b"<html>\n<title> - PROMOTING AND INCENTIVIZING CYBERSECURITY BEST PRACTICES</title>\n<body><pre>[House Hearing, 114 Congress]\n[From the U.S. Government Publishing Office]\n\n        PROMOTING AND INCENTIVIZING CYBERSECURITY BEST PRACTICES\n\n=======================================================================\n\n                                HEARING\n\n                               before the\n\n                            SUBCOMMITTEE ON\n                     CYBERSECURITY, INFRASTRUCTURE\n                        PROTECTION, AND SECURITY\n                              TECHNOLOGIES\n\n                                 of the\n\n                     COMMITTEE ON HOMELAND SECURITY\n                        HOUSE OF REPRESENTATIVES\n\n                    ONE HUNDRED FOURTEENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                             JULY 28, 2015\n\n                               __________\n\n                           Serial No. 114-29\n\n                               __________\n\n       Printed for the use of the Committee on Homeland Security\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n      Available via the World Wide Web: http://www.gpo.gov/fdsys/\n                               __________\n\n                         U.S. GOVERNMENT PUBLISHING OFFICE \n\n97-918 PDF                     WASHINGTON : 2016 \n-----------------------------------------------------------------------\n  For sale by the Superintendent of Documents, U.S. Government Publishing \n  Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; \n         DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, \n                          Washington, DC 20402-0001\n\n                     COMMITTEE ON HOMELAND SECURITY\n\n                   Michael T. 
McCaul, Texas, Chairman\nLamar Smith, Texas                   Bennie G. Thompson, Mississippi\nPeter T. King, New York              Loretta Sanchez, California\nMike Rogers, Alabama                 Sheila Jackson Lee, Texas\nCandice S. Miller, Michigan, Vice    James R. Langevin, Rhode Island\n    Chair                            Brian Higgins, New York\nJeff Duncan, South Carolina          Cedric L. Richmond, Louisiana\nTom Marino, Pennsylvania             William R. Keating, Massachusetts\nLou Barletta, Pennsylvania           Donald M. Payne, Jr., New Jersey\nScott Perry, Pennsylvania            Filemon Vela, Texas\nCurt Clawson, Florida                Bonnie Watson Coleman, New Jersey\nJohn Katko, New York                 Kathleen M. Rice, New York\nWill Hurd, Texas                     Norma J. Torres, California\nEarl L. ``Buddy'' Carter, Georgia\nMark Walker, North Carolina\nBarry Loudermilk, Georgia\nMartha McSally, Arizona\nJohn Ratcliffe, Texas\nDaniel M. Donovan, Jr., New York\n                   Brendan P. Shields, Staff Director\n                    Joan V. O'Hara,  General Counsel\n                    Michael S. Twinchek, Chief Clerk\n                I. Lanier Avant, Minority Staff Director\n                                 ------                                \n\nSUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND SECURITY \n                              TECHNOLOGIES\n\n                    John Ratcliffe, Texas, Chairman\nPeter T. King, New York              Cedric L. Richmond, Louisiana\nTom Marino, Pennsylvania             Loretta Sanchez, California\nScott Perry, Pennsylvania            Sheila Jackson Lee, Texas\nCurt Clawson, Florida                James R. Langevin, Rhode Island\nDaniel M. Donovan, Jr., New York     Bennie G. Thompson, Mississippi \nMichael T. 
McCaul, Texas (ex             (ex officio)\n    officio)\n               Brett DeWitt, Subcommittee Staff Director\n                    Dennis Terry, Subcommittee Clerk\n       Christopher Schepis, Minority Subcommittee Staff Director\n\n                            C O N T E N T S\n\n                              ----------                              \n                                                                   Page\n\n                               Statements\n\nThe Honorable John Ratcliffe, a Representative in Congress From \n  the State of Texas, and Chairman, Subcommittee on \n  Cybersecurity, Infrastructure Protection, and Security \n  Technologies...................................................     1\nThe Honorable James R. Langevin, a Representative in Congress \n  From the State of Rhode Island.................................     3\nThe Honorable Cedric L. Richmond, a Representative in Congress \n  From the State of Louisiana, and Ranking Member, Subcommittee \n  on Cybersecurity, Infrastructure Protection, and Security \n  Technologies:\n  Prepared Statement.............................................     4\nThe Honorable Bennie G. Thompson, a Representative in Congress \n  From the State of Mississippi, and Ranking Member, Committee on \n  Homeland Security:\n  Prepared Statement.............................................     6\n\n                               Witnesses\n\nMr. Brian E. Finch, Senior Fellow, Center for Cyber and Homeland \n  Security, George Washington University:\n  Oral Statement.................................................     7\n  Prepared Statement.............................................     9\nMr. Raymond B. 
Biagini, Partner, Covington and Burling:\n  Oral Statement.................................................    15\n  Prepared Statement.............................................    17\nMs. Andrea M. Matwyshyn, Visiting Professor, Center for \n  Information Technology Policy, Princeton University:\n  Oral Statement.................................................    22\n  Prepared Statement.............................................    23\n\n                             For the Record\n\nThe Honorable John Ratcliffe, a Representative in Congress From \n  the State of Texas, and Chairman, Subcommittee on \n  Cybersecurity, Infrastructure Protection, and Security \n  Technologies:\n  Letter.........................................................     3\n\n \n        PROMOTING AND INCENTIVIZING CYBERSECURITY BEST PRACTICES\n\n                              ----------                              \n\n\n                         Tuesday, July 28, 2015\n\n             U.S. House of Representatives,\n                    Committee on Homeland Security,\n Subcommittee on Cybersecurity, Infrastructure Protection, \n                                 and Security Technologies,\n                                                    Washington, DC.\n    The subcommittee met, pursuant to call, at 2:20 p.m., in \nRoom 311, Cannon House Office Building, Hon. John Ratcliffe \n[Chairman of the subcommittee] presiding.\n    Present: Representatives Ratcliffe, Perry, Donovan, and \nLangevin.\n    Also present: Representative Watson Coleman.\n    Mr. Ratcliffe. 
