[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]


                          A GLOBAL PERSPECTIVE
                            ON CYBER THREATS

=======================================================================

                                HEARING

                               BEFORE THE

                       SUBCOMMITTEE ON OVERSIGHT
                           AND INVESTIGATIONS

                                 OF THE

                    COMMITTEE ON FINANCIAL SERVICES

                     U.S. HOUSE OF REPRESENTATIVES

                    ONE HUNDRED FOURTEENTH CONGRESS

                             FIRST SESSION

                               __________

                             JUNE 16, 2015

                               __________

       Printed for the use of the Committee on Financial Services

                           Serial No. 114-32
                           
                           
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]


                            U.S. GOVERNMENT PUBLISHING OFFICE
96-993 PDF                       WASHINGTON : 2016                            

_________________________________________________________________________________________                 
For sale by the Superintendent of Documents, U.S. Government Publishing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, 
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). 
E-mail, [email protected].  
                
                 
                 
                 HOUSE COMMITTEE ON FINANCIAL SERVICES

                    JEB HENSARLING, Texas, Chairman

PATRICK T. McHENRY, North Carolina,  MAXINE WATERS, California, Ranking 
    Vice Chairman                        Member
PETER T. KING, New York              CAROLYN B. MALONEY, New York
EDWARD R. ROYCE, California          NYDIA M. VELAZQUEZ, New York
FRANK D. LUCAS, Oklahoma             BRAD SHERMAN, California
SCOTT GARRETT, New Jersey            GREGORY W. MEEKS, New York
RANDY NEUGEBAUER, Texas              MICHAEL E. CAPUANO, Massachusetts
STEVAN PEARCE, New Mexico            RUBEN HINOJOSA, Texas
BILL POSEY, Florida                  WM. LACY CLAY, Missouri
MICHAEL G. FITZPATRICK,              STEPHEN F. LYNCH, Massachusetts
    Pennsylvania                     DAVID SCOTT, Georgia
LYNN A. WESTMORELAND, Georgia        AL GREEN, Texas
BLAINE LUETKEMEYER, Missouri         EMANUEL CLEAVER, Missouri
BILL HUIZENGA, Michigan              GWEN MOORE, Wisconsin
SEAN P. DUFFY, Wisconsin             KEITH ELLISON, Minnesota
ROBERT HURT, Virginia                ED PERLMUTTER, Colorado
STEVE STIVERS, Ohio                  JAMES A. HIMES, Connecticut
STEPHEN LEE FINCHER, Tennessee       JOHN C. CARNEY, Jr., Delaware
MARLIN A. STUTZMAN, Indiana          TERRI A. SEWELL, Alabama
MICK MULVANEY, South Carolina        BILL FOSTER, Illinois
RANDY HULTGREN, Illinois             DANIEL T. KILDEE, Michigan
DENNIS A. ROSS, Florida              PATRICK MURPHY, Florida
ROBERT PITTENGER, North Carolina     JOHN K. DELANEY, Maryland
ANN WAGNER, Missouri                 KYRSTEN SINEMA, Arizona
ANDY BARR, Kentucky                  JOYCE BEATTY, Ohio
KEITH J. ROTHFUS, Pennsylvania       DENNY HECK, Washington
LUKE MESSER, Indiana                 JUAN VARGAS, California
DAVID SCHWEIKERT, Arizona
FRANK GUINTA, New Hampshire
SCOTT TIPTON, Colorado
ROGER WILLIAMS, Texas
BRUCE POLIQUIN, Maine
MIA LOVE, Utah
FRENCH HILL, Arkansas
TOM EMMER, Minnesota

                     Shannon McGahn, Staff Director
                    James H. Clinger, Chief Counsel
              Subcommittee on Oversight and Investigations

                   SEAN P. DUFFY, Wisconsin, Chairman

MICHAEL G. FITZPATRICK,              AL GREEN, Texas, Ranking Member
    Pennsylvania, Vice Chairman      MICHAEL E. CAPUANO, Massachusetts
PETER T. KING, New York              EMANUEL CLEAVER, Missouri
PATRICK T. McHENRY, North Carolina   KEITH ELLISON, Minnesota
ROBERT HURT, Virginia                JOHN K. DELANEY, Maryland
STEPHEN LEE FINCHER, Tennessee       JOYCE BEATTY, Ohio
MICK MULVANEY, South Carolina        DENNY HECK, Washington
RANDY HULTGREN, Illinois             KYRSTEN SINEMA, Arizona
ANN WAGNER, Missouri                 JUAN VARGAS, California
SCOTT TIPTON, Colorado
BRUCE POLIQUIN, Maine
FRENCH HILL, Arkansas
                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on:
    June 16, 2015................................................     1
Appendix:
    June 16, 2015................................................    35

                               WITNESSES
                         Tuesday, June 16, 2015

Bejtlich, Richard, Chief Security Strategist, FireEye, Inc.......     8
Cilluffo, Frank J., Director, the George Washington University 
  Center for Cyber and Homeland Security.........................     5
Madon, Michael, Board of Advisors Member, Center on Sanctions and 
  Illicit Finance, Foundation for Defense of Democracies.........     7

                                APPENDIX

Prepared statements:
    Bejtlich, Richard............................................    36
    Cilluffo, Frank J............................................    41
    Madon, Michael...............................................    56

              Additional Material Submitted for the Record

Duffy, Hon. Sean:
    Written responses to questions for the record submitted to 
      Richard Bejtlich...........................................    66
    Written statement of PayPal..................................    68

 
                          A GLOBAL PERSPECTIVE.
                            ON CYBER THREATS

                              ----------                              


                         Tuesday, June 16, 2015

             U.S. House of Representatives,
                          Subcommittee on Oversight
                                and Investigations,
                           Committee on Financial Services,
                                                   Washington, D.C.
    The subcommittee met, pursuant to notice, at 10:03 a.m., in 
room 2128, Rayburn House Office Building, Hon. Sean Duffy 
[chairman of the subcommittee] presiding.
    Members present: Representatives Duffy, Fitzpatrick, 
Fincher, Wagner, Tipton, Poliquin, Hill; Green, Cleaver, 
Beatty, Heck, Sinema, and Vargas.
    Ex officio present: Representative Hensarling.
    Also present: Representative Royce.
    Chairman Duffy. The Oversight and Investigations 
Subcommittee will come to order. The title of today's hearing 
is, ``A Global Perspective on Cyber Threats.''
    Without objection, the Chair is authorized to declare a 
recess of the subcommittee at any time.
    The Chair now recognizes himself for 3 minutes for an 
opening statement.
    The purpose of today's hearing is to identify the United 
States' primary cyber enemies, better understand the growing 
global cyber threat, and ultimately formulate more effective 
responses to cyber incidents.
    The cyber landscape today is vastly different from that of 
past years, with technology an integral component of nearly all 
transactions, means of communication, and methods of 
transportation. In recent years, there has been a growing focus 
on protecting the cyber security of critical infrastructure.
    However, in the wake of the breach of over four million 
personnel records at the Office of Personnel Management, it is 
still clear that much more needs to be done to protect 
Americans from cyber threats.
    Cyber crime provides a clear and present danger to the 
United States of America. At the other end of these attacks are 
nation-states like Russia, China, Iran, and North Korea; 
terrorist groups; criminal organizations; and hacktivists. 
These groups can range from sophisticated cyber actors to 
ideological groups motivated by political or patriotic reasons.
    While the motivations may vary, there remains one constant. 
They intend to hurt America and our interests. Not only are 
they targeting the critical infrastructure of our country such 
as banks, power grids, and food supplies, but they also pose a 
much graver threat directly to the citizens of the United 
States.
    Nearly every government agency has been a target of cyber 
attacks, and with the recent OPM breach, the Federal Government 
has now provided a channel for these criminals to access 
sensitive personal information.
    In the wake of these incidents, the Consumer Financial 
Protection Bureau (CFPB) continues to collect information on 
consumers and their financial practices, and ``Obamacare'' has 
created a vast data hub to collect and store scores of highly 
sensitive personal and health information on American citizens.
    This most recent cyber attack on OPM should underscore the 
urgency around reconsidering the need for such governmental 
data collection programs. The benefits do not allay the privacy 
risks to American citizens.
    The extent to which this information is utilized to harm 
our government's employees is yet to be known. But what is 
known is that more needs to be done to mitigate these cyber 
risks.
    I welcome our distinguished panel this morning, and I look 
forward to hearing more about what the Federal Government can 
do and should be doing to protect our country and our citizens 
from these cyber criminals.
    With that, I yield 4 minutes to the gentleman from Texas, 
Mr. Green.
    Mr. Green. Thank you, Mr. Chairman. And I thank the 
witnesses, as well. Mr. Chairman, there appears to be clear and 
convincing evidence that cyber attacks pose a clear and present 
danger not only to the United States' businesses but also to 
the U.S. Government itself.
    The preponderance of the evidence shows that 2014 was a 
banner year for cyber criminals. According to a report from the 
Heritage Foundation written by Riley Walters, the list of cyber 
attacks in 2014 on private U.S. companies includes the 
following excerpts. And Mr. Chairman, in my opinion, one of the 
best ways to appreciate the magnitude of a problem is to 
examine and review some of the components. Let's review some of 
the components.
    January 2014: Target hacked, 70 million people impacted; 
Neiman-Marcus hacked, 350,000 people impacted; Michaels retail 
store hacked, 2.6 million customers impacted; Yahoo! hacked, 
273 million users impacted.
    April 2014: Aaron Brothers retail store hacked, 400,000 
customers impacted
    May 2014, eBay hacked, 233 million customers impacted.
    June 2014, Feedly Communications hacked, 15 million users 
impacted.
    September 2014: Home Depot hacked, 56 million shoppers 
impacted; Google hacked, 5 million people impacted; Goodwill 
Industries hacked, 868,000 people impacted.
    And of course, in October, JPMorgan Chase hacked, 76 
million households impacted.
    According to this report, in 2014 the annual average cost 
per company of successful cyber attacks increased to $20.8 
million in the financial services industry; $14.5 million in 
the technology sector; and $12.7 million in the communications 
industry.
    These are real people. These are real concerns, and they 
must be addressed.
    Mr. Chairman, I fear that FBI Director James Comey was 
right when he proclaimed there are two kinds of big companies 
in the United States--those who have been hacked and those who 
don't know that they have been hacked.
    Mr. Chairman, I will yield back the balance of my time. 
Actually, rather than yield back, I will share it with the 
gentlelady that you will call next.
    Chairman Duffy. Thank you, Mr. Green.
    The Chair now recognizes the gentleman from Pennsylvania, 
Mr. Fitzpatrick, the vice chairman of our subcommittee, for 1 
minute.
    Mr. Fitzpatrick. Thank you, Mr. Chairman, and I also thank 
the three witnesses for being here today to share your 
experience and your knowledge with the subcommittee.
    The protection of our personal data is increasingly a 
critical part of our private lives, and the threat of data 
breaches from state or non-state actors looms heavy over 
security experts in nearly every sector of the American 
economy.
    These types of attacks have real financial and emotional 
consequences. When families back in my hometown of Levittown 
learn that their information was compromised, they immediately 
become concerned about whether they will be able to use their 
debit card to purchase gas and groceries. But for our Nation's 
financial institutions, the risks are significant and they are 
systemic.
    Mr. Chairman, there is a task force to investigate terror 
finance. I am especially interested in the possibility that 
this data, once stolen, could be sold to fund illicit 
operations, or as recent reports regarding the OPM theft have 
shown, be used against United States government personnel.
    I look forward to hearing the witnesses' testimony, and I 
hope that this committee can work together to strengthen and 
protect this vital part of our Nation's security and 
infrastructure.
    I yield back.
    Chairman Duffy. The gentleman yields back.
    The Chair now recognizes the gentlelady from Arizona for 2 
minutes.
    Ms. Sinema. Thank you, Chairman Duffy and Ranking Member 
Green.
    Earlier this month, the Office of Personnel Management 
revealed that at least four million, and perhaps substantially 
more, current and former Federal employees from nearly every 
Federal agency, some of them military and defense personnel 
living in Arizona, may have had their personal information 
stolen.
    While DHS and the FBI continue to investigate this 
incident, it is strongly suspected that Chinese hackers are 
responsible for the breach. Cyber attacks from state and non-
state actors have increased dramatically in recent years. The 
U.S. Government needs a clear strategy to deter, as well as 
detect and defeat ever-changing cyber threats.
    Federal law sets forth various requirements, roles, and 
responsibilities for securing Federal agencies' systems and 
information. Despite these measures, according to an April 2015 
GAO report, Federal agencies continue to demonstrate 
shortcomings in assessing risks, developing and implementing 
security controls, and monitoring results.
    Securing our government requires strengthened security 
controls and information-sharing infrastructures. Educating 
Federal employees and contractors is also crucial if these 
efforts are to be successful.
    I look forward to hearing more from our witnesses today 
about the effectiveness of actions taken by Federal agencies to 
address cyber vulnerabilities.
    Thank you, Mr. Chairman. I yield back my time.
    Chairman Duffy. The gentlelady yields back.
    We now recognize our witnesses. We have Mr. Frank Cilluffo, 
an associate vice president at George Washington University; 
director of the Center for Cyber and Homeland Security; and co-
director of GW's Cyber Center for National and Economic 
Security. Mr. Cilluffo has published extensively on cyber and 
homeland security.
    In addition, he has served on various national security-
related committees sponsored by the government and nonprofits, 
including as the vice chairman of the Future of Terrorism Task 
Force of the Homeland Security Advisory Council and chairman of 
the Quadrennial Homeland Security Review Advisory Council.
    Previously, Mr. Cilluffo served as Special Assistant to the 
President for homeland security. Immediately after the 
September 11, 2001, terrorist attacks, President George W. Bush 
appointed him to the Office of Homeland Security, where he was 
a principal adviser to Governor Tom Ridge. Mr. Cilluffo 
directed the President's Homeland Security Advisory Council.
    We also have Mr. Michael Madon. He serves on the board of 
advisors of the Center on Sanctions and Illicit Finance at the 
Foundation for Defense of Democracies, and is the vice 
president of business development at Redowl Analytics.
    Previously, Mr. Madon served as Deputy Assistant Secretary 
in the Office of Intelligence and Analysis of the Treasury 
Department, where he developed strategies to help identify and 
mitigate cyber risks within both the Department and the 
financial sector.
    Mr. Madon holds an MBA from Wharton School, a master's of 
international affairs from Columbia, and a BA from Cornell. He 
is the recipient of the Bronze Star, the National Intelligence 
Distinguished Service Medal, and Treasury's Distinguished 
Service Award.
    And finally, last but not least, Mr. Richard Bejtlich. 
Welcome. He is the chief security strategist at FireEye' a 
nonresident senior fellow in the Center for 21st Century 
Security in intelligence of the foreign policy program at 
Brookings; and a board member of the Open Information Security 
Foundation.
    Mr. Bejtlich was Mandiant's chief security officer. Before 
that, he was the director of incident response for GE, and 
before that, he worked extensively in the private sector. 
Previously, Mr. Bejtlich was a military intelligence officer in 
the U.S. Air Force Computer Emergency Response Team, Air Force 
Information Warfare Center and Air Intelligence Agency.
    He has a master's of public policy from Harvard University 
and a BS from the United States Air Force Academy.
    So with that, gentlemen, you will each be recognized for 5 
minutes for an oral presentation of your testimony. And without 
objection, the witnesses' written statements will be made a 
part of the record. Once the witnesses have finished presenting 
their testimony, each member of the subcommittee will have 5 
minutes within which to ask questions.
    Now, on your table, you have three lights--green, yellow, 
and red. Green means go, yellow means you have 1 minute left, 
and red means your time is up. The microphones are sensitive, 
so please make sure that you are speaking directly into them.
    And with that, Mr. Cilluffo, you are recognized for 5 
minutes.

