today will discuss: (1) Cybersecurity challenges that
Federal agencies face in securing their systems and information and (2)
Government-wide initiatives, including those led by DHS, aimed at
improving agencies' cybersecurity. In preparing this statement, we
relied on our previous work in these areas, as well as the preliminary
observations from our on-going review of DHS's EINSTEIN initiative. We
discussed these observations with DHS officials. The prior reports
cited throughout this statement contain detailed discussions of the
scope of the work and the methodology used to carry it out.
All the \nwork on which this statement is based was conducted or is being \nconducted in accordance with generally accepted Government auditing \nstandards. Those standards require that we plan and perform audits to \nobtain sufficient, appropriate evidence to provide a reasonable basis \nfor our findings and conclusions based on our audit objectives. We \nbelieve that the evidence obtained provides a reasonable basis for our \nfindings and conclusions based on our audit objectives.\n                               background\n    As computer technology has advanced, both Government and private \nentities have become increasingly dependent on computerized information \nsystems to carry out operations and to process, maintain, and report \nessential information. Public and private organizations rely on \ncomputer systems to transmit proprietary and other sensitive \ninformation, develop and maintain intellectual capital, conduct \noperations, process business transactions, transfer funds, and deliver \nservices. 
In addition, the internet has grown increasingly important to \nAmerican business and consumers, serving as a medium for hundreds of \nbillions of dollars of commerce each year, and has developed into an \nextended information and communications infrastructure that supports \nvital services such as power distribution, health care, law \nenforcement, and National defense.\n    Ineffective protection of these information systems and networks \ncan result in a failure to deliver these vital services, and result in:\n  <bullet> loss or theft of computer resources, assets, and funds;\n  <bullet> inappropriate access to and disclosure, modification, or \n        destruction of sensitive information, such as National security \n        information, PII, and proprietary business information;\n  <bullet> disruption of essential operations supporting critical \n        infrastructure, National defense, or emergency services;\n  <bullet> undermining of agency missions due to embarrassing incidents \n        that erode the public\'s confidence in Government;\n  <bullet> use of computer resources for unauthorized purposes or to \n        launch attacks on other systems;\n  <bullet> damage to networks and equipment; and\n  <bullet> high costs for remediation.\n    Recognizing the importance of these issues, Congress enacted laws \nintended to improve the protection of Federal information and systems. \nThese laws include the Federal Information Security Modernization Act \nof 2014 (FISMA),\\3\\ which, among other things, authorizes DHS to: (1) \nAssist the Office of Management and Budget (OMB) with overseeing and \nmonitoring agencies\' implementation of security requirements; (2) \noperate the Federal information security incident center; and (3) \nprovide agencies with operational and technical assistance, such as \nthat for continuously diagnosing and mitigating cyber threats and \nvulnerabilities. 
The act also reiterated the 2002 FISMA requirement for \nthe head of each agency to provide information security protections \ncommensurate with the risk and magnitude of the harm resulting from \nunauthorized access, use, disclosure, disruption, modification, or \ndestruction of the agency\'s information or information systems. In \naddition, the act requires Federal agencies to develop, document, and \nimplement an agency-wide information security program. The program is \nto provide security for the information and information systems that \nsupport the operations and assets of the agency, including those \nprovided or managed by another agency, contractor, or other source.\n---------------------------------------------------------------------------\n    \\3\\ The Federal Information Security Modernization Act of 2014 \n(Pub. L. No. 113-283, Dec. 18, 2014) largely superseded the very \nsimilar Federal Information Security Management Act of 2002 (Title III, \nPub. L. No. 107-347, Dec. 17, 2002).\n---------------------------------------------------------------------------\nCyber Threats to Federal Systems\n    Risks to cyber-based assets can originate from unintentional or \nintentional threats. Unintentional threats can be caused by, among \nother things, natural disasters, defective computer or network \nequipment, and careless or poorly-trained employees. Intentional \nthreats include both targeted and untargeted attacks from a variety of \nsources, including criminal groups, hackers, disgruntled employees, \nforeign nations engaged in espionage and information warfare, and \nterrorists.\n    These adversaries vary in terms of their capabilities, willingness \nto act, and motives, which can include seeking monetary gain or a \npolitical, economic, or military advantage. 
For example, adversaries \npossessing sophisticated levels of expertise and significant resources \nto pursue their objectives--sometimes referred to as ``advanced \npersistent threats\'\'--pose increasing risks. They make use of various \ntechniques--or exploits--that may adversely affect Federal information, \ncomputers, software, networks, and operations.\n    Since fiscal year 2006, the number of information security \nincidents affecting systems supporting the Federal Government has \nsteadily increased each year: Rising from 5,503 in fiscal year 2006 to \n67,168 in fiscal year 2014, an increase of 1,121 percent (see fig. 1). \n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n    Furthermore, the number of reported security incidents involving \nPII at Federal agencies has more than doubled in recent years--from \n10,481 incidents in fiscal year 2009 to 27,624 incidents in fiscal year \n2014. These incidents and others like them can adversely affect \nNational security; damage public health and safety; and lead to \ninappropriate access to and disclosure, modification, or destruction of \nsensitive information. Recent examples highlight the impact of such \nincidents:\n  <bullet> In June 2015, OPM reported that an intrusion into its \n        systems affected personnel records of about 4 million current \n        and former Federal employees. The director of OPM also stated \n        that a separate incident may have compromised OPM systems \n        related to background investigations, but its scope and impact \n        have not yet been determined.\n  <bullet> In June 2015, the commissioner of the Internal Revenue \n        Service (IRS) testified that unauthorized third parties had \n        gained access to taxpayer information from its ``Get \n        Transcript\'\' application. 
According to IRS, criminals used \n        taxpayer-specific data acquired from non-IRS sources to gain \n        unauthorized access to information on approximately 100,000 tax \n        accounts. These data included Social Security information, \n        dates of birth, and street addresses.\n  <bullet> In April 2015, the Department of Veterans Affairs (VA) \n        Office of Inspector General reported that two VA contractors \n        had improperly accessed the VA network from foreign countries \n        using personally-owned equipment.\n  <bullet> In February 2015, the Director of National Intelligence \n        stated that unauthorized computer intrusions were detected in \n        2014 on OPM\'s networks and those of two of its contractors. The \n        two contractors were involved in processing sensitive PII \n        related to National security clearances for Federal employees.\n  <bullet> In September 2014, a cyber-intrusion into the United States \n        Postal Service\'s information systems may have compromised PII \n        for more than 800,000 of its employees.\n        federal agencies face on-going cybersecurity challenges\n    Given the risks posed by cyber threats and the increasing number of \nincidents, it is crucial that Federal agencies take appropriate steps \nto secure their systems and information. We and agency inspectors \ngeneral have identified challenges in protecting Federal information \nand systems, including those in the following key areas:\n  <bullet> Designing and implementing risk-based cybersecurity programs \n        at Federal agencies.--Agencies continue to have shortcomings \n        in assessing risks, developing and implementing security \n        controls, and monitoring results. 
Specifically, for fiscal year \n        2014, 19 of the 24 Federal agencies covered by the Chief \n        Financial Officers (CFO) Act \\4\\ reported that information \n        security control deficiencies were either a material weakness \n        or a significant deficiency in internal controls over their \n        financial reporting.\\5\\ Moreover, inspectors general at 23 of \n        the 24 agencies cited information security as a major \n        management challenge for their agency.\n---------------------------------------------------------------------------\n    \\4\\ These are the Departments of Agriculture, Commerce, Defense, \nEducation, Energy, Health and Human Services, Homeland Security, \nHousing and Urban Development, the Interior, Justice, Labor, State, \nTransportation, the Treasury, and Veterans Affairs; the Environmental \nProtection Agency; General Services Administration; National \nAeronautics and Space Administration; National Science Foundation; \nNuclear Regulatory Commission; Office of Personnel Management; Small \nBusiness Administration; Social Security Administration; and the U.S. \nAgency for International Development.\n    \\5\\ A material weakness is a deficiency, or combination of \ndeficiencies, that results in more than a remote likelihood that a \nmaterial misstatement of the financial statements will not be prevented \nor detected. A significant deficiency is a control deficiency, or \ncombination of control deficiencies, in internal control that is less \nsevere than a material weakness, yet important enough to merit \nattention by those charged with governance. 
A control deficiency exists \nwhen the design or operation of a control does not allow management or \nemployees, in the normal course of performing their assigned functions, \nto prevent or detect and correct misstatements on a timely basis.\n---------------------------------------------------------------------------\n    As we testified in April 2015, for fiscal year 2014, most of the \n        agencies had weaknesses in the five key security control \n        categories.\\6\\ These control categories are: (1) Limiting, \n        preventing, and detecting inappropriate access to computer \n        resources; (2) managing the configuration of software and \n        hardware; (3) segregating duties to ensure that a single \n        individual does not have control over all key aspects of a \n        computer-related operation; (4) planning for continuity of \n        operations in the event of a disaster or disruption; and (5) \n        implementing agency-wide security management programs that are \n        critical to identifying control deficiencies, resolving \n        problems, and managing risks on an on-going basis. (See fig. \n        2.)\n---------------------------------------------------------------------------\n    \\6\\ GAO, Cybersecurity: Actions Needed to Address Challenges Facing \nFederal Systems, GAO-15-573T (Washington, DC: Apr. 
22, 2015).\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n    Examples of these weaknesses include: (1) Granting users access \n        permissions that exceed the level required to perform their \n        legitimate job-related functions; (2) not ensuring that only \n        authorized users can access an agency\'s systems; (3) not using \n        encryption to protect sensitive data from being intercepted and \n        compromised; (4) not updating software with the current \n        versions and latest security patches to protect against known \n        vulnerabilities; and (5) not ensuring employees were trained \n        commensurate with their responsibilities. GAO and agency \n        inspectors general have made hundreds of recommendations to \n        agencies aimed at improving their implementation of these \n        information security controls.\n  <bullet> Enhancing oversight of contractors providing IT services.--\n        In August 2014, we reported that five of six agencies we \n        reviewed were inconsistent in overseeing assessments of \n        contractors\' implementation of security controls.\\7\\ This was \n        partly because agencies had not documented IT security \n        procedures for effectively overseeing contractor performance. \n        In addition, according to OMB, 16 of 24 agency inspectors \n        general determined that their agency\'s program for managing \n        contractor systems lacked at least one required element. We \n        recommended that OMB, in conjunction with DHS, develop and \n        clarify guidance to agencies for annually reporting the number \n        of contractor-operated systems and that the reviewed agencies \n        establish and implement IT security oversight procedures for \n        such systems. 
OMB did not comment on our report, but the \n        agencies generally concurred with our recommendations.\n---------------------------------------------------------------------------\n    \\7\\ GAO, Information Security: Agencies Need to Improve Oversight \nof Contractor Controls, GAO-14-612 (Washington, DC: Aug. 8, 2014).\n---------------------------------------------------------------------------\n  <bullet> Improving security incident response activities.--In April \n        2014, we reported that the 24 agencies did not consistently \n        demonstrate that they had effectively responded to cyber \n        incidents.\\8\\ Specifically, we estimated that agencies had not \n        completely documented actions taken in response to detected \n        incidents reported in fiscal year 2012 in about 65 percent of \n        cases.\\9\\ In addition, the 6 agencies we reviewed had not fully \n        developed comprehensive policies, plans, and procedures to \n        guide their incident response activities. We recommended that \n        OMB address agency incident response practices Government-wide \n        and that the 6 agencies improve the effectiveness of their \n        cyber incident response programs. The agencies generally agreed \n        with these recommendations. We also made two recommendations to \n        DHS concerning Government-wide incident response practices. DHS \n        concurred with the recommendations and, to date, has \n        implemented one of them.\n---------------------------------------------------------------------------\n    \\8\\ GAO, Information Security: Agencies Need to Improve Cyber \nIncident Response Practices, GAO-14-354 (Washington, DC: Apr. 
30, \n2014).\n    \\9\\ This estimate was based on a statistical sample of cyber \nincidents reported in fiscal year 2012, with 95 percent confidence that \nthe estimate falls between 58 and 72 percent.\n---------------------------------------------------------------------------\n  <bullet> Responding to breaches of PII.--In December 2013, we \n        reported that 8 Federal agencies had inconsistently implemented \n        policies and procedures for responding to data breaches \n        involving PII.\\10\\ In addition, OMB requirements for reporting \n        PII-related data breaches were not always feasible or \n        necessary. Thus, we concluded that agencies may not be \n        consistently taking actions to limit the risk to individuals \n        from PII-related data breaches and may be expending resources \n        to meet OMB reporting requirements that provide little value. \n        We recommended that OMB revise its guidance to agencies on \n        responding to a PII-related data breach and that the reviewed \n        agencies take specific actions to improve their response to \n        PII-related data breaches. OMB neither agreed nor disagreed \n        with our recommendation; four of the reviewed agencies agreed, \n        two partially agreed, and two neither agreed nor disagreed.\n---------------------------------------------------------------------------\n    \\10\\ GAO, Information Security: Agency Responses to Breaches of \nPersonally Identifiable Information Need to Be More Consistent, GAO-14-\n34 (Washington, DC: Dec. 
9, 2013).\n---------------------------------------------------------------------------\n  <bullet> Implementing security programs at small agencies.--In June \n        2014, we reported that six small agencies (i.e., agencies with \n        6,000 or fewer employees) had not implemented or not fully \n        implemented their information security programs.\\11\\ For \n        example, key elements of their plans, policies, and procedures \n        were outdated, incomplete, or did not exist, and two of the \n        agencies had not developed an information security program with \n        the required elements. We recommended that OMB include a list \n        of agencies that did not report on the implementation of their \n        information security programs in its annual report to Congress \n        on compliance with the requirements of FISMA, and include \n        information on small agencies\' programs. OMB generally \n        concurred with our recommendations. We also recommended that \n        DHS develop guidance and services targeted at small agencies. 
\n        DHS has implemented this recommendation.\n---------------------------------------------------------------------------\n    \\11\\ GAO, Information Security: Additional Oversight Needed to \nImprove Programs at Small Agencies, GAO-14-344 (Washington, DC: June \n25, 2014).\n---------------------------------------------------------------------------\n    Until Federal agencies take actions to address these challenges-- \nincluding implementing the hundreds of recommendations we and \ninspectors general have made--Federal systems and information will be \nat an increased risk of compromise from cyber-based attacks and other \nthreats.\n government-wide cybersecurity initiatives present potential benefits \n                             and challenges\n    In addition to the efforts of individual agencies, DHS and OMB have \nseveral initiatives under way to enhance cybersecurity across the \nFederal Government. While these initiatives all have potential \nbenefits, they also have limitations.\n    Personal Identity Verification.--In August 2004, Homeland Security \nPresidential Directive 12 ordered the establishment of a mandatory, \nGovernment-wide standard for secure and reliable forms of \nidentification for Federal Government employees and contractor \npersonnel who access Government-controlled facilities and information \nsystems. 
