b'<html>\n<title> - A GLOBAL PERSPECTIVE. ON CYBER THREATS</title>\n<body><pre>[House Hearing, 114 Congress]\n[From the U.S. Government Publishing Office]\n\n\n                          A GLOBAL PERSPECTIVE\n                            ON CYBER THREATS\n\n=======================================================================\n\n                                HEARING\n\n                               BEFORE THE\n\n                       SUBCOMMITTEE ON OVERSIGHT\n                           AND INVESTIGATIONS\n\n                                 OF THE\n\n                    COMMITTEE ON FINANCIAL SERVICES\n\n                     U.S. HOUSE OF REPRESENTATIVES\n\n                    ONE HUNDRED FOURTEENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                             JUNE 16, 2015\n\n                               __________\n\n       Printed for the use of the Committee on Financial Services\n\n                           Serial No. 114-32\n                           \n                           \n[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]\n\n\n                            U.S. GOVERNMENT PUBLISHING OFFICE\n96-993 PDF                       WASHINGTON : 2016                            \n\n_________________________________________________________________________________________                 \nFor sale by the Superintendent of Documents, U.S. Government Publishing Office, \nhttp://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, \nU.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). \nE-mail, <a href="/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="f99e8996b99a8c8a8d919c9589d79a9694d7">[email&#160;protected]</a>  \n                \n                 \n                 \n                 HOUSE COMMITTEE ON FINANCIAL SERVICES\n\n                    JEB HENSARLING, Texas, Chairman\n\nPATRICK T. 
McHENRY, North Carolina,  MAXINE WATERS, California, Ranking \n    Vice Chairman                        Member\nPETER T. KING, New York              CAROLYN B. MALONEY, New York\nEDWARD R. ROYCE, California          NYDIA M. VELAZQUEZ, New York\nFRANK D. LUCAS, Oklahoma             BRAD SHERMAN, California\nSCOTT GARRETT, New Jersey            GREGORY W. MEEKS, New York\nRANDY NEUGEBAUER, Texas              MICHAEL E. CAPUANO, Massachusetts\nSTEVAN PEARCE, New Mexico            RUBEN HINOJOSA, Texas\nBILL POSEY, Florida                  WM. LACY CLAY, Missouri\nMICHAEL G. FITZPATRICK,              STEPHEN F. LYNCH, Massachusetts\n    Pennsylvania                     DAVID SCOTT, Georgia\nLYNN A. WESTMORELAND, Georgia        AL GREEN, Texas\nBLAINE LUETKEMEYER, Missouri         EMANUEL CLEAVER, Missouri\nBILL HUIZENGA, Michigan              GWEN MOORE, Wisconsin\nSEAN P. DUFFY, Wisconsin             KEITH ELLISON, Minnesota\nROBERT HURT, Virginia                ED PERLMUTTER, Colorado\nSTEVE STIVERS, Ohio                  JAMES A. HIMES, Connecticut\nSTEPHEN LEE FINCHER, Tennessee       JOHN C. CARNEY, Jr., Delaware\nMARLIN A. STUTZMAN, Indiana          TERRI A. SEWELL, Alabama\nMICK MULVANEY, South Carolina        BILL FOSTER, Illinois\nRANDY HULTGREN, Illinois             DANIEL T. KILDEE, Michigan\nDENNIS A. ROSS, Florida              PATRICK MURPHY, Florida\nROBERT PITTENGER, North Carolina     JOHN K. DELANEY, Maryland\nANN WAGNER, Missouri                 KYRSTEN SINEMA, Arizona\nANDY BARR, Kentucky                  JOYCE BEATTY, Ohio\nKEITH J. ROTHFUS, Pennsylvania       DENNY HECK, Washington\nLUKE MESSER, Indiana                 JUAN VARGAS, California\nDAVID SCHWEIKERT, Arizona\nFRANK GUINTA, New Hampshire\nSCOTT TIPTON, Colorado\nROGER WILLIAMS, Texas\nBRUCE POLIQUIN, Maine\nMIA LOVE, Utah\nFRENCH HILL, Arkansas\nTOM EMMER, Minnesota\n\n                     Shannon McGahn, Staff Director\n                    James H. 
Clinger, Chief Counsel\n              Subcommittee on Oversight and Investigations\n\n                   SEAN P. DUFFY, Wisconsin, Chairman\n\nMICHAEL G. FITZPATRICK,              AL GREEN, Texas, Ranking Member\n    Pennsylvania, Vice Chairman      MICHAEL E. CAPUANO, Massachusetts\nPETER T. KING, New York              EMANUEL CLEAVER, Missouri\nPATRICK T. McHENRY, North Carolina   KEITH ELLISON, Minnesota\nROBERT HURT, Virginia                JOHN K. DELANEY, Maryland\nSTEPHEN LEE FINCHER, Tennessee       JOYCE BEATTY, Ohio\nMICK MULVANEY, South Carolina        DENNY HECK, Washington\nRANDY HULTGREN, Illinois             KYRSTEN SINEMA, Arizona\nANN WAGNER, Missouri                 JUAN VARGAS, California\nSCOTT TIPTON, Colorado\nBRUCE POLIQUIN, Maine\nFRENCH HILL, Arkansas\n                            C O N T E N T S\n\n                              ----------                              \n                                                                   Page\nHearing held on:\n    June 16, 2015................................................     1\nAppendix:\n    June 16, 2015................................................    35\n\n                               WITNESSES\n                         Tuesday, June 16, 2015\n\nBejtlich, Richard, Chief Security Strategist, FireEye, Inc.......     8\nCilluffo, Frank J., Director, the George Washington University \n  Center for Cyber and Homeland Security.........................     5\nMadon, Michael, Board of Advisors Member, Center on Sanctions and \n  Illicit Finance, Foundation for Defense of Democracies.........     7\n\n                                APPENDIX\n\nPrepared statements:\n    Bejtlich, Richard............................................    36\n    Cilluffo, Frank J............................................    41\n    Madon, Michael...............................................    56\n\n              Additional Material Submitted for the Record\n\nDuffy, Hon. 
Sean:\n    Written responses to questions for the record submitted to \n      Richard Bejtlich...........................................    66\n    Written statement of PayPal..................................    68\n\n \n                          A GLOBAL PERSPECTIVE.\n                            ON CYBER THREATS\n\n                              ----------                              \n\n\n                         Tuesday, June 16, 2015\n\n             U.S. House of Representatives,\n                          Subcommittee on Oversight\n                                and Investigations,\n                           Committee on Financial Services,\n                                                   Washington, D.C.\n    The subcommittee met, pursuant to notice, at 10:03 a.m., in \nroom 2128, Rayburn House Office Building, Hon. Sean Duffy \n[chairman of the subcommittee] presiding.\n    Members present: Representatives Duffy, Fitzpatrick, \nFincher, Wagner, Tipton, Poliquin, Hill; Green, Cleaver, \nBeatty, Heck, Sinema, and Vargas.\n    Ex officio present: Representative Hensarling.\n    Also present: Representative Royce.\n    Chairman Duffy. The Oversight and Investigations \nSubcommittee will come to order. The title of today\'s hearing \nis, ``A Global Perspective on Cyber Threats.\'\'\n    Without objection, the Chair is authorized to declare a \nrecess of the subcommittee at any time.\n    The Chair now recognizes himself for 3 minutes for an \nopening statement.\n    The purpose of today\'s hearing is to identify the United \nStates\' primary cyber enemies, better understand the growing \nglobal cyber threat, and ultimately formulate more effective \nresponses to cyber incidents.\n    The cyber landscape today is vastly different from that of \npast years, with technology an integral component of nearly all \ntransactions, means of communication, and methods of \ntransportation. 
In recent years, there has been a growing focus \non protecting the cyber security of critical infrastructure.\n    However, in the wake of the breach of over four million \npersonnel records at the Office of Personnel Management, it is \nstill clear that much more needs to be done to protect \nAmericans from cyber threats.\n    Cyber crime provides a clear and present danger to the \nUnited States of America. At the other end of these attacks are \nnation-states like Russia, China, Iran, and North Korea; \nterrorist groups; criminal organizations; and hacktivists. \nThese groups can range from sophisticated cyber actors to \nideological groups motivated by political or patriotic reasons.\n    While the motivations may vary, there remains one constant. \nThey intend to hurt America and our interests. Not only are \nthey targeting the critical infrastructure of our country such \nas banks, power grids, and food supplies, but they also pose a \nmuch graver threat directly to the citizens of the United \nStates.\n    Nearly every government agency has been a target of cyber \nattacks, and with the recent OPM breach, the Federal Government \nhas now provided a channel for these criminals to access \nsensitive personal information.\n    In the wake of these incidents, the Consumer Financial \nProtection Bureau (CFPB) continues to collect information on \nconsumers and their financial practices, and ``Obamacare\'\' has \ncreated a vast data hub to collect and store scores of highly \nsensitive personal and health information on American citizens.\n    This most recent cyber attack on OPM should underscore the \nurgency around reconsidering the need for such governmental \ndata collection programs. The benefits do not allay the privacy \nrisks to American citizens.\n    The extent to which this information is utilized to harm \nour government\'s employees is yet to be known. 
But what is \nknown is that more needs to be done to mitigate these cyber \nrisks.\n    I welcome our distinguished panel this morning, and I look \nforward to hearing more about what the Federal Government can \ndo and should be doing to protect our country and our citizens \nfrom these cyber criminals.\n    With that, I yield 4 minutes to the gentleman from Texas, \nMr. Green.\n    Mr. Green. Thank you, Mr. Chairman. And I thank the \nwitnesses, as well. Mr. Chairman, there appears to be clear and \nconvincing evidence that cyber attacks pose a clear and present \ndanger not only to the United States\' businesses but also to \nthe U.S. Government itself.\n    The preponderance of the evidence shows that 2014 was a \nbanner year for cyber criminals. According to a report from the \nHeritage Foundation written by Riley Walters, the list of cyber \nattacks in 2014 on private U.S. companies includes the \nfollowing excerpts. And Mr. Chairman, in my opinion, one of the \nbest ways to appreciate the magnitude of a problem is to \nexamine and review some of the components. Let\'s review some of \nthe components.\n    January 2014: Target hacked, 70 million people impacted; \nNeiman-Marcus hacked, 350,000 people impacted; Michaels retail \nstore hacked, 2.6 million customers impacted; Yahoo! 
hacked, \n273 million users impacted.\n    April 2014: Aaron Brothers retail store hacked, 400,000 \ncustomers impacted\n    May 2014, eBay hacked, 233 million customers impacted.\n    June 2014, Feedly Communications hacked, 15 million users \nimpacted.\n    September 2014: Home Depot hacked, 56 million shoppers \nimpacted; Google hacked, 5 million people impacted; Goodwill \nIndustries hacked, 868,000 people impacted.\n    And of course, in October, JPMorgan Chase hacked, 76 \nmillion households impacted.\n    According to this report, in 2014 the annual average cost \nper company of successful cyber attacks increased to $20.8 \nmillion in the financial services industry; $14.5 million in \nthe technology sector; and $12.7 million in the communications \nindustry.\n    These are real people. These are real concerns, and they \nmust be addressed.\n    Mr. Chairman, I fear that FBI Director James Comey was \nright when he proclaimed there are two kinds of big companies \nin the United States--those who have been hacked and those who \ndon\'t know that they have been hacked.\n    Mr. Chairman, I will yield back the balance of my time. \nActually, rather than yield back, I will share it with the \ngentlelady that you will call next.\n    Chairman Duffy. Thank you, Mr. Green.\n    The Chair now recognizes the gentleman from Pennsylvania, \nMr. Fitzpatrick, the vice chairman of our subcommittee, for 1 \nminute.\n    Mr. Fitzpatrick. Thank you, Mr. Chairman, and I also thank \nthe three witnesses for being here today to share your \nexperience and your knowledge with the subcommittee.\n    The protection of our personal data is increasingly a \ncritical part of our private lives, and the threat of data \nbreaches from state or non-state actors looms heavy over \nsecurity experts in nearly every sector of the American \neconomy.\n    These types of attacks have real financial and emotional \nconsequences. 