STATEMENT OF FRANK J. CILLUFFO, DIRECTOR, THE GEORGE WASHINGTON 
       UNIVERSITY CENTER FOR CYBER AND HOMELAND SECURITY

    Mr. Cilluffo. Thank you, Mr. Chairman. And thank you, 
Ranking Member Green, and the distinguished members of the 
subcommittee for the opportunity to testify before you today.
    I thought ``red'' meant we were being hacked, given the 
topic, but I am glad that I have to sum up my remarks quickly.
    I thought all of you did a terrific job summing up the 
threat, so I will try to zero in on a handful of different 
issues that, hopefully, we will have time to explore further 
during Q&A.
    Clearly, the United States currently faces a dizzying array 
of cyber threats from many and varied actors. Virtually every 
day, there is a new incident in the headlines, and the 
initiative today clearly remains with the attacker.
    The U.S. financial services sector, from banks to credit 
card companies to exchanges and clearinghouses, is clearly in 
the crosshairs and is a primary target for cyber attacks and 
cyber crime.
    To give you a sense of the magnitude of the problem, 
consider the following figures, which were provided to me by a 
major U.S. bank on a not-for-attribution basis. Just last week, 
they faced 30,000 cyber-attacks. This amounts to an attack 
every 34 seconds each and every day.
    And these are just the attacks that the bank actually knows 
about by virtue of a known malicious signature or IP address. 
As for the source of the attacks, approximately 22,000 came 
from criminal organizations and 400 from nation-states.
    A few words on the threat itself. First, not all hacks are 
the same, nor are all hackers the same. The threat comes in 
various shapes, sizes, and forms, ranging from nation-states at 
the high end of the threat spectrum to foreign terrorist 
organizations, criminal enterprises, and hacktivists.
    Just as diverse as the threat actors themselves are their 
intentions; capabilities; and tactics, techniques, and 
procedures (TTPs) and the tools they utilize to commit these 
crimes.
    Put another way, nearly every form of conflict today and 
tomorrow will have a cyber dimension to it. Whereas 
technologies will continue to evolve and change, human nature 
remains consistent. If it happens in the physical world, it is 
happening in the cyber world, and increasingly, you are seeing 
the physical and cyber worlds converge.
    One factor that makes cyber unique, of course, is time and 
space, or speed and impact. You can commit a cyber crime 
without ever stepping foot in the target area or even the same 
country, and it would take years, say, to rob bank after bank 
after bank, which can now be done in a matter of nanoseconds by 
pointing and clicking on a mouse.
    A couple of very quick top-line words on the threat actors. 
As I mentioned earlier, nation-states and their proxies 
continue to present the greatest, meaning most advanced and 
persistent, threat in the cyber domain. Topping the list are 
countries that are integrating computer network attack and 
computer network exploit into their war-fighting doctrine and 
strategy.
    The most sophisticated and active countries are China and 
Russia. It is also worth noting that the two countries recently 
signed a major cyber security agreement, dubbed by a friend of 
mine as a new axis of e-vil. Both China and Russia are known to 
use proxies to do their bidding to provide plausible 
deniability of their attacks if they get caught.
    After these two countries, come Iran and North Korea. While 
perhaps not up to par with Russia or China in terms of 
capability, both countries are investing very heavily into 
building out their cyber capacity, and what they may lack in 
capability, they more than make up for in intent.
    Moreover, they are more likely to turn to computer network 
attack, rather than merely espionage, as demonstrated by Iran's 
distributed denial of service attacks on U.S. banks and North 
Korea's recent attack on Sony.
    Next up are foreign terrorist organizations. They certainly 
possess the motivation and intent, but fortunately, they have 
yet to fully develop a sustained cyber attack capability. The 
recent doxing attacks, however, on our U.S. military and law 
enforcement personnel is a very troubling sign, with their 
coming up with new tactics, and I think it is indicative of an 
emerging threat. It is likely that ISIS or their sympathizers 
will increasingly turn to disruptive cyber attacks.
    By contrast, criminal organizations possess substantial 
capabilities, but their motivation and intent obviously differs 
from foreign terrorist organizations. Rather than being 
motivated by ideology, they are motivated by profit. And they 
are continuing--one of the trends we are seeing is working as 
proxies with other nation-states, as I mentioned vis-a-vis 
Russia.
    And then, of course, you have hacktivists. And regardless 
of the cause, they are going to use their techniques for 
special interests, and some of those can be very sophisticated. 
And their intent is normally to embarrass to bring attention to 
their cause.
    While I planned to say a couple of words on what we should 
do about all this, I hope we will have an opportunity to 
discuss that during Q&A.
    Mr. Chairman, thank you.
    [The prepared statement of Mr. Cilluffo can be found on 
page 41 of the appendix.]
    Chairman Duffy. Thank you, Mr. Cilluffo.
    The Chair now recognizes Mr. Madon for 5 minutes.

STATEMENT OF MICHAEL MADON, BOARD OF ADVISORS MEMBER, CENTER ON 
   SANCTIONS AND ILLICIT FINANCE, FOUNDATION FOR DEFENSE OF 
                          DEMOCRACIES

    Mr. Madon. Chairman Duffy, Vice Chairman Fitzpatrick, 
Ranking Member Green, and other distinguished members of the 
subcommittee, it is an honor to appear before you to discuss 
the global cyber threats we face, and in my view, more 
importantly, what we can do about it.
    During my time at Treasury, I was fortunate to work for and 
with a team of true innovators developing novel strategies and 
approaches to identify and mitigate the cyber risks and 
vulnerabilities facing both the Department and the financial 
sector more broadly.
    The thoughts I am sharing today are inspired by that early 
Treasury work and the thinking spearheaded by Juan Zarate and 
his Center on Sanctions and Illicit Finance.
    If the recent attacks against JPMorgan Chase and Citibank 
serve as examples, banks are prime targets for sophisticated, 
organized cyber attacks, despite a dramatic increase in cyber 
security spending. In my view, the rise in frequency and 
breadth of cyber attacks can be attributed to five primary 
threats--nation-states, cyber terrorists, hacktivists, 
organized criminal elements and malicious, compromised, or 
negligent employees--in other words, the insider threat.
    So why banks? On a tactical level, banks hold not just 
money but also collect and centralize sensitive personally 
identifiable information and clients' intellectual property.
    But our cyber threats see a greater purpose in hitting 
banks. They serve as both key systemic actors important for the 
functioning of the global economy and as chief protagonists in 
the isolation of bad actors from the financial system.
    It is clear from watching these attacks dramatically 
increase in both frequency and damage, that our Nation's 
current defensive posture is simply not sufficient to address 
the threat. We need to have a more proactive approach, one that 
shifts the paradigm away from defense to offense.
    We can take inspiration from the anti-money-laundering and 
sanctions model forged at Treasury, and leverage financial 
pressure against cyber threats to better protect the financial 
system.
    This economic and cyber security approach requires a new 
paradigm of U.S. public-private engagement and collaboration, 
adopting language from Treasury's successful campaign. Cyber-
driven targeted financial measures is, at its core, a 
thoughtful set of decisions that change our cyber posture from 
a defensive crouch to an offensive charge.
    These measures can encourage the creation of internal 
financial intelligence units to enhance financial sector and 
augment U.S. intelligence community collection and analysis 
efforts. These measures include:
    Enhancing the safe harbor regime to encourage greater 
information sharing among financial institutions.
    Enhancing Section 314(b) of the USA Patriot Act to allow 
financial institutions to share information about suspect 
cyber-related financial activity within their sector, without 
liability.
    Accelerating the U.S. Government's targeting of state 
actors, networks, and individuals that attack U.S. private 
sector systems, especially financial systems.
    Deploing the President's emergency economic powers for the 
use of multiple tools to address the reality of major cyber 
espionage, crime, and infiltration affecting the U.S. financial 
and commercial system.
    And encouraging Congress to craft legislation to empower 
the Secretary of the Treasury to identify jurisdictions, 
institutions or networks that are sponsoring or willfully 
allowing their territory or systems to be used to attack 
American financial institutions as a precursor to sanctions.
    Innovative attacks require innovative responses, and 
Congress could enlist the private sector to participate in 
cyber-driven targeted active defensive measures that reward, 
enable, and empower the private sector to help defend itself in 
concert with the government. Yes, this would require rule-
setting, more active collaboration, and explicit line drawing 
and processes, but such a regime is imaginable.
    This model could be based on the tradition of congressional 
issuances of letters of marque and reprisal, as provided for 
explicitly in Article 1, Section 8 of the U.S. Constitution. 
This model could take different forms to include a reward 
program for those groups able to uncover, identify, and even 
deliver cyber hackers to U.S. courts or authorities, such as 
unleashing cyber forensic teams and private litigants and 
plaintiffs' lawyers against those attacking U.S. systems; 
empowering victims of attacks to sue the perpetrators and those 
benefiting directly from any cyber infiltrations, just as 
victims of terrorism are provided the right to sue terrorists 
and their supporters today; and encouraging Justice, DHS, and 
Treasury to consider issuing special cyber warrants to allow 
private sector actors to track and even disrupt cyber attacks 
in certain instances to defend their systems.
    Committee members, thank you for allowing me to appear 
before you and discuss global cyber threats. My colleagues at 
the Center on Sanctions and Illicit Finance and I look forward 
to collaboratively devising and implementing strategies to 
defeat the growing cyber threats that confront our Nation.
    Thank you.
    [The prepared statement of Mr. Madon can be found on page 
56 of the appendix.]
    Chairman Duffy. Thank you, Mr. Madon.
    And Mr. Bejtlich, you are now recognized for 5 minutes for 
your opening statement.