The Subcommittee on Cybersecurity, \nInfrastructure Protection, and Security Technologies will come \nto order.\n    The subcommittee is meeting today to examine the potential \nbenefits of expanding the Support Antiterrorism by Fostering \nEffective Technologies Act, referred to as the SAFETY Act, to \nclarify that on a voluntary basis cybersecurity products and \nservices can be reviewed and certified to receive enhanced \nliability protections for large-scale cyber incidents.\n    Right now, our cyber defenses are weak, and, because \naddressing cybersecurity vulnerabilities is costly, we need to \nfind ways to promote and incentivize investment in \ncybersecurity. We need to incentivize companies to have a \nrobust cyber-risk management plan in place. Through this \nhearing, we want to hear from our expert witnesses if the \nSAFETY Act Office at the Department of Homeland Security could \nbe leveraged to promote and incentivize cybersecurity best \npractices within its existing framework.\n    By way of history, the SAFETY Act was part of the Homeland \nSecurity Act of 2002 and is a voluntary program that currently \nprovides incentives for the development and deployment of anti-\nterrorism technologies. The SAFETY Act ensures that the threat \nof costly litigation does not deter potential manufacturers or \nsellers of anti-terrorism technologies at both large and small \ncompanies from developing and putting into the marketplace \nproducts and services that could reduce the risk or mitigate \nthe consequences of a large-scale terrorist event.\n    Companies qualify for the protections afforded by the \nSAFETY Act by demonstrating through an on-going basis that they \nhave a comprehensive and agile risk management plan. 
Applicants \nto this voluntary program must submit to a rigorous and \nthorough vetting process at DHS' SAFETY Act Office in order to \nreceive liability protections in the event of an act of \nterrorism.\n    Homeland security and National security challenges are \nconstantly evolving, and the cybersecurity threat is currently \ngrowing. It is in that capacity that earlier this year we \npassed H.R. 1731, the National Cybersecurity Protection \nAdvancement Act. The goal of that legislation, which passed the \nHouse with a bipartisan vote of 355 to 63 and is now awaiting \nSenate action, is to strengthen the sharing of cyber threat \nindicators to guard against criminal groups, hacktivists, or \nnation-state actors.\n    Separately, we have been meeting with stakeholders to find \nother ways to strengthen cybersecurity, including expanding the \nSAFETY Act for cyber purposes. Right now, the SAFETY Act can \nonly be triggered by an act of terrorism. However, for cyber \nattacks, attribution is extremely difficult to determine. \nRegardless of whether the hacker was a terrorist, a nation-\nstate, a cyber criminal, or hacktivist, the impact of a \ndevastating cyber attack would be the same.\n    If there is something more that can be done to increase \ncybersecurity best practices overall and potentially reduce the \nlikelihood of a large-scale cyber attack, this subcommittee is \ngoing to examine it. 
SAFETY Act coverage for cybersecurity will \nnot solve all of our cybersecurity challenges, but it has the \npotential to make a significant improvement in our Nation's \ncyber defenses.\n    In the coming weeks, the Committee on Homeland Security \nwill consider House-passed legislation from the 113th Congress \nthat would amend the SAFETY Act to establish a, ``qualifying \ncyber incident,'' threshold to trigger SAFETY Act liability \nprotections for vetted cybersecurity technologies.\n    The very creation of the Department of Homeland Security \nstemmed from the attacks on September 11, 2001. While we must \nand will remain vigilant and do everything we can to prevent \nanother devastating attack on Americans, we must also recognize \nthat the threat landscape in this country is changing. Cyber \nspace is, in many ways, the new frontier, and a cyber 9/11 is \nonly a matter of time if we fail to strengthen our cyber \ndefenses. So we need to ensure that we are doing everything \npossible to harden our defenses left of boom, as they say in \nmilitary parlance.\n    This potential legislation has the potential to increase \ninvestments in the security and resilience of our Nation's \ncritical infrastructure, including the power grids, air traffic \ncontrol, and banking systems.\n    Much of our Nation's critical infrastructure is privately \nowned, and in the 21st Century there now exists an \ninterconnectedness of physical security and cybersecurity. This \nmeans that someone sitting at a keyboard can now initiate a \nphysical injury by issuing commands at an office building, an \nair traffic control system, or someone's automobile, resulting \nin loss of life, not just the theft of personal information \nfrom a database.\n    Many products and services weren't built with cybersecurity \nin mind. This is why we need to incentivize market-driven \nsolutions to raise the bar on how we manage our cybersecurity \nrisks. 
Fortunately, the United States is home to an ingenious \nentrepreneurial culture, and the best high-tech companies in \nthe world have developed products and services that can help \nimprove the information security resilience of our critical \ninfrastructure and for companies that improve our quality of \nlife.\n    If amending the SAFETY Act to include qualifying cyber \nincidents would better safeguard our Nation and potentially \nprevent a cyber attack that could shut things down and bring \ncommerce to a screeching halt, then we owe it to ourselves and \nour constituents to examine the potential benefits it could \nprovide. This is especially true given the increasing \nimportance of cybersecurity in the lives of every American.\n    At this time, I ask unanimous consent to insert into the \nrecord a letter from the American Gas Association, the Edison \nElectric Institute, and the National Rural Electric Cooperative \nAssociation in support of testimony submitted by Mr. Brian \nFinch on the need to clarify the SAFETY Act to ensure that \nsignificant cybersecurity incidents are clearly covered.\n    Without objection, so ordered.\n    [The information follows:]\n              Letter Submitted by Chairman John Ratcliffe\n                                     July 28, 2015.\nThe Honorable John Ratcliffe,\nChairman, Subcommittee on Cybersecurity, Infrastructure Protection, and \n        Security Technologies.\nThe Honorable Cedric Richmond,\nRanking Member, Subcommittee on Cybersecurity, Infrastructure \n        Protection, and Security Technologies, Washington, DC 20515.\n    Dear Chairman Ratcliffe and Ranking Member Richmond: On behalf of \nthe American Gas Association (AGA), the Edison Electric Institute \n(EEI), and the National Rural Electric Cooperative Association (NRECA), \nwe are writing in support of testimony submitted by Brian Finch on the \nneed to clarify the SAFETY Act to ensure that significant cybersecurity \nincidents are clearly covered under 
the program's liability protections.\n    The electric and gas utility industries take cybersecurity threats \nvery seriously. Any statutory clarification would be beneficial if it \nhelps to make more explicit that cyber attacks are covered by the \nSAFETY Act and that legal defenses will be available to those using its \ncertified cybersecurity products or processes in the event of a \nsignificant cyber attack. Currently, the SAFETY Act provides that \nliability protections are available in the case of an ``act of \nterrorism,'' which is usually interpreted to include a significant \ncyber attack. To eliminate any doubt, Congress should make clear that \nit intends for a significant cyber attack to be covered. This \nclarification would likely result in an increase in utilization of the \nprogram and adoption of its certified cybersecurity products or \nprocesses.\n    We appreciate the subcommittee's continued focus on this important \nissue. The changes Mr. Finch has suggested are important, and we look \nforward to working with you as legislation to clarify the SAFETY Act \nmoves forward.\n                                  American Gas Association.\n                                 Edison Electric Institute.\n           National Rural Electric Cooperative Association.\n\n    Mr. Ratcliffe. I am pleased to be joined today by my \ncolleague from Rhode Island, Mr. Langevin, who is filling in \nfor Ranking Member Richmond.\n    The Chair now recognizes the gentleman from Rhode Island \nfor any statement that he may have.\n    Mr. Langevin. Thank you, Mr. Chairman.\n    I, too, want to welcome our witnesses here today.\n    Before I begin, Mr. Chairman, I would like to ask unanimous \nconsent that Mrs. Watson Coleman of New Jersey be allowed to \nparticipate in this hearing, although she is not a Member of \nthe subcommittee.\n    Mr. Ratcliffe. Without objection.\n    Mr. Langevin. Thank you, Mr. 