When families back in my hometown of Levittown \nlearn that their information was compromised, they immediately \nbecome concerned about whether they will be able to use their \ndebit card to purchase gas and groceries. But for our Nation\'s \nfinancial institutions, the risks are significant and they are \nsystemic.\n    Mr. Chairman, there is a task force to investigate terror \nfinance. I am especially interested in the possibility that \nthis data, once stolen, could be sold to fund illicit \noperations, or as recent reports regarding the OPM theft have \nshown, be used against United States government personnel.\n    I look forward to hearing the witnesses\' testimony, and I \nhope that this committee can work together to strengthen and \nprotect this vital part of our Nation\'s security and \ninfrastructure.\n    I yield back.\n    Chairman Duffy. The gentleman yields back.\n    The Chair now recognizes the gentlelady from Arizona for 2 \nminutes.\n    Ms. Sinema. Thank you, Chairman Duffy and Ranking Member \nGreen.\n    Earlier this month, the Office of Personnel Management \nrevealed that at least four million, and perhaps substantially \nmore, current and former Federal employees from nearly every \nFederal agency, some of them military and defense personnel \nliving in Arizona, may have had their personal information \nstolen.\n    While DHS and the FBI continue to investigate this \nincident, it is strongly suspected that Chinese hackers are \nresponsible for the breach. Cyber attacks from state and non-\nstate actors have increased dramatically in recent years. The \nU.S. Government needs a clear strategy to deter, as well as \ndetect and defeat ever-changing cyber threats.\n    Federal law sets forth various requirements, roles, and \nresponsibilities for securing Federal agencies\' systems and \ninformation. 
Despite these measures, according to an April 2015 \nGAO report, Federal agencies continue to demonstrate \nshortcomings in assessing risks, developing and implementing \nsecurity controls, and monitoring results.\n    Securing our government requires strengthened security \ncontrols and information-sharing infrastructures. Educating \nFederal employees and contractors is also crucial if these \nefforts are to be successful.\n    I look forward to hearing more from our witnesses today \nabout the effectiveness of actions taken by Federal agencies to \naddress cyber vulnerabilities.\n    Thank you, Mr. Chairman. I yield back my time.\n    Chairman Duffy. The gentlelady yields back.\n    We now recognize our witnesses. We have Mr. Frank Cilluffo, \nan associate vice president at George Washington University; \ndirector of the Center for Cyber and Homeland Security; and co-\ndirector of GW\'s Cyber Center for National and Economic \nSecurity. Mr. Cilluffo has published extensively on cyber and \nhomeland security.\n    In addition, he has served on various national security-\nrelated committees sponsored by the government and nonprofits, \nincluding as the vice chairman of the Future of Terrorism Task \nForce of the Homeland Security Advisory Council and chairman of \nthe Quadrennial Homeland Security Review Advisory Council.\n    Previously, Mr. Cilluffo served as Special Assistant to the \nPresident for homeland security. Immediately after the \nSeptember 11, 2001, terrorist attacks, President George W. Bush \nappointed him to the Office of Homeland Security, where he was \na principal adviser to Governor Tom Ridge. Mr. Cilluffo \ndirected the President\'s Homeland Security Advisory Council.\n    We also have Mr. Michael Madon. He serves on the board of \nadvisors of the Center on Sanctions and Illicit Finance at the \nFoundation for Defense of Democracies, and is the vice \npresident of business development at Redowl Analytics.\n    Previously, Mr. 
Madon served as Deputy Assistant Secretary \nin the Office of Intelligence and Analysis of the Treasury \nDepartment, where he developed strategies to help identify and \nmitigate cyber risks within both the Department and the \nfinancial sector.\n    Mr. Madon holds an MBA from Wharton School, a master\'s of \ninternational affairs from Columbia, and a BA from Cornell. He \nis the recipient of the Bronze Star, the National Intelligence \nDistinguished Service Medal, and Treasury\'s Distinguished \nService Award.\n    And finally, last but not least, Mr. Richard Bejtlich. \nWelcome. He is the chief security strategist at FireEye\' a \nnonresident senior fellow in the Center for 21st Century \nSecurity in intelligence of the foreign policy program at \nBrookings; and a board member of the Open Information Security \nFoundation.\n    Mr. Bejtlich was Mandiant\'s chief security officer. Before \nthat, he was the director of incident response for GE, and \nbefore that, he worked extensively in the private sector. \nPreviously, Mr. Bejtlich was a military intelligence officer in \nthe U.S. Air Force Computer Emergency Response Team, Air Force \nInformation Warfare Center and Air Intelligence Agency.\n    He has a master\'s of public policy from Harvard University \nand a BS from the United States Air Force Academy.\n    So with that, gentlemen, you will each be recognized for 5 \nminutes for an oral presentation of your testimony. And without \nobjection, the witnesses\' written statements will be made a \npart of the record. Once the witnesses have finished presenting \ntheir testimony, each member of the subcommittee will have 5 \nminutes within which to ask questions.\n    Now, on your table, you have three lights--green, yellow, \nand red. Green means go, yellow means you have 1 minute left, \nand red means your time is up. The microphones are sensitive, \nso please make sure that you are speaking directly into them.\n    And with that, Mr. 
Cilluffo, you are recognized for 5 \nminutes.\n\nSTATEMENT OF FRANK J. CILLUFFO, DIRECTOR, THE GEORGE WASHINGTON \n       UNIVERSITY CENTER FOR CYBER AND HOMELAND SECURITY\n\n    Mr. Cilluffo. Thank you, Mr. Chairman. And thank you, \nRanking Member Green, and the distinguished members of the \nsubcommittee for the opportunity to testify before you today.\n    I thought ``red\'\' meant we were being hacked, given the \ntopic, but I am glad that I have to sum up my remarks quickly.\n    I thought all of you did a terrific job summing up the \nthreat, so I will try to zero in on a handful of different \nissues that, hopefully, we will have time to explore further \nduring Q&A.\n    Clearly, the United States currently faces a dizzying array \nof cyber threats from many and varied actors. Virtually every \nday, there is a new incident in the headlines, and the \ninitiative today clearly remains with the attacker.\n    The U.S. financial services sector, from banks to credit \ncard companies to exchanges and clearinghouses, is clearly in \nthe crosshairs and is a primary target for cyber attacks and \ncyber crime.\n    To give you a sense of the magnitude of the problem, \nconsider the following figures, which were provided to me by a \nmajor U.S. bank on a not-for-attribution basis. Just last week, \nthey faced 30,000 cyber-attacks. This amounts to an attack \nevery 34 seconds each and every day.\n    And these are just the attacks that the bank actually knows \nabout by virtue of a known malicious signature or IP address. \nAs for the source of the attacks, approximately 22,000 came \nfrom criminal organizations and 400 from nation-states.\n    A few words on the threat itself. First, not all hacks are \nthe same, nor are all hackers the same. 
The threat comes in \nvarious shapes, sizes, and forms, ranging from nation-states at \nthe high end of the threat spectrum to foreign terrorist \norganizations, criminal enterprises, and hacktivists.\n    Just as diverse as the threat actors themselves are their \nintentions; capabilities; and tactics, techniques, and \nprocedures (TTPs) and the tools they utilize to commit these \ncrimes.\n    Put another way, nearly every form of conflict today and \ntomorrow will have a cyber dimension to it. Whereas \ntechnologies will continue to evolve and change, human nature \nremains consistent. If it happens in the physical world, it is \nhappening in the cyber world, and increasingly, you are seeing \nthe physical and cyber worlds converge.\n    One factor that makes cyber unique, of course, is time and \nspace, or speed and impact. You can commit a cyber crime \nwithout ever stepping foot in the target area or even the same \ncountry, and it would take years, say, to rob bank after bank \nafter bank, which can now be done in a matter of nanoseconds by \npointing and clicking on a mouse.\n    A couple of very quick top-line words on the threat actors. \nAs I mentioned earlier, nation-states and their proxies \ncontinue to present the greatest, meaning most advanced and \npersistent, threat in the cyber domain. Topping the list are \ncountries that are integrating computer network attack and \ncomputer network exploit into their war-fighting doctrine and \nstrategy.\n    The most sophisticated and active countries are China and \nRussia. It is also worth noting that the two countries recently \nsigned a major cyber security agreement, dubbed by a friend of \nmine as a new axis of e-vil. Both China and Russia are known to \nuse proxies to do their bidding to provide plausible \ndeniability of their attacks if they get caught.\n    After these two countries, come Iran and North Korea. 
While \nperhaps not up to par with Russia or China in terms of \ncapability, both countries are investing very heavily into \nbuilding out their cyber capacity, and what they may lack in \ncapability, they more than make up for in intent.\n    Moreover, they are more likely to turn to computer network \nattack, rather than merely espionage, as demonstrated by Iran\'s \ndistributed denial of service attacks on U.S. banks and North \nKorea\'s recent attack on Sony.\n    Next up are foreign terrorist organizations. They certainly \npossess the motivation and intent, but fortunately, they have \nyet to fully develop a sustained cyber attack capability. The \nrecent doxing attacks, however, on our U.S. military and law \nenforcement personnel is a very troubling sign, with their \ncoming up with new tactics, and I think it is indicative of an \nemerging threat. It is likely that ISIS or their sympathizers \nwill increasingly turn to disruptive cyber attacks.\n    By contrast, criminal organizations possess substantial \ncapabilities, but their motivation and intent obviously differs \nfrom foreign terrorist organizations. Rather than being \nmotivated by ideology, they are motivated by profit. And they \nare continuing--one of the trends we are seeing is working as \nproxies with other nation-states, as I mentioned vis-a-vis \nRussia.\n    And then, of course, you have hacktivists. And regardless \nof the cause, they are going to use their techniques for \nspecial interests, and some of those can be very sophisticated. \nAnd their intent is normally to embarrass to bring attention to \ntheir cause.\n    While I planned to say a couple of words on what we should \ndo about all this, I hope we will have an opportunity to \ndiscuss that during Q&A.\n    Mr. Chairman, thank you.\n    [The prepared statement of Mr. Cilluffo can be found on \npage 41 of the appendix.]\n    Chairman Duffy. Thank you, Mr. Cilluffo.\n    The Chair now recognizes Mr. 
Madon for 5 minutes.\n\nSTATEMENT OF MICHAEL MADON, BOARD OF ADVISORS MEMBER, CENTER ON \n   SANCTIONS AND ILLICIT FINANCE, FOUNDATION FOR DEFENSE OF \n                          DEMOCRACIES\n\n    Mr. Madon. Chairman Duffy, Vice Chairman Fitzpatrick, \nRanking Member Green, and other distinguished members of the \nsubcommittee, it is an honor to appear before you to discuss \nthe global cyber threats we face, and in my view, more \nimportantly, what we can do about it.\n    During my time at Treasury, I was fortunate to work for and \nwith a team of true innovators developing novel strategies and \napproaches to identify and mitigate the cyber risks and \nvulnerabilities facing both the Department and the financial \nsector more broadly.\n    The thoughts I am sharing today are inspired by that early \nTreasury work and the thinking spearheaded by Juan Zarate and \nhis Center on Sanctions and Illicit Finance.\n    If the recent attacks against JPMorgan Chase and Citibank \nserve as examples, banks are prime targets for sophisticated, \norganized cyber attacks, despite a dramatic increase in cyber \nsecurity spending. In my view, the rise in frequency and \nbreadth of cyber attacks can be attributed to five primary \nthreats--nation-states, cyber terrorists, hacktivists, \norganized criminal elements and malicious, compromised, or \nnegligent employees--in other words, the insider threat.\n    So why banks? On a tactical level, banks hold not just \nmoney but also collect and centralize sensitive personally \nidentifiable information and clients\' intellectual property.\n    But our cyber threats see a greater purpose in hitting \nbanks. 