   STATEMENT OF RICHARD BEJTLICH, CHIEF SECURITY STRATEGIST, 
                         FIREEYE, INC.

    Mr. Bejtlich. Chairman Duffy, Ranking Member Green, and 
members of the subcommittee, thank you for the opportunity to 
testify.
    My employer, FireEye, provides software to stop digital 
intruders; we have 3,400 customers in 67 countries, including 
half of the Fortune 500. In 2014, our Mandiant consulting 
service conducted hundreds of investigations in 13 countries. 
So my testimony today is based on not only my experience doing 
our own work, but also on the experience of our company doing 
these investigations.
    The title of this hearing includes the phrase ``cyber 
threat,'' and it is important to understand the threat, but we 
also need to expand that to include the concept of risk. We 
need to think in terms of threats, vulnerabilities, and 
consequences. Risk is a function of these three factors, and if 
we influence any one, our overall level of security will 
change, as well.
    Furthermore, while risk is a forward-looking concept, where 
we worry about what could happen, some scenarios have already 
occurred, making that theoretical risk an actualized event.
    I separate damaging scenarios into two buckets, chronic and 
acute. Chronic scenarios occur over an extended period, with 
impacts spread across time in ways that can be difficult to 
measure. Acute scenarios, on the other hand, involve immediate 
and distinct impact, usually with obvious physical or virtual 
damage. Thankfully, we have not yet seen a combination of those 
two, meaning long-term, highly-visible costly damage. And 
hopefully, that will remain the case.
    The United States is currently suffering three important 
chronic damage scenarios. First, foreign nation-state actors 
are stealing sensitive data and commercial secrets from private 
organizations, for use by their domestic industries.
    Second, these actors are stealing sensitive and classified 
data on American military and intelligence plans and 
technologies to benefit their strategic interests.
    Third, foreign actors are stealing personally identifiable 
information and financial instruments from citizens and 
organizations to benefit national capabilities and fuel 
underground crime.
    The United States is also susceptible to two acute damage 
scenarios. First, many of us worry about attacks against 
critical infrastructure. The electrical grid, financial sector, 
water supply, and telecommunications systems are the big four 
targets. To date, according to public testimony and public news 
reporting, some foreign actors have already infiltrated 
elements of critical infrastructure, while others have 
attempted to disrupt critical infrastructure.
    The second acute damage scenario involves disruption or 
destruction of virtual infrastructure. And we have two public 
examples where foreign actors have infiltrated American 
companies and destroyed data on thousands of computers.
    I would like to talk briefly about the four big threat 
actors, and without probably any surprise, they will be the 
same ones mentioned by my colleagues. We worry about nation-
states, organized criminals, terrorists, and activists.
    There is some overlap and mixing of these groups, but if we 
are able to handle the top end, the nation-states, our 
abilities will sort of flow down and cover the others, so I 
would like to talk briefly about the four big nation-state 
actors: Russia; China; North Korea; and Iran. And I will 
mention that just in the last year-and-a-half alone, Mandiant 
has responded to intrusions by all four countries, including 
the big public ones I am sure you are aware of.
    Russia poses acute and chronic challenges. Russian 
government forces can conduct full-spectrum information 
operations, and they possess top tier cyber capabilities, 
including the ability to preserve their operational security 
and frustrate forensic analysis.
    China also poses chronic and acute challenges. They can 
conduct full-spectrum information operations, although not at 
the Russian level. Unfortunately, what they lack in their top-
tier capability, they make up for in volume and persistence. 
For example, the Chinese theft of commercial and sensitive data 
from American companies is unequaled. In my 18 years of doing 
this work, I have never seen anything like it.
    Turning to the other two big threat actors, North Korea and 
Iran, both of them primarily pose acute challenges--in other 
words, the ability to conduct a short, sharp attack. We have 
seen this now with the North Koreans, or at least forces that 
were under their control, with the attack against Sony Pictures 
Entertainment in November of 2014.
    Iran has a similar capability. In fact, they conducted a 
virtual destruction action against the Sands Casino in February 
of 2014. Both of these countries have geopolitical risks 
associated with them, which makes it perhaps more likely that 
they would use a cyber attack to compensate for their military 
deficiencies.
    I would like to conclude by mentioning that I hope during 
the hearing, we can talk about some alternative strategies to 
deal with these threats, primarily shifting from a strategy, at 
least in the government, of closing the barn door after the 
horses have left, to one of actively looking for intruders that 
are already in the network; and also, hopefully, moving from a 
situation where if you lose your Social Security number, there 
is really no way to recover from that, to one where there are 
business processes that can accommodate the loss of personal 
data.
    Thank you, and I look forward to your questions.
    [The prepared statement of Mr. Bejtlich can be found on 
page 36 of the appendix.]
    Chairman Duffy. Thank you.
    The Chair now recognizes himself for 5 minutes of 
questions. The testimony we heard today is quite sobering. I 
imagine everyone on the panel and everyone here today has 
received a letter that has said, ``Your personal information 
has been compromised.'' I think I have received 4 letters in 
the last 8 months. The first one I received was quite 
disturbing. Sadly, we are just getting used to the fact that 
our information continues to be compromised.
    Is anyone's information--is any information safe, whether 
we are talking about personal information, we are talking about 
programs in the Federal Government? To the panel--
    Mr. Cilluffo. Richard, do you want to--
    Mr. Bejtlich. Sure, I will take a quick shot at it. Sir, I 
would argue that history has shown that no data is potentially 
safe. We are talking--if you are talking at the very end of our 
capabilities in the government, you have the risk of insiders, 
like Mr. Snowden or Chelsea Manning. In the private sector, you 
have nation-state actors going after private companies.
    And from my own personal experience, it takes a sustained 
effort by a private company to simply hold off a nation-state, 
or at least to detect when they have gotten into your company 
so you can kick them out quickly.
    So it is very difficult to protect information at all.
    Mr. Cilluffo. Mr. Chairman, to build on that, I think we 
will never be in a position to say we can prevent all attacks. 
But there are steps we can take to mitigate the consequences 
and the potential damage by segmenting and segregating certain 
information in different sorts of networks. And that starts 
looking inside, understanding your family jewels, understanding 
what matters most to either, A, a company, or B, a government, 
or whatever it may be.
    But to Richard's point, how many companies, even the 
biggest in the world, went into business thinking they had to 
defend themselves against foreign intelligence services? That 
is precisely what is happening. The current approach is by 
definition reactive. Every time we get hit, instead of calling 
the police, we call the locksmith. We are building higher 
walls, getting bigger locks. At the end of the day that, by 
definition, is doomed for failure. It is reacting, reacting, 
reacting. We have to push the equation in a different kind of 
way. I am happy to touch on some thoughts during Q&A.
    Chairman Duffy. I think that goes to Mr. Madon's point, 
where he was talking about not just being on defense. He was 
talking about being on offense. And one that we had looked to 
the Federal Government not just for defense. I don't know if we 
are doing any offensive measures or not, but is there a role 
for the private sector, do you think, Mr. Madon, in the 
offensive play, not just defense?
    Mr. Madon. I do, and I think it is very varied. I don't 
think there is just one approach. I think first it starts, as 
was mentioned earlier, with information sharing. That is a 
critical component but that is not the only component. It is 
how you share information. And part of that information-sharing 
relationship between the government and the private sector has 
to start with safe harbor.
    I can't tell you how many times I hear folks from the 
financial sector want to share information with the government 
but they are concerned about liability. And that liability--I 
think before true information sharing occurs, that liability 
needs to be addressed.
    Mr. Cilluffo. Could I build on that? Because, think about 
it, cyber crime is the only crime I know of where we blame the 
victim. Every other crime, you blame the perpetrator. In this 
case, we are blaming the victim.
    And I am not disagreeing that companies can and must do 
more, but at the end of the day they are up against an 
adversary that is very sophisticated and will require at least 
the rules of the road. I am not ready for sanctioning companies 
to necessarily hack back, but there is a whole bit of policy 
space between hacking back and doing nothing but being reactive 
and building higher walls.
    Proactive forensics collection. This is key. Think about it 
as a football analogy. You have linebackers. Yes, they are 
defending against other people trying to score on your system, 
but they are blitzing the quarterback. There is more we can do 
in that environment as well, whether it is through 
technologies.
    But most importantly we need to define the rules of the 
road because right now if companies were to engage in this, 
they would be breaking laws, the Computer Fraud and Abuse Act 
in particular. I think that does require some updating and 
close examination.
    Mr. Madon. And my main point is, let's get the conversation 
started. Let's really have a robust conversation with our 
Nation, with ourselves, about what it looks like for the 
private sector to really track and even disrupt cyber attacks 
in certain instances to defend their systems.
    Yes, sir?
    Chairman Duffy. Go ahead. You can finish this thought.
    Mr. Madon. And of course, it would not happen overnight. I 
think there is no expectation of that. And it would require a 
defendable attribution regime because as our technology gets 
increasingly more precise, the ability to attribute the 
location of these attacks becomes more enhanced.
    Chairman Duffy. Thank you. I have several more questions 
but my time has expired. The Chair now recognizes Mr. Cleaver 
for 5 minutes.
    Mr. Cleaver. Thank you, Mr. Chairman. All three of you made 
profound statements with which I agree, and I thank you for 
being here. Does the United States engage in hacking into 
systems around the world?
    Mr. Bejtlich. Well, sir, it depends on what you mean by 
hacking. It has been reported in the press, I think as you 
would expect, that there are traditional intelligence 
operations the U.S. Government conducts, as every other country 
does. The significant difference, though, for the United States 
is that we don't steal commercial secrets and then give them to 
our domestic companies for the purposes of commercial 
advantage.
    Mr. Cleaver. The reason I asked the question, is I am 
following up on something that was said earlier, and that is, 
when we discover that a nation is in fact hacking into 
commercial operations or into the Pentagon, which I think has 
been done a couple of times, I am just wondering about the 
response, in a way that is more than saying, ``We know you did 
it,'' which is what I think we have said recently.
    That wouldn't stop me from robbing a 7-Eleven, if I were a 
7-Eleven robber, for somebody to say, ``Well, Cleaver, I know 
you did it.''
    Mr. Madon. Sir, I think that is precisely the point. You 
highlighted the essential problem, which is that it is 
incredibly ambiguous what exactly we are doing as a nation when 
our most valuable--our treasures are being stolen from us, 
left, right, and center. And I think having a transparent, 
concrete plan to address those issues is sorely needed.
    Mr. Cilluffo. Congressman, if I can build on that just a 
teeny bit, clearly, we need to penalize the perpetrators and 
the adversaries from this behavior and change their behaviors. 
To me, that does require articulating a clear cyber deterrence 
strategy, to deter, compel, and dissuade. Obviously, that is 
going to take on different instruments and instrumentalities 
based on both the perpetrator and the incident itself.
    But I feel we do have to be more transparent and be willing 
to speak about leaning forward. What good is having the 
doomsday machine if no one knows you have it? At the end of the 
day, of course the United States has the capability, but we use 
it in a very sophisticated and measured, commensurate kind of 
way.
    To Richard's point, a number of these countries are doing 