Chairman.\n    Next, as you mention, the Ranking Member is traveling with \nthe President right now, so I am sitting in. I would like to \nask unanimous consent to submit his opening statement for the \nrecord.\n    Mr. Ratcliffe. Without objection, so ordered.\n    [The statement of Ranking Member Richmond follows:]\n             Statement of Ranking Member Cedric L. Richmond\n                             July 28, 2015\n    Good afternoon Mr. Chairman and thank you for holding this hearing \non cybersecurity best practices.\n    I want to thank Dr. Andrea Matwyshyn from Princeton who has \ntraveled to testify for us today.\n    The Department of Homeland Security, Science and Technology \nDirectorate, is responsible for operating the SAFETY Act through the \nOffice of Safety Act Implementation, or the OSAI.\n    While we are going to hear testimony today about the process for \ncompanies interested in having cybersecurity technologies designated as \nqualified anti-terrorism technologies under the SAFETY Act, we are also \ngoing to discuss some of the features of the draft SAFETY Act \nlegislation that Chairman McCaul has circulated to industry.\n    The SAFETY ACT provides Government-sponsored immunity from \nliability to products or services that have gone through examination by \nthe Office of Safety Act Implementation, and then designated, or \ncertified under the SAFETY Act.\n    Congress has provided this kind of liability protection since 2002 \nto encourage innovation in the development of products and technologies \nfor the homeland security enterprise that would help protect us from \nthe terrorist threats or terrorist events, but only when the Secretary \nhas determined that a terror event has taken place.\n    It would seem to me that the large, prime contractors who already \nsupply the Department of Defense would need little help in providing \nthe Department of Homeland Security with the kinds of services they \nmight need in the civilian threat 
arena.\n    But small businesses are the backbone of America's workforce and \ninnovation, creating most of the jobs in America. A SAFETY Act \ndesignation or certification for a new innovative product can improve a \nsmaller company's bottom line and help resolve their concerns about \nliability protections. That was the original intent of the Act in 2002.\n    We are all concerned about the ability of American businesses, \nlarge and small, to protect their data and networks in today's \namplified cyber threat atmosphere.\n    The question before us is how to best encourage civilian businesses \nto make sure their cybersecurity efforts are state-of-the-art, and how \ndoes SAFETY Act liability protection play a key role in helping us \nachieve that goal, in the complex, multi-layered arena of \ncybersecurity?\n    I look forward to the testimony today, Mr. Chairman, and I yield \nback.\n\n    Mr. Langevin. Very good. Thank you, Mr. Chairman.\n    So let me begin by saying that, as co-chair of the \nCongressional Cybersecurity Caucus with Chairman McCaul, I \nfully agree that organizations, public and private, must do a \nbetter job adopting cybersecurity best practices, as the \nconsequences of cyber attacks can be devastating. I certainly \nalso associate myself with the remarks of the Chairman in his \nopening statement, as well.\n    It is also abundantly clear that network administrators are \nnot currently employing best practices, given that over 80 \npercent of cyber attacks could be stopped with simple hygiene \nmeasures like patch deployment or the use of two-factor \nauthentication.\n    I understand that some of our witnesses today and the \nChairman believe that applying existing policy, the SAFETY Act, \nto this problem may help improve our Nation's cybersecurity \nposture. I have great respect for their point of view, and I \ncertainly believe that incentives are an avenue that we should \nexplore. 
However, I do think that there are a number of \nquestions this committee should answer as part of our \nconsideration.\n    First, I think we must ask ourselves what we see as the \nunderlying purpose of the SAFETY Act. I have always viewed the \nlegislation as having at its heart the incentivization of \nresearch, design, and development of new technologies. Today, \nnew information security products are being released at a \nprodigious rate, raising questions of whether further SAFETY \nAct protections are necessary to spur innovation. While the \nshield offered under SAFETY Act certification designation can \ncertainly also incent deployment of these new, novel \ntechnologies, we at the committee must determine whether the \nact is properly tailored to the problem that we are addressing.\n    Second, we must also look into the implementation of \ntechnologies certified under the SAFETY Act. Network security \nis incredibly complex, and users of security products can often \nmake mistakes in configuration or interpretation of results. \nFor example, in the Target breach, the company's security \nsoftware alerted on the malware that eventually compromised the \npoint-of-sale terminals; however, the alert was lost in a sea \nof other warnings. How limits of liability would apply in such \ncases is an important concern.\n    Finally, we must examine the SAFETY Act in the context of \ncybersecurity risk management writ large. I have consistently \nfought efforts in Congress to prescribe specific technology \nsolutions, either legislative or regulatory. Information \ntechnology simply moves at too fast a pace to be able to say that \ntoday's best solutions will be viable in 5 years, let alone \neven less than that. 
Instead, I have advocated adoption of risk \nmanagement frameworks like NIST that help companies assess \ntheir level of cybersecurity risk and development processes to \nreduce that risk.\n    One of the best practices universally praised under such \nframeworks is resilience--the idea that a network should not \nrely on a single technology for protection. Part of the reason \nthat data breaches last for more than 6 months, on average, is \nthat companies prioritize perimeter security without a similar \nfocus on detecting anomalies once the network has in fact been \nbreached. So the committee must explore whether the use of the \nSAFETY Act in a cybersecurity context could inadvertently make \nnetworks less resilient.\n    There are other questions I have--for instance, the \nadequacy of the certification process--that I hope the \ncommittee will also explore.\n    Let me again thank the Chairman for convening this \nimportant hearing. I thank the witnesses for appearing, and I \ncertainly look forward to their testimony.\n    Mr. Chairman, before I yield back, I would just ask \nunanimous consent that the statement of the Ranking Member of \nthe full committee, Mr. Thompson, also be entered into the \nrecord.\n    Mr. Ratcliffe. Without objection, so ordered.\n    [The statement of Ranking Member Thompson follows:]\n             Statement of Ranking Member Bennie G. Thompson\n                             July 28, 2015\n    Good afternoon. I want to thank Chairman Ratcliffe for calling \ntoday's hearing on encouraging cybersecurity best practices, and I want \nto thank the witnesses for testifying here today.\n    I especially want to thank Dr. Andrea Matwyshyn from Princeton \nUniversity who has come to share her expertise and experience with us.\n    Today, we will be discussing the prospect of amending the SAFETY \nAct law to promote certification of more cybersecurity technologies as \nqualified anti-terrorism technologies. 