They serve as both key systemic actors important for the \nfunctioning of the global economy and as chief protagonists in \nthe isolation of bad actors from the financial system.\n    It is clear from watching these attacks dramatically \nincrease in both frequency and damage, that our Nation\'s \ncurrent defensive posture is simply not sufficient to address \nthe threat. We need to have a more proactive approach, one that \nshifts the paradigm away from defense to offense.\n    We can take inspiration from the anti-money-laundering and \nsanctions model forged at Treasury, and leverage financial \npressure against cyber threats to better protect the financial \nsystem.\n    This economic and cyber security approach requires a new \nparadigm of U.S. public-private engagement and collaboration, \nadopting language from Treasury\'s successful campaign. Cyber-\ndriven targeted financial measures is, at its core, a \nthoughtful set of decisions that change our cyber posture from \na defensive crouch to an offensive charge.\n    These measures can encourage the creation of internal \nfinancial intelligence units to enhance financial sector and \naugment U.S. intelligence community collection and analysis \nefforts. These measures include:\n    Enhancing the safe harbor regime to encourage greater \ninformation sharing among financial institutions.\n    Enhancing Section 314(b) of the USA Patriot Act to allow \nfinancial institutions to share information about suspect \ncyber-related financial activity within their sector, without \nliability.\n    Accelerating the U.S. Government\'s targeting of state \nactors, networks, and individuals that attack U.S. private \nsector systems, especially financial systems.\n    Deploing the President\'s emergency economic powers for the \nuse of multiple tools to address the reality of major cyber \nespionage, crime, and infiltration affecting the U.S. 
financial \nand commercial system.\n    And encouraging Congress to craft legislation to empower \nthe Secretary of the Treasury to identify jurisdictions, \ninstitutions or networks that are sponsoring or willfully \nallowing their territory or systems to be used to attack \nAmerican financial institutions as a precursor to sanctions.\n    Innovative attacks require innovative responses, and \nCongress could enlist the private sector to participate in \ncyber-driven targeted active defensive measures that reward, \nenable, and empower the private sector to help defend itself in \nconcert with the government. Yes, this would require rule-\nsetting, more active collaboration, and explicit line drawing \nand processes, but such a regime is imaginable.\n    This model could be based on the tradition of congressional \nissuances of letters of marque and reprisal, as provided for \nexplicitly in Article 1, Section 8 of the U.S. Constitution. \nThis model could take different forms to include a reward \nprogram for those groups able to uncover, identify, and even \ndeliver cyber hackers to U.S. courts or authorities, such as \nunleashing cyber forensic teams and private litigants and \nplaintiffs\' lawyers against those attacking U.S. systems; \nempowering victims of attacks to sue the perpetrators and those \nbenefiting directly from any cyber infiltrations, just as \nvictims of terrorism are provided the right to sue terrorists \nand their supporters today; and encouraging Justice, DHS, and \nTreasury to consider issuing special cyber warrants to allow \nprivate sector actors to track and even disrupt cyber attacks \nin certain instances to defend their systems.\n    Committee members, thank you for allowing me to appear \nbefore you and discuss global cyber threats. 
My colleagues at \nthe Center on Sanctions and Illicit Finance and I look forward \nto collaboratively devising and implementing strategies to \ndefeat the growing cyber threats that confront our Nation.\n    Thank you.\n    [The prepared statement of Mr. Madon can be found on page \n56 of the appendix.]\n    Chairman Duffy. Thank you, Mr. Madon.\n    And Mr. Bejtlich, you are now recognized for 5 minutes for \nyour opening statement.\n\n   STATEMENT OF RICHARD BEJTLICH, CHIEF SECURITY STRATEGIST, \n                         FIREEYE, INC.\n\n    Mr. Bejtlich. Chairman Duffy, Ranking Member Green, and \nmembers of the subcommittee, thank you for the opportunity to \ntestify.\n    My employer, FireEye, provides software to stop digital \nintruders; we have 3,400 customers in 67 countries, including \nhalf of the Fortune 500. In 2014, our Mandiant consulting \nservice conducted hundreds of investigations in 13 countries. \nSo my testimony today is based on not only my experience doing \nour own work, but also on the experience of our company doing \nthese investigations.\n    The title of this hearing includes the phrase ``cyber \nthreat,\'\' and it is important to understand the threat, but we \nalso need to expand that to include the concept of risk. We \nneed to think in terms of threats, vulnerabilities, and \nconsequences. Risk is a function of these three factors, and if \nwe influence any one, our overall level of security will \nchange, as well.\n    Furthermore, while risk is a forward-looking concept, where \nwe worry about what could happen, some scenarios have already \noccurred, making that theoretical risk an actualized event.\n    I separate damaging scenarios into two buckets, chronic and \nacute. Chronic scenarios occur over an extended period, with \nimpacts spread across time in ways that can be difficult to \nmeasure. Acute scenarios, on the other hand, involve immediate \nand distinct impact, usually with obvious physical or virtual \ndamage. 
Thankfully, we have not yet seen a combination of those \ntwo, meaning long-term, highly-visible costly damage. And \nhopefully, that will remain the case.\n    The United States is currently suffering three important \nchronic damage scenarios. First, foreign nation-state actors \nare stealing sensitive data and commercial secrets from private \norganizations, for use by their domestic industries.\n    Second, these actors are stealing sensitive and classified \ndata on American military and intelligence plans and \ntechnologies to benefit their strategic interests.\n    Third, foreign actors are stealing personally identifiable \ninformation and financial instruments from citizens and \norganizations to benefit national capabilities and fuel \nunderground crime.\n    The United States is also susceptible to two acute damage \nscenarios. First, many of us worry about attacks against \ncritical infrastructure. The electrical grid, financial sector, \nwater supply, and telecommunications systems are the big four \ntargets. To date, according to public testimony and public news \nreporting, some foreign actors have already infiltrated \nelements of critical infrastructure, while others have \nattempted to disrupt critical infrastructure.\n    The second acute damage scenario involves disruption or \ndestruction of virtual infrastructure. And we have two public \nexamples where foreign actors have infiltrated American \ncompanies and destroyed data on thousands of computers.\n    I would like to talk briefly about the four big threat \nactors, and without probably any surprise, they will be the \nsame ones mentioned by my colleagues. 
We worry about nation-states, organized criminals, terrorists,
and activists.
    There is some overlap and mixing of these groups, but if we
are able to handle the top end, the nation-states, our
abilities will sort of flow down and cover the others, so I
would like to talk briefly about the four big nation-state
actors: Russia; China; North Korea; and Iran. And I will
mention that just in the last year-and-a-half alone, Mandiant
has responded to intrusions by all four countries, including
the big public ones I am sure you are aware of.
    Russia poses acute and chronic challenges. Russian
government forces can conduct full-spectrum information
operations, and they possess top tier cyber capabilities,
including the ability to preserve their operational security
and frustrate forensic analysis.
    China also poses chronic and acute challenges. They can
conduct full-spectrum information operations, although not at
the Russian level. Unfortunately, what they lack in their
top-tier capability, they make up for in volume and persistence.
For example, the Chinese theft of commercial and sensitive data
from American companies is unequaled. In my 18 years of doing
this work, I have never seen anything like it.
    Turning to the other two big threat actors, North Korea and
Iran, both of them primarily pose acute challenges--in other
words, the ability to conduct a short, sharp attack. We have
seen this now with the North Koreans, or at least forces that
were under their control, with the attack against Sony Pictures
Entertainment in November of 2014.
    Iran has a similar capability. In fact, they conducted a
virtual destruction action against the Sands Casino in February
of 2014.
Both of these countries have geopolitical risks
associated with them, which makes it perhaps more likely that
they would use a cyber attack to compensate for their military
deficiencies.
    I would like to conclude by mentioning that I hope during
the hearing, we can talk about some alternative strategies to
deal with these threats, primarily shifting from a strategy, at
least in the government, of closing the barn door after the
horses have left, to one of actively looking for intruders that
are already in the network; and also, hopefully, moving from a
situation where if you lose your Social Security number, there
is really no way to recover from that, to one where there are
business processes that can accommodate the loss of personal
data.
    Thank you, and I look forward to your questions.
    [The prepared statement of Mr. Bejtlich can be found on
page 36 of the appendix.]
    Chairman Duffy. Thank you.
    The Chair now recognizes himself for 5 minutes of
questions. The testimony we heard today is quite sobering. I
imagine everyone on the panel and everyone here today has
received a letter that has said, ``Your personal information
has been compromised.'' I think I have received 4 letters in
the last 8 months. The first one I received was quite
disturbing. Sadly, we are just getting used to the fact that
our information continues to be compromised.
    Is anyone's information--is any information safe, whether
we are talking about personal information, we are talking about
programs in the Federal Government? To the panel--
    Mr. Cilluffo. Richard, do you want to--
    Mr. Bejtlich. Sure, I will take a quick shot at it. Sir, I
would argue that history has shown that no data is potentially
safe. We are talking--if you are talking at the very end of our
capabilities in the government, you have the risk of insiders,
like Mr. Snowden or Chelsea Manning.
In the private sector, you
have nation-state actors going after private companies.
    And from my own personal experience, it takes a sustained
effort by a private company to simply hold off a nation-state,
or at least to detect when they have gotten into your company
so you can kick them out quickly.
    So it is very difficult to protect information at all.
    Mr. Cilluffo. Mr. Chairman, to build on that, I think we
will never be in a position to say we can prevent all attacks.
But there are steps we can take to mitigate the consequences
and the potential damage by segmenting and segregating certain
information in different sorts of networks. And that starts
looking inside, understanding your family jewels, understanding
what matters most to either, A, a company, or B, a government,
or whatever it may be.
    But to Richard's point, how many companies, even the
biggest in the world, went into business thinking they had to
defend themselves against foreign intelligence services? That
is precisely what is happening. The current approach is by
definition reactive. Every time we get hit, instead of calling
the police, we call the locksmith. We are building higher
walls, getting bigger locks. At the end of the day that, by
definition, is doomed for failure. It is reacting, reacting,
reacting. We have to push the equation in a different kind of
way. I am happy to touch on some thoughts during Q&A.
    Chairman Duffy. I think that goes to Mr. Madon's point,
where he was talking about not just being on defense. He was
talking about being on offense. And one that we had looked to
the Federal Government not just for defense. I don't know if we
are doing any offensive measures or not, but is there a role
for the private sector, do you think, Mr. Madon, in the
offensive play, not just defense?
    Mr. Madon. I do, and I think it is very varied. I don't
think there is just one approach.
I think first it starts, as
was mentioned earlier, with information sharing. That is a
critical component but that is not the only component. It is
how you share information. And part of that information-sharing
relationship between the government and the private sector has
to start with safe harbor.
    I can't tell you how many times I hear folks from the
financial sector want to share information with the government
but they are concerned about liability. And that liability--I
think before true information sharing occurs, that liability
needs to be addressed.
    Mr. Cilluffo. Could I build on that? Because, think about
it, cyber crime is the only crime I know of where we blame the
victim. Every other crime, you blame the perpetrator. In this
case, we are blaming the victim.