it to benefit their companies. That is an unfair playing field 
and U.S. companies are penalized greatly by the perceived and/
or real sins of others and we are getting our shirts cleaned in 
this case.
    So I do feel there is a way, and there are other 
instruments that can be brought to bear, both proactive, but 
also sanctions. The Administration recently promulgated an 
Executive Order that allows for using economic sanctions 
against cyber perpetrators.
    I think it is going to be put to the test really soon. We 
will see how it plays out in reality, if we can translate those 
nouns into verbs.
    Mr. Cleaver. Someone hit on this earlier, but is it 
possible--do we in fact have the technology now, or are we 
capable of producing the technology that would create a zero-
fail system?
    Mr. Bejtlich. Sir, in my experience there is no such thing 
as a non-hackable system, and I think that is what you mean by 
zero-fail.
    Mr. Cleaver. Yes. So, go ahead, Mr. Madon?
    Mr. Madon. And likewise, there will never be a system or a 
condition where attribution will be 100 percent. That is also 
an ideal. But I think it is a matter of weighing risks. And 
this revolution in attribution where technologies are advancing 
to the extent where we are very confident that certain attacks 
originated from a certain state actor, for example, I think 
that we are getting to a place where we can be comfortable with 
the amount of risk that we are taking on.
    Mr. Cleaver. After North Korea hacked into our system, Kim 
publicly said that didn't happen, we didn't do it. And so I was 
hoping on the next day we could produce something, some 
indisputable evidence that yes, you did it, and here is how we 
know you did it. Does that exist?
    Mr. Madon. That is the Treasury model, sir. That is 
precisely what we did with illicit finance. We confronted those 
nation-state actors with declassified intelligence and said, 
yes, you did.
    Mr. Cilluffo. Can I build on that, because I am going to 
throw a compliment in Richard's direction. Mandiant, in their 
report on China and their activity, that was the smoking 
keyboard. Very difficult to discern, but they did demonstrate 
smoking keyboards. You are starting to see attribution improve 
dramatically. Never to 100 percent. The smart actors are using 
proxies. They want the veneer of plausible deniability if they 
get their hands caught in the cookie jar.
    But there are other means than simply cyber forensics to 
get information on who is doing what, so we have other 
intelligence capabilities that can be brought to bear.
    Mr. Cleaver. Thank you.
    Chairman Duffy. The gentleman's time has expired. A smoking 
keyboard, that is quite an analogy.
    The Chair now recognizes the gentleman from Pennsylvania, 
Mr. Fitzpatrick, the vice chairman of this subcommittee, and 
the chairman of the Task Force to Investigate Terrorism 
Financing, for 5 minutes.
    Mr. Fitzpatrick. I thank the chairman. Mr. Cilluffo, the 
four nation-states that you mentioned in your opening 
statement--Russia, China, Iran, and North Korea--it seems like 
every time you talk about nation-states and cyber terrorism, 
those are the four nations that sort of roll off your tongue.
    I was wondering if you can discuss how each of those 
nations decide or select the subject of the attack and how it 
may differentiate between the four of them?
    Mr. Cilluffo. Excellent question, and not an easy answer 
because it is going to come in various sizes and forms. In 
China, we heard, and I think Richard said, it is a numbers 
game. They have so many bodies they can throw at the problem 
that they are quite sophisticated, deeply involved in not only 
military application and cyber capability but obviously in 
economic and industrial espionage.
    Russia, I think, is the more sophisticated actor of those 
two. They are integrating cyber into not only their war 
fighting but into their intelligence apparatus, which often 
includes human intelligence, according to the U.S. National 
Counterintelligence directorate of a couple of years ago. They 
lean so heavily on--and it is worth touching on proxies.
    So in China, we know military officers are moonlighting. 
After work hours, they are doing business for others. In 
Russia, what you have is more a criminal underground, that they 
turn a blind eye, but when the government wants them, they do 
their bidding. Which is maybe very different than Iran, for 
example, which is turning to its hacking underground, the 
Ashiyane network, the Basij. They are actually co-opting them 
into the fold, their activity, which is very different.
    So when the stakes are really high, the country that--and 
it is worth noting--so computer network exploiter, espionage, 
computer network attack is using attack mode. If you can 
exploit, you can attack. And there has been article after 
article after article on countries that have done the cyber 
equivalent intelligence preparation of the battlefield of, say, 
our electric grid. That has no economic value but it has 
significant value in a national security kind of setting. So I 
am concerned that if the intent shifts, the capability goes up 
exponentially.
    Now Iran, North Korea, they are less constrained perhaps by 
some of this activity, so they are going to be going to the 
cyber drive-by shooting equivalent, which is easily built 
because the bar is low, and also a more sophisticated 
capability.
    And it is worth noting, these are the countries we talk 
about. Every country that has a modern military has a cyber 
capability as well, so it is worth noting that.
    Mr. Fitzpatrick. Is it possible to know really whether the 
attack is coming from the state sponsor or from just a group of 
private hackers, say within Russia?
    Mr. Cilluffo. That is the $64,000 question. So the 2007 
attacks on Estonia, was that driven by the Kremlin? I think the 
messaging was driven by the Kremlin but I think in this case 
you actually had criminal actors engage in that activity. So 
that is where some of this forensics collection becomes so 
important.
    Mr. Fitzpatrick. Did you have an opinion as to the number 
of prosecutions or actions brought by the Administration in 
response to cyber attacks?
    Mr. Cilluffo. Not nearly enough. Right now, we are 
penalizing the victim. So I actually think that in Russia's 
case, you have a small number of actors who are responsible for 
developing most of the tools that are being used in the 
underground, or the malware, or the botnets that are being 
rented.
    If we could go after--I recently had the head of EUROPOL in 
and he said 80 percent of their attacks were coming from 
Russian-speaking countries. He had claimed there are about 150 
super-hackers. Maybe instead of spending billions of dollars on 
our cyber security, we should aggressively pursue those 150 
hackers.
    Mr. Fitzpatrick. Mr. Madon, on the subject of financial 
institutions, clearly, there is a public role in coordinating 
response and defenses, and a purely private role as well. But 
within the financial institutions, we have to encourage the 
institutions to be communicating with each other, to support 
each other.
    But also within individual institutions, is there a 
challenge of divisions of certain, say, banks or related banks 
in different countries, even within those institutions talking 
to each other?
    Mr. Madon. Of course that is the case, sir. But I think 
that the decision by many global financial institutions to 
create these financial intelligence units that cross the 
different verticals within the bank is a terrific effort. And I 
am seeing more and more of those units being created and being 
empowered and properly funded.
    Mr. Fitzpatrick. My time has expired.
    Chairman Duffy. The gentleman yields back. The Chair now 
recognizes the gentlelady from Ohio, Mrs. Beatty, for 5 
minutes.
    Mrs. Beatty. Thank you, Mr. Chairman, and Ranking Member 
Green. And thank you to our expert witnesses here today. I am 
not sure how I feel. I guess I wanted you to be able to answer 
Congressman Duffy's question by saying, yes, that some of our 
information is protected and safe and we could work through 
this and come up with a fail-safe system. But that does not 
appear to be the case.
    As I recall, in February James Clapper, the Director of 
National Intelligence, testified before the Senate Armed 
Services Committee, and in that testimony, he stated that in 
the future we might see more cyber operations that will change 
or manipulate electronic information in order to compromise its 
integrity--that is, its accuracy and reliability--instead of 
deleting or disrupting access to it.
    And obviously as members of the subcommittee who oversee 
the financial regulators, part of our role is to ensure the 
integrity of financial information.
    So I would like to know whether the panel agrees with 
Director Clapper's assessment of future cyber operations to 
manipulate data, and if you do, what can our financial 
institutions and regulators do to combat such attacks to ensure 
the prevention of manipulation of financial data?
    Mr. Bejtlich. Yes, ma'am, I agree with that assessment. The 
manipulation of data such that there is an effect, but no one 
really understands what happened. That is the top end of the 
problem. The way to counter that, and honestly, the way to 
counter all of these problems, in my opinion, is to have a 
strategy that relies on detecting the infiltration before the 
adversary completes the mission.
    In other words, we currently have delays of upwards of 200 
days or so between when an intruder gets into a network and 
someone notices. And the someone noticing, two-thirds of the 
time, is the FBI. That needs to change. We need to have a much 
tighter window so that when an intruder gets into the network, 
someone notices quickly and cuts them off before their 
accomplish their mission.
    So although we can't stop everyone from getting to the 
data, if we can stop them before they change it, steal it, or 
destroy it, then we win.
    Mr. Madon. I also agree with General Clapper on that. I 
would say there is another half of that equation, which is 
actually more disturbing. I mentioned this briefly, and that is 
the insider threat. So an insider threat can be a malicious 
employee who started in an organization feeling great about the 
financial institution, and then somewhere along the line became 
disgruntled. It could be a compromised system, or it could be a 
very sloppy employee.
    I think focusing these efforts also on the insider threat, 
and understanding your employee--financial institutions are 
becoming and have--are experts at knowing their customer. They 
are required to do that. I think it is time to also expand that 
to include knowing your employees.
    Mrs. Beatty. Okay.
    Mr. Cilluffo. Sadly, I too agree. We have actually seen it 
based in recent public cases as well that the data has been 
manipulated. But I think in terms of your oversight 
responsibilities, if I may be so presumptuous, what makes this 
committee so significant is a sustained campaign against our 
banks, markets, clearinghouses or other areas is the potential 
to erode trust and confidence in our very systems themselves.
    It is all about perception, and that is with markets, and 
that can include data manipulation. But there are backups. 
There are ways where you can stave off the bleeding, and I 
think both of the other witnesses said there is a lot more we 
can do in terms of detection.
    And I might note, of all the sectors of our critical 
infrastructures, yours is so much further along than others. I 
am actually worried about regional banks more than I am Wall 
Street. It is Main Street. It is all the regional banks and 
financial institutions outside of Wall Street that are going to 
be the primary targets.
    Mrs. Beatty. Okay, thank you. In my few seconds left, two 
of you testified that with corporations being at the tip of the 
spear in the question which related to public and private 
partnerships.
    What are the tools needed in the private sector, and if we 
start with regional banks, what are the tools they need to be 
in the game, to help themselves and us with them?
    Mr. Cilluffo. The financial services sector has what is 
called the Financial Services Information Sharing and Analysis 
Center, the FSISAC. It is the gold standard of information 
sharing and analysis centers. They have even gone so far as 
having automated information sharing in terms of known 
signatures and I.P. addresses through an entity called Soltra.
    So I think that we need to expand that beyond some of the 
bigger financial institutions to others, but there is a model 
to turn to and it is one that is actually working.
    Chairman Duffy. The gentlelady yields back. The Chair now 
recognizes the gentlelady from Missouri, Mrs. Wagner, for 5 
minutes.
    Mrs. Wagner. Thank you, Mr. Chairman, and I thank our 
panelists for being with us here today. As we have all 
discussed, cyber security is quickly becoming one of the 
largest threats to our country and carries severe national and 
economic security concerns. The studies have shown the number 
of security incidents in the United States every day range in 
the hundreds of thousands, and we seem to learn of a new major 
cyber breach almost every week.
    Earlier this year, millions of customers with health 
insurer Anthem had their personal information compromised, and 