Subsequently, the National Institute of Standards and \nTechnology (NIST) defined requirements for such personal identity \nverification (PIV) credentials based on ``smart cards\'\'--plastic cards \nwith integrated circuit chips to store and process data--and OMB \ndirected Federal agencies to issue and use PIV credentials to control \naccess to Federal facilities and systems.\n    In September 2011, we reported that OMB and the 8 agencies in our \nreview had made mixed progress for using PIV credentials for \ncontrolling access to Federal facilities and information systems.\\12\\ \nWe attributed this mixed progress to a number of obstacles, including \nlogistical problems in issuing PIV credentials to all agency personnel \nand agencies not making this effort a priority. We made several \nrecommendations to the 8 agencies and to OMB to more fully implement \nPIV card capabilities. Although 2 agencies did not comment, 7 agencies \nagreed with our recommendations or discussed actions they were taking \nto address them. For example, we made 4 recommendations to DHS, who \nconcurred and has taken action to implement them. In February 2015, OMB \nreported that, as of the end of fiscal year 2014, only 41 percent of \nagency user accounts at the 23 civilian CFO Act agencies required PIV \ncards for accessing agency systems.\\13\\\n---------------------------------------------------------------------------\n    \\12\\ GAO, Personal ID Verification: Agencies Should Set a Higher \nPriority on Using the Capabilities of Standardized Identification \nCards, GAO-11-751 (Washington, DC: Sept. 20, 2011).\n    \\13\\ OMB, Annual Report to Congress: Federal Information Security \nManagement Act (Washington, DC: Feb. 
27, 2015).\n---------------------------------------------------------------------------\n    Continuous Diagnostics and Mitigation (CDM).--According to DHS, \nthis program is intended to provide Federal departments and agencies \nwith capabilities and tools that identify cybersecurity risks on an on-\ngoing basis, prioritize these risks based on potential impacts, and \nenable cybersecurity personnel to mitigate the most significant \nproblems first. These tools include sensors that perform automated \nsearches for known cyber vulnerabilities, the results of which feed \ninto a dashboard that alerts network managers. These alerts can be \nprioritized, enabling agencies to allocate resources based on risk. \nDHS, in partnership with the General Services Administration, has \nestablished a Government-wide contract that is intended to allow \nFederal agencies (as well as State, local, and Tribal governmental \nagencies) to acquire CDM tools at discounted rates.\n    In July 2011, we reported on the Department of State\'s (State) \nimplementation of its continuous monitoring program, referred to as \niPost.\\14\\ We determined that State\'s implementation of iPost had \nimproved visibility over information security at the Department and \nhelped IT administrators identify, monitor, and mitigate information \nsecurity weaknesses. However, we also noted limitations and challenges \nwith State\'s approach, including ensuring that its risk-scoring program \nidentified relevant risks and that iPost data were timely, complete, \nand accurate. 
We made several recommendations to improve the \nimplementation of the iPost program, and State partially agreed.\n---------------------------------------------------------------------------\n    \\14\\ GAO, Information Security: State Has Taken Steps to Implement \na Continuous Monitoring Application, but Key Challenges Remain, GAO-11-\n149 (Washington, DC: July 8, 2011).\n---------------------------------------------------------------------------\n    National Cybersecurity Protection System (NCPS).--The National \nCybersecurity Protection System, operationally known as ``EINSTEIN,\'\' \nis a suite of capabilities intended to detect and prevent malicious \nnetwork traffic from entering and exiting Federal civilian Government \nnetworks. The EINSTEIN capabilities of NCPS are described in table \n1.\\15\\\n---------------------------------------------------------------------------\n    \\15\\ In addition to the EINSTEIN capabilities listed in table 1, \nNCPS also includes a set of capabilities related to analytics and \ninformation sharing.\n\nTABLE 1.--NATIONAL CYBERSECURITY PROTECTION SYSTEM EINSTEIN CAPABILITIES\n------------------------------------------------------------------------\nOperational Name (Capability Intended).--Description\n------------------------------------------------------------------------\nEINSTEIN 1 (Network Flow).--Provides an automated process for\n  collecting, correlating, and analyzing agencies\' computer network\n  traffic information from sensors installed at their internet\n  connections.*\nEINSTEIN 2 (Intrusion Detection).--Monitors Federal agency internet\n  connections for specific predefined signatures of known malicious\n  activity and alerts US-CERT when specific network activity matching\n  the predetermined signatures is detected.**\nEINSTEIN 3 Accelerated (Intrusion Prevention).--Automatically blocks\n  malicious traffic from entering or leaving Federal civilian Executive\n  branch agency networks. This capability is managed by internet\n  service providers, who administer intrusion prevention and\n  threat-based decision-making using DHS-developed indicators of\n  malicious cyber activity to develop signatures.***\n------------------------------------------------------------------------\nSource.--GAO analysis of DHS documentation and prior GAO reports. \nGAO-15-725T\n* The network traffic information includes source and destination\n  Internet Protocol addresses used in the communication, source and\n  destination ports, the time the communication occurred, and the\n  protocol used to communicate.\n** Signatures are recognizable, distinguishing patterns associated with\n  cyber attacks such as a binary string associated with a computer virus\n  or a particular set of keystrokes used to gain unauthorized access to\n  a system.\n*** An indicator is defined by DHS as human-readable cyber data used to\n  identify some form of malicious cyber activity. These data may be\n  related to Internet Protocol addresses, domains, e-mail headers,\n  files, and character strings. Indicators can be either Classified or\n  Unclassified.\n\n    In March 2010, we reported that while agencies that participated in \nEINSTEIN 1 improved their identification of incidents and mitigation of \nattacks, DHS lacked performance measures to understand if the \ninitiative was meeting its objectives.\\16\\ We made four recommendations \nregarding the management of the EINSTEIN program, and DHS has since \ntaken action to address them.\n---------------------------------------------------------------------------\n    \\16\\ GAO, Information Security: Concerted Effort Needed to \nConsolidate and Secure Internet Connections at Federal Agencies, GAO-\n10-237 (Washington, DC: Mar. 12, 2010).\n---------------------------------------------------------------------------\n    Currently, we are reviewing NCPS, as mandated by Congress. The \nobjectives of our review are to determine the extent to which: (1) NCPS \nmeets stated objectives, (2) DHS has designed requirements for future \nstages of the system, and (3) Federal agencies have adopted the system. 
\nOur final report is expected to be released later this year, and our \npreliminary observations include the following:\n  <bullet> DHS appears to have developed and deployed aspects of the \n        intrusion detection and intrusion prevention capabilities, but \n        potential weaknesses may limit their ability to detect and \n        prevent computer intrusions. For example, NCPS detects \n        signature anomalies using only one of three detection \n        methodologies identified by NIST (signature-based, anomaly-\n        based, and stateful protocol analysis). Further, the system has \n        the ability to prevent intrusions, but is currently only able \n        to proactively mitigate threats across a limited subset of \n        network traffic (i.e., Domain Name System traffic and e-mail).\n  <bullet> DHS has identified a set of NCPS capabilities that are \n        planned to be implemented in fiscal year 2016, but it does not \n        appear to have developed formalized requirements for \n        capabilities planned through fiscal year 2018.\n  <bullet> The NCPS intrusion detection capability appears to have been \n        implemented at 23 CFO Act agencies.\\17\\ The intrusion \n        prevention capability appears to have limited deployment, at \n        portions of only 5 of these agencies. Deployment may have been \n        hampered by various implementation and policy challenges.\n---------------------------------------------------------------------------\n    \\17\\ The Department of Defense is not required to implement \nEINSTEIN.\n---------------------------------------------------------------------------\n    In conclusion, the danger posed by the wide array of cyber threats \nfacing the Nation is heightened by weaknesses in the Federal \nGovernment\'s approach to protecting its systems and information. 
While \nrecent Government-wide initiatives hold promise for bolstering the \nFederal cybersecurity posture, it is important to note that no single \ntechnology or set of practices is sufficient to protect against all \nthese threats. A ``defense-in-depth\'\' strategy is required that \nincludes well-trained personnel, effective and consistently-applied \nprocesses, and appropriately implemented technologies. While agencies \nhave elements of such a strategy in place, more needs to be done to \nfully implement it and to address existing weaknesses. In particular, \nimplementing GAO and inspector general recommendations will strengthen \nagencies\' ability to protect their systems and information, reducing \nthe risk of a potentially devastating cyber attack.\n    Chairman Ratcliffe, Ranking Member Richmond, and Members of the \nsubcommittee, this concludes my statement. I would be happy to answer \nany questions you may have.\n\n    Mr. Ratcliffe. Thank you, Mr. Wilshusen.\n    I now recognize myself for 5 minutes for questions. As I \nmentioned in my opening statement, the OPM servers that were \nbreached contained National security clearance information and \nother highly sensitive personal information.\n    When asked why that information was not encrypted, OPM \nadministrators have testified that the servers in question were \nobsolete and would have crashed had that been attempted.\n    Dr. Ozment, if that is the case, it begs the question: Why \non earth would OPM be storing such sensitive information on \nobsolete systems that cannot be encrypted?\n    Mr. Ozment. Mr. Chairman, I will defer to OPM to speak to \nthe specifics of their decision making, but I can talk to you \nabout some of the tradeoffs that CIOs, in general, face with \nlegacy systems.\n    As I mentioned in my opening remarks, looking across the \npublic and private sector, broadly I would say that, for the \nlast 20 years, both Government and industry have underinvested \nin cybersecurity. 
So, frankly, there is a backlog of \ncybersecurity work that needs to be done. That requires \nsignificant investment.\n    If an organization also has legacy systems that require \ninvestment to upgrade to more modern systems, the bill and \nresources required to do that can be extraordinary.\n    So all CIOs are faced with extreme demands for a capability \nthat they have to balance with the need to manage risks \nappropriately and, of course, in a world of limited resources.\n    Speaking specifically to encryption, I would note that, in \nthe case of this particular intrusion at OPM, the adversary \ncompromised what is known as an administrative credential.\n    Think about this as a computer network being an apartment \nbuilding where each user has a key to their own apartment, but \nthere\'s a superintendent who has keys to all the apartments in \nthe building. The adversary compromised, essentially copied, \nthe superintendent\'s key ring and, therefore, had legitimate \naccess to the information on the network.\n    Mr. Ratcliffe. Let me ask you about that, Dr. Ozment, \nbecause I have two questions that relate to that.\n    I read a summary of your testimony last week, and it \nappeared that it was your opinion that, even had this sensitive \ninformation been encrypted, it wouldn\'t have made a difference \nin the breach for that reason that you just mentioned.\n    But isn\'t it true that, had there been multi-factor \nauthentication in addition to encryption, that this breach \ncould have been prevented?\n    Mr. Ozment. As both Mr. Wilshusen and I mentioned in our \nopening remarks, you need defense-in-depth. You need multiple \nlayers of security. 
Both encryption and multi-factor \nauthentication are important layers of security.\n    You cannot confidently say that you can prevent any given \nintrusion, but the more layers of security you have, the more \ndifficult you make it for an adversary.\n    I do believe that multi-factor authentication is an \nimportant security technique, and that is one reason why OMB, \nfor example, is highlighting that in their 30-day sprint.\n    Mr. Ratcliffe. Right. But I am asking for your opinion.\n    Do you think, had there been multi-factor authentication at \nOPM, that this particular breach could have been prevented?\n    Mr. Ozment. I don\'t know that I can say the breach could \nhave been prevented. I think some of the damage could have been \nmitigated. In fact, some of the damage was mitigated when OPM \nrolled out multi-factor authentication in January 2015.\n    Mr. Ratcliffe. Okay. So let me ask you about this \nauthorized credentials that you just mentioned.\n    So, as I understand that, the user, if you will, on its \nface was authorized to be there. That being the case, what \ncybersecurity measures or best practices are intended to \nspecifically identify anomalies in the behavior of purported \nauthorized users?\n    In other words, some authorized users might be in places or \nusing devices that they typically wouldn\'t be using. Isn\'t that \nright?\n    Mr. Ozment. That\'s right. So you can employ what is \ngenerally known as insider threat detection technology.\n    Mr. Ratcliffe. Were those employed at OPM?\n    Mr. Ozment. I do not know for sure whether those were \nemployed at OPM or not.\n    Mr. Ratcliffe. Okay.\n    Mr. Ozment. But insider threat technology will stop either \na legitimate user who is behaving illegitimately or a \nlegitimate user whose accounts have been compromised. It is not \nperfect, and you often have false positives that you have to \ninvestigate. But, again, it is a useful layer of security to \nadd.\n    Mr. Ratcliffe. 
All right. Very quickly, Mr. Wilshusen, the \nChairman referenced the enactment of FISMA back in December \n2014.\n    Do you think that the Department of Homeland Security has \nthe necessary authorities right now to be successful in \ncarrying out its mission of protecting Government networks?\n    Mr. Wilshusen. I think the provisions provided in the \nmodernized FISMA of 2014 greatly strengthened DHS\' authorities \nto perform those functions, which previously they had certain \nresponsibilities under a memorandum delegated to it by the \nOffice of Management and Budget. But given the statutory \nauthorities to DHS, certainly strengthens its hand in \nperforming those functions.\n    Mr. Ratcliffe. Terrific. I think Dr. Ozment commented on \nthe information-sharing bill that passed the House that the \nChairman referenced earlier. I would like your opinion.\n    Do you agree with Dr. Ozment that that bill could help \nblock future threats?\n    Mr. Wilshusen. I would say that sharing of cyber threat and \nincident information is a critical element to assuring that \nagencies in the Department have appropriate threat intelligence \nto help protect against those threats.\n    Mr. Ratcliffe. Thank you. My time is expired for this round \nat least.\n    I would like to recognize the Ranking Member for 5 minutes \nfor his questions.\n    Mr. Richmond. Thank you, Mr. Chairman.\n    Dr. Ozment, Mr. Wilshusen, let me just ask a question. It \nis something I have always toyed with.\n    I will start with Dr. Ozment. How much do you all spend \nyearly on cybersecurity? Do you have an idea?\n    Mr. Ozment. My organization within the Department of \nHomeland Security has an annual budget for fiscal year 2016 of \napproximately $900 million. Some of that budget goes to \nemergency communications, essentially ensuring that the phone \nlines work in the case of a crisis, which, depending on your \ndefinition of cybersecurity, could be included or not included.\n    Mr. 