    And I am not disagreeing that companies can and must do
more, but at the end of the day they are up against an
adversary that is very sophisticated and will require at least
the rules of the road. I am not ready for sanctioning companies
to necessarily hack back, but there is a whole bit of policy
space between hacking back and doing nothing but being reactive
and building higher walls.
    Proactive forensics collection. This is key. Think about it
as a football analogy. You have linebackers. Yes, they are
defending against other people trying to score on your system,
but they are blitzing the quarterback. There is more we can do
in that environment as well, whether it is through
technologies.
    But most importantly we need to define the rules of the
road because right now if companies were to engage in this,
they would be breaking laws, the Computer Fraud and Abuse Act
in particular. I think that does require some updating and
close examination.
    Mr. Madon. And my main point is, let's get the conversation
started.
Let's really have a robust conversation with our
Nation, with ourselves, about what it looks like for the
private sector to really track and even disrupt cyber attacks
in certain instances to defend their systems.
    Yes, sir?
    Chairman Duffy. Go ahead. You can finish this thought.
    Mr. Madon. And of course, it would not happen overnight. I
think there is no expectation of that. And it would require a
defendable attribution regime because as our technology gets
increasingly more precise, the ability to attribute the
location of these attacks becomes more enhanced.
    Chairman Duffy. Thank you. I have several more questions
but my time has expired. The Chair now recognizes Mr. Cleaver
for 5 minutes.
    Mr. Cleaver. Thank you, Mr. Chairman. All three of you made
profound statements with which I agree, and I thank you for
being here. Does the United States engage in hacking into
systems around the world?
    Mr. Bejtlich. Well, sir, it depends on what you mean by
hacking. It has been reported in the press, I think as you
would expect, that there are traditional intelligence
operations the U.S. Government conducts, as every other country
does. The significant difference, though, for the United States
is that we don't steal commercial secrets and then give them to
our domestic companies for the purposes of commercial
advantage.
    Mr. Cleaver. The reason I asked the question, is I am
following up on something that was said earlier, and that is,
when we discover that a nation is in fact hacking into
commercial operations or into the Pentagon, which I think has
been done a couple of times, I am just wondering about the
response, in a way that is more than saying, ``We know you did
it,'' which is what I think we have said recently.
    That wouldn't stop me from robbing a 7-Eleven, if I were a
7-Eleven robber, for somebody to say, ``Well, Cleaver, I know
you did it.''
    Mr. Madon.
Sir, I think that is precisely the point. You
highlighted the essential problem, which is that it is
incredibly ambiguous what exactly we are doing as a nation when
our most valuable--our treasures are being stolen from us,
left, right, and center. And I think having a transparent,
concrete plan to address those issues is sorely needed.
    Mr. Cilluffo. Congressman, if I can build on that just a
teeny bit, clearly, we need to penalize the perpetrators and
the adversaries from this behavior and change their behaviors.
To me, that does require articulating a clear cyber deterrence
strategy, to deter, compel, and dissuade. Obviously, that is
going to take on different instruments and instrumentalities
based on both the perpetrator and the incident itself.
    But I feel we do have to be more transparent and be willing
to speak about leaning forward. What good is having the
doomsday machine if no one knows you have it? At the end of the
day, of course the United States has the capability, but we use
it in a very sophisticated and measured, commensurate kind of
way.
    To Richard's point, a number of these countries are doing
it to benefit their companies. That is an unfair playing field
and U.S. companies are penalized greatly by the perceived
and/or real sins of others and we are getting our shirts cleaned
in this case.
    So I do feel there is a way, and there are other
instruments that can be brought to bear, both proactive, but
also sanctions. The Administration recently promulgated an
Executive Order that allows for using economic sanctions
against cyber perpetrators.
    I think it is going to be put to the test really soon. We
will see how it plays out in reality, if we can translate those
nouns into verbs.
    Mr. Cleaver.
Someone hit on this earlier, but is it
possible--do we in fact have the technology now, or are we
capable of producing the technology that would create a
zero-fail system?
    Mr. Bejtlich. Sir, in my experience there is no such thing
as a non-hackable system, and I think that is what you mean by
zero-fail.
    Mr. Cleaver. Yes. So, go ahead, Mr. Madon?
    Mr. Madon. And likewise, there will never be a system or a
condition where attribution will be 100 percent. That is also
an ideal. But I think it is a matter of weighing risks. And
this revolution in attribution where technologies are advancing
to the extent where we are very confident that certain attacks
originated from a certain state actor, for example, I think
that we are getting to a place where we can be comfortable with
the amount of risk that we are taking on.
    Mr. Cleaver. After North Korea hacked into our system, Kim
publicly said that didn't happen, we didn't do it. And so I was
hoping on the next day we could produce something, some
indisputable evidence that yes, you did it, and here is how we
know you did it. Does that exist?
    Mr. Madon. That is the Treasury model, sir. That is
precisely what we did with illicit finance. We confronted those
nation-state actors with declassified intelligence and said,
yes, you did.
    Mr. Cilluffo. Can I build on that, because I am going to
throw a compliment in Richard's direction. Mandiant, in their
report on China and their activity, that was the smoking
keyboard. Very difficult to discern, but they did demonstrate
smoking keyboards. You are starting to see attribution improve
dramatically. Never to 100 percent. The smart actors are using
proxies.
They want the veneer of plausible deniability if they
get their hands caught in the cookie jar.
    But there are other means than simply cyber forensics to
get information on who is doing what, so we have other
intelligence capabilities that can be brought to bear.
    Mr. Cleaver. Thank you.
    Chairman Duffy. The gentleman's time has expired. A smoking
keyboard, that is quite an analogy.
    The Chair now recognizes the gentleman from Pennsylvania,
Mr. Fitzpatrick, the vice chairman of this subcommittee, and
the chairman of the Task Force to Investigate Terrorism
Financing, for 5 minutes.
    Mr. Fitzpatrick. I thank the chairman. Mr. Cilluffo, the
four nation-states that you mentioned in your opening
statement--Russia, China, Iran, and North Korea--it seems like
every time you talk about nation-states and cyber terrorism,
those are the four nations that sort of roll off your tongue.
    I was wondering if you can discuss how each of those
nations decide or select the subject of the attack and how it
may differentiate between the four of them?
    Mr. Cilluffo. Excellent question, and not an easy answer
because it is going to come in various sizes and forms. In
China, we heard, and I think Richard said, it is a numbers
game. They have so many bodies they can throw at the problem
that they are quite sophisticated, deeply involved in not only
military application and cyber capability but obviously in
economic and industrial espionage.
    Russia, I think, is the more sophisticated actor of those
two. They are integrating cyber into not only their war
fighting but into their intelligence apparatus, which often
includes human intelligence, according to the U.S. National
Counterintelligence directorate of a couple of years ago. They
lean so heavily on--and it is worth touching on proxies.
    So in China, we know military officers are moonlighting.
After work hours, they are doing business for others.
In
Russia, what you have is more a criminal underground, that they
turn a blind eye, but when the government wants them, they do
their bidding. Which is maybe very different than Iran, for
example, which is turning to its hacking underground, the
Ashiyane network, the Basij. They are actually co-opting them
into the fold, their activity, which is very different.
    So when the stakes are really high, the country that--and
it is worth noting--so computer network exploiter, espionage,
computer network attack is using attack mode. If you can
exploit, you can attack. And there has been article after
article after article on countries that have done the cyber
equivalent intelligence preparation of the battlefield of, say,
our electric grid. That has no economic value but it has
significant value in a national security kind of setting. So I
am concerned that if the intent shifts, the capability goes up
exponentially.
    Now Iran, North Korea, they are less constrained perhaps by
some of this activity, so they are going to be going to the
cyber drive-by shooting equivalent, which is easily built
because the bar is low, and also a more sophisticated
capability.
    And it is worth noting, these are the countries we talk
about. Every country that has a modern military has a cyber
capability as well, so it is worth noting that.
    Mr. Fitzpatrick. Is it possible to know really whether the
attack is coming from the state sponsor or from just a group of
private hackers, say within Russia?
    Mr. Cilluffo. That is the $64,000 question. So the 2007
attacks on Estonia, was that driven by the Kremlin? I think the
messaging was driven by the Kremlin but I think in this case
you actually had criminal actors engage in that activity. So
that is where some of this forensics collection becomes so
important.
    Mr. Fitzpatrick.
Did you have an opinion as to the number
of prosecutions or actions brought by the Administration in
response to cyber attacks?
    Mr. Cilluffo. Not nearly enough. Right now, we are
penalizing the victim. So I actually think that in Russia's
case, you have a small number of actors who are responsible for
developing most of the tools that are being used in the
underground, or the malware, or the botnets that are being
rented.
    If we could go after--I recently had the head of EUROPOL in
and he said 80 percent of their attacks were coming from
Russian-speaking countries. He had claimed there are about 150
super-hackers. Maybe instead of spending billions of dollars on
our cyber security, we should aggressively pursue those 150
hackers.
    Mr. Fitzpatrick. Mr. Madon, on the subject of financial
institutions, clearly, there is a public role in coordinating
response and defenses, and a purely private role as well. But
within the financial institutions, we have to encourage the
institutions to be communicating with each other, to support
each other.
    But also within individual institutions, is there a
challenge of divisions of certain, say, banks or related banks
in different countries, even within those institutions talking
to each other?
    Mr. Madon. Of course that is the case, sir. But I think
that the decision by many global financial institutions to
create these financial intelligence units that cross the
different verticals within the bank is a terrific effort. And I
am seeing more and more of those units being created and being
empowered and properly funded.
    Mr. Fitzpatrick. My time has expired.
    Chairman Duffy. The gentleman yields back. The Chair now
recognizes the gentlelady from Ohio, Mrs. Beatty, for 5
minutes.
    Mrs. Beatty. Thank you, Mr. Chairman, and Ranking Member
Green. And thank you to our expert witnesses here today. I am
not sure how I feel.
I guess I wanted you to be able to answer
Congressman Duffy's question by saying, yes, that some of our
information is protected and safe and we could work through
this and come up with a fail-safe system. But that does not
appear to be the case.
    As I recall, in February James Clapper, the Director of
National Intelligence, testified before the Senate Armed
Services Committee, and in that testimony, he stated that in
the future we might see more cyber operations that will change
or manipulate electronic information in order to compromise its
integrity--that is, its accuracy and reliability--instead of
deleting or disrupting access to it.
    And obviously as members of the subcommittee who oversee
the financial regulators, part of our role is to ensure the
integrity of financial information.
    So I would like to know whether the panel agrees with
Director Clapper's assessment of future cyber operations to
manipulate data, and if you do, what can our financial
institutions and regulators do to combat such attacks to ensure
the prevention of manipulation of financial data?
    Mr. Bejtlich. Yes, ma'am, I agree with that assessment. The
manipulation of data such that there is an effect, but no one
really understands what happened. That is the top end of the
problem. The way to counter that, and honestly, the way to
counter all of these problems, in my opinion, is to have a
strategy that relies on detecting the infiltration before the
adversary completes the mission.
    In other words, we currently have delays of upwards of 200
days or so between when an intruder gets into a network and
someone notices. And the someone noticing, two-thirds of the
time, is the FBI. That needs to change.
We need to have a much
tighter window so that when an intruder gets into the network,
someone notices quickly and cuts them off before they
accomplish their mission.
    So although we can't stop everyone from getting to the
data, if we can stop them before they change it, steal it, or
destroy it, then we win.
    Mr. Madon. I also agree with General Clapper on that. I
would say there is another half of that equation, which is
actually more disturbing. I mentioned this briefly, and that is
the insider threat. So an insider threat can be a malicious
employee who started in an organization feeling great about the
financial institution, and then somewhere along the line became
disgruntled. It could be a compromised system, or it could be a
very sloppy employee.