just recently, as we have discussed over and over again and we 
will be in briefings later on today, the Office of Personnel 
Management announced that millions of confidential records on 
current and former Federal Government employees have been 
compromised.
    Not only does this represent a major threat and breach of 
privacy for the individuals whose information is compromised, 
but it hampers our ability to gather intelligence abroad, and 
empowers and emboldens foreign governments, many of whom are 
behind these attacks.
    In both of these instances that I mentioned before, we know 
the attacks are attributed to China, to their cyber unit that 
engineered the attack. However, what we don't know is, how is 
our government responding and helping to prevent attacks like 
this in the future?
    You all have talked about a number of risk factors out 
there and things that are being done, but clearly current 
actions by the United States to address specifically Chinese 
and Russian cyber space capabilities is not sufficient. And I 
never, ever like it when the U.S. Government is in a reactive 
mode. Nor do I like to hear that it takes upward of 200 days to 
notice an intruder.
    As some of you talked about building, we just seem to be 
reacting, building that firewall higher and higher, yet wow. 
Why is it taking upwards of 200 days for us to notice, 
recognize an intruder? Would anyone like to respond to that?
    Mr. Madon. Sure, I couldn't agree with you more, ma'am. 
There are certain things we can do. One is, as I mentioned, 
enhancing Section 314(b) of the USA Patriot Act, which will 
allow financial institutions to share information about cyber-
related financial activity within their sector without 
liability. So enhancing those safe harbor provisions is 
absolutely critical to that.
    Mrs. Wagner. Mr. Madon, let me interrupt. I believe the 
House has moved on that through CISPA, and on a voluntary 
basis, as agreed for that kind of sharing, both within industry 
and in the government, if they voluntarily choose to. Is that 
correct?
    Mr. Madon. Yes. So I think the safe harbor, not just trends 
of cyber information but specific, pointed information that 
banks can share with each other.
    Mrs. Wagner. Right.
    Mr. Madon. So expanding it not just between the private 
institutions and the government, but also within and among 
financial institutions.
    Mrs. Wagner. Without liability.
    Mr. Madon. So what I am saying is, start the conversation, 
figure out a way to enable that, because if there isn't a 
conversation and sort of a template that banks and financial 
sector institutions can use, then the information simply isn't 
going to flow.
    So I am not saying it is easy, ma'am, and it would take 
quite a bit of thought, but I think that if the conversation 
begins in bringing in the private sector to come up with 
creative solutions, there is a possibility.
    Mrs. Wagner. I think you are right. Let me ask you also, 
Mr. Madon, while I am at it, are there currently adequate 
international frameworks in place governing nation-states' use 
of cyber attack?
    Mr. Madon. In short, no. I don't think there are. But I 
think what we can do is again look at the Treasury model and 
look at the financial action task force as a model, which is an 
international body which sets international standards and norms 
on anti-money-laundering, accounting, the financing of 
terrorism and proliferation financing.
    We can use that FADV model in a cyber context as a way of 
bringing the nation-states to work in a FADV-type body and 
assess implementation and effectiveness of international norms 
and standards.
    Mr. Cilluffo. Can I add just very briefly?
    Mrs. Wagner. Yes.
    Mr. Cilluffo. There are some initiatives out there. The 
Council of Europe, for example has a cyber crime convention 
which I think is at least a starting point in terms of inducing 
changes in behavior.
    But I think the bigger issue here is we do need to 
articulate a clear deterrence strategy, and we don't deter 
cyber. We deter actors, so it will have to have a deterrence 
strategy that is focused on all the different perpetrators and 
actors and what the commensurate penalties and response will 
be.
    So I think there is an awful lot that needs to be done, and 
I think we actually need new cyber alliances. Let's start with 
our five-eyes community--the U.S., the U.K., Canada, New 
Zealand, and Australia--and build that out to our transatlantic 
partners in Europe, then start building out, building that out 
to allies in Asia, Japan, Korea, in the Middle East, Israel, 
and on it goes. We haven't really had those conversations in a 
significant kind of way.
    Mrs. Wagner. Thank you very, very much.
    I apologize for going over, Mr. Chairman. I yield back.
    Chairman Duffy. The gentlelady yields back. The Chair now 
recognizes the gentleman from California, Mr. Vargas, for 5 
minutes.
    Mr. Vargas. Thank you very much, Mr. Chairman. Again, thank 
you for this discussion. It is interesting today to hear some 
of the words that came out: smoking keyboards; stop the 
bleeding; doomsday machine. It almost seems like a 1960s movie 
in some ways. Hopefully, it has a happy ending.
    One of the things that did strike me was that you said we 
need to have a robust discussion in our country, and I think we 
are starting to have that, to be frank. Everyone is afraid of 
losing their personal information, especially their Social 
Security number.
    And we need to penalize the cyber criminals. That gets 
tough if they are the top-ranked nations, foreign nations. That 
is a difficult situation. We need to lean forward. We have the 
capabilities, the doomsday machine. What doomsday machine? I am 
not familiar with any doomsday machine.
    Mr. Cilluffo, I think you are the one who mentioned we 
have--what doomsday? What are you talking about?
    Mr. Cilluffo. It was meant to demonstrate that we have 
offensive capabilities that can be brought to bear as well. And 
if you don't articulate, and to some extent be transparent 
about that, perpetrators--
    Mr. Vargas. Let's talk about that, because I think what you 
meant is maybe disrupt them. In other words, if they are 
disrupting us, we disrupt them more. Is that what you mean? 
What do you mean by these capabilities?
    One thing is trying to find out who they are, and it sounds 
like we have the capabilities to do that, to figure out now who 
are the perpetrators. It seems like we are getting better and 
better at that. So we find out it is Russia. What do we do?
    Mr. Cilluffo. That is way after-the-fact, though. So to 
Richard's point, there are steps that can be taken left of 
boom, or in this case before an actual breach and/or incident 
occurs. And in terms of some of our capabilities, sometimes all 
you need to do is demonstrate that and that has a net deterrent 
effect, or it can dissuade. It can raise the stakes, make the 
penalties so high that they may decide not to engage in this 
activity.
    So what we are really talking about is inducing changes in 
behavior. If people feel that they can get away with this and 
get away with this in a wanton kind of way, you are going to 
see more and more and more and more activity. So the point is, 
how do we shift that equation where you raise the costs.
    Mr. Bejtlich. Sir, if I could just quickly say, this is 
sort of like an American football game where you have the 
Patriots versus the Broncos. Tom Brady plays against the 
Broncos' defense and Peyton Manning plays against the Patriots' 
defense. We need our Tom Brady going against their Peyton 
Manning. In other words, our offense disrupting their offense.
    Mr. Vargas. I like the football analogy. I was a 
linebacker. I like the blitzing linebacker. It is fun to tackle 
the quarterback. But I guess my question really is, it seems 
like you could figure out who these guys are, but then how do 
you punish them? Really honestly, at the end of the day, how do 
you go and punish them? You have all these companies in China 
that are stealing our information. How do you at the end of the 
day punish them other than strict sanctions? How do you do 
that?
    Mr. Bejtlich. Sir, at the operational level I have seen 
these guys attacking targets and slowing down and not being 
able to accomplish their mission because of friction introduced 
by the defender. If you are an attacker and someone is suddenly 
attacking your system, kicking you off the target, kicking you 
off your own system, maybe deleting your system, that raises 
the cost quite a bit.
    And many times we think that these guys are 10 feet tall 
and bullet-proof. There are guys who are sitting in uniform, 18 
years old, following a script, essentially.
    Mr. Vargas. Let me get to one thing I did want to get to 
before my time runs out, and that is, you did talk about Social 
Security, that if someone's Social Security number is hacked, 
there should be some protocols in place or something to be able 
to put that person back to where he or she was.
    Why don't you talk a little bit about that, because I think 
people are very interested in that.
    Mr. Bejtlich. Yes, sir. So when you steal a credit card and 
you lose a credit card, there is basically no cost to recover 
from that. When you lose your Social Security number, when you 
lose your healthcare records, I don't know how you recover from 
that. You are looking at unbounded cost.
    We need to replace the Social Security number with 
something that if it is public, it doesn't matter. We need to 
move to a system where we acknowledge that if the data gets 
out, there is a way for the customer to recover from that. And 
right now, when a Social Security number is used as a method of 
identification and authentication--if you know my Social, you 
can log into Web sites essentially, and that has to be changed.
    Mr. Vargas. Anyone else want to comment on that? Because I 
think that is important, something that a little thinking 
outside the box. Would you like to comment on that, sir?
    Mr. Madon. Sir, sorry, on your former point I would say you 
mentioned sanctions. And I just point to the incredible work 
that the Executive Branch and Congress did--
    Mr. Vargas. If I could interrupt you for just one second. 
One of the things that was interesting--I am from California 
and of course we have great capabilities there. The FBI and the 
Treasury have been named over and over again as models of doing 
a good job. Private companies are also, and I think that is 
important to know because it seems today that we are talking 
mostly about the good work that the Federal Government has 
done, but California also--
    Mr. Cilluffo. Mr. Vargas, could I just pick up on that, 
because I actually think the future is within the private 
sector, and not only domestically but also in cooperation, 
concerted efforts with others.
    Mr. Vargas. Thank you. My time has expired. Thank you, Mr. 
Chairman.
    Chairman Duffy. The gentleman yields back. The Chair now 
recognizes Mr. Tipton from Colorado for 5 minutes.
    Mr. Tipton. Thank you, Mr. Chairman.
    I appreciate you bringing up the Broncos and the Patriots. 
I am out of Colorado, so, this is very disturbing, obviously, 
in terms of the real threats that we are going to be facing as 
a country.
    Mr. Cilluffo, you were talking about penalizing the risk 
victims, and I happen to agree with that. We are going after 
the banks who didn't--or, even Home Depot, I think that was 
cited earlier, in terms of testimony, as opposed to the 
culprits who are perpetrating the crime.
    A lot of my concern that I see is when we are looking at 
the Chinese as an example, we have heard the reports that they 
have our plans for the F-35. They were able--not only coming at 
it from an economic standpoint, but also from a military 
standpoint as well. And, we are talking about the doomsday 
machine when we are--staying with the football end of this, its 
said that the best offense is a good defense.
    I understand being proactive, so how do we find that proper 
balance? As a Nation, shouldn't we be incredibly concerned if 
they are able to get into our military industrial complex to be 
able to steal some of our best technology? And, then we move 
into the financial end of the world, and our bank accounts are 
going to be exploited, and then we can shut down the electrical 
grid as well.
    How do we get those components together to be able to be on 
the offense?
    Mr. Madon. Sir, that is a great concern, and I actually 
share the view that the private sector is very much a part of 
the solution to that.
    Some of the reforms that I mentioned earlier are a rewards 
program for groups to uncover and identify cyber hackers to 
U.S. courts and authorities; empowering the victims of attacks 
to sue the perpetrators, and those benefiting directly from 
cyber infiltrations, just as victims of terrorist attacks can 
do so today.
    And, also, unleashing cyber forensic teams, and private 
litigants, and plaintiffs' lawyers against those attacking U.S. 
systems.
    Mr. Tipton. Now, what are we going to do? There is 
something called sleep malware that can be put into a system to 
be activated at a later time. When we are identifying some of 
the threats that are going to be in place against us--if it is 
just sitting there, and it is late, and it is not doing 
anything, can we identity that now?
    Mr. Cilluffo. Actually, that is an excellent point, because 
most breaches today occur vis-a-vis or through vulnerabilities 