Given that there is draft \nlegislation circulating, prepared by the Majority to amend the SAFETY \nAct in this manner, this hearing is timely.\n    Today, under the SAFETY ACT, DHS provides immunity from liability \nto products or services that have been rigorously examined by the \nOffice of Safety Act Implementation.\n    Congress directed DHS to establish this program to encourage \ninnovation in the development of novel anti-terrorism technologies.\n    As I noted in a previous hearing several years ago on this matter, \nthe Government does not charge a penny to perform exhaustive reviews of \neach company's product that applies for, and is qualified for, SAFETY \nAct approval.\n    Mr. Chairman, I am wondering whether in our current fiscal \nsituation, Congress should consider requesting a fee from companies \nwith the means to pursue this process and desire to secure the \nliability protection and marketing advantage that comes with SAFETY Act \ncertification.\n    When this committee first began to examine the activities of the \nSAFETY Act Office, I encouraged the Department to perform dedicated \noutreach to attract small, minority, and disadvantaged businesses to \nobtain SAFETY Act certification, and to help them go through the \ncomplicated and time-consuming SAFETY Act approval process.\n    The reasoning behind this emphasis was simple. Large multinational \ncompanies, who are likely the prime developers of technologies in the \nhomeland security enterprise, are mostly already involved with \nproviding the Department of Defense technologies and services in that \nsphere.\n    In contrast, small businesses with promising technologies face \ncountless barriers to entry in the marketplace. 
Given that these firms \nare often the innovators and the backbone of America's workforce, it is \nimportant that DHS go the extra mile.\n    A SAFETY Act designation or certification can improve a company's \nbottom line and help small, savvy companies create jobs. Large, well-\nfunded companies need less help, and those companies are usually \nstocked with a bevy of corporate lawyers to guide them through any \nconcerns about liability protections or access to DHS acquisitions.\n    The draft legislation that is in circulation has no special \nemphasis on small businesses. I am hopeful that as the bill moves \nthrough the legislative process, we can come together to ensure that it \ndoes.\n    I would also put on the record my concern that the funding to \nexpand the Safety Act Office would not be ``new money'' but rather \ntaken from other DHS activities. It is important to know where that \nmoney would be taken from and what capabilities or programs would be \naffected or diminished.\n    More broadly, there are basic questions about how this legislation \nwould drive innovation with respect to cyber technologies.\n    We would not want to foster an environment in the marketplace where \ncompanies grow complacent, having only an interest in securing blanket \nliability protections outweighing the energy of innovation.\n    I look forward to the testimony today, Mr. Chairman, and I yield \nback.\n\n    Mr. Ratcliffe. Other Members of the committee are reminded \nthat opening statements may be submitted for the record.\n    We are pleased today to have with us a very distinguished \npanel of witnesses on a very important topic.\n    Mr. Brian Finch is a senior fellow at the Center for Cyber \nand Homeland Security at George Washington University. Mr. \nFinch has a diverse background in homeland security issues and \nthe SAFETY Act.\n    Thank you for being here, Mr. Finch.\n    Mr. Raymond Biagini is a partner at Covington and Burling. 
\nHe has extensive experience and background in drafting the \noriginal SAFETY Act language and also assists companies in \nobtaining SAFETY Act certifications.\n    Welcome, Mr. Biagini.\n    Finally, we are pleased to be joined by Professor Andrea \nMatwyshyn--did I pronounce that right?\n    Ms. Matwyshyn. You did.\n    Mr. Ratcliffe [continuing]. Matwyshyn, who is a visiting \nprofessor at the Center for Information Technology Policy at \nPrinceton University.\n    Professor, thank you for being here.\n    I would now ask each of the witnesses to stand and raise \nyour right hands so I can swear you in to testify.\n    Do each of you swear or affirm that the testimony which you \nwill give today will be the truth, the whole truth, and nothing \nbut the truth, so help you God?\n    Let the record reflect that the witnesses have answered in \nthe affirmative.\n    You may be seated.\n    The witnesses' full statements will appear in the record.\n    The Chair now recognizes Mr. Finch for 5 minutes for his \nopening statement.\n\n STATEMENT OF BRIAN E. FINCH, SENIOR FELLOW, CENTER FOR CYBER \n      AND HOMELAND SECURITY, GEORGE WASHINGTON UNIVERSITY\n\n    Mr. Finch. Chairman Ratcliffe, Ranking Member Richmond, Mr. \nLangevin, distinguished Members of the subcommittee, my name is \nBrian Finch, and thank you for inviting me to testify before \nyou today on how to effectively promote and incentivize \ncybersecurity best practices.\n    I firmly believe that promoting and incentivizing the use \nof cybersecurity best practices is critical to our Nation's \nsecurity. The challenge, however, is determining what is, ``the \nbest,'' or even, ``quite good.'' The SAFETY Act can help us \nwith that right now.\n    Let me begin by stating what I will not be promoting in my \ntestimony. I will not advocate for expanding the liability \nprotections offered by the SAFETY Act or what triggers those \nprotections. 
I will not seek to reinterpret the original intent behind the SAFETY Act. Rather, I will discuss how cyber attacks and cybersecurity technologies are covered under the SAFETY Act as currently written. I will also cover how a minor tweak to the law will improve its use in the cybersecurity context.
    As this committee knows, SAFETY Act protections are triggered when the Secretary of Homeland Security declares that an ``act of terrorism'' has occurred.
    Under the SAFETY Act, an act of terrorism is defined as an event that is, ``one, unlawful; two, causes harm to a person, property, or entity in the United States; and, three, uses or attempts to use instrumentalities, weapons, or other methods designed or intended to cause mass destruction, injury, or other loss to citizens or institutions of the United States.'' Nothing in that definition excludes cyber attacks.
    Further, note that the SAFETY Act already explicitly states that cybersecurity technologies are eligible to receive liability protections. All of the above is why the DHS has already approved cybersecurity SAFETY Act applications.
    Despite all of this, too many people are still unsure of whether the SAFETY Act applies to cyber attacks and cybersecurity technologies. To cure this, the House should once again unanimously pass section 202 of the National Cybersecurity and Critical Infrastructure Protection Act, or NCCIP. That section clarified the SAFETY Act by adding two new terms to it, ``cyber incident'' and ``cybersecurity technologies.'' Those new terms merely made explicit protections already available under the SAFETY Act.