    I think focusing these efforts also on the insider threat,
and understanding your employee--financial institutions are
becoming and have--are experts at knowing their customer. They
are required to do that. I think it is time to also expand that
to include knowing your employees.
    Mrs. Beatty. Okay.
    Mr. Cilluffo. Sadly, I too agree. We have actually seen it
based in recent public cases as well that the data has been
manipulated. But I think in terms of your oversight
responsibilities, if I may be so presumptuous, what makes this
committee so significant is a sustained campaign against our
banks, markets, clearinghouses or other areas is the potential
to erode trust and confidence in our very systems themselves.
    It is all about perception, and that is with markets, and
that can include data manipulation. But there are backups.
There are ways where you can stave off the bleeding, and I
think both of the other witnesses said there is a lot more we
can do in terms of detection.
    And I might note, of all the sectors of our critical
infrastructures, yours is so much further along than others.
I
am actually worried about regional banks more than I am Wall
Street. It is Main Street. It is all the regional banks and
financial institutions outside of Wall Street that are going to
be the primary targets.
    Mrs. Beatty. Okay, thank you. In my few seconds left, two
of you testified that with corporations being at the tip of the
spear in the question which related to public and private
partnerships.
    What are the tools needed in the private sector, and if we
start with regional banks, what are the tools they need to be
in the game, to help themselves and us with them?
    Mr. Cilluffo. The financial services sector has what is
called the Financial Services Information Sharing and Analysis
Center, the FS-ISAC. It is the gold standard of information
sharing and analysis centers. They have even gone so far as
having automated information sharing in terms of known
signatures and IP addresses through an entity called Soltra.
    So I think that we need to expand that beyond some of the
bigger financial institutions to others, but there is a model
to turn to and it is one that is actually working.
    Chairman Duffy. The gentlelady yields back. The Chair now
recognizes the gentlelady from Missouri, Mrs. Wagner, for 5
minutes.
    Mrs. Wagner. Thank you, Mr. Chairman, and I thank our
panelists for being with us here today. As we have all
discussed, cyber security is quickly becoming one of the
largest threats to our country and carries severe national and
economic security concerns.
The studies have shown the number
of security incidents in the United States every day ranges in
the hundreds of thousands, and we seem to learn of a new major
cyber breach almost every week.
    Earlier this year, millions of customers with health
insurer Anthem had their personal information compromised, and
just recently, as we have discussed over and over again and we
will be in briefings later on today, the Office of Personnel
Management announced that millions of confidential records on
current and former Federal Government employees have been
compromised.
    Not only does this represent a major threat and breach of
privacy for the individuals whose information is compromised,
but it hampers our ability to gather intelligence abroad, and
empowers and emboldens foreign governments, many of whom are
behind these attacks.
    In both of these instances that I mentioned before, we know
the attacks are attributed to China, to their cyber unit that
engineered the attack. However, what we don't know is, how is
our government responding and helping to prevent attacks like
this in the future?
    You all have talked about a number of risk factors out
there and things that are being done, but clearly current
actions by the United States to address specifically Chinese
and Russian cyber space capabilities are not sufficient. And I
never, ever like it when the U.S. Government is in a reactive
mode. Nor do I like to hear that it takes upward of 200 days to
notice an intruder.
    As some of you talked about building, we just seem to be
reacting, building that firewall higher and higher, yet wow.
Why is it taking upwards of 200 days for us to notice,
recognize an intruder? Would anyone like to respond to that?
    Mr. Madon. Sure, I couldn't agree with you more, ma'am.
There are certain things we can do.
One is, as I mentioned,
enhancing Section 314(b) of the USA Patriot Act, which will
allow financial institutions to share information about
cyber-related financial activity within their sector without
liability. So enhancing those safe harbor provisions is
absolutely critical to that.
    Mrs. Wagner. Mr. Madon, let me interrupt. I believe the
House has moved on that through CISPA, and on a voluntary
basis, as agreed for that kind of sharing, both within industry
and in the government, if they voluntarily choose to. Is that
correct?
    Mr. Madon. Yes. So I think the safe harbor, not just trends
of cyber information but specific, pointed information that
banks can share with each other.
    Mrs. Wagner. Right.
    Mr. Madon. So expanding it not just between the private
institutions and the government, but also within and among
financial institutions.
    Mrs. Wagner. Without liability.
    Mr. Madon. So what I am saying is, start the conversation,
figure out a way to enable that, because if there isn't a
conversation and sort of a template that banks and financial
sector institutions can use, then the information simply isn't
going to flow.
    So I am not saying it is easy, ma'am, and it would take
quite a bit of thought, but I think that if the conversation
begins in bringing in the private sector to come up with
creative solutions, there is a possibility.
    Mrs. Wagner. I think you are right. Let me ask you also,
Mr. Madon, while I am at it, are there currently adequate
international frameworks in place governing nation-states' use
of cyber attack?
    Mr. Madon. In short, no. I don't think there are.
But I
think what we can do is again look at the Treasury model and
look at the Financial Action Task Force as a model, which is an
international body which sets international standards and norms
on anti-money-laundering, accounting, the financing of
terrorism and proliferation financing.
    We can use that FATF model in a cyber context as a way of
bringing the nation-states to work in a FATF-type body and
assess implementation and effectiveness of international norms
and standards.
    Mr. Cilluffo. Can I add just very briefly?
    Mrs. Wagner. Yes.
    Mr. Cilluffo. There are some initiatives out there. The
Council of Europe, for example, has a cyber crime convention
which I think is at least a starting point in terms of inducing
changes in behavior.
    But I think the bigger issue here is we do need to
articulate a clear deterrence strategy, and we don't deter
cyber. We deter actors, so it will have to have a deterrence
strategy that is focused on all the different perpetrators and
actors and what the commensurate penalties and response will
be.
    So I think there is an awful lot that needs to be done, and
I think we actually need new cyber alliances. Let's start with
our five-eyes community--the U.S., the U.K., Canada, New
Zealand, and Australia--and build that out to our transatlantic
partners in Europe, then start building out, building that out
to allies in Asia, Japan, Korea, in the Middle East, Israel,
and on it goes. We haven't really had those conversations in a
significant kind of way.
    Mrs. Wagner. Thank you very, very much.
    I apologize for going over, Mr. Chairman. I yield back.
    Chairman Duffy. The gentlelady yields back. The Chair now
recognizes the gentleman from California, Mr. Vargas, for 5
minutes.
    Mr. Vargas. Thank you very much, Mr. Chairman. Again, thank
you for this discussion.
It is interesting today to hear some
of the words that came out: smoking keyboards; stop the
bleeding; doomsday machine. It almost seems like a 1960s movie
in some ways. Hopefully, it has a happy ending.
    One of the things that did strike me was that you said we
need to have a robust discussion in our country, and I think we
are starting to have that, to be frank. Everyone is afraid of
losing their personal information, especially their Social
Security number.
    And we need to penalize the cyber criminals. That gets
tough if they are the top-ranked nations, foreign nations. That
is a difficult situation. We need to lean forward. We have the
capabilities, the doomsday machine. What doomsday machine? I am
not familiar with any doomsday machine.
    Mr. Cilluffo, I think you are the one who mentioned we
have--what doomsday? What are you talking about?
    Mr. Cilluffo. It was meant to demonstrate that we have
offensive capabilities that can be brought to bear as well. And
if you don't articulate, and to some extent be transparent
about that, perpetrators--
    Mr. Vargas. Let's talk about that, because I think what you
meant is maybe disrupt them. In other words, if they are
disrupting us, we disrupt them more. Is that what you mean?
What do you mean by these capabilities?
    One thing is trying to find out who they are, and it sounds
like we have the capabilities to do that, to figure out now who
are the perpetrators. It seems like we are getting better and
better at that. So we find out it is Russia. What do we do?
    Mr. Cilluffo. That is way after-the-fact, though. So to
Richard's point, there are steps that can be taken left of
boom, or in this case before an actual breach and/or incident
occurs. And in terms of some of our capabilities, sometimes all
you need to do is demonstrate that and that has a net deterrent
effect, or it can dissuade.
It can raise the stakes, make the
penalties so high that they may decide not to engage in this
activity.
    So what we are really talking about is inducing changes in
behavior. If people feel that they can get away with this and
get away with this in a wanton kind of way, you are going to
see more and more and more and more activity. So the point is,
how do we shift that equation where you raise the costs.
    Mr. Bejtlich. Sir, if I could just quickly say, this is
sort of like an American football game where you have the
Patriots versus the Broncos. Tom Brady plays against the
Broncos' defense and Peyton Manning plays against the Patriots'
defense. We need our Tom Brady going against their Peyton
Manning. In other words, our offense disrupting their offense.
    Mr. Vargas. I like the football analogy. I was a
linebacker. I like the blitzing linebacker. It is fun to tackle
the quarterback. But I guess my question really is, it seems
like you could figure out who these guys are, but then how do
you punish them? Really honestly, at the end of the day, how do
you go and punish them? You have all these companies in China
that are stealing our information. How do you at the end of the
day punish them other than strict sanctions? How do you do
that?
    Mr. Bejtlich. Sir, at the operational level I have seen
these guys attacking targets and slowing down and not being
able to accomplish their mission because of friction introduced
by the defender. If you are an attacker and someone is suddenly
attacking your system, kicking you off the target, kicking you
off your own system, maybe deleting your system, that raises
the cost quite a bit.
    And many times we think that these guys are 10 feet tall
and bullet-proof. There are guys who are sitting in uniform, 18
years old, following a script, essentially.
    Mr. Vargas.
Let me get to one thing I did want to get to before my time runs out, and that is, you did talk about Social Security, that if someone's Social Security number is hacked, there should be some protocols in place or something to be able to put that person back to where he or she was.
    Why don't you talk a little bit about that, because I think people are very interested in that.
    Mr. Bejtlich. Yes, sir. So when you steal a credit card and you lose a credit card, there is basically no cost to recover from that. When you lose your Social Security number, when you lose your healthcare records, I don't know how you recover from that. You are looking at unbounded cost.
    We need to replace the Social Security number with something that if it is public, it doesn't matter. We need to move to a system where we acknowledge that if the data gets out, there is a way for the customer to recover from that. And right now, when a Social Security number is used as a method of identification and authentication--if you know my Social, you can log into Web sites essentially, and that has to be changed.
    Mr. Vargas. Anyone else want to comment on that? Because I think that is important, something that takes a little thinking outside the box. Would you like to comment on that, sir?
    Mr. Madon. Sir, sorry, on your former point I would say you mentioned sanctions. And I just point to the incredible work that the Executive Branch and Congress did--
    Mr. Vargas. If I could interrupt you for just one second. One of the things that was interesting--I am from California and of course we have great capabilities there. The FBI and the Treasury have been named over and over again as models of doing a good job. Private companies are also, and I think that is important to know because it seems today that we are talking mostly about the good work that the Federal Government has done, but California also--
    Mr. Cilluffo. Mr.
Vargas, could I just pick up on that, because I actually think the future is within the private sector, and not only domestically but also in cooperation, concerted efforts with others.
    Mr. Vargas. Thank you. My time has expired. Thank you, Mr. Chairman.
    Chairman Duffy. The gentleman yields back. The Chair now recognizes Mr. Tipton from Colorado for 5 minutes.
    Mr. Tipton. Thank you, Mr. Chairman.
    I appreciate you bringing up the Broncos and the Patriots. I am out of Colorado, so, this is very disturbing, obviously, in terms of the real threats that we are going to be facing as a country.
    Mr. Cilluffo, you were talking about penalizing the risk victims, and I happen to agree with that. We are going after the banks who didn't--or, even Home Depot, I think that was cited earlier, in terms of testimony, as opposed to the culprits who are perpetrating the crime.