in your supply chain, or third-party vendors. And until you 
start looking at this issue holistically, that is a legitimate 
vulnerability we need to be thinking about.
    I might also note, though, the defense industrial base, 
they do have unique pilots, vis-a-vis, information sharing with 
the public and the private sector with government--along with 
the financial services sector. I think they are up there, but 
even they, as we saw, have been successfully hacked--whether it 
is RSA, you name the entity. They have been hacked to one 
extent or another.
    I am going to take a different approach--I think the 
economic instruments here could be very valuable and useful. I 
actually think China, long term, will have enough to lose that 
they will recognize that there is some change in behavior that 
they need to consider and think about, unfortunately it is not 
there now. They are seeing immediately in front of them, why 
spend billions on R&D if we can just steal it, and spend it on 
gaining market share.
    But, at some point they will have market share that they 
are really concerned about, but I do think that could level it 
out a little bit, which is different than actors that want to 
cause harm. So,--that are driven--and I am not suggesting China 
doesn't, because they are investing in a military technologies 
as well, but that is something we need to be thinking about.
    Mr. Tipton. Do we have an issue, as a country, when we are 
having software, as an example, maybe being written in China? 
Coming into our country, and then we start bringing into the 
component of it, trust your employees--we have technology that 
we are using in our systems right now that is being written 
overseas. Is that something that we need to examine?
    Mr. Bejtlich. Yes, sir, it is absolutely a concern, and, in 
fact, the top end attackers, when they realize they can't get 
into a target technically using the cyber component, they try 
to get their nationals hired as programmers in sensitive 
companies.
    Mr. Tipton. And secure coding, that is something the United 
States ought to be investing in. If we built planes the way we 
code for software, none of us would ever fly. So, at the end of 
the day there are initiatives from a STEM education standpoint 
that we can be looking at in terms of secure coding and the 
like.
    Mr. Madon. There are companies out there, like my own, 
which is looking very much at the inside threat which a 
compromised system would be, so that when that malicious 
software fires up it is identified within the system. So, there 
are tools, and techniques out there to identify those problems. 
It is not foolproof, but they exist, and getting better.
    Mr. Tipton. Thank you, Mr. Chairman. My time has expired, 
and I yield back.
    Chairman Duffy. The gentleman yields back. The Chair now 
recognizes the ranking member of the subcommittee, the 
gentleman from Texas, Mr. Green, for 5 minutes.
    Mr. Green. Thank you, Mr. Chairman. I thank the witnesses 
as well, and I greatly appreciate your testimony.
    You have spoken of an offensive tactic, or strategy, if you 
will. And, what you seem to be saying is rather than have a 
firewall, create a backfire; fire back. Be offensive. Let 
people know that there are penalties, that there is a price to 
pay for encroaching upon our technology and our systems, our 
software.
    Now, is there technology currently available such that we 
can now, without attribution, without the certainty of 
attribution, attack the source without having actual 
attribution?
    Mr. Bejtlich. Sir, the U.S. Government has unique 
attribution capabilities to trace all the way back to the true 
source of an activity. This is one of the few areas I disagree 
with my co-panelists in that I don't feel that it is the role 
of the private sector to be doing hack-back. We can enable 
attribution, we can help through our own forensic 
investigations, figure out what is happening.
    I would much rather see the private sector engage in 
finding intruders and removing them quickly, and leave the 
power of striking back at the adversary as part of the state's 
monopoly of force.
    Mr. Green. Yes, if we had this unique ability to strike 
back at the point of origin, what is it that causes us to 
hesitate, if indeed we are hesitating?
    Mr. Cilluffo. Congressman, first, for the record, I don't 
advocate hacking back. I think there is a lot that can be done 
in terms of proactive forensics collection, but, one thing--and 
you used fireback, I look at it more as suppressive fire so you 
are protecting your systems. The challenge with some of the 
technology--
    Mr. Green. Excuse me, if I may, I really am not talking 
about suppressive fire. I appreciate your--
    Mr. Cilluffo. No, I was saying--
    Mr. Green. --I understand, but what I would like to know is 
what can we do to the hacker that is actually attacking our 
system. Why can we not? If we know that the point of origin is 
a certain place, why can't we go to that place and take 
offensive action as opposed to continuing to be on the defense?
    Mr. Madon. Sir, at a minimum, we can remove them from the 
formal financial sector. We can--
    Mr. Green. --No, no, no, I am not--I am talking about 
attacking that system. What is it that prevents us as a part of 
our counter measures, our defense becomes an offense of 
attacking that system that is attacking us?
    Mr. Cilluffo. Friendly fire?
    Mr. Green. I don't--
    Mr. Cilluffo. --because there could be innocents along--in 
other words, exploiting other systems that you would be taking 
down, and god forbid, one manages a hospital in Pyongyang--
    Mr. Green. --I see, but--
    Mr. Cilluffo. --or whatever it may be.
    Mr. Green. Well, I needed to hear that.
    Mr. Bejtlich. Sir, I think there is also a gain-loss in the 
intel community which says they would much rather watch the 
fireworks then let the adversary know that they see the 
fireworks by interfering with their system. So, there might be 
some resistance that has to be overcome.
    Mr. Green. All right, let's talk about credit cards for 
just a moment. It is my understanding that you can go online 
and buy credit card information. I am interested in seeing this 
actually happen--seeing a demonstration of this kind of 
activity. I understand that if you are sophisticated enough, 
you are supposed to be able to do this, and people are actually 
buying credit card numbers, and they are buying social security 
cards.
    Is there any place available to members, or more 
specifically to me so that I can get a demonstration of how 
this actually works?
    Mr. Bejtlich. Sir, there are companies out there that 
investigate this sort of behavior. It is not something we do at 
FireEye. You may actually be able to find some banks who will 
show this because one of the ways they validate they have been 
hacked is to go out and buy a sample of these credit cards to 
determine if it came from their system. And by doing so, they 
initiate a response.
    Mr. Green. Are these available--is the credit card 
information available to just anybody? Can anybody go online 
and find this information and buy the--so that I can steal 
another person's identity? Actually buy this information? Is it 
available?
    Mr. Bejtlich. It is available, but you tend to have to be a 
vetted person who is brought in by another criminal.
    Mr. Cilluffo. It is referred to as the Dark Web, so there 
is the cyber equivalent of black markets, and it is worth 
noting that credit card data is now going for cents on the 
dollar whereas health care records are going for much more 
because the potential to commit fraud and the likelihood of 
getting caught is less.
    And, also worth noting in particular, they are going after 
children's health records because they are not checking their 
credit until they are 18, so you could have 10 years of fraud 
committed against you.
    Mr. Green. Are you of the opinion that the penalties for 
identity theft are sufficient? Do we have sufficient mandatory 
penalties, do we need stiffer penalties for identity theft?
    Mr. Bejtlich. Sir, I think the penalties probably are harsh 
enough. We just had a prosecution of someone who ran something 
called the ``Silk Road,'' and he essentially got life in prison 
for running an underground site.
    Chairman Duffy. The gentleman yields back. The Chair now 
recognizes the gentleman from Maine, Mr. Poliquin, for 5 
minutes.
    Mr. Poliquin. Thank you very much, Mr. Chairman. I 
appreciate it, and I thank all of you gentleman for being here 
today.
    This is a very sobering exercise for a lot of us who are 
not experts in the area that you folks are in. We have to--as a 
country, I believe, stay on offense when it comes to a lot of 
these issues, and Congresswoman Wagner commented on that a 
little bit. And, what I have heard today where you have not 
only terrorist organizations, and you have organized crime, but 
you also have sovereign states.
    You have countries that are supporting cyber attacks 
against our infrastructure, our health insurance companies, our 
cell phone companies, military installations, and this is, as 
we all know, very serious stuff. It threatens our way of life, 
our economy, jobs, and when our economy can't function because 
of these sort of threats then we can't generate the tax 
revenues that we need to defend ourselves.
    This is really serious stuff, and there is a big cost to 
this, and I understand that. I don't understand all the 
specifics, but I understand there is a huge cost to our country 
in doing this. So, in anything in life, any organization you 
need to have leadership. If you have leadership and you marshal 
the resources of a country like ours to address a problem, I am 
certain we can do that, and it sounds like we are not doing 
that, and we are not staying on offense in a coordinated way as 
much as we can be.
    So, my question to you, and I will start with each of you, 
whomever would like to go first, Mr. Cilluffo--am I pronouncing 
it right?
    If you were the President of the United States, and you 
controlled one third of our government, and you were the 
Commander in Chief, what would be the one thing that you would 
do to fix this problem?
    Mr. Cilluffo. A great question. I wish there was one silver 
bullet I could turn to address this, but, by and large, I would 
look at owning the interagency piece. Do all that we can to 
enhance not only our own cybersecurity, but also demonstrate 
our capability. Articulate a deterrent strategy, articulate the 
penalties, follow through. There are a lot of nouns, not a 
whole lot of verbs. We have to follow through. These bright 
lines are being transgressed regularly.
    And, more importantly, I would find ways to build on the 
private sector's capability--
    Mr. Poliquin. Okay. Let's drill down a little bit more, if 
I may, Mr. Cilluffo. We are not the only country that has this 
problem. We know who the bad actors are, right? Russia, China, 
North Korea, and Iran when it comes to state sponsoring of 
these cyber attacks. So, other developed nations across the 
world have these same problems. A lot of our friends in Europe, 
for example, and the Pacific Rim.
    So, my question is, wouldn't part of this activity to stay 
on offense as a country, to protect our homeland, protect our 
economy and way of life, and our freedom include coordination 
with other--
    Mr. Cilluffo. Unequivocally.
    Mr. Poliquin. With other people around the world?
    Mr. Cilluffo. Unequivocally.
    Mr. Poliquin. And that can be done, correct?
    Mr. Cilluffo. It can, and it has not--
    Mr. Poliquin. --and it has not been done, correct?
    Mr. Cilluffo. Not to the extent it needs to be done.
    Mr. Poliquin. Mr. Madon, what do you think? If you were the 
President of the United States and you had all these resources 
at your disposal, what would you do?
    Mr. Madon. I would call a meeting together with my staff 
and say, ``What authorities do I have to hit them back, hit 
them back hard, and do it publicly? Very publicly?''
    Mr. Poliquin. And, that would include, clearly--because you 
mentioned this before, dealing with international law, or the 
development thereof, to make sure that those that are 
responsible for this are held accountable because in many 
cases, it seems to me, that we probably have the resources to 
find out who these people are.
    We certainly know who the countries are, correct?
    Mr. Madon. Absolutely, sir.
    Mr. Poliquin. Mr. Bejtlich?
    Mr. Bejtlich. Sir, I would first accept that the government 
is compromised. We need to go out there and find these guys 
now. We have to do that.
    Mr. Poliquin. When you say the government is compromised, 
do you mean in a case like China, or Russia? Is that what you 
mean?
    Mr. Bejtlich. There are intruders in the network. We need 
to go out there, find them, and kick them out. That will be the 
first message we send, is that we see you, and we are doing 
something about it.
    Mr. Poliquin. And we have the resources to do that, in your 
opinion?
    Mr. Bejtlich. I don't know, sir, if we have the resources 
necessary.
    Mr. Poliquin. Do we need to do anything here, anything in 
Congress? Do you have the legislative support that you need, or 
anything else that we can do in Congress to make sure that we 
have an opportunity to stay on offense with respect to this?
    Mr. Bejtlich. I think a reinterpretation of the FISMA law 
that focuses more attention on detecting and responding to 