    As we all know, the decision of Executive branch members to declare a particular event an act of terrorism in any context is a difficult one. Terms such as ``workplace violence'' and ``cyber vandalism'' are used instead of the ``T'' word. While I offer no opinions on the language used by the Executive branch to describe certain events, I can say that preventing or mitigating the outcomes that occurred in those events is exactly what Congress intended when it passed the SAFETY Act. That is why giving the Department of Homeland Security Secretary a term other than ``terrorism'' to use when bringing in the liability protections of the SAFETY Act is so important.
    Now, if you will allow me, I would like to provide two examples where, if we could clarify the SAFETY Act, it would allow for vastly improved cybersecurity best practices.
    First, let me talk about cyber risk groups. Companies could use risk-pooling mechanisms like risk-purchasing or risk-retention groups to increase their defenses and better mitigate risks.
    Here's how that would work. First, a group of similarly-situated companies would agree to use certain security standards or technologies, such as, for instance, detonation chambers or the NIST Cyber Framework. Next, those companies would then either jointly purchase a cyber insurance policy or create a pool of insurance that they would all maintain and participate in. Third, the risk group would also agree to pursue SAFETY Act protections for the security standards that they have agreed to commit to adhering to.
    All of this would be possible thanks to the vetting conducted under a clarified SAFETY Act. I would add that this pooling-risk purchasing agreement would be of particular value to small businesses, as well as to companies in historically underserved communities, as it would allow their dollars to travel further.
    Next, cyber HMOs. I argue that cyber insurers should be using a health insurance model to promote best practices. Why? Because, under the cyber HMO model, it promotes wellness behavior that prevents minor scratches from developing into serious infections. That cyber HMO plan would also give the insured access to a vast network of cybersecurity vendors and professionals, as well as low-cost or free access to basic cyber hygiene, such as annual physicals, i.e., compromise assessments, or vaccines, in this case, perimeter defenses.
    By encouraging the use of SAFETY Act-vetted products or services, the HMO and its policyholders would have greater confidence in the tools they are using to promote cyber health.
    Thank you for the opportunity to testify, and I welcome any questions this committee may have.
    [The prepared statement of Mr. Finch follows:]
                  Prepared Statement of Brian E. Finch
                             July 28, 2015
    Chairman Ratcliffe, Ranking Member Richmond, distinguished Members of the subcommittee, thank you for inviting me to testify before you today on how to effectively promote and incentivize cybersecurity best practices.
    My name is Brian Finch, and I am here today testifying in my capacity as a senior fellow with The George Washington University Center for Cyber and Homeland Security, where I am a member of the Center's Cybersecurity Task Force.\1\ I am also a partner with the law firm of Pillsbury Winthrop Shaw Pittman LLP, a senior advisor to the Homeland Security and Defense Business Council, and a member of the National Center for Spectator Sport Safety and Security's Advisory Board.
---------------------------------------------------------------------------
    \1\ While I am testifying in my capacity as a senior fellow with The George Washington University Center for Cyber and Homeland Security, please note that my comments represent my personal views and not necessarily any positions of the Center.
---------------------------------------------------------------------------
    Clearly, the implementation of best cybersecurity practices is critical to our Nation's economic security and physical safety. Our cyber enemies are numerous, growing, and increasingly sophisticated.
    Fortunately there is no lack of will to defend ourselves from the attacks these enemies launch. Unfortunately, given the scale, scope, and pace of cyber threats we face, our cybersecurity measures writ large tend to lag behind the said attacks.
    In light of those threats, I firmly believe that promoting and incentivizing the use of cybersecurity best practices and effective technologies, policies, and procedures are critical to our Nation's security. I also firmly believe that the private sector is ready and willing to adopt those best practices, technologies, policies, and procedures. Its challenge, however, is determining which of those items are in fact ``the best'' or even ``quite good.''
    Moreover, we should all acknowledge that the private sector will see all of its cybersecurity decisions second-guessed in the tsunami of litigation that inevitably follows any cyber attack. Thus, programs that help companies determine which cybersecurity measures to adopt and will help them minimize their exposure to unnecessarily expensive and protracted litigation are desperately needed.
    Thankfully, a program already exists in the United States Code that in fact does promote and incentivize the use of cybersecurity best practices, technologies, policies, and procedures: The ``SAFETY Act.''
    The SAFETY Act, which stands for the Support Anti-Terrorism By Fostering Effective Technologies, was enacted in 2002 as part of the Homeland Security Act. The SAFETY Act is one of the most responsibly designed and effectively implemented liability management programs in Government today. More importantly, it can and already has been used to promote improved cybersecurity, and, with the leadership of this committee, that success can be expanded.
    In my testimony below, I will go into greater detail as to how the SAFETY Act can currently be used to promote the increased use of cybersecurity practices as well as effective technologies, procedures, and policies. I will also explain why I believe that some very minor statutory tweaks to the SAFETY Act would be exceptionally helpful in expanding its use in the private sector. Finally, I will also provide some examples of how the SAFETY Act could be tied to innovative ideas that will, in general, promote improved cybersecurity.
 important clarification regarding the scope of this written testimony
    I believe at the outset that it is exceptionally important to establish what I will NOT be promoting in my testimony. I want there to be no misunderstanding with respect to what actions I believe Congress or the Executive branch should be undertaking in order to allow the SAFETY Act to reach its full potential with respect to cybersecurity.
    Specifically, my testimony:
  <bullet> Will NOT advocate for an expansion of the scope of the liability protections offered by the SAFETY Act. The SAFETY Act, as currently drafted, provides to the Department of Homeland Security (DHS) all of the legal authority needed to encourage the wide-spread deployment of effective and useful cybersecurity technologies, policies, and procedures;
  <bullet> Will NOT advocate for an expansion of the types of unlawful events that may trigger the liability protections offered by the SAFETY Act. Again, as currently drafted, the SAFETY Act gives the Secretary of Homeland Security broad discretion to decide which unlawful acts that cause harm to U.S. persons, property, or economic interests can trigger its liability protections;
  <bullet> Will NOT seek to revise or reinterpret the intent of the Members of the 107th Congress, who drafted and voted to enact the SAFETY Act;
  <bullet> Will NOT advocate for the ability of the private sector to excuse itself completely from liability following a cyber attack, much less disincentivize the private sector from continually investing in and upgrading its cyber defenses; and
  <bullet> Will NOT seek to undermine the ability of DHS to thoroughly review applications for SAFETY Act liability protections or require a dramatic expansion in the size or cost of the Office of SAFETY Act Implementation (OSAI), such that the program office will become unwieldy or unnecessarily costly.