    A lot of my concern that I see is when we are looking at the Chinese as an example, we have heard the reports that they have our plans for the F-35. They were able--not only coming at it from an economic standpoint, but also from a military standpoint as well. And, we are talking about the doomsday machine when we are--staying with the football end of this, it's said that the best offense is a good defense.
    I understand being proactive, so how do we find that proper balance? As a Nation, shouldn't we be incredibly concerned if they are able to get into our military industrial complex to be able to steal some of our best technology? And, then we move into the financial end of the world, and our bank accounts are going to be exploited, and then we can shut down the electrical grid as well.
    How do we get those components together to be able to be on the offense?
    Mr. Madon.
Sir, that is a great concern, and I actually share the view that the private sector is very much a part of the solution to that.
    Some of the reforms that I mentioned earlier are a rewards program for groups to uncover and identify cyber hackers to U.S. courts and authorities; empowering the victims of attacks to sue the perpetrators, and those benefiting directly from cyber infiltrations, just as victims of terrorist attacks can do so today.
    And, also, unleashing cyber forensic teams, and private litigants, and plaintiffs' lawyers against those attacking U.S. systems.
    Mr. Tipton. Now, what are we going to do? There is something called sleep malware that can be put into a system to be activated at a later time. When we are identifying some of the threats that are going to be in place against us--if it is just sitting there, and it is late, and it is not doing anything, can we identify that now?
    Mr. Cilluffo. Actually, that is an excellent point, because most breaches today occur vis-a-vis or through vulnerabilities in your supply chain, or third-party vendors. And until you start looking at this issue holistically, that is a legitimate vulnerability we need to be thinking about.
    I might also note, though, the defense industrial base, they do have unique pilots, vis-a-vis, information sharing with the public and the private sector with government--along with the financial services sector. I think they are up there, but even they, as we saw, have been successfully hacked--whether it is RSA, you name the entity. They have been hacked to one extent or another.
    I am going to take a different approach--I think the economic instruments here could be very valuable and useful. I actually think China, long term, will have enough to lose that they will recognize that there is some change in behavior that they need to consider and think about, unfortunately it is not there now.
They are seeing immediately in front of them, why spend billions on R&D if we can just steal it, and spend it on gaining market share.
    But, at some point they will have market share that they are really concerned about, but I do think that could level it out a little bit, which is different than actors that want to cause harm. So,--that are driven--and I am not suggesting China doesn't, because they are investing in military technologies as well, but that is something we need to be thinking about.
    Mr. Tipton. Do we have an issue, as a country, when we are having software, as an example, maybe being written in China? Coming into our country, and then we start bringing into the component of it, trust your employees--we have technology that we are using in our systems right now that is being written overseas. Is that something that we need to examine?
    Mr. Bejtlich. Yes, sir, it is absolutely a concern, and, in fact, the top end attackers, when they realize they can't get into a target technically using the cyber component, they try to get their nationals hired as programmers in sensitive companies.
    Mr. Tipton. And secure coding, that is something the United States ought to be investing in. If we built planes the way we code for software, none of us would ever fly. So, at the end of the day there are initiatives from a STEM education standpoint that we can be looking at in terms of secure coding and the like.
    Mr. Madon. There are companies out there, like my own, which is looking very much at the inside threat which a compromised system would be, so that when that malicious software fires up it is identified within the system. So, there are tools, and techniques out there to identify those problems. It is not foolproof, but they exist, and getting better.
    Mr. Tipton. Thank you, Mr. Chairman. My time has expired, and I yield back.
    Chairman Duffy. The gentleman yields back.
The Chair now recognizes the ranking member of the subcommittee, the gentleman from Texas, Mr. Green, for 5 minutes.
    Mr. Green. Thank you, Mr. Chairman. I thank the witnesses as well, and I greatly appreciate your testimony.
    You have spoken of an offensive tactic, or strategy, if you will. And, what you seem to be saying is rather than have a firewall, create a backfire; fire back. Be offensive. Let people know that there are penalties, that there is a price to pay for encroaching upon our technology and our systems, our software.
    Now, is there technology currently available such that we can now, without attribution, without the certainty of attribution, attack the source without having actual attribution?
    Mr. Bejtlich. Sir, the U.S. Government has unique attribution capabilities to trace all the way back to the true source of an activity. This is one of the few areas I disagree with my co-panelists in that I don't feel that it is the role of the private sector to be doing hack-back. We can enable attribution, we can help through our own forensic investigations, figure out what is happening.
    I would much rather see the private sector engage in finding intruders and removing them quickly, and leave the power of striking back at the adversary as part of the state's monopoly of force.
    Mr. Green. Yes, if we had this unique ability to strike back at the point of origin, what is it that causes us to hesitate, if indeed we are hesitating?
    Mr. Cilluffo. Congressman, first, for the record, I don't advocate hacking back. I think there is a lot that can be done in terms of proactive forensics collection, but, one thing--and you used fireback, I look at it more as suppressive fire so you are protecting your systems. The challenge with some of the technology--
    Mr. Green. Excuse me, if I may, I really am not talking about suppressive fire. I appreciate your--
    Mr. Cilluffo.
No, I was saying--
    Mr. Green. --I understand, but what I would like to know is what can we do to the hacker that is actually attacking our system. Why can we not? If we know that the point of origin is a certain place, why can't we go to that place and take offensive action as opposed to continuing to be on the defense?
    Mr. Madon. Sir, at a minimum, we can remove them from the formal financial sector. We can--
    Mr. Green. --No, no, no, I am not--I am talking about attacking that system. What is it that prevents us as a part of our countermeasures, our defense becomes an offense of attacking that system that is attacking us?
    Mr. Cilluffo. Friendly fire?
    Mr. Green. I don't--
    Mr. Cilluffo. --because there could be innocents along--in other words, exploiting other systems that you would be taking down, and God forbid, one manages a hospital in Pyongyang--
    Mr. Green. --I see, but--
    Mr. Cilluffo. --or whatever it may be.
    Mr. Green. Well, I needed to hear that.
    Mr. Bejtlich. Sir, I think there is also a gain-loss in the intel community which says they would much rather watch the fireworks than let the adversary know that they see the fireworks by interfering with their system. So, there might be some resistance that has to be overcome.
    Mr. Green. All right, let's talk about credit cards for just a moment. It is my understanding that you can go online and buy credit card information. I am interested in seeing this actually happen--seeing a demonstration of this kind of activity. I understand that if you are sophisticated enough, you are supposed to be able to do this, and people are actually buying credit card numbers, and they are buying Social Security cards.
    Is there any place available to members, or more specifically to me so that I can get a demonstration of how this actually works?
    Mr. Bejtlich.
Sir, there are companies out there that investigate this sort of behavior. It is not something we do at FireEye. You may actually be able to find some banks who will show this because one of the ways they validate they have been hacked is to go out and buy a sample of these credit cards to determine if it came from their system. And by doing so, they initiate a response.
    Mr. Green. Are these available--is the credit card information available to just anybody? Can anybody go online and find this information and buy the--so that I can steal another person's identity? Actually buy this information? Is it available?
    Mr. Bejtlich. It is available, but you tend to have to be a vetted person who is brought in by another criminal.
    Mr. Cilluffo. It is referred to as the Dark Web, so there is the cyber equivalent of black markets, and it is worth noting that credit card data is now going for cents on the dollar whereas health care records are going for much more because the potential to commit fraud and the likelihood of getting caught is less.
    And, also worth noting in particular, they are going after children's health records because they are not checking their credit until they are 18, so you could have 10 years of fraud committed against you.
    Mr. Green. Are you of the opinion that the penalties for identity theft are sufficient? Do we have sufficient mandatory penalties, do we need stiffer penalties for identity theft?
    Mr. Bejtlich. Sir, I think the penalties probably are harsh enough. We just had a prosecution of someone who ran something called the ``Silk Road,'' and he essentially got life in prison for running an underground site.
    Chairman Duffy. The gentleman yields back. The Chair now recognizes the gentleman from Maine, Mr. Poliquin, for 5 minutes.
    Mr. Poliquin. Thank you very much, Mr. Chairman.
I appreciate it, and I thank all of you gentlemen for being here today.
    This is a very sobering exercise for a lot of us who are not experts in the area that you folks are in. We have to--as a country, I believe, stay on offense when it comes to a lot of these issues, and Congresswoman Wagner commented on that a little bit. And, what I have heard today where you have not only terrorist organizations, and you have organized crime, but you also have sovereign states.
    You have countries that are supporting cyber attacks against our infrastructure, our health insurance companies, our cell phone companies, military installations, and this is, as we all know, very serious stuff. It threatens our way of life, our economy, jobs, and when our economy can't function because of these sorts of threats then we can't generate the tax revenues that we need to defend ourselves.
    This is really serious stuff, and there is a big cost to this, and I understand that. I don't understand all the specifics, but I understand there is a huge cost to our country in doing this. So, in anything in life, any organization you need to have leadership. If you have leadership and you marshal the resources of a country like ours to address a problem, I am certain we can do that, and it sounds like we are not doing that, and we are not staying on offense in a coordinated way as much as we can be.
    So, my question to you, and I will start with each of you, whomever would like to go first, Mr. Cilluffo--am I pronouncing it right?
    If you were the President of the United States, and you controlled one third of our government, and you were the Commander in Chief, what would be the one thing that you would do to fix this problem?
    Mr. Cilluffo. A great question. I wish there was one silver bullet I could turn to address this, but, by and large, I would look at owning the interagency piece.
Do all that we can to enhance not only our own cybersecurity, but also demonstrate our capability. Articulate a deterrent strategy, articulate the penalties, follow through. There are a lot of nouns, not a whole lot of verbs. We have to follow through. These bright lines are being transgressed regularly.
    And, more importantly, I would find ways to build on the private sector's capability--
    Mr. Poliquin. Okay. Let's drill down a little bit more, if I may, Mr. Cilluffo. We are not the only country that has this problem. We know who the bad actors are, right? Russia, China, North Korea, and Iran when it comes to state sponsoring of these cyber attacks. So, other developed nations across the world have these same problems. A lot of our friends in Europe, for example, and the Pacific Rim.
    So, my question is, wouldn't part of this activity to stay on offense as a country, to protect our homeland, protect our economy and way of life, and our freedom include coordination with other--
    Mr. Cilluffo. Unequivocally.
    Mr. Poliquin. With other people around the world?
    Mr. Cilluffo. Unequivocally.
    Mr. Poliquin. And that can be done, correct?
    Mr. Cilluffo. It can, and it has not--
    Mr. Poliquin. --and it has not been done, correct?
    Mr. Cilluffo. Not to the extent it needs to be done.
    Mr. Poliquin. Mr. Madon, what do you think? If you were the President of the United States and you had all these resources at your disposal, what would you do?
    Mr. Madon. I would call a meeting together with my staff and say, ``What authorities do I have to hit them back, hit them back hard, and do it publicly? Very publicly?''
    Mr. Poliquin.
And, that would include, clearly--because you mentioned this before, dealing with international law, or the development thereof, to make sure that those that are responsible for this are held accountable because in many cases, it seems to me, that we probably have the resources to find out who these people are.
    We certainly know who the countries are, correct?
    Mr. Madon. Absolutely, sir.
    Mr. Poliquin. Mr. Bejtlich?
    Mr. Bejtlich. Sir, I would first accept that the government is compromised. We need to go out there and find these guys now. We have to do that.
    Mr. Poliquin. When you say the government is compromised, do you mean in a case like China, or Russia? Is that what you mean?
    Mr. Bejtlich. There are intruders in the network. We need to go out there, find them, and kick them out. That will be the first message we send, is that we see you, and we are doing something about it.