intruders, and less on building up the walls might be 
necessary.
    Mr. Poliquin. Okay. Great. Anything else from any of you?
    I appreciate very much you being here to help educate us. 
Keep this country on offense to stop this. Mr. Chairman, I 
yield back.
    Thank you very much.
    Chairman Duffy. The gentleman yields back. Without 
objection, members of the full Financial Services Committee, 
who are not members of the subcommittee, may participate in 
today's hearing for the purposes of making an opening 
statement, and asking questions. We do have Mr. Royce from the 
full committee. Mr. Royce is also chairman of the House Foreign 
Affairs Committee.
    Mr. Royce, you are recognized for 5 minutes.
    Mr. Royce. First, let me thank Chairman Duffy, because we 
are looking at the same issue in the Foreign Affairs Committee. 
I thought I would pursue a line of questioning here. There are 
some questions that--they are brief questions, but they are a 
little complicated. I will start with Mr. Cilluffo and ask him 
what constitutes an act of war in cyberspace?
    Mr. Cilluffo. I am not sure we have enough time for me to 
try to explain--
    Mr. Royce. Oh, try to be succinct.
    Mr. Cilluffo. If it does affect our national and economic 
security, and it is driven by a nation-state actor, Article 5 
could be triggered. For example, in the NATO context, if Russia 
engaged in a computer network attack against Lithuania, that 
doesn't have to be a military attack, it can also be on 
civilian infrastructures.
    Mr. Royce. So, in terms of our obligations with NATO, you 
see the possibility here that cyberwar and cyber terrorism, or 
the actions taken, depending upon the extent of it, could be so 
interpreted?
    Mr. Cilluffo. Absolutely. I mentioned earlier Five-Eyes, 
NATO, Transatlantic, and then bilats with Korea, Japan--
    Mr. Royce. You are listing a lot of treaties here that we 
are in--it is an interesting question because obviously, in the 
case of North Korea hacking into the banking system of South 
Korea, you had that special bureau in North Korea. It gets even 
more complicated because I think those individuals were doing 
some training up in Moscow.
    I think they were training them, but, as we dig deeper and 
deeper into this, this is, sort of, the trip-wire that we are 
discussing here because they were intending to bring down the 
banking system in South Korea, and, in fact, did quite a job of 
making it possible for a few days for that to work. I always 
wondered where they got the expertise in North Korea to do 
that, but, who in the Administration decides what is an act of 
cyberwar, or cyber terrorism, or cyber vandalism as the 
President called that Sony hack--cyber vandalism.
    Who makes that decision in terms of differentiating how we 
designate one of these assaults?
    Mr. Bejtlich. Sir, from what I have seen, it is the 
President's call.
    Mr. Royce. And how, if at all, is the Administration 
responding differently between cyber attacks from inside the 
United States to those that are generated from outside the 
border of the United States?
    Mr. Bejtlich. Sir, from the perspective of attacks that are 
conducted by people in the United States, we generally have the 
law enforcement capability to find them, apprehend them, and 
prosecute them--which is a capability that does have some 
effect here.
    Mr. Royce. Does this call into question whether the 
Pentagon should have the capability if this is, as you have 
indicated, an act of war to a certain point? That we should--
once upon a time, Billy Mitchell sort of drove our policy by 
dropping that test bomb on that battleship closer than he was 
supposed to, to make a point that we needed an air force. We 
needed a new branch of the service, basically, because this was 
going to be a new form of warfare, and along came Pearl Harbor 
and proved Billy Mitchell--he may have been court martialed for 
it, but he was absolutely right.
    We needed a separate branch. We needed an air force. Are we 
in a situation now where because--and let's face it--we have 
advanced warning on this in terms of what Iran intends and some 
of the other actors intend, to say nothing of some of the other 
terrorist organizations that now call themselves a state. They 
have announced that this is a cheap way for them to carry out 
war against the infidel, or war against the United States--
    Mr. Bejtlich. Yes sir--
    Mr. Royce. Are we at that point where we need to consider 
this in terms of our national security in the same way during 
World War Two that it dawned on us that we needed a separate 
branch of the service, the Air Force, in order to handle a new 
mode of warfare?
    Mr. Bejtlich. Yes, sir, I tend to lean tend towards the 
creation of a cyber force, and I have some pending research on 
that topic.
    Mr. Cilluffo. Congressman Royce, if I can build on that, it 
really is about delineating Title 10 activity within our armed 
services community.
    Right now, I think some of the intelligence activity trumps 
some of the Title 10 activity. I do think we have to get to the 
point where we can stand up combatant commands and, at some 
point, I, at the very least, see cybercom being, firstly, a 
full combatant command, not part of strategic command. And, 
also, more in a Title 10 hat than its Title 50 hat coupled with 
NSA.
    Mr. Royce. And that leads me to the next question, which 
is, how far along is Moscow on this? If they are at the point 
now where they are taking from the North Korean bureau 
responsible for cyber attacks, taking students into Moscow and 
teaching them these capabilities--I read this in the paper, I 
don't have the details on it, but it is pretty obvious that 
they got the training somewhere.
    If they are setting up and using proxies, and have become 
that aggressive, how far along are they, apparently, in setting 
up a separate department and giving them this charge--this 
responsibility, in terms of their offensive capability.
    Mr. Madon. Sir, I think it is quite evident from the 
attacks that we have seen that they, the Chinese, and our 
adversaries, are quite far along. And, I think that our 
response needs to be vigorous, and needs to be extremely 
public--
    Mr. Royce. We are behind them, in other words. We are not 
as far along as they are in terms of defense. Thank you very 
much.
    Chairman Duffy. The gentleman's time has expired. The Chair 
now recognizes the gentleman from Arkansas, Mr. Hill, for 5 
minutes.
    Mr. Hill. Thank you, Mr. Chairman. I appreciate the 
opportunity. Excellent topic. It deals on our committee hearing 
that we had the other day on cyber security issues. We have--I 
am working 60 cases in Little Rock of doctors who have had 
their identity stolen for filing their tax returns this year. 
So, it is a real-life issue, and certainly in Little Rock, 
Arkansas.
    And, one thing that struck me--we talk a lot around here, 
and we have our budget priorities, and the Administration has 
their budget priorities of the flavor of the month, whether it 
is environment, or something else, and yet, I think one of the 
biggest risks that we have are the IT systems of our Federal 
Government.
    And we haven't talked much about that today. The IRS, of 
course, their disclosure--I thought West Virginia was 
impenetrable, but perhaps not. And, we had the HUD Secretary in 
last week, and his IT system was probably put in when President 
Johnson was in office.
    So my question is, can you asses for me the risk we have 
with the data maintenance systems of our domestic agencies? 
Obviously, OPM will have a classified briefing today on it at 
1:00.
    Mr. Madon. Sir, I think it is unfortunately very apparent 
that it is underfunded, it is underresourced, and that there 
are true institutional challenges with those systems. It is a 
reminder that our information doesn't necessarily have to be 
highly classified to be critically important. And, I think it 
calls for funded, comprehensive review of the risk exposure 
across the Federal Government.
    And, I think what they will find is that they 
vulnerabilities--there are standard vulnerabilities across the 
enterprise, but also specific vulnerabilities for each 
institution. And, I think that the solutions have to be a 
funded mandate to take care of those risks and vulnerabilities.
    There are too often unfunded mandates that give confusing 
guidance to some of these institutions and departments, and I 
think a very crystal clear funded mandate to get these IT 
systems up to par is critical.
    Mr. Hill. I agree with that, and I am concerned on both 
sides of the aisle that there is a lot of--Congress likes to 
dole out punishment to Executive Branch agencies that are bad 
actors, of which there are many, and the list is long and 
painful, but in the IT and data security area, I think that is 
the wrong place for Congress to withhold critically needed 
funding, which affects all of our data. So, I think we should 
be concerned about it.
    Mr. Cilluffo, you made a comment about regional and smaller 
banks. I am a former CEO of a--and active in the regional 
banking arena. And next to consumer laws and credit quality, I 
would say IT security is the number one thing banks spend money 
and time on, both in their capital expenditures budgets, and in 
their operating budget.
    I think if more businesses operated in that manner, we 
would be a lot better off. So, a second question on the Federal 
systems, are they spending adequate time in penetration testing 
of our Federal IT systems? Something we have spent 24 hours a 
day, and hundreds of thousands of dollars a year on in my 
business.
    Mr. Cilluffo. First, and I also do think that the financial 
services sector serves as a model for other sectors of our 
critical infrastructure, but if you take JPMorgan, spending 
$250 million, had 1,000 people devoted, they did everything 
just right, and they still got hit. So, at the end of the day, 
it is more than just resources.
    On the pen-testing side, and I think my colleague said it 
just right, policy without resources is rhetoric. Most of the 
systems that we have today are built on weak foundations. In 
other words, you can have all the complex security, but if it 
is built on quicksand, or if a home is built in a flood area, 
it is still going to get flooded no matter how advanced the 
system is. So, I do think pen-testing is critical.
    But, I also think it has to be more than a check-the-box 
kind of mentality. So, it shouldn't just be advanced warning. 
We all know there is going to be a pen-test, there should be no 
warning pen-tests that can be done in a simulated kind of way 
that doesn't affect the day to day operations of the 
organization. So, exercise, exercise, exercise, and exercise 
yet again is the answer.
    Mr. Bejtlich. And, sir, just quickly, before you do the 
pen-test, in other words, checking to see if you can get into 
the front door, you should go in the house and see who is 
already there.
    Mr. Hill. Yes. I yield back.
    Chairman Duffy. The gentleman yields back. If the panel 
would agree, the ranking member and I would like to do a second 
round. We have a few more minutes. Thank you. The Chair then 
yields himself 5 more minutes.
    We have a lot of government agencies that collect 
information. Sometimes these agencies hold on to this 
information. Is the risk to Americans greater if not just their 
financial institution or their hospital has information, but 
the government also collects this information and houses it as 
well? Is it a double risk to the American citizen?
    Is that a yes?
    Mr. Madon. Yes. That is as close to a factual statement, 
absolutely, and I think part of the challenge is it is 
currently not a thoughtful approach. Right? There is obviously 
information that should be kept and held, and I think--but it 
should not be rote. It should be something that is considered, 
and thoughtful and there should be a true look at what 
information we are holding, and whether it is important or not.
    Mr. Bejtlich. And, also, sir, a presumption; what happens 
if this data is stolen.
    Chairman Duffy. I want to hear that--I only have 5 minutes. 
I want to hit a couple of different issues.
    So, I would imagine that terrorist organizations maximize 
their capabilities against America, and our allies. Whatever 
capability they have, they will use against us. So, if they 
have the capability of taking down an electric grid, they 
probably would. Fair enough.
    Since they haven't done that, they probably don't have that 
kind of capability yet. Is that a fair assumption on my part?
    Mr. Cilluffo. That is fair. The one flipside is they are so 
dependent for their own tradecraft on some of this that they 
may at least think about it in a calculated way. But, yes, if 
they have the capability, they will use it.
    Chairman Duffy. But is it fair to say too that the Chinas 
and the Russias of the world probably have the capabilities of 
doing some catastrophic damage to critical infrastructure, if 
they so choose?
    Mr. Cilluffo. You bet.
    Chairman Duffy. I want to give you all a chance, but I only 
have 3 minutes left. If we could quickly hear about the dangers 
of hacking back. I know Mr. Cilluffo, you don't agree with 
that. I don't know if Mr. Madon, or Mr. Bejtlich, quickly, do 
you guys think that is a good idea or a bad idea?
    Mr. Bejtlich. Governments can--government-conducted 
operations, I am okay with. Private sector, I would not be okay 
that.