    Instead, my testimony will advocate for a very simple proposition: That with the addition of a few well-placed words, it will become perfectly clear to the private sector that the SAFETY Act applies to cybersecurity practices, technologies, procedures, and policies. Moreover, these minor tweaks will permanently clarify that the SAFETY Act applies to cyber attacks committed by a variety of actors, as well as attacks where attribution is unclear or impossible.
  the safety act as drafted applies to cybersecurity technologies and cyber attacks
    A critical point that must be established immediately is that both the SAFETY Act statute (see 6 U.S.C. § 441-444) and the implementing Final Rule (see 6 CFR § 25) establish that cyber attacks can trigger the law's liability protections and that information technologies (including cybersecurity systems and services) are eligible to receive SAFETY Act liability protections. By way of review, please note that the SAFETY Act provides extensive liability protections to entities that are awarded either a ``Designation'' or a ``Certification'' as a Qualified Anti-Terrorism Technology (QATT). Under a ``Designation'' award, successful SAFETY Act applications are entitled to a variety of liability protections, including:
  <bullet> All terrorism-related liability claims must be litigated in Federal court;
  <bullet> Punitive damages and pre-judgment interest awards are barred;
  <bullet> Compensatory damages are capped at an amount agreed to by both DHS and the applicant;
  <bullet> That damage cap will be equal to a set amount of insurance the applicant must carry, and once that insurance cap is reached no further damages may be awarded in a given year;
  <bullet> A bar on joint and several liability; and
  <bullet> Damages awarded to plaintiffs will be offset by any collateral recoveries they receive (e.g., victims compensation funds, life insurance, etc.)
    Should the applicant be awarded a ``Certification'' under the SAFETY Act for their QATT, all of the liability protections awarded under a ``Designation'' are available. In addition, the Seller of a QATT will be entitled to an immediate presumption of dismissal of all third-party liability claims arising out of, or related to, the act of terrorism.
    The only way this presumption of immunity can be overcome is to demonstrate that the application contained information that was submitted through fraud or willful misconduct. Absent such a showing, the cyber attack-related claims against the defendant will be immediately dismissed.
    Additionally, when a company buys or otherwise uses a QATT that has been either SAFETY Act ``Designated'' or ``Certified,'' that customer is entitled to immediate dismissal of claims associated with the use of the approved technology or service and arising out of, related to, or resulting from a declared act of terrorism.
    As the SAFETY Act is currently drafted, in order for its protections to be triggered, the Secretary of Homeland Security must declare that an ``act of terrorism'' has occurred. The definition of an ``act of terrorism'' is extremely broad and includes any act that:
    (i) is unlawful;
    (ii) causes harm to a person, property, or entity, in the United States, or in the case of a domestic United States air carrier or a United States-flag vessel (or a vessel based principally in the United States on which United States income tax is paid and whose insurance coverage is subject to regulation in the United States), in or outside the United States; and
    (iii) uses or attempts to use instrumentalities, weapons, or other methods designed or intended to cause mass destruction, injury, or other loss to citizens or institutions of the United States.
    The Secretary has broad discretion to declare that an event is an ``act of terrorism,'' and once that has been declared, the SAFETY Act statutory protections will be available to the Seller of the QATT and others.
    Critically, nothing in the SAFETY Act statute or Final Rule requires that there be a finding of a ``terrorist'' intent in order for the Secretary to declare that an ``act of terrorism'' occurred. Indeed, the only discussion of ``intent'' when defining an ``act of terrorism'' comes in the third part. There, all Congress drafted was that the attack must have used a weapon or other instrumentality ``intended'' to cause some form of injury.
    Congress had every opportunity to explicitly or implicitly limit qualifying ``acts of terrorism'' to politically, religiously, or other ideologically motivated actions by specifically-defined groups or persons. It chose not to do so, instead stating that, for purposes of the SAFETY Act, an ``act of terrorism'' was simply an intentional unlawful act intended to cause harm to U.S. persons, property, or economic interests.
    It can only follow then that the SAFETY Act statute can (and is) interpreted to include cyber attacks as an act that can be considered an ``act of terrorism'' and may serve as a trigger for the protections of the SAFETY Act.
    Further, it is vital to note that the SAFETY Act Final Rule includes cybersecurity products and services in its definition of ``Qualified Anti-Terrorism Technologies,'' or ``QATT,'' or technologies that are eligible to receive SAFETY Act protections.
    This point is readily demonstrated by the fact that DHS, through its Office of SAFETY Act Implementation, has already approved a number of cybersecurity products and services. By that measure alone, we know that the SAFETY Act applies to a variety of cybersecurity products and services.
    Still, it is important to understand the statutory and regulatory basis for the coverage of cybersecurity products and services under the SAFETY Act.
    We can start with the SAFETY Act itself; specifically, 6 USC § 444(1) defines a ``Qualified anti-terrorism technology'' as follows:

``For purposes of this part, the term ``qualified anti-terrorism technology'' means any product, equipment, service (including support services), device, or technology (including information technology) designed, developed, modified, or procured for the specific purpose of preventing, detecting, identifying, or deterring acts of terrorism or limiting the harm such acts might otherwise cause, that is designated as such by the Secretary.'' (emphasis added).

    Note that this definition specifically covers ``information technology'' and, further, that the only characteristic needed by any product, equipment, service, device, or technology in order to be considered as a QATT is that the item ``is designed, developed, modified, or procured for the specific purpose of preventing, detecting, identifying, or deterring acts of terrorism or limiting the harm such acts might otherwise cause.''
    Thus, by its explicit terms, information technologies--a term that includes cybersecurity products and services--are eligible to be considered as a QATT under the SAFETY Act.
    We should also consider the QATT definition set forth in 6 CFR Part 25.2, which reads as follows:

``Qualified Anti-Terrorism Technology or QATT--The term `Qualified Anti-Terrorism Technology' or `QATT' means any Technology (including information technology) designed, developed, modified, procured, or sold for the purpose of preventing, detecting, identifying, or deterring acts of terrorism or limiting the harm such acts might otherwise cause, for which a Designation has been issued pursuant to this part.'' (emphasis added).

    DHS also explicitly refers to information technologies when defining Qualified Anti-Terrorism Technologies and also links ``information technologies'' to any Technology designed, etc. to combat an ``act of terrorism.''
    Therefore, any Technology designed, developed, modified, procured, or sold for the purpose of preventing, detecting, identifying, or deterring ``acts of terrorism'' will be eligible to be defined as a QATT. That includes cybersecurity products and services.
    I would also refer the committee to the SAFETY Act Final Rule's definition of ``Technology,'' which is as follows:

``Technology--The term `Technology' means any product, equipment, service (including support services), device, or technology (including information technology) or any combination of the foregoing. Design services, consulting services, engineering services, software development services, software integration services, threat assessments, vulnerability studies, and other analyses relevant to homeland security may be deemed a Technology under this part.'' (emphasis added).