    Mr. Poliquin. And we have the resources to do that, in your opinion?
    Mr. Bejtlich. I don't know, sir, if we have the resources necessary.
    Mr. Poliquin. Do we need to do anything here, anything in Congress? Do you have the legislative support that you need, or anything else that we can do in Congress to make sure that we have an opportunity to stay on offense with respect to this?
    Mr. Bejtlich. I think a reinterpretation of the FISMA law that focuses more attention on detecting and responding to intruders, and less on building up the walls might be necessary.
    Mr. Poliquin. Okay. Great. Anything else from any of you?
    I appreciate very much you being here to help educate us. Keep this country on offense to stop this. Mr. Chairman, I yield back.
    Thank you very much.
    Chairman Duffy. The gentleman yields back.
Without objection, members of the full Financial Services Committee, who are not members of the subcommittee, may participate in today's hearing for the purposes of making an opening statement, and asking questions. We do have Mr. Royce from the full committee. Mr. Royce is also chairman of the House Foreign Affairs Committee.
    Mr. Royce, you are recognized for 5 minutes.
    Mr. Royce. First, let me thank Chairman Duffy, because we are looking at the same issue in the Foreign Affairs Committee. I thought I would pursue a line of questioning here. There are some questions that--they are brief questions, but they are a little complicated. I will start with Mr. Cilluffo and ask him what constitutes an act of war in cyberspace?
    Mr. Cilluffo. I am not sure we have enough time for me to try to explain--
    Mr. Royce. Oh, try to be succinct.
    Mr. Cilluffo. If it does affect our national and economic security, and it is driven by a nation-state actor, Article 5 could be triggered. For example, in the NATO context, if Russia engaged in a computer network attack against Lithuania, that doesn't have to be a military attack, it can also be on civilian infrastructures.
    Mr. Royce. So, in terms of our obligations with NATO, you see the possibility here that cyberwar and cyber terrorism, or the actions taken, depending upon the extent of it, could be so interpreted?
    Mr. Cilluffo. Absolutely. I mentioned earlier Five-Eyes, NATO, Transatlantic, and then bilats with Korea, Japan--
    Mr. Royce. You are listing a lot of treaties here that we are in--it is an interesting question because obviously, in the case of North Korea hacking into the banking system of South Korea, you had that special bureau in North Korea.
It gets even more complicated because I think those individuals were doing some training up in Moscow.
    I think they were training them, but, as we dig deeper and deeper into this, this is, sort of, the trip-wire that we are discussing here because they were intending to bring down the banking system in South Korea, and, in fact, did quite a job of making it possible for a few days for that to work. I always wondered where they got the expertise in North Korea to do that, but, who in the Administration decides what is an act of cyberwar, or cyber terrorism, or cyber vandalism as the President called that Sony hack--cyber vandalism.
    Who makes that decision in terms of differentiating how we designate one of these assaults?
    Mr. Bejtlich. Sir, from what I have seen, it is the President's call.
    Mr. Royce. And how, if at all, is the Administration responding differently between cyber attacks from inside the United States to those that are generated from outside the border of the United States?
    Mr. Bejtlich. Sir, from the perspective of attacks that are conducted by people in the United States, we generally have the law enforcement capability to find them, apprehend them, and prosecute them--which is a capability that does have some effect here.
    Mr. Royce. Does this call into question whether the Pentagon should have the capability if this is, as you have indicated, an act of war to a certain point? That we should--once upon a time, Billy Mitchell sort of drove our policy by dropping that test bomb on that battleship closer than he was supposed to, to make a point that we needed an air force. We needed a new branch of the service, basically, because this was going to be a new form of warfare, and along came Pearl Harbor and proved Billy Mitchell--he may have been court-martialed for it, but he was absolutely right.
    We needed a separate branch. We needed an air force.
Are we in a situation now where because--and let's face it--we have advanced warning on this in terms of what Iran intends and some of the other actors intend, to say nothing of some of the other terrorist organizations that now call themselves a state. They have announced that this is a cheap way for them to carry out war against the infidel, or war against the United States--
    Mr. Bejtlich. Yes, sir--
    Mr. Royce. Are we at that point where we need to consider this in terms of our national security in the same way during World War Two that it dawned on us that we needed a separate branch of the service, the Air Force, in order to handle a new mode of warfare?
    Mr. Bejtlich. Yes, sir, I tend to lean towards the creation of a cyber force, and I have some pending research on that topic.
    Mr. Cilluffo. Congressman Royce, if I can build on that, it really is about delineating Title 10 activity within our armed services community.
    Right now, I think some of the intelligence activity trumps some of the Title 10 activity. I do think we have to get to the point where we can stand up combatant commands and, at some point, I, at the very least, see cybercom being, firstly, a full combatant command, not part of strategic command. And, also, more in a Title 10 hat than its Title 50 hat coupled with NSA.
    Mr. Royce. And that leads me to the next question, which is, how far along is Moscow on this?
If they are at the point now where they are taking from the North Korean bureau responsible for cyber attacks, taking students into Moscow and teaching them these capabilities--I read this in the paper, I don't have the details on it, but it is pretty obvious that they got the training somewhere.
    If they are setting up and using proxies, and have become that aggressive, how far along are they, apparently, in setting up a separate department and giving them this charge--this responsibility, in terms of their offensive capability?
    Mr. Madon. Sir, I think it is quite evident from the attacks that we have seen that they, the Chinese, and our adversaries, are quite far along. And, I think that our response needs to be vigorous, and needs to be extremely public--
    Mr. Royce. We are behind them, in other words. We are not as far along as they are in terms of defense. Thank you very much.
    Chairman Duffy. The gentleman's time has expired. The Chair now recognizes the gentleman from Arkansas, Mr. Hill, for 5 minutes.
    Mr. Hill. Thank you, Mr. Chairman. I appreciate the opportunity. Excellent topic. It deals on our committee hearing that we had the other day on cyber security issues. We have--I am working 60 cases in Little Rock of doctors who have had their identity stolen for filing their tax returns this year. So, it is a real-life issue, and certainly in Little Rock, Arkansas.
    And, one thing that struck me--we talk a lot around here, and we have our budget priorities, and the Administration has their budget priorities of the flavor of the month, whether it is environment, or something else, and yet, I think one of the biggest risks that we have are the IT systems of our Federal Government.
    And we haven't talked much about that today. The IRS, of course, their disclosure--I thought West Virginia was impenetrable, but perhaps not.
And, we had the HUD Secretary in last week, and his IT system was probably put in when President Johnson was in office.
    So my question is, can you assess for me the risk we have with the data maintenance systems of our domestic agencies? Obviously, OPM will have a classified briefing today on it at 1:00.
    Mr. Madon. Sir, I think it is unfortunately very apparent that it is underfunded, it is underresourced, and that there are true institutional challenges with those systems. It is a reminder that our information doesn't necessarily have to be highly classified to be critically important. And, I think it calls for a funded, comprehensive review of the risk exposure across the Federal Government.
    And, I think what they will find is that the vulnerabilities--there are standard vulnerabilities across the enterprise, but also specific vulnerabilities for each institution. And, I think that the solutions have to be a funded mandate to take care of those risks and vulnerabilities.
    There are too often unfunded mandates that give confusing guidance to some of these institutions and departments, and I think a very crystal clear funded mandate to get these IT systems up to par is critical.
    Mr. Hill. I agree with that, and I am concerned on both sides of the aisle that there is a lot of--Congress likes to dole out punishment to Executive Branch agencies that are bad actors, of which there are many, and the list is long and painful, but in the IT and data security area, I think that is the wrong place for Congress to withhold critically needed funding, which affects all of our data. So, I think we should be concerned about it.
    Mr. Cilluffo, you made a comment about regional and smaller banks. I am a former CEO of a--and active in the regional banking arena.
And next to consumer laws and credit quality, I would say IT security is the number one thing banks spend money and time on, both in their capital expenditures budgets, and in their operating budget.
    I think if more businesses operated in that manner, we would be a lot better off. So, a second question on the Federal systems, are they spending adequate time in penetration testing of our Federal IT systems? Something we have spent 24 hours a day, and hundreds of thousands of dollars a year on in my business.
    Mr. Cilluffo. First, and I also do think that the financial services sector serves as a model for other sectors of our critical infrastructure, but if you take JPMorgan, spending $250 million, had 1,000 people devoted, they did everything just right, and they still got hit. So, at the end of the day, it is more than just resources.
    On the pen-testing side, and I think my colleague said it just right, policy without resources is rhetoric. Most of the systems that we have today are built on weak foundations. In other words, you can have all the complex security, but if it is built on quicksand, or if a home is built in a flood area, it is still going to get flooded no matter how advanced the system is. So, I do think pen-testing is critical.
    But, I also think it has to be more than a check-the-box kind of mentality. So, it shouldn't just be advanced warning. We all know there is going to be a pen-test, there should be no-warning pen-tests that can be done in a simulated kind of way that doesn't affect the day-to-day operations of the organization. So, exercise, exercise, exercise, and exercise yet again is the answer.
    Mr. Bejtlich. And, sir, just quickly, before you do the pen-test, in other words, checking to see if you can get into the front door, you should go in the house and see who is already there.
    Mr. Hill. Yes. I yield back.
    Chairman Duffy.
The gentleman yields back. If the panel would agree, the ranking member and I would like to do a second round. We have a few more minutes. Thank you. The Chair then yields himself 5 more minutes.
    We have a lot of government agencies that collect information. Sometimes these agencies hold on to this information. Is the risk to Americans greater if not just their financial institution or their hospital has information, but the government also collects this information and houses it as well? Is it a double risk to the American citizen?
    Is that a yes?
    Mr. Madon. Yes. That is as close to a factual statement, absolutely, and I think part of the challenge is it is currently not a thoughtful approach. Right? There is obviously information that should be kept and held, and I think--but it should not be rote. It should be something that is considered, and thoughtful and there should be a true look at what information we are holding, and whether it is important or not.
    Mr. Bejtlich. And, also, sir, a presumption; what happens if this data is stolen.
    Chairman Duffy. I want to hear that--I only have 5 minutes. I want to hit a couple of different issues.
    So, I would imagine that terrorist organizations maximize their capabilities against America, and our allies. Whatever capability they have, they will use against us. So, if they have the capability of taking down an electric grid, they probably would. Fair enough.
    Since they haven't done that, they probably don't have that kind of capability yet. Is that a fair assumption on my part?
    Mr. Cilluffo. That is fair. The one flipside is they are so dependent for their own tradecraft on some of this that they may at least think about it in a calculated way. But, yes, if they have the capability, they will use it.
    Chairman Duffy.
But is it fair to say too that the Chinas \nand the Russias of the world probably have the capabilities of \ndoing some catastrophic damage to critical infrastructure, if \nthey so choose?\n    Mr. Cilluffo. You bet.\n    Chairman Duffy. I want to give you all a chance, but I only \nhave 3 minutes left. If we could quickly hear about the dangers \nof hacking back. I know Mr. Cilluffo, you don\'t agree with \nthat. I don\'t know if Mr. Madon, or Mr. Bejtlich, quickly, do \nyou guys think that is a good idea or a bad idea?\n    Mr. Bejtlich. Governments can--government-conducted \noperations, I am okay with. Private sector, I would not be okay \nwith that.\n    Chairman Duffy. Mr. Madon, you can be a contrarian if you \nwant.\n    Mr. Madon. And I am going to be somewhat okay.\n    Chairman Duffy. I thought you would be.\n    Mr. Madon. And that is that I think it is important to \nstart the conversation, and I understand that attribution is an \nincredibly important part of that conversation, but I think to \njust discredit the value that the private sector could bring to \nthis fight, without really deep consideration, we do so at our \nown peril.\n    Chairman Duffy. Okay.\n    Mr. Cilluffo. And, rules of the road are important here, \nMr. Chairman. You need clarity. So, before you do anything, you \nneed to know what is--\n    Chairman Duffy. Strict guidelines.\n    Mr. Cilluffo. --and what is acceptable behavior.\n    Chairman Duffy. So, you get a chance to talk to Congress. I \nwill ask each of you to give me the top two priorities that we \nshould have in this institution to help protect, and to fight \nback in this game of cyber war. What are two takeaways from \neach of you as a top priority?\n    Mr. Bejtlich. Sir, my first priority would be find the guys \nwho are already in the network, and kick them out. 