Wilshusen. Government-wide OPM has reported that, for \nfiscal year 2014, 24 agencies covered by the Chief Financial \nOfficers Act spent about $13 billion on cybersecurity \nactivities out of an IT budget of around $80 billion.\n    So the vast majority of that, though, relates to the \nDepartment of Defense. Pulling that information--their budgets \nout, the numbers are significantly less.\n    Mr. Richmond. I guess I was asking those questions because, \nas we continuously focus on Government spending and spending \nalone without looking at return on investment, without looking \nat threats, and we continue to hear the mantra of ``We are \ngoing to do less with more\'\'--I guess my general question \nbecomes--and I think of it in terms of defending President Bush \nand the fact that colleagues on my side of the aisle like to \nsay he squandered a surplus and, also, defending President \nObama in terms of looking at the National debt.\n    We have expenses we didn\'t have before. Before 9/11, you \ndidn\'t have TSA. Now, with the proliferation of the internet \nand, as the Chairman just mentioned, the criminals and the \nnation-states that are attempting to do bad things on the \ninternet, we didn\'t have those costs before.\n    So I am just trying to get a sense of--do you think that \nthis is an area where we can do less with more or do you think \nthis is an area where you think we are going to have to \ncontinue to invest funds and resources to keep the .gov, .com, \n.org, all of those domains, safe?\n    Mr. Ozment. From my perspective, sir, I think we are going \nto have to continue to invest for two reasons. One is that we \nare catching up on many years of underinvestment. The second \none is this is risk management. It is not risk elimination.\n    So the adversaries are not going to go away in cyber space. \nAs we improve our defenses, they will improve their offense. 
So \nwe will have to continue to invest to maintain pace with an \nadversary who is also investing.\n    Mr. Wilshusen. I would agree that it will require effective \nmanagement in addition to resources to accomplish this.\n    One of the areas that we typically find on our audits of \nagencies\' systems is that many of the vulnerabilities and \ndefects in their security controls can be implemented without \nnecessarily the use or expenditure of additional resources.\n    It\'s basically applying patches in a timely manner, \nassuring that agencies limit the privileges that they grant to \ntheir users to the least privilege that\'s necessary for them to \nperform their duties, as well as continually testing and \nevaluating their systems and then taking corrective actions to \nmitigate known vulnerabilities.\n    In certain instances, particularly now, agencies will \nlikely need to invest in improving their intrusion detection \ncapabilities to identify and mitigate and reduce the intrusions \nand impact of intrusions that are likely to occur.\n    Mr. Richmond. My final question would be back to Dr. \nOzment. That is: How can your office accelerate the \nDepartment\'s cyber strategy that confronts Federal targets, but \nstill maintain its focus on National critical infrastructure \nneeds against aggressive, persistent, malicious actors that \ncontinue to target our Nation\'s critical infrastructure, for \nexample, for me, our ports? Do you need additional resources to \ndo that? If so, what do you think the ticket price is?\n    Mr. Ozment. 
Thank you.\n    You will find that our budget requests for cybersecurity in \nthe Department have been growing steadily over the years, and I \nwould not be surprised for them to continue to grow.\n    You put your finger on an important challenge, which is \nthat we have a responsibility both to the private sector, to \nthe Federal civilian government, and, also, to our State, \nlocal, Tribal, and territorial government colleagues.\n    The good news is, as we improve our Federal cybersecurity, \nwe learn things that will also help us support our private \nsector and State, local, Tribal, and territorial colleagues. \nThis is where cyber information sharing becomes so important.\n    When we use the EINSTEIN or CDM programs and detect a \nthreat and learn about a new threat, with the information-\nsharing legislation, we\'ll be able to share that information \noutward.\n    At the same time, when an adversary attacks a private-\nsector network and they share that information with the \nGovernment, if we\'re able to receive it, we can then use that \ninformation to protect Government networks.\n    So there\'s absolutely a synergy between our work in the \nprivate sector and our work in the Government. The crux of that \nsynergy is taking information that one entity learns and \nsharing it with the Government or vice versa.\n    Mr. Richmond. With that, Mr. Chairman, I yield back.\n    Mr. Ratcliffe. The gentleman yields back.\n    The Chairman now recognizes and welcomes to the \nsubcommittee the former district attorney from New York and \ngentleman from New York, Mr. Donovan, for 5 minutes for his \nquestions.\n    Mr. Donovan. Thank you very much, Mr. Chairman.\n    Doctor, I was just wondering if you could help me \nunderstand this a little bit. 
There has been a lot of criticism \nin the reportings about the breach that EINSTEIN didn\'t work.\n    My understanding is that it did what it was built to do and \nit was part of a multi-layered approach to securing the data \nand part of this defense-in-depth theory.\n    Did EINSTEIN actually do what it was created to do?\n    Mr. Ozment. Yes, sir, it did. I can go into more detail if \nyou\'d like.\n    Mr. Donovan. Please.\n    Mr. Ozment. So, in this instance, first, OPM and the \nDepartment of Interior are not covered by EINSTEIN 3 yet, which \nis the system that blocks intrusions. We are working with the \nDepartment of Interior to roll that out aggressively. It just \nbecame available to them this winter.\n    It is not yet available to the OPM because we have not yet \ncompleted the work with that internet service provider who \nservices OPM.\n    Now, what happened in this incident is OPM rolled out \nsecurity capabilities in accordance with a mitigation plan we \nprovided them in May 2014. As they rolled out those \ncapabilities, they caught an intruder on their networks and \nthey shared the cyber threat indicators with us.\n    We took those cyber threat indicators and put them into the \nEINSTEIN system. With EINSTEIN 2, we looked back in time and \nsaw that the Department of Interior had also suffered an \nintrusion, as evidenced by these threat indicators.\n    We then used EINSTEIN 1 to help us pinpoint what was \nexfiltrated and from which computers at the Department of \nInterior. In this case, it turned out to be OPM data that was \nbeing stored at a data center at the Department of Interior. \nThat is the 4.2 million personnel records that you read about \nin the media.\n    So the trick with EINSTEIN is, as it currently is built, it \nhas to know about a threat before it can detect or block it. \nThis is what it was designed to do. It is a necessary tool. 
It \nis not a sufficient tool.\n    So even as we finish rolling out EINSTEIN across the \nbreadth of the Government, we are also focused on the depth of \ncapability that it offers. One layer of depth that we need to \nprovide is a layer that will help us detect and block \nintrusions that we have not previously seen.\n    That gets riskier because you have false positives when you \nare doing that. That means that we will block legitimate \ntraffic. That could be a problem, but that is a risk we will \nhave to take.\n    Mr. Donovan. Doctor, I am not well-versed in computers. In \nfact, I still have a VCR that blinks 12.\n    Just so you could clarify for me, it seems that EINSTEIN \nwas created to block known intruders rather than allowing \nfriendly traffic to come through and block everyone else who is \nnot identified as friendly.\n    I understand from your analogy about the superintendent \nthat even that wouldn\'t have worked in this case because the \nintruder was looked upon as a friendly user.\n    But is it a better system to just allow friendly users \ninstead of just blocking people who we know because we don\'t \nknow who all the intruders are?\n    Mr. Ozment. Representative, that is an accurate assessment \nof the situation.\n    EINSTEIN goes around the entire Federal civilian \ngovernment. At that distance from an individual agency, it\'s \nnot possible to identify ``This is good traffic only, and we\'ll \nonly let in the known good traffic.\'\'\n    Because departments and agencies conduct such wildly \ndifferent business, it\'s not possible to identify ``This is \nwhat is appropriate and acceptable and only let this happen.\'\' \nEven within a single department in an agency that is probably \nnot possible.\n    There may be parts within the department or agency, smaller \nsystems or organizations, that have a limited remit that would \nbe able to say ``This is all that we do. 
And, therefore, we \nonly accept this type of traffic or communications from these \ncomputers\'\' or something of that nature.\n    Mr. Donovan. Thank you, Doctor.\n    Chairman, I yield back my time.\n    Mr. Ratcliffe. The gentleman yields back.\n    The Chair now recognizes the gentleman from Rhode Island, \nMr. Langevin.\n    Mr. Langevin. Thank you, Mr. Chairman.\n    I want to thank our witnesses here today.\n    I want to point out one thing before I go into my \nquestions. We talk about the rollout of EINSTEIN 3 and where we \nare today. It is unacceptable that we are at this for the \nbetter part of a decade now and still such a small percentage \nof the .gov network has even basic levels of EINSTEIN 3 on it \nyet.\n    We have a long way to go. I understand that we are making \nprogress and rolling out EINSTEIN 3 to protect the .gov \nnetwork, but it is laughable that it has taken this long to get \nto this point.\n    Part of the reason, Mr. Chairman, is the fact that no one \nis in charge despite the fact that we have a cyber \ncoordinator--and I applaud the work that Michael Daniel does \nwith limited tools, really, at his disposal because he lacks \npolicy and budgetary authority to compel compliance of \ndepartments and agencies to do more in cyber. Neither does the \nSecretary of Homeland Security.\n    I know that in the last Congress we gave additional \nauthorities through FISMA reform, but still even the Secretary \nof Homeland Security does not have the ability to reach across \nGovernment and tell an agency like OPM they are not doing \nenough on cyber, which is why we are here today and is why the \nOPM breach happened, because OPM did not take cybersecurity \nseriously enough.\n    It wasn\'t even like they were coming to Congress and asking \nfor more resources. It was only until fiscal year 2016 that \nthey asked for more money for cyber. It wasn\'t like they were \ncoming here asking for money and they were told no. 
They didn\'t \neven ask. They weren\'t taking cyber seriously.\n    So I hope that, at some point, we will get somebody in \ncharge that does have both policy and budgetary authority who \ncan compel compliance of departments and agencies.\n    But, with that, Dr. Ozment, I noticed that you were at the \nOGR hearing earlier this morning, and I have a number of \nquestions about the OPM breach.\n    So, to begin with--and I know the Chairman touched on this \nbriefly on the encryption side--you said that encrypting data \nstolen may not have helped in this case. Now, you are not \nsuggesting that we shouldn\'t encrypt, I take it. I want to make \nsure that you have the opportunity to be clear.\n    What is your view on encryption? Because I hope you would \nstill agree that encrypting PII is still a best practice that \nagencies should be following. Is that correct?\n    Mr. Ozment. Encryption is absolutely a best practice that \nagencies should follow, although I would highlight that you \nalways have a limited cybersecurity budget. Let\'s say it\'s $100. \nThere\'s always $200 of layers of security you could buy.\n    So you look at a particular system and look at what\'s the \nbest value. You select the layers that provide the best value \nbased on the needs of that system.\n    Mr. Langevin. I would make the point that I think \nencrypting is vitally important and, if someone were to think \nthat we shouldn\'t encrypt, it would be like saying, ``Well, \nthey came in through the window. So we shouldn\'t lock the front \ndoor and the back door of the house just because they came \nthrough the window.\'\' We want to make sure that we follow the \nindustry\'s best practices on the encryption.\n    Dr. Ozment, did the Federal Network Resilience division \nwork with OPM prior to the discovery of the March 2014 breach?\n    Mr. Ozment. 
So Federal Network Resilience is part of my \norganization that manages, in part, the annual FISMA reporting.\n    So prior to the March 2014 breach, we collect data that \nagencies report on their cybersecurity, and we use that data \nwith OMB to construct the annual FISMA report and, also, to \nhold cyber stat sessions, sessions where we bring agencies to \nthe White House and essentially go through their cybersecurity \nposture and work with them to address any challenges.\n    Mr. Langevin. Did you bring in OPM?\n    Mr. Ozment. I will have to come back to you on the date of \nour last cyber stat with OPM. We have had one, but I don\'t \nrecall the date of the cyber stat surrounding the March 2014.\n    Mr. Langevin. I would appreciate it if you would get that \nto the committee for the record.\n    It is my understanding that the Federal Network Resilience \ndivision did not work with OPM and that OPM never made the \nrequest.\n    The Federal Network Resilience division is precisely the \nkind of entity that a department or agency whose private \nmission isn\'t necessarily going to be cybersecurity could go to \nthe Federal Network Resilience division and ask for the \nexpertise and do a vulnerability assessment and say, ``How can \nwe get better?\'\' It is my understanding that OPM never did \nthat.\n    Dr. Ozment, just to clarify for my sake, does DHS view the \nOPM breach of personnel data as part of the same incident as \nthe breach of security clearance information? The same threat \nacted in both cases? Correct? The same threat acted in both \ncases. Is that correct?\n    Mr. Ozment. 
I\'m going to have to defer to the intelligence \ncommunity any questions about which actor in specific and even, \nto a degree, the specifics about the relationships between \nincidents.\n    What I will absolutely say is there are clearly \nrelationships between the Government incidents, including the \ntwo that we are talking about today, and other recent incidents \ntargeting the PII, the personally identifiable information, of \nGovernment employees.\n    Mr. Langevin. Thank you, Mr. Chair. I know my time is \nexpired. I hope we are going to do a second round. I have a \nbunch of other questions. I yield back.\n    Mr. Ratcliffe. The gentleman yields back.\n    The Chair now recognizes my colleague from the great State \nof Texas, Ms. Jackson Lee.\n    Ms. Jackson Lee. Mr. Chairman, thank you for your kindness \nand that of the Ranking Member, first of all, for this very \nimportant hearing, and my dear colleague, Mr. Clawson, for \nyielding not his time, but his place in order, to allow me just \na moment.\n    I have a meeting with the Secretary--and it is starting as \nwe speak--on some matters. But this committee I have always \nsaid has been the front-line committee.\n    Mr. Langevin is correct that we have been talking about the \nissues of cybersecurity and protecting data and documents for a \nvery long time. You know, I know there is a myriad of issues \nthat we are discussing, but it disturbs me that, in fact--and \nwe heard this generally--OPM used old software that could not \nbe encrypted. We face this enormous debacle that has many \nfingerprints. 