    Chairman Duffy. Mr. Madon, you can be a contrarian if you 
want.
    Mr. Madon. And I am going to be somewhat okay.
    Chairman Duffy. I thought you would be.
    Mr. Madon. And that is that I think it is important to 
start the conversation, and I understand that attribution is an 
incredibly important part of that conversation, but I think to 
just discredit the value that the private sector could bring to 
this fight, without really deep consideration, we do so at our 
own peril.
    Chairman Duffy. Okay.
    Mr. Cilluffo. And, rules of the road are important here, 
Mr. Chairman. You need clarity. So, before you do anything, you 
need to know what is--
    Chairman Duffy. Strict guidelines.
    Mr. Cilluffo. --and what is acceptable behavior.
    Chairman Duffy. So, you get a chance to talk to Congress. I 
will ask each of you to give me the top two priorities that we 
should have in this institution to help protect, and to fight 
back in this game of cyber war. What are two takeaways from 
each of as a top priority?
    Mr. Bejtlich. Sir, my first priority would be find the guys 
who are already in the network, and kick them out. And, then 
secondly, based on what you learn during that exercise, figure 
out what you have to do in order to find them the next time 
they get in, and kick them out faster. And then eventually, get 
your defenses in order so that it is much, much less likely 
that they can get in the first place.
    Chairman Duffy. And, did you say that we don't have that 
capability? Or, you are not, because, obviously we would have 
kicked them out of OPM if we had the technology.
    Mr. Bejtlich. You are right.
    Chairman Duffy. So, you are saying that has to be 
developed, that has to be a focus?
    Mr. Bejtlich. Right. We need to fund that, sort of, 
strategy, and also the technology, and bring it in to do that.
    Chairman Duffy. Mr. Madon?
    Mr. Madon. One, explore offensive strategies that have 
worked in the past as a holistic government solution, and take 
those strategies and use them as a template for the next 
aggressive cyber campaign. That is one.
    Two, truly consider the insider threat, as my colleague was 
mentioning. That often gets short shrift in the cyber debate. 
So, that would be highlighted.
    Chairman Duffy. So you are telling us to think outside the 
box, use all the reasonable tools at our disposal?
    Mr. Madon. Yes, sir.
    Chairman Duffy. Mr. Cilluffo?
    Mr. Cilluffo. Firstly, to support the--as my colleague just 
mentioned, some of our computer network attack capabilities to 
ensure that we continue to be the most sophisticated actor in 
this domain.
    Provide the ability to articulate what a deterrent strategy 
is, and then should a perpetrator transgress, be willing to 
stand up in a unified kind of way to respond commensurately.
    And ultimately, ensure that you have some of the members 
and staff who are technologically savvy and can serve as 
advisers at all times because policy technology people--and you 
have great people here, so lean on them.
    Chairman Duffy. I will. Listen, I think this has been 
fascinating testimony. Talking about our security, I think we 
might get to this hearing without you having to answer 
questions about servers in other locations, and that is--
anyway.
    Ranking Member Green, I yield to you for 5 minutes.
    Mr. Green. Thank you, Mr. Chairman. If you need additional 
time.
    Mr. Hill, permit me to thank you for indicating that 
technology is important, and that we should be careful about 
how we raid some of these funds because I, too, am concerned 
about that approach. So, I thank you for bringing it up and 
mentioning the later part which has to do with some of the 
actions that we take without going through regular order.
    Let me ask this of you. I understand the profile of the 
hacker. I understand that profile, and I am talking now more 
specifically about identity theft. What I am not sure of is the 
profile of the person who actually acquires the information in 
this dark world that we have been talking about, and actually 
uses it. Is this a person who purchases 1,000 identities and 
proceeds with that 1,000 trying to do as much mischief as 
possible, or does the person acquire one identity and work 
that? What is the profile of the criminal mind in the criminal 
who does this?
    Mr. Madon. Sir, I think using one slice is there is no one 
profile, and if you take the OPM case, I am pretty confident 
wearing my former counterintelligence hat that there are some 
very happy Chinese counterintelligence officers right now who 
are combing through our information to identify vulnerabilities 
in U.S. employees and trying to exploit those vulnerabilities 
for recruitment.
    Mr. Green. Is it your general consensus that this is a 
profile that would not simply be a person who would live in the 
United States? Do we have people who live in our country who 
acquire this information and use it?
    Mr. Madon. There is certainly a criminal element, as well. 
So, I think each attack is very varied, I don't think there is 
one flavor. And I think it could either be used for--to sell 
on, as my colleagues were mentioning, the Dark Web. It could be 
used by a nation-state to conduct counterintelligence 
activities, so I think there is a broad range of ways to use 
this critical information.
    Mr. Green. I am concerned right now with people in the 
United States, because you have talked about some of the 
sanctions that can be imposed, and while litigation is a 
possibility, when you are talking about litigation in a 
national or international setting, it can be quite difficult 
because of treaties and other things that would be necessary.
    But, let's talk about people within the United States. Do 
we find that we have people who are going into this dark place 
and acquiring this information, and they are using it, and they 
are right here in the United States? They are among us.
    Mr. Bejtlich. Yes. Yes, sir, that happens, and many times 
they are prosecuted.
    Mr. Green. And, what I am trying to--my next question is, 
do they purchase one identity, or do they purchase a thousand? 
I am trying to get some sense of where--how this information is 
actually used. Is it used by a single perpetrator with one 
identity, or does this perpetrator decide that, ``I will just 
sit here, and I will create 20 different identities, and I will 
find a way to make money doing it?''
    Mr. Bejtlich. Sir, the cases I have seen typically involve 
either the bulk collection, the bulk sale, or bulk fraud 
associated with that date. You tend not to see single actors 
with a few identities.
    Mr. Green. Let's go back to--you spoke of rewards, almost 
as though this would be a bounty. Would you explain how you 
think that might work--the reward system?
    Mr. Madon. It could model something like the qui tam system 
where you have individuals who notice that there are nefarious 
activities, for example, the whistleblower program where they 
bring these activities to law enforcement and they get rewarded 
for that. And, I think it could be a system that is very 
similar to that system, where there are rewards provided by 
Federal, State, and local government for individuals who report 
cyber crime.
    Mr. Green. Now, what is the fallacy in this, if you think 
that there is a fallacy? Someone else. What is the fallacy in 
providing a reward for a whistleblower, as it where, different 
type, who brings evidence to the government for prosecution 
purposes? What is the fallacy in that?
    Okay, thanks. I take it that is something that you would 
all agree is feasible and doable, and something that we should 
consider.
    Mr. Bejtlich. I will just say that it is the first time I 
have heard of such a thing, so I don't really have an opinion 
at this point.
    Mr. Cilluffo. And you would probably want to put bounds 
around, just like in the conventional world, bounty hunting in 
general. So, I haven't really thought about this in such a way, 
but if you go back in our history with piracy, yes, we did have 
the Letters of Mark, and the U.S. Government enabled and 
empowered entities to not only get a bounty, but keep the 
booty, literally, in terms of some of the activity there. They 
were sanctioned by the government.
    Mr. Green. If I may quickly, Mr. Chairman, I think that 
this has been indicated to be a system of providing 
information, intelligence to the government, not acquiring 
assets, public or individual--not acquiring assets, but 
providing information. Is that what you are talking about, sir?
    Mr. Madon. That is right, but I don't--I think in the 
current construct, I think the switch from providing 
information on cyber attack to information on--putting on the 
time machine hat, an attack on the open seas--I see very little 
daylight actually between the two. I think they both cause 
incredible damage to our country.
    Mr. Green. Thank you, Mr. Chairman. I owe you 1 minute and 
6 seconds.
    Chairman Duffy. The ranking member yields back. The Chair 
now recognizes the gentleman from Arkansas, Mr. Hill, if you 
have more questions.
    Mr. Hill. Just a theme I would like to wrap up on--I was 
having dinner the other night, or trying to, and the power went 
out in the restaurant. And I was drinking my beer--which is off 
the record, I didn't have a beer; I had a coke.
    And they literally asked us to leave the restaurant because 
the power went out. I said, ``Why don't you just take my order, 
cook the food, and I will pay you cash?''
    ``Oh, well, we can't do that. We have no way to account 
for--we have no way to write it down.'' How pitiful is that? 
But when you get that societally, and when you think about that 
in a banking context, we are now so dependent on this 
interconnected Web, that I do view cybercrime as--for the next 
generation, the same as a nuclear threat. And, that is not too 
dramatic, I think, even though we think about the massive loss 
of life in a nuclear environment. But, the ability to shut down 
the power grid in a capital market system, or the electrical 
grid--and the data communication system in a modern economy now 
is--could be just as horrific.
    So, how do we broadcast a system of mutual assured 
destruction in cyber? How do we begin through treaty work, 
bilateral work, communication? Instead of keeping it so sub-
rosa that we actually say, ``Hey, look pal, you try to take 
down our commercial or national security interest, you are 
toast.''
    What is the process there? How do we get there on that?
    Mr. Cilluffo. That is precisely, Congressman, the approach, 
I think, we do need to take because we can't treat this as a 
quiet issue alone. We have to--it has to not only have 
sunlight, but for it to have any semblance of impact and 
consequence to change behavior, it needs to be publicly 
articulated. I think that is a deterrent strategy, I think we 
need to look at all the instrumentalities--military, political, 
economic, and others that can be brought to bear.
    Recognize that cyber related issues are on par with 
traditional forms of diplomatic issues, and it really is going 
to come down to signaling and having the wherewithal to follow 
through on our words, which we haven't had great success in 
recent on always following through on redlines that we have 
devised. But, we do need to put mark--we do need to put lines 
in the silicon and demonstrate when they are crossed, expect a 
response.
    The one issue, I would say, that is a little different, 
vis-a-vis, nuclear, is that the bar is so low to have a cyber 
capability, whereas you needed a huge infrastructure both 
scientifically and economically to have a nuclear capability. 
In this case--
    Mr. Hill. That would make it more disturbing.
    Mr. Cilluffo. I hear you, and the club is so much bigger, 
but there are, again, as I started out--not all hacks are the 
same, not all hackers are the same, and there are certain 
things we can do to delineate those actors that are most brazen 
in their activity.
    Mr. Hill. Any other comments?
    Mr. Madon. Sir, I vehemently agree. And, I think, sitting 
back and saying, over, and over, again, ouch that hurts, and 
basically signaling to our adversaries that they can continue 
to attack us with impunity is unacceptable for our Nation.
    And, I think we need to explore all options and come up 
with a campaign, and a thoughtful approach about how to respond 
to these attacks.
    Mr. Hill. Thank you, panel, and thank you for your service 
for our country, and I yield back, Mr. Chairman.
    Chairman Duffy. The gentleman yields back. I want to thank 
the witnesses for their testimony today. I feel just a tad bit 
safer knowing that you three are on Team USA. Thank you for 
being here. Thank you for all of your work. And thank you for 
your testimony.
    The Chair notes that some Members may have additional 
questions for this panel, which they may wish to submit in 
writing. Without objection, the hearing record will remain open 
for 5 legislative days for Members to submit written questions 
to these witnesses and to place their responses in the record. 
Also, without objection, Members will have 5 legislative days 
to submit extraneous materials to the Chair for inclusion in 
the record.
    This hearing is adjourned.
    [Whereupon, at 11:48 a.m., the hearing was adjourned.]

                            A P P E N D I X



                             June 16, 2015
                             
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]