And, then \nsecondly, based on what you learn during that exercise, figure \nout what you have to do in order to find them the next time \nthey get in, and kick them out faster. And then eventually, get \nyour defenses in order so that it is much, much less likely \nthat they can get in the first place.\n    Chairman Duffy. And, did you say that we don\'t have that \ncapability? Or, you are not, because, obviously we would have \nkicked them out of OPM if we had the technology.\n    Mr. Bejtlich. You are right.\n    Chairman Duffy. So, you are saying that has to be \ndeveloped, that has to be a focus?\n    Mr. Bejtlich. Right. We need to fund that, sort of, \nstrategy, and also the technology, and bring it in to do that.\n    Chairman Duffy. Mr. Madon?\n    Mr. Madon. One, explore offensive strategies that have \nworked in the past as a holistic government solution, and take \nthose strategies and use them as a template for the next \naggressive cyber campaign. That is one.\n    Two, truly consider the insider threat, as my colleague was \nmentioning. That often gets short shrift in the cyber debate. \nSo, that would be highlighted.\n    Chairman Duffy. So you are telling us to think outside the \nbox, use all the reasonable tools at our disposal?\n    Mr. Madon. Yes, sir.\n    Chairman Duffy. Mr. Cilluffo?\n    Mr. Cilluffo. Firstly, to support the--as my colleague just \nmentioned, some of our computer network attack capabilities to \nensure that we continue to be the most sophisticated actor in \nthis domain.\n    Provide the ability to articulate what a deterrent strategy \nis, and then should a perpetrator transgress, be willing to \nstand up in a unified kind of way to respond commensurately.\n    And ultimately, ensure that you have some of the members \nand staff who are technologically savvy and can serve as \nadvisers at all times because policy technology people--and you \nhave great people here, so lean on them.\n    Chairman Duffy. I will. 
Listen, I think this has been \nfascinating testimony. Talking about our security, I think we \nmight get to this hearing without you having to answer \nquestions about servers in other locations, and that is--\nanyway.\n    Ranking Member Green, I yield to you for 5 minutes.\n    Mr. Green. Thank you, Mr. Chairman. If you need additional \ntime.\n    Mr. Hill, permit me to thank you for indicating that \ntechnology is important, and that we should be careful about \nhow we raid some of these funds because I, too, am concerned \nabout that approach. So, I thank you for bringing it up and \nmentioning the later part which has to do with some of the \nactions that we take without going through regular order.\n    Let me ask this of you. I understand the profile of the \nhacker. I understand that profile, and I am talking now more \nspecifically about identity theft. What I am not sure of is the \nprofile of the person who actually acquires the information in \nthis dark world that we have been talking about, and actually \nuses it. Is this a person who purchases 1,000 identities and \nproceeds with that 1,000 trying to do as much mischief as \npossible, or does the person acquire one identity and work \nthat? What is the profile of the criminal mind in the criminal \nwho does this?\n    Mr. Madon. Sir, I think using one slice is there is no one \nprofile, and if you take the OPM case, I am pretty confident \nwearing my former counterintelligence hat that there are some \nvery happy Chinese counterintelligence officers right now who \nare combing through our information to identify vulnerabilities \nin U.S. employees and trying to exploit those vulnerabilities \nfor recruitment.\n    Mr. Green. Is it your general consensus that this is a \nprofile that would not simply be a person who would live in the \nUnited States? Do we have people who live in our country who \nacquire this information and use it?\n    Mr. Madon. There is certainly a criminal element, as well. 
\nSo, I think each attack is very varied, I don\'t think there is \none flavor. And I think it could either be used for--to sell \non, as my colleagues were mentioning, the Dark Web. It could be \nused by a nation-state to conduct counterintelligence \nactivities, so I think there is a broad range of ways to use \nthis critical information.\n    Mr. Green. I am concerned right now with people in the \nUnited States, because you have talked about some of the \nsanctions that can be imposed, and while litigation is a \npossibility, when you are talking about litigation in a \nnational or international setting, it can be quite difficult \nbecause of treaties and other things that would be necessary.\n    But, let\'s talk about people within the United States. Do \nwe find that we have people who are going into this dark place \nand acquiring this information, and they are using it, and they \nare right here in the United States? They are among us.\n    Mr. Bejtlich. Yes. Yes, sir, that happens, and many times \nthey are prosecuted.\n    Mr. Green. And, what I am trying to--my next question is, \ndo they purchase one identity, or do they purchase a thousand? \nI am trying to get some sense of where--how this information is \nactually used. Is it used by a single perpetrator with one \nidentity, or does this perpetrator decide that, ``I will just \nsit here, and I will create 20 different identities, and I will \nfind a way to make money doing it?\'\'\n    Mr. Bejtlich. Sir, the cases I have seen typically involve \neither the bulk collection, the bulk sale, or bulk fraud \nassociated with that data. You tend not to see single actors \nwith a few identities.\n    Mr. Green. Let\'s go back to--you spoke of rewards, almost \nas though this would be a bounty. Would you explain how you \nthink that might work--the reward system?\n    Mr. Madon. 
It could model something like the qui tam system \nwhere you have individuals who notice that there are nefarious \nactivities, for example, the whistleblower program where they \nbring these activities to law enforcement and they get rewarded \nfor that. And, I think it could be a system that is very \nsimilar to that system, where there are rewards provided by \nFederal, State, and local government for individuals who report \ncyber crime.\n    Mr. Green. Now, what is the fallacy in this, if you think \nthat there is a fallacy? Someone else. What is the fallacy in \nproviding a reward for a whistleblower, as it were, different \ntype, who brings evidence to the government for prosecution \npurposes? What is the fallacy in that?\n    Okay, thanks. I take it that is something that you would \nall agree is feasible and doable, and something that we should \nconsider.\n    Mr. Bejtlich. I will just say that it is the first time I \nhave heard of such a thing, so I don\'t really have an opinion \nat this point.\n    Mr. Cilluffo. And you would probably want to put bounds \naround, just like in the conventional world, bounty hunting in \ngeneral. So, I haven\'t really thought about this in such a way, \nbut if you go back in our history with piracy, yes, we did have \nthe Letters of Marque, and the U.S. Government enabled and \nempowered entities to not only get a bounty, but keep the \nbooty, literally, in terms of some of the activity there. They \nwere sanctioned by the government.\n    Mr. Green. If I may quickly, Mr. Chairman, I think that \nthis has been indicated to be a system of providing \ninformation, intelligence to the government, not acquiring \nassets, public or individual--not acquiring assets, but \nproviding information. Is that what you are talking about, sir?\n    Mr. Madon. 
That is right, but I don\'t--I think in the \ncurrent construct, I think the switch from providing \ninformation on cyber attack to information on--putting on the \ntime machine hat, an attack on the open seas--I see very little \ndaylight actually between the two. I think they both cause \nincredible damage to our country.\n    Mr. Green. Thank you, Mr. Chairman. I owe you 1 minute and \n6 seconds.\n    Chairman Duffy. The ranking member yields back. The Chair \nnow recognizes the gentleman from Arkansas, Mr. Hill, if you \nhave more questions.\n    Mr. Hill. Just a theme I would like to wrap up on--I was \nhaving dinner the other night, or trying to, and the power went \nout in the restaurant. And I was drinking my beer--which is off \nthe record, I didn\'t have a beer; I had a coke.\n    And they literally asked us to leave the restaurant because \nthe power went out. I said, ``Why don\'t you just take my order, \ncook the food, and I will pay you cash?\'\'\n    ``Oh, well, we can\'t do that. We have no way to account \nfor--we have no way to write it down.\'\' How pitiful is that? \nBut when you get that societally, and when you think about that \nin a banking context, we are now so dependent on this \ninterconnected Web, that I do view cybercrime as--for the next \ngeneration, the same as a nuclear threat. And, that is not too \ndramatic, I think, even though we think about the massive loss \nof life in a nuclear environment. But, the ability to shut down \nthe power grid in a capital market system, or the electrical \ngrid--and the data communication system in a modern economy now \nis--could be just as horrific.\n    So, how do we broadcast a system of mutual assured \ndestruction in cyber? How do we begin through treaty work, \nbilateral work, communication? Instead of keeping it so sub-\nrosa that we actually say, ``Hey, look pal, you try to take \ndown our commercial or national security interest, you are \ntoast.\'\'\n    What is the process there? 
How do we get there on that?\n    Mr. Cilluffo. That is precisely, Congressman, the approach, \nI think, we do need to take because we can\'t treat this as a \nquiet issue alone. We have to--it has to not only have \nsunlight, but for it to have any semblance of impact and \nconsequence to change behavior, it needs to be publicly \narticulated. I think that is a deterrent strategy, I think we \nneed to look at all the instrumentalities--military, political, \neconomic, and others that can be brought to bear.\n    Recognize that cyber related issues are on par with \ntraditional forms of diplomatic issues, and it really is going \nto come down to signaling and having the wherewithal to follow \nthrough on our words, which we haven\'t had great success in \nrecent on always following through on redlines that we have \ndevised. But, we do need to put mark--we do need to put lines \nin the silicon and demonstrate when they are crossed, expect a \nresponse.\n    The one issue, I would say, that is a little different, \nvis-a-vis, nuclear, is that the bar is so low to have a cyber \ncapability, whereas you needed a huge infrastructure both \nscientifically and economically to have a nuclear capability. \nIn this case--\n    Mr. Hill. That would make it more disturbing.\n    Mr. Cilluffo. I hear you, and the club is so much bigger, \nbut there are, again, as I started out--not all hacks are the \nsame, not all hackers are the same, and there are certain \nthings we can do to delineate those actors that are most brazen \nin their activity.\n    Mr. Hill. Any other comments?\n    Mr. Madon. Sir, I vehemently agree. And, I think, sitting \nback and saying, over, and over, again, ouch that hurts, and \nbasically signaling to our adversaries that they can continue \nto attack us with impunity is unacceptable for our Nation.\n    And, I think we need to explore all options and come up \nwith a campaign, and a thoughtful approach about how to respond \nto these attacks.\n    Mr. 
Hill. Thank you, panel, and thank you for your service \nfor our country, and I yield back, Mr. Chairman.\n    Chairman Duffy. The gentleman yields back. I want to thank \nthe witnesses for their testimony today. I feel just a tad bit \nsafer knowing that you three are on Team USA. Thank you for \nbeing here. Thank you for all of your work. And thank you for \nyour testimony.\n    The Chair notes that some Members may have additional \nquestions for this panel, which they may wish to submit in \nwriting. Without objection, the hearing record will remain open \nfor 5 legislative days for Members to submit written questions \nto these witnesses and to place their responses in the record. \nAlso, without objection, Members will have 5 legislative days \nto submit extraneous materials to the Chair for inclusion in \nthe record.\n    This hearing is adjourned.\n    [Whereupon, at 11:48 a.m., the hearing was adjourned.]\n\n                            A P P E N D I X\n\n\n\n                             June 16, 2015\n                             \n[GRAPHICS NOT AVAILABLE IN TIFF FORMAT] \n\n</pre><script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script></body></html>\n'