We know that there are many elements to it.\n    I know that I served as the Chairwoman of the \nTransportation Security and Infrastructure Protection Committee \nbefore the Cybersecurity Committee was created, and we talked \nabout the percentage of infrastructure in the cyber world in \nthe private sector--85 percent--and that we had a small \npercentage thereof.\n    So I guess for the record I want to express the recognition \nof our public servants who work very hard, but my absolute \nconsternation and frustration that we are where we are today, \ntask forces that are being discerned and established not \nnecessarily under this administration.\n    Because, if it was 2015 under another administration--\nunfortunately, hard heads made a very difficult spot to sit \ndown on. I am baffled why the Government finds itself in this \nplace.\n    My colleague indicated resources, that that was one of the \nissues, but focusing one\'s mind--we talked about getting the \nbrightest and the best to be able to address this question. We \npredicted it was coming. Not that we were geniuses, but the \nwriting was on the wall. Everyone was turning to technology. \nEveryone was using technology.\n    I am enormously saddened for the millions of Federal \nworkers in this recent incident that are now subjected to \npersonal violations. But from the White House to the vast array \nof Federal departments, agencies, we are not the standard-\nbearer for the tightest cybersecurity that we can have, having \nat hand, I think, a bipartisan commitment that this is a \nserious issue. Many legislative initiatives have been \nintroduced.\n    So let me just ask. I indicated to Mr. Clawson I would not \nbe long. I have a number of questions. My staff, Mr. Chairman, \nis going to frame them in a letter.\n    Let me indicate that some very thoughtful questions have \nbeen put forward, but I do want to heighten this level of \nfrustration. 
I could listen to the Government Accountability, \nbut let me just ask the two witnesses, being mindful of the \ntime.\n    You have heard my level of frustration. We are here today. \nWill we be here next week? Will we be here next month? Will we \nbe here next year? This hacking, breaching, is not going to \nstop.\n    So I just want to ask this question: Why is the Government \nat this place at this time? Why are we here?\n    Mr. Wilshusen. I think there are probably several reasons, \none of which is the fact that many of the computer systems that \nFederal agencies use--and it\'s not dissimilar to what\'s \nhappening out in the private sector--are based on defective \nsoftware.\n    Much of the software that agencies use has a number of \nvulnerabilities in it that aren\'t fixed before they\'re bought, \nsold, purchased, and deployed. So, over time, as these \nvulnerabilities come to light, agencies as well as any users of \nthat software need to take steps to mitigate and correct those \nvulnerabilities.\n    Ms. Jackson Lee. I am not going to cut you off. You gave me \na powerful answer. As I said, I am going to follow up with \nquestions coming to you because I want to get to Mr. Wilshusen \nfor that very same question.\n    So is the answer now ``stop, move out all your software, \nand begin again\'\'? Yes or no.\n    Mr. Wilshusen. No. The answer is no. You can\'t stop and \nmove out all your software.\n    Ms. Jackson Lee. All right. I wanted to hear that.\n    So it is piecemeal.\n    Mr. Wilshusen. I think what one has to do is, as \ncorrections and patches are identified to correct \nvulnerabilities in software, that they be applied promptly to \nthe----\n    Ms. Jackson Lee. Which we have had some problems with doing \nthat. Thank you, sir.\n    Ms. Jackson Lee. Mr. Wilshusen, why are we here where we \nare today?\n    Mr. Ozment. So I would actually echo the points that Mr. \nWilshusen made. 
I would flag that it\'s, in part, the complexity \nof software----\n    Ms. Jackson Lee. Sorry. Mr. Wilshusen was over here, and \nyou are over here. Sorry.\n    Mr. Ozment. No problem.\n    I would flag that it\'s the complexity of software, which \nmeans that, even as we build it, it\'s insecure. Even if we \ncould build individual pieces of software securely, we, as a \nNation, don\'t know how to compose those into larger systems \nthat are themselves secure. This is a place where both the \nGovernment and the private sector are.\n    We\'re in a world right now where we rely upon information \ntechnology. We\'re not able to manage securely the complexity of \nthat technology, but neither can we back away from that \ntechnology. So we are in a world where we will have to manage \nthe risks, but we will not be able to prevent intrusions.\n    Ms. Jackson Lee. Well, the first thing is to know that we \nneed to manage the risks in the Federal Government, even though \nyou have the larger--I think you are in the private sector--the \nlarger component.\n    You are in Homeland Security, but you do realize the \nprivate sector has the largest amount. So we need to manage it. \nThat is what you are suggesting that we need to do.\n    We need to engage with the private sector, and we need to \nconfront the horror that it is and be diligent constantly on \nour managing, on trying to get our hands around the issue.\n    With that, Mr. Chairman, I am going to yield back. Forgive \nme for putting Government people in private hats. 
But I know \nthat they have probably weaved in and out of the private sector \nat some point.\n    But I see that this is going to be a looming issue, and I \nthink this committee is right and the full committee is right \nfor us to be enormously penetrating on solutions of getting the \nGovernment where it needs to be and getting the private sector \nin its cooperative mode to help the Nation be where it needs to \nbe on this issue of cybersecurity.\n    With that, Mr. Chairman, thank you.\n    Mr. Clawson, thank you.\n    I yield back.\n    Mr. Ratcliffe. I thank the gentlelady. The gentlelady \nyields back.\n    I now would like to recognize my friend and colleague from \nFlorida, Mr. Clawson, for his questions.\n    Mr. Clawson. Thank you for coming today.\n    I am going to lay out a couple of observations, two or \nthree maybe, and then you all can respond and tell me if you \nagree with me or where you think I am wrong.\n    My first observation is, if one of my nieces and nephews \ncame to me and said they were going to take a job at the \nFederal Government, I would say, ``Don\'t do it. Your \ninformation is not secure. It is probably a lot less secure \nthan most places you could go to work.\'\'\n    Therefore, I am not sure how we attract great talent to do \nthe things that we talk about doing in this committee not just \nfor the security, but just to run the Government.\n    I am not sure that putting employees at this kind of risk \nwill attract ``A\'\' players to work in the Government. Just all \nof my instincts tell me there is going to be residual impact \nfrom these kind of breaches that impact how well the Government \ndoes across the board. 
That is my first observation.\n    My second observation is, if I was sitting there running \nthat enterprise, I would say to myself, ``Delete, delete, and \nmore delete.\'\' My guess is that there is a lot of legacy data \nthat aren\'t mission-critical right now, right now, particularly \nemployees that have come and gone, records that are years old.\n    I know you are going to tell me you can\'t. But all of my \nown managerial experience would say to delete the hell out of \nthis so that, even though that might make our job more \ndifficult in the future, it will make the hacker\'s job \nimpossible. He can\'t hack what doesn\'t exist.\n    My third observation would be, from a managerial \nperspective, to decentralize. Even if you roll it up on the \ninternet in summary format later, decentralize. Decentralize \neverywhere you can.\n    I understand that everybody wants an ERP on a centralized \nbasis, but do that at a summary level and keep the data \ndecentralized so that the hacker\'s job is much more complicated \nand you don\'t have a mother lode of data that he can get into.\n    Now, I know you are going to take issue with those things. \nBut if this was my board of directors and you all came in with \nthis problem to me, those would be my first three reactions. If \nwe ignore those outcomes and those possible solutions, it seems \nto me that we are living in yesterday\'s world.\n    Now, I know you are going to tell me why what I say is \nimpracticable, but I still want to hear from you.\n    Mr. Wilshusen. I guess I\'ll take first crack versus your \nfirst observation on whether or not an individual should be \nhired or try to seek work with the Federal Government versus \nprivate sector.\n    First, I would just say that the scourge of cyber \nmalfeasance is not unique to the Federal Government. 
The same \nsecurity vulnerabilities, the same types of attacks, the same \ntypes of data leakage and theft, occurs in private sector as \nwell as the Federal Government. I think many Federal employees \nlook beyond just that element to work for the Federal \nGovernment. It\'s more, perhaps, out of a civic duty and \nresponsibility.\n    Mr. Clawson. But you would agree--excuse me for \ninterrupting to reclaim my time--you would agree that a Chinese \nhacker would probably rather get into the central government \nthan a shock absorber maker or a wheel maker or a basic \nindustry parts maker.\n    Mr. Wilshusen. It depends on their motives.\n    Mr. Clawson. When you make that equivalency, I am just \nhaving a hard time with that. You know, having protected my own \nnetwork, I kind of have to call you on that. That doesn\'t feel \nlike the same level of being a target.\n    Mr. Wilshusen. It depends on what the motives of the hacker \nare, whether it\'s economic, monetary gain, or seeking a \npolitical or military advantage.\n    If I\'m a competitor and I\'m seeking to gain information \nabout a private company and what their products might be, I \nmight be interested in hacking a private company\'s system. I \nmight very well be in tune to trying to hack into Federal \nGovernment because----\n    Mr. Clawson. Right. I have never had a personnel system \nhacked. I have had my product designs hacked. I have had my \nprocess technology hacked. I never had my personnel records \nhacked. It doesn\'t help my competitor.\n    Mr. Wilshusen. As you mention, it\'s not just personnel \nrecords. It\'s other proprietary information, intellectual \nproperty, that might be the target of a hacker.\n    Regarding the deleting data, of course, in the Federal \nGovernment, we do have records management requirements where we \nhave to retain and archive certain data for a period of time.\n    But I agree. After those time limits have expired, sure, \nget rid of it. 
To the extent we're able to, deleting
information that's no longer necessary in accordance with
Federal requirements should be done on a regular basis.
    Mr. Clawson. Well, if Congress can help with that at all, I
would really like to be involved. In our company, we kept
things a year unless we absolutely--you can't hack what was
there 3 years ago because it is gone. That would eliminate a
lot of risk, I think.
    I am sorry I am going on here, Doctor. You can also take
issue with me.
    Mr. Ozment. I agree with Mr. Wilshusen. So I won't belabor
the first two points.
    I'll add to the final point that there is a constant
tension between centralization and decentralization in IT and,
also, between homogeneity and heterogeneity in the sense of do
you have a few systems of the same type or systems of very
different types.
    It really depends on what you're trying to accomplish in
the broader environment. So I don't think there's a right
answer there. I think we should absolutely, however, consider
that question when we design our networks.
    Mr. Clawson. My final follow-up. I spent a lot of years
trying to centralize, as you say, to get the same kind of data
all across the world.
    I found out just by rolling it up on the internet and
leaving it decentralized it was just a lot cheaper. I didn't
have all this management problem. It ended up being safer
because I didn't have a lot of hackers in the Czech Republic.
    I yield back. Thank you.
    Mr. Ratcliffe. The gentleman yields back.
    The Chair now recognizes the gentleman from Pennsylvania,
Mr. Perry, for his questions.
    Mr. Perry. Thank you, Mr. Chairman.
    I know it is a little unexpected. Sorry to be late to the
game here.
    I am thinking about like the data services hub and the law
that we have in place now in particular where you are required
by law to be involved in the Government and then, by
transposition, your data is then within the Government purview
and then we don't necessarily have the best systems, maybe,
that we could or should and how we also, as a Government, treat
private entities that have been hacked and we penalize them for
having not done enough soon enough or notified appropriately or
what have you.
    I don't know how we have the moral high ground, as the
Federal Government in this, you know, and we are not
necessarily talking about the particular OPM breach, but
because these things happen on a--at least the hacks happen on
a regular basis. Right? We know that there are those who have
been hacked and those who don't know it yet. Right? That is
kind of how things go.
    So DHS, I think, has done everything within their current
power. Right? They have advised. They have urged other
agencies, ``This is the gold standard. This is where you need
to be.'' But they still have no authority to force the
agencies, like OPM or anybody else.
    They can tell them where they think they should be based on
what DHS knows. ``This is why we have the Department of
Homeland Security, among other reasons, is to determine threats
that we have and solutions sets'' and so on and so forth. So
they can advise, but they have no authority.
    So, in a broad sense, my question to you would be: Should
DHS have the authority regarding other agencies to impose--we
are talking about individual citizen's data which, in this
particular instance, not necessarily OPM, but the data services
hub associated with the ACA.
    You are mandated by Federal law to have your data,
everything about you, be in that repository. If that is the
case, should it be DHS? Should they have the authority? If not,
who? If not anybody, then what is the solution set to make sure
that agencies are on the cutting edge of safeguarding America's
data?
    Mr. Wilshusen. Well, with regard to the first question, in
terms of does DHS have the authority to compel agencies to take
certain actions, the Federal Information Security Modernization
Act of 2014 gave DHS statutory authorities to perform
additional activities to help assist Federal agencies in
improving their information security.
    One of those tools that's available to the Department is
what is known as a binding operational directive. This is
guidance and actually direction to the agency that the agency
is required to implement. These directives are, I believe,
prepared and developed in collaboration with OMB and others.
But they do have a tool at least in their tool kit to help
direct agencies to take corrective actions.
    Mr. Perry. They can help, they can assist, but they can't
compel, or they can compel?
    Mr. Wilshusen. I believe those directives may be
compulsory. But I will defer to Dr. Ozment.
    Mr. Langevin. Will the gentleman yield?
    So what is the consequence if they fail to comply?
    Mr. Ozment. I think, Mr. Langevin, Mr. Perry represents--
you get to the crux of the matter, which is we have the formal
authority to compel. We do not have a stick to enforce that
compulsory order.
    That being said, I don't know that it's possible for one
department to be given that sort of compulsory ability with
some sort of budgetary authority over another department, the
way our overarching system is structured.
So in the sense of
our ability to issue compulsory orders, I think we do have that
existing authority.
    I would highlight the two areas where we absolutely are
lacking in necessary authorities right now are authorizing
legislation for the EINSTEIN program, which this committee
sponsored and passed and the House has passed, and, also, the
information-sharing legislation, again, which this committee
sponsored and the House has passed.
    Mr. Perry. So you think that we have at least some form, in
the remaining time, of oversight to where we can urge and maybe
even compel, but there is no--you can compel all you want, but
if there is no consequence to inaction, there is nothing to
compel you.
    Your assertion would be, as usual, not that--this isn't
meant to be personal. How can the Government penalize itself?
Because you are taking from one pocket--out of one pocket and
putting it in another pocket, if it is financial or what have
you.
    But I think that smart folks like you and people on this
committee need to find a way to compel, if that is the right
solution set--you know, our individual citizen's data is at
risk here and, if we have that authority, we have a
responsibility to safeguard it. They are mandated to provide
that information, mandated to, and then it is at risk. That is
unacceptable, and I am sure you know it.
    Thank you, Mr. Chairman. I yield back.
    Mr. Ratcliffe. The gentleman yields back.
    Like Congressman Langevin, I was hoping that we might get
to a second round of questions. But based on the updated vote
schedule and out of respect to our witness on the second panel,
we will move now to that second panel.
    So I thank the witnesses for their testimony and the
Members for their questions at this first part of our hearing
today.
    As was indicated, some of the Members have additional
questions for the witnesses. We will ask you to respond to
those in writing.
The committee will now take a very short
break so that the clerks can prepare the second panel.
    [Recess.]
    Mr. Ratcliffe. I would like to welcome our second
distinguished panel today, Dr. Daniel Gerstein, with The RAND
Corporation and former acting under secretary for the Science
and Technology Directorate at the Department of Homeland
Security.