    Please note that here again DHS specifically used the term ``information technology,'' once again establishing that cybersecurity products, equipment, or services will be considered a ``Technology'' for purposes of the SAFETY Act.
    Please note too that when elaborating on the types of ``design services'' that may be considered a ``Technology'' (a definition that includes various types of software development and support services), DHS stated that ``analyses relevant to homeland security may be deemed a Technology under this part.'' See 26 CFR Part 25.2.
    The use of the general term ``homeland security'' is of great import to this hearing. As this committee is well aware, DHS's ``homeland security'' mission is an ``all hazards'' one, which includes protecting against cyber threats in all forms. Indeed, in recent years the cybersecurity mission--whether related to terrorist groups, nation-states, organized crime, individuals, or others--has become a primary mission area for DHS. It follows then that when DHS defined ``Technologies'' for SAFETY Act purposes to include software services related to ``homeland security,'' it intended that term to encompass cyber attacks in their myriad of forms.
    In summary, then, there is no question that cyber attacks, regardless of who conducted them or why, and cybersecurity products and services are eligible to receive SAFETY Act protections under the plain language of the SAFETY Act statute and the Final Rule as originally drafted.
the nation would benefit if congress were to amend the safety act in a way that makes its coverage of cyber attacks and cybersecurity technologies even more explicit
    Despite the fact that the SAFETY Act, as already drafted, encompasses both cybersecurity products and services and cyber attacks unconnected to specific ``terrorist'' groups or motivations, too many people are unsure of whether the SAFETY Act applies to exactly those items and situations. In short, the only way to rectify the situation is for Congress to slightly amend the SAFETY Act to make explicit its coverage of cyber attacks and cybersecurity products and services.
    Thankfully, the path and process for clearing up the SAFETY Act's application in the cyber context has already been blazed, and all this committee and the House of Representatives need to do is retrace its steps.
    In the 113th Congress, Members of this committee, including Chairman McCaul, Ranking Member Thompson, Representative Meehan, and Representative Clarke introduced the National Cybersecurity and Critical Infrastructure Protection Act (NCCIP).
    Section 202 of the NCCIP would have slightly altered the SAFETY Act by essentially adding two new terms to the existing law: ``Cyber incident'' and ``cybersecurity technologies.'' These new terms would be inserted after the words ``act of terrorism'' and ``anti-terrorism technologies,'' respectively, in the existing SAFETY Act law.
    The purpose of these new terms was simple and straightforward: Make it 100% clear to potential users of the SAFETY Act that the law applies to cybersecurity products and services as well as to cyber attacks that one might not colloquially put in the same category as the terrible events of Sept. 11, 2001 or the Boston Marathon bombings.
    These changes were apparently not controversial to this committee or this Chamber, as H.R. 3696 passed the House by unanimous voice vote. Unfortunately, due to timing issues that prevented the resolution of some concerns by a few Senators, Section 202 was not included when the final version of H.R. 3696 passed the Senate and was signed into law. Still, I remind this committee again that Section 202 was passed unanimously by the House, and so this committee should pass the SAFETY Act clarifying language once again.
    This clarification continues to be absolutely vital for a variety of reasons. First, I can state without qualification to this committee that the vast majority of eligible SAFETY Act applicants do not realize after reading its statutory language that the SAFETY Act covers non-``terrorist''-related cyber attacks or even cybersecurity products and services in general.
    Rather, most people who are not steeped in the nuances and history of the SAFETY Act simply see the words ``act of terrorism'' and ``Qualified Anti-Terrorism Technologies'' and think only in terms of al-Qaeda, ISIS, right-wing militias, and the like.
    The statute or Final Rule evidences no such limitations, and, further, there is no legislative history that I am aware of that would definitively limit the application of the SAFETY Act to such groups, their actions, or items designed to deter, defeat, or combat them.
    Inclusion of Section 202 language would eliminate that confusion. All parties would now be fully on notice of the application of the SAFETY Act to cyber incidents and cybersecurity technologies, thus allowing everyone to get on to the business of deciding whether the SAFETY Act is right for them or if the product or service merits the liability protections it offers.
    Second, inserting the term ``cyber incident'' would be of great value to the Executive branch, particularly the Secretary of Homeland Security. Under the SAFETY Act, the decision to declare an incident an ``act of terrorism'' is assigned to the Secretary of Homeland Security. Thus she or he is the person who decides whether a company that holds a SAFETY Act award may actually assert the defense in Federal court. Without that designation, the defenses of the SAFETY Act are not available under the law to the SAFETY Act awardee.
    As the past few years have demonstrated, the decision of Executive branch members to declare a particular event an act of terrorism in any context is a difficult one. From the shootings at Fort Hood to the cyber attack on Sony Pictures, and even to the recent cyber attack on the U.S. Office of Personnel Management, the Executive branch treads very cautiously when deciding how to describe an incident. Creative terms such as ``workplace violence'', ``cyber vandalism'', or even references to a general ``security breach'' are used instead of the ``T'' word.
    I offer no opinions on the terms used by the Executive branch in those incidents, yet I would dare say we all agree that there is no disagreement on their impact on American lives and our economy. Lives were lost, businesses were crippled, and Government programs have been crippled for years to come. It is those outcomes--or more specifically preventing or mitigating them--that Congress was focused on when it passed the SAFETY Act in 2002.
    That is why adding the term ``cyber incident'' as defined in Section 202 of NCCIP is a vital tool to give to the Homeland Security Secretary. The Secretary should have the same flexibility to acknowledge the seriousness of a given incident, and, in the case of the SAFETY Act, trigger specific liability protections, without having to utilize a term that may cause a larger than necessary impact. Section 202 thus represents a simple tool with which to wield the SAFETY Act with greater delicacy.
    Finally, I must emphasize that the language of Section 202 only clarifies the SAFETY Act and is entirely consistent with the original intent of the law. Section 202 does not expand the SAFETY Act, as some have argued.
    When one looks back at the creation, implementation, and use of the SAFETY Act, it has always been clear that the purpose of the law has been to promote the use by the private sector of useful and effective security products and services in order to deter or mitigate massively damaging unlawful events.
    The SAFETY Act was designed to help mitigate those events by providing the possibility of limited liability protections following the unlawful ``act of terrorism.'' These liability protections were deemed needed because of concerns about potentially endless litigation following a major attack.
    Time has borne out those concerns. The attacks of 9/11 spurred litigation that lasted more than a decade and whose costs ran well into the hundreds of millions of dollars. Similar litigation arising out of the 1993 World Trade Center attack also lasted for more than a decade, and now every new terrorist incident spurs numerous new lawsuits.