    Welcome, Dr. Gerstein. At this time I will ask you to stand
and raise your right hand so that I can swear you in to
testify.
    [Witness sworn.]
    Mr. Ratcliffe. You may be seated.
    Dr. Gerstein's full statement will appear in the record.
    The Chair recognizes you now for 5 minutes for an opening
statement.

     STATEMENT OF DANIEL M. GERSTEIN, THE RAND CORPORATION

    Mr. Gerstein. Well, thank you. Good afternoon.
    Chairman Ratcliffe, Ranking Member Richmond, and
distinguished Members of the subcommittee, I thank you for the
opportunity to testify today on the strategies for defending
U.S. Government networks in cyberspace.
    Recent events occurring on U.S. Government networks over
the past several years, punctuated most recently by the OPM
breach, demonstrate clearly the need for developing and
maintaining capabilities to assess the status of the
Government's internal networks and protect them from intrusion.
    These events have also underscored concerns about the
growing sophistication of the threat and the risk posed to
personal data, Government networks, and even mission assurance.
    Two foundational elements of the Department of Homeland
Security's cybersecurity program are EINSTEIN, also called
EINSTEIN 3A, and Continuous Diagnostics and Mitigation, or CDM.
The two systems are designed to work in tandem, with EINSTEIN
focusing on keeping threats out of Federal networks and CDM
identifying them when the threats are inside the Government
networks. The phased rollouts of both CDM and EINSTEIN are
expected to continue over the next several years.
    Now, despite recent progress, critics have argued that both
programs have taken too long to implement, and I have to say
there is some validity to these concerns. However, CDM is now
at a point in development and deployment where additional
resources could accelerate the program. EINSTEIN, on the other
hand, still requires additional development and coordination
with internet service providers, which will be contracted to
implement the program.
    In my judgment, both programs are necessary, but not
sufficient for ensuring the security of Government networks.
Therefore, even with EINSTEIN and CDM, more will be needed to
defend Government networks in cyber space.
    For the remainder of my remarks, I would like to provide a
more strategic look at this issue. Now, the internet is a
complex system of systems, requiring a comprehensive approach
to ensuring security across the vast Government network. Any
single approach or program will be insufficient to ensure
security in cyber space. As such, defense-in-depth strategies
will be essential for securing Government networks.
    Now, when considering the development of a comprehensive
cybersecurity approach, one must examine how new policies and
processes, improvements to the internet architecture, hardware
and software hardening, and personnel training and education
must be combined into a system that will provide security,
privacy, and resiliency.
    Inherent in efforts to secure the Federal cyberspace is the
critical need for a National cybersecurity strategy. Such a
document would include articulation of concepts for governance
of the .gov domain in addition to cyber doctrine for
deterrence, denial, attribution, response, and resilience.
Today no such doctrine exists.
    It is my belief that the U.S. Government is at a crossroads
concerning cybersecurity. The goal to date has been to balance
two competing demands: Availability of data and security of the
enterprise.
    As recent breaches have demonstrated over the past several
years and with the OPM breach as an exclamation point, it is
time to consider developing secure enclaves to protect key
Government information, data, and networks.
    The technology exists today to re-architect the Government
internet systems, and several agencies within the National
security community have implemented such re-engineering with
good results.
    Implementing these approaches to modernize and improve the
security architectures will require resources and focused
attention, both of which Congress and the Executive branch can
provide.
    Appropriate funding for research, development, and
acquisition programs remains another foundational element in
the critical race to secure Federal Government networks.
Government must partner with the cyber industries to ensure the
pipeline of critical solutions continues to be developed.
    Finally, workforce issues both for cyber professionals that
manage the Government networks and for the broader Government
workforce that utilizes the network must be considered as a top
priority.
    In the Government's cyber space, the security of the
overall network is directly linked to the security of each of
the nodes, to include the individuals operating each terminal
device.
    I appreciate the opportunity to discuss recommendations to
improve cybersecurity in our Government networks and, thereby,
the homeland security of our Nation, and I look forward to your
questions. Thank you.
    [The prepared statement of Mr. Gerstein follows:]
              Prepared Statement of Daniel M. Gerstein \1\
---------------------------------------------------------------------------
    \1\ The opinions and conclusions expressed in this testimony are
the author's alone and should not be interpreted as representing those
of RAND or any of the sponsors of its research. This product is part of
the RAND Corporation testimony series. RAND testimonies record
testimony presented by RAND associates to Federal, State, or local
legislative committees; Government-appointed commissions and panels;
and private review and oversight bodies. The RAND Corporation is a
non-profit research organization providing objective analysis and
effective solutions that address the challenges facing the public and
private sectors around the world. RAND's publications do not
necessarily reflect the opinions of its research clients and sponsors.
---------------------------------------------------------------------------
  Strategies for Defending U.S. Government Networks in Cyberspace \2\
---------------------------------------------------------------------------
    \2\ This testimony is available for free download at http://
www.rand.org/pubs/testimonies/CT436.html.
---------------------------------------------------------------------------
                             June 24, 2015
                              introduction
    Good morning Chairman Ratcliffe, Ranking Member Richmond, and
distinguished Members of the subcommittee. I thank you for the
opportunity to testify today on the Department of Homeland Security's
(DHS's) Federal cybersecurity efforts. Specifically, I will discuss
overarching cyber concerns, the Continuous Diagnostics and Mitigation
(CDM) program, and other strategies for defending networks in cyber
space.
    The CDM program is an important foundation for the security of
Government networks.
The concept was designed to provide a set of tools
for enabling network administrators to know the state of their
respective networks, inform on current threats, and allow system
personnel to identify and mitigate issues at network speed. However, it
is worth noting that CDM is not intended to be a stand-alone system,
but rather one part of an overarching system-of-systems approach.
    EINSTEIN, which provides perimeter security for U.S. Government
networks, is a complementary system to CDM. EINSTEIN functions by
installing sensors at web access points and employs signatures to
identify cyber attacks. Of note, both CDM and EINSTEIN are in early
stages of deployment.
    Recent breaches occurring on U.S. Government networks over the past
several years demonstrate clearly the need for developing and
maintaining capabilities to assess the status of the Government's
internal networks and protect them from intrusion. These events have
also underscored concerns about the growing sophistication of the
threat and the risk to personal data, Government networks, and even
mission assurance.
overarching cyber issues and the continuous diagnostics and mitigation
                      (cdm) and einstein programs
    Several key points undergird my comments about the CDM and EINSTEIN
programs. These points concern the nature of the cyber threat, the
demonstrated ability to sense and respond to threats, the importance of
the programs, and, finally, the need to employ CDM in concert with
others' cybersecurity strategies.
The cyber threat continues to grow and evolve
    The range, pace, persistence, and intensity of cyber threats to
U.S. Government networks continue to grow. Even before this most
recent breach of Government data from the Office of Personnel
Management (OPM), ample evidence was available to indicate that our
networks have been and likely continue to be penetrated.
The goals of
these attacks vary and include mapping Government networks, building
databases on personnel, and intellectual property theft. The
perpetrators include both state actors--in particular, China and
Russia--and non-state actors.
    The cyber adversary is determined and technically competent and has
demonstrated significant agility in attacking Government networks.
Additionally, the cyber adversary has a low cost of entry, allowing for
large numbers of potential threat actors. Coupling the growing number
of hackers with the potential for high payoffs for successful attacks
provides indications that the current pace of attacks is unlikely to
change unless the perceived cost-benefit dynamics are also changed.
    Concerning the recent OPM database hack, the private data of over 4
million people were compromised, with up to 18 million personnel whose
records were exposed to the hackers. Speculation is that the goal
behind the attack is to build a database of Federal employees, perhaps
even to use the stolen personal information to impersonate Government
workers or for future ``insider'' attacks. Experts speculate that the
goal behind the attack could be to reveal who has security clearances
and at what level, so that the Chinese may be able to identify, expose,
and even blackmail U.S. Government officials around the world.\3\
---------------------------------------------------------------------------
    \3\ See Andy Medici, ``Massive OPM Data Breach Went Undetected for
Months,'' Federal Times, June 5, 2015, and OPM, ``Information About
Recent Cybersecurity Incidents,'' web page, updated June 18, 2015
(http://www.opm.gov/news/latest-news/announcements/).
---------------------------------------------------------------------------
    Several years ago, U.S. Cyber Command (CYBERCOM) estimated that
there were 250,000 probes or attacks every hour, or over 6 million per
day, against U.S. Government networks.\4\ Today, an estimated 3 billion
people use the internet, and another 4.9 billion devices are
connected--a phenomenon known as the Internet of Things (IoT).
Estimates are that by 2020, the number of IoT connections will be in
excess of 25 billion devices.\5\ This expansion implies that more
Government internet users, data, and systems will be placed at risk
from a rapidly expanding internet footprint.
---------------------------------------------------------------------------
    \4\ Jim Garamone, ``Cybercom Chief Details Cyberspace Defense,''
DoD News, September 23, 2010.
    \5\ Gartner, ``Gartner Says 4.9 Billion Connected `Things' Will Be
in Use in 2015,'' press release, Barcelona, Spain, November 11, 2014
(http://www.gartner.com/newsroom/id/2905717).
---------------------------------------------------------------------------
    The loss of Government intellectual property (IP) is another
significant cause for concern. Russia and China have active programs to
penetrate U.S. Government networks for the purpose of gaining IP. China
uses these intrusions to fill gaps in its own research programs, map
future targets, gather intelligence on U.S. strategies and plans,
enable future military operations, shorten research and development
(R&D) time lines for military technologies, and identify
vulnerabilities in U.S. systems and develop countermeasures.\6\
Estimates are that the loss of IP has exceeded well over $1 trillion
including the loss of plans and technical details for the F-22 and F-35
aircraft.\7\
---------------------------------------------------------------------------
    \6\ Larry M. Wortzel, Cyber Espionage and the Theft of U.S.
Intellectual Property and Technology, Testimony Before the House of
Representatives Committee on Energy and Commerce, Subcommittee on
Oversight and Investigations, Washington, DC, July 9, 2013.
    \7\ Ellen Nakashima and Andrea Peterson, ``Report: Cybercrime and
Espionage Costs $445 Billion Annually,'' Washington Post, June 9, 2014.
---------------------------------------------------------------------------
Major concerns about our ability to sense threats in real time and
        respond rapidly
    The OPM data breach provides ample evidence that the Government's
ability to sense threats in real time has not been adequate. Reports
indicate that the OPM breach first occurred in December 2014, but was
not discovered until April 2015 or publicly acknowledged until June
4, 2015.
    Also noteworthy when considering the OPM breach is that the
intrusion was detected in April only after OPM's cybersecurity
detection and monitoring tools had been upgraded. Therefore, any
Government organization that has not already upgraded its detection and
monitoring tools is likely to be unaware of any similar intrusions that
are on-going or that previously occurred.
    Given the large number of attacks on Government networks that
CYBERCOM estimates occur on a daily basis, one can conclude that there
is a high likelihood of additional successful malicious attacks that
have been conducted or are on-going and that have not been detected.
Continuous Diagnostic Monitoring (CDM) and EINSTEIN as key components
        of our defensive cyber capacity for .gov users
    The two foundational programs of DHS's cybersecurity program are
EINSTEIN (also called EINSTEIN 3A) and CDM.
These two systems are
designed to work in tandem, with EINSTEIN focusing on keeping threats
out of Federal networks and CDM identifying them when they are inside
Government networks.
    EINSTEIN provides a perimeter around Federal (or .gov) users, as
well as select users in the .com space that have responsibility for
critical infrastructure. EINSTEIN functions by installing sensors at
web access points and employs signatures to identify cyber attacks.
    CDM, on the other hand, is designed to provide an embedded system
of sensors on internal Government networks. These sensors provide
real-time capacity to sense anomalous behavior and provide reports to
administrators through a scalable dashboard. It is composed of
commercial-off-the-shelf equipment coupled with a customized dashboard
that can be scaled for administrators at each level.
    CDM operates by providing:

``Federal departments and agencies with capabilities and tools that
identify cybersecurity risks on an on-going basis, prioritize these
risks based upon potential impacts, and enable cybersecurity personnel
to mitigate the most significant problems first. Congress established
the CDM program to provide adequate, risk-based, and cost-effective
cybersecurity and more efficiently allocate cybersecurity
resources.''\8\
---------------------------------------------------------------------------
    \8\ U.S. Department of Homeland Security, ``Continuous Diagnostics
and Mitigation (CDM),'' web page, updated June 16, 2015 (http://
www.dhs.gov/cdm).
---------------------------------------------------------------------------

    CDM will be fully implemented in three phases, allowing for 15
diagnostic capabilities. The first phase focuses on endpoint integrity,
which is the functionality that examines all endpoints attempting to
attach to the network and prohibits unsafe or noncompliant endpoints
from gaining access. Specifically, endpoint integrity includes
management of hardware and software assets, configuration management,
and vulnerability management, which are foundational capabilities to
protect systems and data. Phases 2 and 3 are continuing to be further
defined to include Least Privilege and Infrastructure Integrity, and
Boundary Protection and Event Management, respectively.\9\ In the
end-state, CDM is expected to cover over 60 Federal agencies.
---------------------------------------------------------------------------
    \9\ U.S. Department of Homeland Security, ``Implementation of
Continuous Diagnostics and Mitigation (CDM),'' web page, updated June
16, 2015 (http://www.dhs.gov/cdm-implementation).
---------------------------------------------------------------------------
    DHS, partnering with the General Services Administration (GSA),
established a Blanket Purchase Agreement (BPA) for CDM that allows
Government departments and agencies at the Federal, State, local,
Tribal, and territorial levels to contract for continuous diagnostic
monitoring. The BPA has a total ceiling of $6 billion.
    The phased roll-outs of both CDM and EINSTEIN are expected to
continue over the next several years. Despite recent progress, critics
have argued that both programs have taken too long to implement, and
there is some validity to the concerns. However, CDM is now at a point
in development and deployment where additional resources could
accelerate the program.
EINSTEIN, on the other hand, still requires
additional early-stage development and coordination with the internet
service providers that would be contracted to support the program.
Lack of defensive capacity is placing the Nation at risk and we should
        expect additional intrusions and hacking to occur
    The skill of the adversaries, low cost of entry, relative ease of
conducting attacks, and the potential for high payoffs suggest that
cyber attacks against Government networks are likely to remain a
significant threat.
    Programs such as EINSTEIN and CDM are necessary but not sufficient
to change the cost-benefit calculus or provide sufficient defensive
capacity to keep cyber attacks from penetrating U.S. Government
networks.
    Recent legislative actions are also necessary but not sufficient to
ensure protection of Government networks. These include: (1) The
National Cybersecurity Protection Act of 2014, which provides explicit
authority for DHS to provide assistance to the private sector in
identifying vulnerabilities and restoring their networks following an
attack, and establishes in law the National Cybersecurity and
Communications Integration Center (NCCIC) as a Federal civilian
interface with the private sector; and (2) the Federal Information
Security Modernization Act of 2014, which provides DHS authority to
administer the implementation of Federal information security policies,
develop and oversee implementation of binding cybersecurity directives,
provide technical assistance to other agencies through the U.S.
Computer Emergency Response Team (US-CERT), and deploy cybersecurity
technology to other agencies upon their request.
    A third piece of legislation that is still being debated is the
Cybersecurity Information Sharing Act of 2015. This legislation would
require the sharing of information between the Government and industry
concerning threats and other cyber information.
While the specifics are
still being developed, the general concept of greater sharing of
information on cyber incidents between industry and the Government
would be welcomed. However, even with such new legislation, recent
cybersecurity trends are unlikely to be reversed without a more
comprehensive program.
Even with EINSTEIN and CDM, more will be needed to defend Government
        networks in cyber space--developing doctrine for deterrence,
        denial, attribution, and response will be imperative. It may
        also be time to reevaluate the U.S. Government information
        architecture.
    The internet is a complex system-of-systems requiring a
comprehensive approach to ensuring security across the vast Government
network. Any single approach or program will be insufficient to ensure
security in cyber space. As such, a defense-in-depth strategy will be
essential for securing Government networks.
    In considering the development of a comprehensive cybersecurity
approach, one must examine how new policies and processes, improvements
to the internet architecture, hardware and software hardening, and
personnel training and education must be combined into a system that
will provide security, privacy, and resiliency.
    Inherent in efforts to secure the Federal cyber space is the
development of a National Cybersecurity Strategy. Such a document would
include articulation of concepts for governance of the .gov domain, in
addition to cyber doctrine for deterrence, denial, attribution,
response, and resilience.
    In my judgment, the U.S. Government is at a crossroads concerning
cybersecurity. The goal to date has been to balance two competing
demands: Availability of data and security of the enterprise. As recent
breaches have demonstrated over the past several years--with the OPM
breach as an exclamation point--it is time to develop secure enclaves
to protect key Government information, data, and networks.
    The technology exists today to re-architect Government internet
systems, and several agencies within the National security community
have implemented such a reengineering with good results.
    Implementing these existing approaches to modernize and improve
security architectures will take resources and focused attention--both
of which Congress and the Executive branch can provide. We must start
thinking of security as one of the top imperatives and systematically
evaluate and change the U.S. Government's information architectures,
along with applying programs such as CDM and EINSTEIN, if we are going
to be better able to prevent, detect, and respond to these sorts of
attacks.
    Appropriate funding for research, development, and acquisition
programs remains another foundational element in this critical race to
secure Federal Government networks. Government must partner with the
cyber industries to ensure that the pipeline of critical solutions
continues to be developed. At the same time, critical infrastructure
industries such as transportation and energy must be beneficiaries of
this cyber research, development, and acquisition.
    Workforce issues, both for the cyber professionals that manage the
Government networks and for the broader Government workforce that
utilizes the network, must be considered as a top priority.
    In the Government cyber space, the security of the overall network
is directly linked to the security of each node, including the
individuals operating the terminal devices. Training and education must
be fully embedded throughout the workforce.
                              conclusions
    Recent cyber attacks demonstrate a disconcerting trajectory.
Attackers are evolving their strategies and are becoming more
emboldened. With little by way of deterrence, hackers--including state
and non-state actors--are continuing to find opportunities to penetrate
U.S. Government networks.
    These networks have demonstrated significant weaknesses that have
been exploited, resulting in the loss of a large amount of personally
identifiable information, intellectual property, acquisition
information, and sensitive security information.
    CDM and Einstein must be considered as one part of a layered
defense strategy, but they cannot be the only tools employed. No one
technology or solution can be utilized in isolation. Employing a
systems approach to cybersecurity will be essential.
    Thank you, and I look forward to your questions.

    Mr. Ratcliffe. Thank you, Dr. Gerstein.
    I now recognize myself for 5 minutes for questions.
    So, Dr. Gerstein, you were in the room today and had a
chance to listen to the testimony of our first panel. So I want
to start there.
    Obviously, we spent some time in this hearing and much of
last week talking about the OPM breach. As a former DHS officer
now on the outside looking in, I would like to get your
perspective on that and specifically whether or not you have an
opinion to the question that I was asking earlier about whether
or not there is any legitimate excuse for why encryption and
multi-factor identification shouldn't have been deployed at
OPM.
    Mr. Gerstein. Thank you, Mr. Chairman.
    I absolutely believe that, in fact, OPM had been slow to
make necessary enhancements to its cyber network. The list of
deficiencies that they are trying to remediate and have been
trying to remediate over the past, say, 9 months or so has been
quite long.
    It begins with not even having a common understanding of
what systems were part of their network.
So they had not had a \nmapped network to be able to understand what was on their \nentire OPM network. So that is problematic.\n    The multi-factor authentication is absolutely key. They \nwere not in charge of their configuration because they had not \nhad necessarily a professional IT force until 2013, when they \nactually did get an IT staff. So you have those sorts of \nsystemic problems that are now being addressed.\n    I clearly think that Dr. Ozment\'s comment about we are \nfighting a catch-up battle is right to the point, that we have \nunderinvested in cybersecurity strategies.\n    At the same time, interestingly, we have, in a sense, \noverinvested in information-sharing strategies. That is, we \nhave put a premium on how to share information, but not \nnecessarily how to secure the information.\n    Mr. Ratcliffe. Well, you mentioned underinvesting. But \nFederal agencies face similar problems with budgets and \nresources all the time.\n    I guess I would like to know if you have any \nrecommendations for Federal CISOs with respect to devoting \nthose resources to combat this particular threat.\n    Mr. Gerstein. Well, Mr. Chairman, it\'s really above the \nCISO. It\'s about strategic decisions to protect the network. \nWhat we lack in this entire architecture is a governance \nstructure and a National cybersecurity strategy.\n    I go back to several months ago now. The Department of \nDefense put out its own defense cybersecurity strategy. \nNormally, when there is such a strategy, you would expect that \nthere would have been a National strategy that would have \nhelped to inform.\n    Such is always the case, for example, with the National \nsecurity strategy of the United States coming out, and then the \nNational military strategy falls shortly thereafter. 
One would \nexpect and one would hope there would be such a thing as a \nNational cybersecurity strategy.\n    This strategy, as I mentioned in my opening remarks, should \nreally think about, what is the doctrine for deterrence, how do \nwe tell potential adversaries what the consequences are for \nactions in cyber space, how do we find the proper balance \nbetween the security of the network and the privacy of \nindividuals? These are trade-off questions that have to be \naddressed in such a strategy.\n    Mr. Ratcliffe. So, Dr. Gerstein, you heard Dr. Ozment\'s \ntestimony. I asked him specifically about--and he was able to \nconfirm--the published reports out there that this breach was \naccomplished by using authorized credentials.\n    So, in effect, the user here with respect to the network \nappeared to be an authorized user. We seem to be increasingly \nseeing that as a cyber intrusion method in other places besides \nthe OPM attack.\n    So I guess I would like to hear your perspective on what \ncybersecurity measures and best practices can be employed to \nidentify those anomalies where you have authorized users in \nplaces where they shouldn\'t be.\n    Mr. Gerstein. So there are a number of different strategies \nthat one can consider. Certainly you brought out multi-factor \nauthentication. That is key. PIV cards. Incorporating those \ninto your architecture is also key. I think we need to look \nhard now at, do we develop enclaves? Let me just talk for a \nmoment about that.\n    Today we have a system, an internet, which has evolved over \nthe past 40 years in which you have normal information sharing. \nI use the tongue-in-cheek grandma\'s recipes residing on the \nsame system that you have industrial control systems for \nhydroelectric plants and even nuclear facilities.\n    The question has to be: Is it now time to segment the \ninternet such that you do develop secure enclaves that have a \ngreater degree of security? 
This is something that should be \nconsidered as part of this National cyber strategy that I\'ve \nalluded to.\n    Mr. Ratcliffe. Thank you, Dr. Gerstein. My time has \nexpired.\n    The Chair now recognizes the Ranking Member, Mr. Richmond. \nThe gentleman yields.\n    The Chair recognizes the gentleman from Rhode Island, Mr. \nLangevin.\n    Mr. Langevin. Thank you, Mr. Chairman.\n    I want to thank the Ranking Member for yielding.\n    Dr. Gerstein, thank you for your testimony. It has been \nvery insightful.\n    I want to begin by saying I completely agree with you on \nthe National cyber strategy. In fact, the legislation that I \nhave introduced in now a few Congresses, including this one, \nthe Executive Cyberspace Coordination Act, would basically put \nsomebody in charge, giving them both policy and budgetary \nauthority. That act would also require a National strategy to \nbe completed within 1 year. So you and I are of like mind on \nthat subject.\n    So, Dr. Gerstein, in your written testimony, you say that \nbalancing data access and security has been a driving factor in \ncybersecurity strategies. I understand that this is often a \nfundamental trade-off and that we must support research and \ndevelopment to allow us to better achieve both goals.\n    But I wonder if a bigger problem in many agencies like, \nsay, OPM is that the security risk assessments are not even \nbeing conducted adequately. In other words, there is not so \nmuch a conscious decision to prize usability at the expense of \nsecurity, but a lack of understanding that security is being \ncompromised. Is that a fair analysis?\n    Mr. Gerstein. Yes, sir. I think there is some of that. 
But \nI do believe that some of the recent legislation--I think the \nimplementation of EINSTEIN and CDM across the .gov space will \nbe important.\n    We have to continue, though, to stress to all elements of \nthe network, which includes the personnel and their terminal \ndevices, how important they are as a first line of defense.\n    Many of the intrusions that occur are due to people not \nunderstanding issues such as phishing attacks, spear-phishing \nattacks, and, therefore, opening up their networks through \ninadvertently opening up a piece of software that contains, \nsay, malware.\n    Mr. Langevin. Thank you.\n    So, Dr. Gerstein, I sincerely believe that we are going to \nkeep seeing breaches of sensitive Government networks, \nunfortunately, until we start holding attackers accountable.\n    This is not to absolve OPM for the weak cybersecurity \nposture. Far from it. But I do believe that the administration \nand Congress have to take stronger actions in response to cyber \nattacks.\n    Do you believe that we have sufficiently explored options \nfor deterrence? What avenues would we be exploring?\n    Mr. Gerstein. Absolutely not, sir. I think we have much \nmore to do in cyber deterrence. Today we\'re having discussions \nabout what constitutes an attack and what level of intrusion is \ngoing to be acceptable on networks. I take you back to the Cold \nWar when there was spying going on between adversaries within \nthe Warsaw Pact and NATO.\n    So we have not yet said what is going to be our response to \nsuch intrusions. Are we going to just consider them to be the \ncourse of doing business or are we going to react?\n    I would presume that, if we did talk about deterrence in a \nrealistic and measured way, that we would come up with limits \non what we are prepared to accept before taking actions. 
These \nactions need to be thought of across the full range, from \neconomic- and political-type activities and, if necessary, even \nconsidering use-of-force activities. But we have not had those \ndiscussions across the U.S. Government.\n    Mr. Langevin. Could you speculate on some of what those \nactions would be beyond the broad categories that you talked \nabout?\n    Mr. Gerstein. Well, of course, there are a number of \nopportunities to use organizations such as United Nations and \nthings at the lower end, such as demarche. You can have \neconomic sanctions. You can do something that is very \nasymmetric. So you could have a blockade, for example.\n    But I\'m not suggesting any one set of actions, rather, that \nwe need to, as a Government, consider what actions would be \nreasonable, given the activities that are on-going.\n    Mr. Langevin. Well, I clearly agree that we should have \nsome more international rules of the road. This isn\'t just a \nU.S. problem, but an international one. Right now it is kind of \nthe Wild West out there.\n    On the experience of the cyber attacks that we have \nexperienced here in the United States--and OPM is a perfect \nexample--our adversaries or these hackers are eating our lunch, \nand we are not seeming to be able to stop it and not doing much \nabout it.\n    That should change. We have to change the calculus so that \nour enemies or adversaries know that there is a cost to hacking \nour systems and stealing our data.\n    So, with that, Mr. Chairman, I will yield back.\n    I thank Dr. Gerstein for his testimony.\n    Mr. Ratcliffe. The gentleman yields back.\n    The Chair now recognizes the gentleman from Pennsylvania, \nMr. Perry.\n    Mr. Perry. Thank you, Mr. Chairman.\n    Hey, Dr. Gerstein. Good to see you again.\n    So you were sitting here during the last panel and the \nquestioning that I had. I just would like to get your \nperception, if you recall.\n    Is DHS the correct place? 
Do they have the authority? What \nare the consequences? Your perception there. Also, just \nthinking through some of your comments, National security \nstrategy, National military strategy, National cybersecurity \nstrategy, your thoughts on where--where would be the repository \nof that strategy? Who would develop it? Maybe some tenets of \nthe strategy.\n    Also, what is topical today just came to me while we are \nhaving this discussion. So maybe it has already been brought \nup. But the naming convention, circumstances that we find \nourselves in now, is that something that should be included in \nthis strategy? Should the United States allow that to leave the \npurview of our country and be more international with some \nother international body? How does that tie in? Then we can \nprobably just have an on-going discussion based on your \nanswers.\n    Mr. Gerstein. So I was jotting down some. That was quite a \nlong list. But let me start at the top with the National \ncybersecurity strategy.\n    What I would say there is that I think the precedent \nexists. The National security strategy of the United States \ncomes from the White House, and it\'s an interagency product. \nThe interagency gets a chance to comment and to provide input.\n    I would see a National cybersecurity strategy similarly \nthat would have the responsibility to be developed by the White \nHouse and coordinated and discussed within the interagency. So \nI think that\'s key.\n    On the question of authorities, I believe that the \nlegislation concerning information sharing is critical. That\'s, \nof course, the work that this body has done. I think that\'s \ncritical. Hopefully, in some form--I don\'t take a position on \nwhether each word is correct. 
But, rather, the general concept \nof information sharing between the Government and industry in \nthis space is absolutely imperative.\n    When you look at capabilities such as CDM and EINSTEIN, \ncertainly EINSTEIN relies on signatures. The only way to get \nsignatures is if there is information sharing. So it\'s \nabsolutely essential.\n    On the broader question of authorities, I think for right \nnow the biggest issue that remains is this idea of governance. \nSeveral years ago there were discussions on-going between three \nCabinet departments about who would have authorities in cyber \nspace, Department of Justice, FBI, and Department of Defense, \nand Department of Homeland Security.\n    I still believe that there are likely some seams that need \nto be considered, and I would think those should be considered \nas part of the National cybersecurity strategy. That would give \nan opportunity for the complete discussion to ensure that the \nauthorities are appropriate.\n    Mr. Perry. So two other questions in the time I have left.\n    The naming convention, just your thoughts on that. Just as, \nyou know, it is not appropriate or proper to set up a shotgun \nin your cabin while you are away in case somebody shows up and \nthey open the door, it is locked, and so it is set with a \ntrigger with a string or something to shoot the intruder, that \nis not appropriate.\n    But would it be appropriate in cyber space to set up--and \nis it possible to set up a system where you are hacked by XYZ \ncountry or company, the Federal Government or what have you, \nthat there is a response that is elicited by that attack that \ndoes something similar to what happened to Aramco\'s computer \nwhich rendered them useless? I mean, is that a possibility? \nWould that be something that would be appropriate or is \ncontemplated?\n    Mr. Gerstein. 
So on the question first on the naming \nconvention, I guess what I would say on this, which I think is \npretty important to consider, is the naming convention is, with \nrespect to the internet, a fairly low-level discussion. It\'s a \ntechnical discussion about how things are named. The sharing of \nthat throughout the globe, I think that would be fine.\n    But I think the more important discussion is at a higher \nlevel: What is acceptable internet behavior for a State to \nallow within its borders? Those sorts of discussions have been \nhad really more on an informal basis and not so much directly \nwith all States like we do with sort of a typical arms control \nagreement.\n    This one has been--there have been some discussions with \nparticular States, and they\'ve been on a bilateral basis where \nthey\'ve talked about behaviors. But these continue to evolve.\n    So on your question about having some sort of shotgun \nshell, here\'s what I would be concerned about. This goes back \nto the question of attribution. So imagine if you think you \nunderstand who the perpetrator of the act is, but you have no \nway to definitively attribute a particular act. If you were to \ntake a catastrophic attack against who you think is the \nperpetrator and you get it wrong, you would be doing a lot of \ndamage.\n    So this goes back to this question of you can\'t just depend \non attribution, retribution, proportionality, laws of war-type \nactivities, but you also have to go to the front end and say, \n``How do I deter? How do I change the calculus of a potential \nadversary who is thinking about intruding on my networks? Also, \nhow do I deny? So I won\'t be able to stop everything. 
But can I \nset up enclaves so that I\'m not exposing my entire network, so \nI\'m not exposing 4 million personnel records or perhaps 18-30 \nmillion\'\'--as was reported today--``How do we do a better job \nin parsing that off so that we\'re not exposing our entirety of \nPII information?\'\'\n    Mr. Ratcliffe. The gentleman yields back.\n    The Chair now recognizes the Ranking Member, the gentleman \nfrom Louisiana, Mr. Richmond.\n    Mr. Richmond. Thank you, Mr. Chairman. I will try not to \ntake up all of my time.\n    I will start where my colleague Mr. Perry left off. You \nknow, as I think of sports and other things, even war, I mean, \nthe best defense is a good offense.\n    So the question for me becomes maybe not the shotgun \napproach. But what about the Trojan horse approach, that we \nembed in all of our information something that, if you ever \ntake all of our information, we just activate it, which wipes \nyour computer out?\n    Look, I am not a programmer. I don\'t know code. I don\'t \nknow any of that. But there are people that do. I would just \nthink that we should be able to be in a position that we can \nput land mines in all of our data that we can activate whenever \nwe need to activate it. If you just happen to have it by \naccident, so be it, because you shouldn\'t have it.\n    Because I think that, you know, for folks back home, the \nmajor concern is about our ability to sense these threats, our \nability to stop them. I guess the pervasive question is just, \nwhere does it end? I don\'t think anybody fears us enough to not \ndo this.\n    So the question becomes: Is there anything we can do \nbesides defense to make hackers think twice about messing with \nus or our information?\n    Mr. Gerstein. So there are people who are thinking about \noffensive actions and how to use offensive capabilities. 
\nObviously, that discussion needs to be had in a closed session, \na Classified session.\n    But I think, from a general standpoint, again, I go back to \nestablishing attribution is really key to being able to take \nany action, whether that action is legal action, for example, \nin the case of the Chinese hackers, where we indicted them in \nU.S. courts. So there are opportunities to do those kind of \nthings if one can establish attribution.\n    You know, one topic that we haven\'t talked as much about \ntoday that concerns me greatly is the sensing capacity from the \nstandpoint of our networks today are likely penetrated with \neither zero day attacks which have not been executed and are \nawaiting a point in time at which they would be executed or \nthere\'s an on-going attack. I mean, the likelihood of such a \ncase is very high.\n    So I worry about being able to establish security on our \nnetworks today with the capabilities that we have. As has been \npointed out both by the Members of this subcommittee as well as \nby the other two witnesses, EINSTEIN and CDM have been slow to \nroll out, and we\'re still in the process of rolling them out.\n    Even once that occurs, there will be developmental periods \nand the departments and agencies will have to ensure that they \nhave the proper procedures in place. So it\'s not just the DHS \navailability of the different programs, but it\'s the \nimplementation within the departments and agencies that\'s key.\n    To the point that you asked about, you know, can we do some \nsort of Trojan horse, this is where research and development \nand follow-on, hopefully, with acquisition is key. You have to \nhave robust research and development programs that are designed \nto make headway in this very competitive environment called \ncyber space. 
Right now we are largely in a defensive posture \nwhere an attack is discovered and then we take some sort of \naction to respond, mitigate, recover, resiliency, those sorts \nof action.\n    Mr. Richmond. I will yield the remainder of my time to my \ncolleague, Mr. Perry.\n    Mr. Perry. Thank you, Mr. Richmond.\n    So when you talk about attribution, much like what Mr. \nRichmond was thinking, I was thinking of, you know, if your \ncomputer, if your network, has our data--and I like the land \nmine concept, but, essentially, it is self-actuating or maybe \nit can be actuated by somebody on our side of the fence, so to \nspeak, that there are consequences.\n    I am trying to think about how and maybe why I care whether \nsomebody that didn\'t necessarily do the hack, so to speak, has \nthe latest plans or the plans to our latest fighter or our \npersonnel data. Do I care how they got them or why they got \nthem? They are not supposed to have them. They are critical to \nus.\n    What does it hurt to just obliterate their system and make \nit nonfunctional as a consequence and maybe even everybody down \nthe line, if that becomes an issue? Do hackers steal \ninformation and then store it on somebody else\'s computer?\n    Mr. Gerstein. They do, indeed. In fact, they even use other \npeople\'s computers in what we call botnets. So a botnet is the \nuse of another computer. You load the software on and you have \nattacks that emanate from, if you will, a computer that has \nnothing to do with the attack other than it is used as a \nplatform.\n    In fact, if you look at the attacks against the financial \nsector that were occurring with great regularity 3, 4 years \nago, those attacks were botnet attacks. They were denial, \ndistributed----\n    Mr. Perry. So is there no way--I mean, I think over time, \nwith your indulgence, Mr. Chairman, the investigators follow \nthe thread back through the botnet computer--right?--to find \nthe original source. 
I mean, if that capability exists now, why \ncan\'t the capability go along with it that follows the thread \nback to the origination and then takes care of business where \nit occurred?\n    Mr. Gerstein. Well, Congressman, I\'m not saying that it \ncouldn\'t. I guess what I\'m saying is I would go back to we need \na robust research and development program that looks at all \nalternatives.\n    Look at iPhones or cellular telephones today. They now come \nequipped with a kill switch so that, if your phone has been \nstolen, you have the ability to turn off that phone and make it \nso it is no longer anything viable for someone to use. It \nerases all the data.\n    So there could be some sort of capability. I would prefer \nnot to speculate on the specifics, but rather say that a robust \nresearch and development program should be looking at how do we \nsecure hardware, software, enclaves, networks, in a more \ncohesive fashion than perhaps we have thought about heretofore.\n    Mr. Perry. Thank you, Mr. Chair. I yield.\n    Mr. Ratcliffe. The gentleman yields back.\n    I thank Dr. Gerstein for his valuable testimony. I thank \nthe Members for their questions today.\n    The Members of the committee may have some additional \nquestions for you, Dr. Gerstein. If that is the case, we will \nask you to respond to those in writing.\n    Pursuant to committee rule 7(e), the hearing record will be \nheld open for a period of 10 days.\n    Without objection, the subcommittee stands adjourned.\n    [Whereupon, at 4:28 p.m., the subcommittee was adjourned.]\n\n\n\n                            A P P E N D I X\n\n                              ----------                              \n\n         Questions From Chairman John Ratcliffe for Andy Ozment\n    Question 1. 
Today\'s agency networks are not compartmentalized and \nas we\'ve seen with several of the recent hacks, once the exterior \nperimeter is breached, the hacker remains undetected for months and is \nable to exploit vulnerabilities within the network(s) without passing \nthrough additional inspection or security measures. There has been a \nshift in the private sector towards a Zero Trust model of information \nsecurity where the networks are segmented and additional security is \nbrought within the network between compartments, thus limiting the \nability for the hacker to move internally.\n    This is becoming an important part of the so-called ``defense-in-\ndepth\'\' approach that agencies use today. Is DHS promoting this \npractice across agencies?\n    Answer. Response was not received at the time of publication.\n    Question 2. In April 2014, Deputy Under Secretary for Cybersecurity \nPhyllis Schneck testified before the Senate Appropriations Committee, \n``the lack of clear and updated laws reflecting the roles and \nresponsibilities of civilian network security caused unnecessary delays \nin the incident response . . . In many cases 5 to 6 days were lost in \nresponding to the Heartbleed incident as a result.\'\'\n    As of December 2014, FISMA was updated to give DHS the authorities \nneeded to carry out the operational mission to protect the .Gov domain. \nNow that DHS has the needed authorities, what is in the way of fully \nimplementing the needed capabilities to protect our Government \nnetworks? How does DHS plan to implement FISMA\'s new authorities?\n    Answer. Response was not received at the time of publication.\n       Questions From Honorable James R. Langevin for Andy Ozment\n    Question 1a. Dr. Ozment, is DHS treating the breach of personnel \nrecords and the breach of the SF-86 forms as a single incident or \nseparate incidents?\n    What criteria does DHS use in making such a determination?\n    Answer. 
Response was not received at the time of publication.\n    Question 1b. What specific criteria did DHS use in making the \ndetermination regarding the OPM breach?\n    Answer. Response was not received at the time of publication.\n    Question 1c. What was the time line for said determination?\n    Answer. Response was not received at the time of publication.\n    Question 2a. Dr. Ozment, I understand that OPM discovered the most \nrecent breach after upgrading their security based on recommendations \nfrom US-CERT following the 2014 breach.\n    Was DHS aware of the indicator of compromise--not its existence on \nthe network but just the indicator itself--OPM used in making that \ndiscovery prior to OPM\'s alerting DHS?\n    Answer. Response was not received at the time of publication.\n    Question 2b. How did OPM acquire that indicator of compromise?\n    Answer. Response was not received at the time of publication.\n    Question 3a. Dr. Ozment, in your testimony, you reference a binding \noperational directive issued recently by DHS. The directive instructs \nagencies to close known vulnerabilities on their internet-facing \nsystems.\n    Why weren\'t agencies already closing these known vulnerabilities?\n    Question 3b. Given that the statutory authority has been in place \nsince December, why did DHS wait until May to issue the directive?\n    Answer. Response was not received at the time of publication.\n    Question 3c. Was the issuance of the directive in any way \ninfluenced by the OPM breach?\n    Answer. Response was not received at the time of publication.\n    Question 4. Dr. Ozment, it is clear that OPM\'s security posture was \npoor prior to the breach discovered in March 2014--US-CERT confirmed \nthis, and OPM\'s Inspector General has been saying so since at least \n2007. Do you believe DHS could have done more to help prevent either \nthis most recent breach or the one earlier in 2014? If not, why not?\n    Answer. 
Response was not received at the time of publication.\n    Question 5. Dr. Ozment, in your opinion based on your experience \nwith DHS, is it reasonable to expect agencies to be primarily \nresponsible for defense of their own networks?\n    Answer. Response was not received at the time of publication.\n    Question 6. Do agencies have the management capabilities to \nunderstand the risks they face and make informed decisions about the \nresources they need--relative to other demands--to protect their \nsystems and respond and recover from breaches?\n    Answer. Response was not received at the time of publication.\n    Question 7. Do agencies have the acquisition capabilities to \nappropriately contract for cybersecurity services?\n    Answer. Response was not received at the time of publication.\n    Questions From Chairman John Ratcliffe for Gregory C. Wilshusen\n    Question 1. How would you characterize the current state of \ncybersecurity for Federal civilian information systems?\n    Answer. The current state of cybersecurity for Federal civilian \ninformation systems is that these systems are at high risk of \nunauthorized access, use, disclosure, modification, and disruption. In \nfiscal year 2014, Federal agencies reported 50,289 cyber-related \ninformation security incidents to the U.S. 
Computer Emergency Readiness \nTeam (US-CERT).\\1\\ These incidents included unauthorized access, \nimproper usage, suspicious network activity, social engineering, \nmalicious code, lost or stolen equipment, policy violations, phishing, \nand denial of service.\n---------------------------------------------------------------------------\n    \\1\\ The number of cyber-related information security incidents \n(50,289) reported by Federal agencies was determined by subtracting the \nnumber of reported non-cyber-related information security incidents \n(16,879) from the total number of information security incidents \n(67,168) reported by Federal agencies in fiscal year 2014.\n---------------------------------------------------------------------------\n    Cybersecurity for Federal civilian information systems needs \nsignificant improvement. Agencies continue to have shortcomings in \nassessing risks, developing and implementing security controls, and \nmonitoring results. As I have previously testified,\\2\\ for fiscal year \n2014, 19 of the 24 Federal agencies covered by the Chief Financial \nOfficers (CFO) Act reported that information security control \ndeficiencies were either a material weakness or significant deficiency \nin internal control for financial reporting purposes.\\3\\ In addition, \nmost agencies have weaknesses in five key control categories.\\4\\ For \nexample, 22 of the 24 CFO Act agencies had weaknesses with limiting, \npreventing, and detecting inappropriate access to computer resources, \nand managing the configuration of software and hardware. Moreover, the \nInspectors General at 23 of the 24 agencies cited information security \nas a major management challenge for their agency.\n---------------------------------------------------------------------------\n    \\2\\ GAO, Cybersecurity: Actions Needed to Address Challenges Facing \nFederal Systems, GAO-15-573T (Washington, DC, Apr. 
22, 2015).\n    \\3\\ A material weakness is a deficiency, or combination of \ndeficiencies, that results in more than a remote likelihood that a \nmaterial misstatement of the financial statements will not be prevented \nor detected. A significant deficiency is a control deficiency, or a \ncombination of control deficiencies, in internal control that is less \nsevere than a material weakness, yet important enough to merit \nattention by those charged with governance. A control deficiency exists \nwhen the design or operation of a control does not allow management or \nemployees, in the normal course of performing their assigned functions, \nto prevent or detect and correct misstatements on a timely basis.\n    \\4\\ These categories include controls that are intended to: (1) \nLimit, detect, and prevent unauthorized access to computer resources; \n(2) manage the configuration of software and hardware; (3) segregate \nincompatible duties to ensure that a single individual does not have \ncontrol over all key aspects of a computer-related operation; (4) \nplanning for continuity of operations in the event of a disaster or \ndisruption; and (5) implementing agency-wide security management \nprograms that are critical to identifying control deficiencies, \nresolving problems, and managing risks on an on-going basis.\n---------------------------------------------------------------------------\n    Question 2. In your view, who in the Federal Government is \nresponsible for protecting Federal civilian information systems? What \nis DHS\'s role, and what is each Federal agency\'s role? Do you think \ntheir respective roles are clearly defined? Who is responsible for \nenforcing the standards and processes?\n    Answer. Every single user of Federal civilian information systems \nis responsible for protecting the systems. 
In addition, the Secretary \nof DHS, heads of Federal agencies, and the Director of the Office of \nManagement and Budget (OMB) have key responsibilities for protecting \nthese systems, as discussed below.\n    The Federal Information Security Modernization Act of 2014 (FISMA \n2014) assigns DHS a key role in protecting Federal civilian information \nsystems.\\5\\ With an exception for National security systems, the \nSecretary of DHS is to administer the implementation of agency \ninformation security policies and practices for information systems. In \nthis regard, the Secretary of DHS is responsible for:\n---------------------------------------------------------------------------\n    \\5\\ The Federal Information Security Modernization Act of 2014 \n(Pub. L. 113-283, Dec. 18, 2014) largely superseded the very similar \nFederal Information Security Management Act of 2002 (Title III, Pub. L. \nNo. 107-347, Dec. 17, 2002).\n---------------------------------------------------------------------------\n  <bullet> assisting the director of OMB in carrying out his or her \n        authorities and functions overseeing agency information \n        security policies and practices;\n  <bullet> developing and overseeing the implementation of binding \n        operational directives to agencies to implement the policies, \n        principles, standards, and guidelines developed by the director \n        of OMB and the requirements of the Act;\n  <bullet> monitoring agency implementation of information security \n        policies and practices;\n  <bullet> convening meetings with senior agency officials to help \n        ensure effective implementation of information security \n        policies and practices;\n  <bullet> coordinating Government-wide efforts on information security \n        policies and practices; and\n  <bullet> providing operational and technical assistance to agencies \n        in implementing policies, principles, standards, and guidelines \n        on 
information security.\n    The head of each Federal agency is to provide information security \nprotections commensurate with the risk and magnitude of harm resulting \nfrom unauthorized access, use, disclosure, disruption, modification, or \ndestruction of information systems used or operated by an agency or by \na contractor of an agency or other organization on the agency\'s behalf. \nTo this end, each agency is to develop, document, and implement an \nagency-wide information security program to provide information \nsecurity for the information and information systems that support the \noperations and assets of the agency, including those provided or managed \nby another agency, contractor, or other source.\n    FISMA 2014 helped to clarify the roles of OMB, DHS, and Federal \nagencies in protecting Federal civilian information systems and \nbestowed additional responsibilities upon DHS for ``administering the \nimplementation of agency information security policies and practices \nfor information systems.\'\' However, testimony by a DHS official at \nrecent Congressional hearings suggests that agencies have questioned \nhow sharing network data with DHS for security monitoring purposes \nrelates to their existing statutory restrictions on the use and \ndisclosure of agency data. Thus, the extent to which DHS can compel an \nagency to take a specific action in the name of information security \nmay be unclear.\n    The director of OMB is responsible for enforcing information \nsecurity standards and processes. FISMA 2014 states that the director \nshall oversee agency information security policies and practices \nincluding overseeing agency compliance with the requirements of the \nact. FISMA 2014 also states that the director can use any authorized \naction under section 11303 of title 40 to enforce accountability for \ncompliance with such requirements. 
The authorized actions include \nrecommending a reduction or an increase in the amount of information \nresources that the head of the executive agency proposes for its \nbudget, reducing or otherwise adjusting apportionments and \nreapportionments of appropriations for information resources, and using \nother administrative controls over appropriations. The Secretary of DHS \nis responsible for assisting the director in carrying out this \nauthority and function.\n    Question 3. GAO reported in 2014 that agencies\' information \nsecurity was a major struggle for 23 of 24 agencies. One major weakness \nidentified was agencies\' lack of oversight of contractor standards, \nwhich resulted in an inconsistent implementation of security standards.\n    What should Federal agencies be doing to address this problem? What \nis the role for DHS?\n    Answer. In August 2014, we recommended that agencies establish and \nimplement IT security oversight procedures for contractor-operated \nsystems.\\6\\ Key procedures for effective oversight that agencies should \nimplement include:\n---------------------------------------------------------------------------\n    \\6\\ GAO, Information Security: Agencies Need to Improve Oversight \nof Contractor Controls, GAO-14-612 (Washington, DC: August 8, 2014).\n---------------------------------------------------------------------------\n  <bullet> communicating security and privacy requirements to \n        contractors;\n  <bullet> selecting and documenting controls securing Federal \n        information;\n  <bullet> selecting an independent assessor to evaluate contractor \n        security;\n  <bullet> developing and executing a test plan for assessing security \n        controls;\n  <bullet> recommending remedial actions to mitigate identified \n        vulnerabilities;\n  <bullet> developing and implementing plans of actions and milestones \n        for remediation efforts; and\n  <bullet> monitoring implementation and effectiveness 
of remedial \n        actions.\n    DHS has a role in monitoring agency implementation of information \nsecurity policies and practices and in providing operational and \ntechnical assistance to agencies in implementing policies and \nguidelines on information security. In this role, DHS can monitor and \nassist agencies with effectively overseeing their contractors\' \nimplementation of appropriate security controls over Federal \ninformation and systems.\n    Question 4. The Binding Operational Directive issued by Secretary \nJohnson directs agencies to fix the most critical vulnerabilities on \ntheir systems within 30 days. This seems like going after the lowest-\nhanging fruit. Why not direct agencies to address all their \nvulnerabilities, not just the most critical ones?\n    Answer. Directing agencies to fix the most critical vulnerabilities \nhelps to prioritize agency efforts by focusing remediation efforts on \nthe vulnerabilities that are more likely to be exploited and cause the most \nharm to the agency. In an environment of constrained resources, this is \nprudent. Once the most critical vulnerabilities have been mitigated, \nagencies should then proceed to resolve lower-priority vulnerabilities.\n   Questions From Chairman John Ratcliffe for Daniel M. Gerstein \\1\\\n---------------------------------------------------------------------------\n    \\1\\ The opinions and conclusions expressed in this testimony are \nthe author\'s alone and should not be interpreted as representing those \nof RAND or any of the sponsors of its research. This product is part of \nthe RAND Corporation testimony series. RAND testimonies record \ntestimony presented by RAND associates to Federal, State, or local \nlegislative committees; Government-appointed commissions and panels; \nand private review and oversight bodies. 
The RAND Corporation is a \nnonprofit research organization providing objective analysis and \neffective solutions that address the challenges facing the public and \nprivate sectors around the world. RAND\'s publications do not \nnecessarily reflect the opinions of its research clients and sponsors.\n---------------------------------------------------------------------------\n   strategies for defending u.s. government networks in cyber space \n                              addendum \\2\\\n---------------------------------------------------------------------------\n    \\2\\ This testimony is available for free download at http://\nwww.rand.org/pubs/testimonies/CT436z1.html.\n---------------------------------------------------------------------------\n    Question 1a. From your time at the U.S. Department of Homeland \nSecurity Science and Technology Directorate, what do you see as \nimprovements that can be made to improve DHS\' ability to assist Federal \nagencies in securing Government networks?\n    Answer. Cybersecurity must be looked at through the lens of a \ncampaign plan. In such a plan, numerous initiatives must be implemented \nto ensure a layered defense, thereby increasing the difficulty of \npenetrating Government networks.\n    EINSTEIN 3A and the Continuous Diagnostics and Mitigation (CDM) \nprogram are part of such a layered defense. These two systems are \ndesigned to work in tandem, with EINSTEIN 3A focusing on keeping \nthreats out of Federal networks and CDM identifying risks inside \nGovernment networks. These programs are necessary, but they are not \nsufficient to ensure cybersecurity across Government networks. Other \nmeasures must be developed that complement these programs.\n    For example, hardware and software must be hardened. Enclaves can \nbe developed and deployed using a combination of hardened hardware \nconfigurations in devices and operating software (such as network, \ndata, access, and security management systems). 
In addition, newer \nconcepts such as clouds and virtual machines are being used with some \nsuccess to build enclaves to protect valuable data and sensitive \ncomputation. Emerging concepts under development--such as software-\ndefined networking, trusted protection modules, and secure-by-design \nsoftware systems--may improve our ability to create secure enclaves in \nthe future.\n    Software assurance must continue to be a point of emphasis. New \nsoftware must be developed that assures that products are free from \nvulnerabilities and perform as intended. Legacy systems must be \nevaluated to ensure that they have necessary security. In addition, \ninformation architectures--particularly software and database \narchitectures--for our legacy systems should be rethought and perhaps \noverhauled for systems containing or dealing with personally \nidentifiable information (PII). And consideration should be given to \nany future placement of especially sensitive information (such as PII) \non secure sites. The Office of Personnel Management data breach should \nbe a serious wake-up call to apply resources and common sense against \nthese sensitive data.\n    Personnel who operate the networks and users of the systems must be \nappropriately trained to understand and prevent the various types of \ncyber attacks they are likely to face. Examining previous attacks \nhighlights the degree to which vulnerabilities result from insecurities \ncaused by individuals\' actions (for example, during phishing attacks).\n    Information sharing is a critical component of cybersecurity. The \ncurrent system of securing software vulnerabilities largely relies on \ndiscovering a network intrusion, identifying the attack signature, and \ndeveloping and deploying patches to address the vulnerabilities. 
\nTherefore, information sharing is essential both to gain knowledge that \nan attack has occurred and to share mitigation procedures.\n    Finally, inherent in efforts to secure the Federal cyber space is \nthe critical need for a National Cybersecurity Strategy. Such a \ndocument would articulate concepts for governance of the .gov domain, \nas well as cyber doctrine for deterrence, denial, attribution, \nresponse, and resilience. Today, no such comprehensive document exists.\n    Question 1b. What should S&T\'s role be in helping further develop \nthese programs and future technologies?\n    Answer. Research and development will be critical to identifying \nand deploying solutions to secure Federal networks. S&T must take the \nlonger view of the security requirements for the Federal space. \nAdditionally, the focus for DHS S&T should be to systematically examine \nthe cybersecurity landscape and develop solutions that contribute \ndirectly to the future layered security architecture supporting \nGovernment networks.\n    This examination also involves looking comprehensively at EINSTEIN \n3A and the CDM program to assess their effectiveness and to think more \nbroadly about what the follow-on systems must look like to assure a \nmore forward-looking posture.\n    Given the importance of cybersecurity to the Department and its \ncomponents for both securing their networks and supporting their \nmissions, S&T must also assure a keen understanding of their \noperational and security requirements and look to align its research \nand development to address identified shortfalls and gaps.\n    S&T can also serve an important function in assisting non-\nGovernmental entities, such as the critical infrastructure sectors, in \ncoordinating research and development activities for security \nsolutions. One such S&T program exists in the oil and gas sector, and \nexpanding this program into other sectors could provide significant \nbenefit.\n    Question 2. 
In your short time at the RAND Corporation you have \ndone extensive research in the cybersecurity field.\n    Based on your research, what more can be done to encourage Federal \nagencies to adopt the most basic network security standards, such as \nproper cyber hygiene?\n    Answer. Cybersecurity is not a one-time issue. That is, the \nGovernment cannot recruit a competent cyber workforce and train users \nto operate their information technology systems and expect that this \nwill be sufficient. Rather, cybersecurity must receive constant \nattention, by all employees and at all levels.\n    The cyber workforce must be trained and educated to have the latest \nknowledge and capabilities. They must be continuously challenged \nthrough exercises--including simulated and Red Team intrusions--to keep \ntheir skills honed. The Federal cyber workforce must also be \ncontinuously refreshed to attract the best and brightest to serve. \nLimited-term appointments (including the highly-qualified experts \nprogram) that allow industry experts to serve in Government for periods \nof 2 or 3 years can provide a necessary infusion of talent.\n    Awareness campaigns serve to educate the workforce. The DHS ``Stop, \nThink, Connect\'\' campaign is an example of a program designed to \nincrease personal awareness. In addition to awareness, training can be \nhelpful as well. Individuals must be trained to recognize malicious \ncyber activity that could potentially surface during their interactions \non Government information technology systems.\n    CDM remains a critical component for supporting cyber hygiene on \nGovernment networks. When fully deployed, CDM will allow for \nunderstanding the network architecture and identifying in near real-\ntime the risks that are in the network by sensing vulnerabilities and \nanomalous behaviors that could signal an attack is under way.\n    Question 3. 
Federal agencies face similar problems with budgets and \nresources when trying to address cybersecurity.\n    What recommendations do you have for DHS and Federal CISOs in \ndevoting resources to combating this threat?\n    Answer. DHS and Federal chief information security officers must \nreceive necessary funding that allows for up-to-date information \ntechnology and security systems for their networks and the users that \nreside on those networks. In some regards, this requires a culture \nchange. Typically, budgets have been allocated for ``mission\'\' \nactivities first and have funded the security of internal networks at \nminimum levels. This means that fielding advanced cybersecurity systems \nand even up-to-date hardware and software does not receive the \nnecessary funding to defeat the determined threats that are targeting \nFederal networks.\n\n                                 [all]\n</pre></body></html>\n'