    Cyber attacks are no different. High-profile attacks spur multiple lawsuits, and indeed the cost of managing litigation post-cyber attack is beginning to represent one of the most expensive consequences of a cyber attack. Considering that millions of cyber attacks occur daily, and that these attacks are growing more sophisticated and successful with each passing moment, liability protections for cybersecurity vendors and users are absolutely critical.
    This is especially true given that many of these attacks are conducted by foreign governments and are essentially unstoppable by the private sector. That fact will not deter plaintiffs' counsel, however, and so no matter how good a product is or how much is invested in defensive programs, companies will still face massive litigation. That trend cannot continue, and so it is only proper to use the SAFETY Act as originally intended to control that outrageous trend.
    In summary then, clarifying--but not amending--the SAFETY Act so that it explicitly covers cyber incidents and cybersecurity technologies is not only appropriate given the seriousness of the cyber threat. It is also appropriate given the general misunderstanding of how the SAFETY Act works and the need to provide flexibility to the Homeland Security Secretary when determining whether to let the protections of the SAFETY Act be applied.
                optimizing use of a clarified safety act
    Clarifying the SAFETY Act so that it clearly applies to non-``terrorist'' cyber attacks and cybersecurity products and services will have multiple benefits. Please allow me to highlight two examples of improved cybersecurity this committee would likely support that would benefit from a clarified SAFETY Act.
(1) ``Cyber Risk Groups''
    One challenge facing private-sector companies when implementing cyber defenses is how to effectively cooperate with other companies to protect themselves and best use their limited resources. Particularly using a clarified SAFETY Act, companies could use risk-pooling mechanisms to increase their defenses and better mitigate risk.
    Risk-pooling mechanisms come in a number of forms, including ``risk purchasing'' and ``risk retention'' groups. Those groups allow collections of companies (usually similarly situated in terms of industry sector) to jointly purchase or create insurance coverage that would otherwise be unavailable or excessively expensive.
    Here's how it can work:
    1. A group of similarly-situated companies agree to form a risk purchasing or retention group in order to obtain cybersecurity insurance.
    2. The companies agree to use certain security standards or technologies (for instance SANS 20 controls, ``detonation chambers,'' information sharing via dedicated ``private clouds,'' the recent National Institute of Standards and Technology voluntary cybersecurity framework, etc.)
    3. The companies then pool their resources to either jointly purchase an existing cyber insurance policy or to create a pool of insurance that they would maintain.
    4. The risk group also agrees to pursue SAFETY Act protections for the standards it has created and committed to adhering to.
    5. As part of the agreement, any company that fails to adhere to the security standards will be asked to leave the group at the next renewal period.
    Using a clarified SAFETY Act on top of the insurance pool effectively limits the exposure of the group to the amount of insurance they have purchased, or even a portion thereof.
    Further, this arrangement also potentially allows more of the insurance funds to be used for losses the company has directly suffered (damaged equipment, lost data, business interruption, etc.) rather than losses suffered by third parties.
    The pool arrangement allows companies to collaborate and establish a baseline of security that each would commit to maintaining, all of which fall under the umbrella of a review by DHS. None of this would be possible without a clarified SAFETY Act.
    I would add the pooling/risk purchasing agreement would be of particular value to small businesses or ones that serve historically underserved communities. For instance, cooperatives that provide utility services would benefit greatly from this arrangement as it would allow them to provide broader cybersecurity at reasonable costs to their members. Considering that their members are in historically underserved communities, this would be an excellent public benefit every member of this committee could support.
(2) ``Cyber HMOs''
    A challenge this committee and others have faced is how to use cyber insurance to promote best cybersecurity practices. That problem remains unsolved, but I contend a clarified SAFETY Act can help the Nation better utilize insurance solutions.
    First, I start with the proposition that cyber attacks are a constant threat, much more akin to medical claims than property or casualty claims. We know they will occur on a regular basis, and so insurers need to establish an infrastructure that supports constant care over a lifetime.
    Following on the health care analogy, cyber insurers should view their policies through the lens of a health insurance model and not a general liability or casualty policy. In my mind, it follows then that cyber insurers should develop cyber policies using a ``HMO'' model.
    Under that model, the insurer's goal will be to promote the ``right'' kinds of claims--ones that encourage healthy behavior. Yet even with the incentivizing of healthy behavior, inevitably some sort of disease will work its way into the blood stream. The cyber HMO model works well here too as it will support interventional care that prevents minor scratches from developing into a serious infection.
    A best-case scenario would work out this way: A ``cyber HMO'' is established, which companies can gain access to by paying monthly premiums along with associated ``co-pays,'' ``deductibles,'' and similar expenses typically associated with a health insurance plan.
    That cyber HMO plan would give the insured access to a vast network of cybersecurity vendors and professionals at discounted rates that could be called upon in the event of a problem (the ``co-pays'' and ``co-insurance'' equivalents).
    The cyber HMO plans would also provide low-cost or even free access to basic ``cyber hygiene'' care, such as routine diagnostic examination of information technology systems, perimeter defense systems, and other basic defense systems (the ``annual physical'' and ``low-cost or free vaccine'' equivalents).
    More ``advanced'' defense systems could be subject to a higher co-pay and deductible, and companies could even choose to go ``out of network'' if they want, but they would have to shoulder more of the cost.
    The clarified SAFETY Act would help here, too, by helping decide whether a cybersecurity product or service should be ``covered'' under this insurance model. By encouraging the use of products or services vetted by DHS through the SAFETY Act, the HMO and its policyholders would have greater confidence in the tools they are using to promote cyber health.
    The ``cyber HMO'' is one that actively rewards healthy cyber behavior--a Gordian knot that no carrier has been able to untie yet using traditional insurance models. That's a critical piece of the cybersecurity puzzle, as the challenge has been how to get companies to engage in effective cybersecurity, rather than any form of cybersecurity.
                               conclusion
    Thank you for the opportunity to testify before the committee today. I will be happy to answer any questions you might have.

    Mr. Ratcliffe. Thank you, Mr. Finch.
    The Chair now recognizes Mr. Biagini for 5 minutes for his opening statement.

STATEMENT OF RAYMOND B. BIAGINI, PARTNER, COVINGTON AND BURLING

    Mr. Biagini. I thank you, Mr. Chairman. Thanks for having me here. I thank the Members of the committee for this opportunity. Indeed, it's a privilege to speak with you about the possible expansion of the SAFETY Act to cover qualifying cyber incidents.
    Let me address in short what I see as the key questions for this committee's consideration.
    First, are liability protections needed to incentivize companies to enhance their own cybersecurity systems and to incentivize providers of cyber solutions to design more effective technologies? I believe the answer is yes.
    In short, we face a potentially devastating existential cybersecurity threat. As I outline in my written remarks, the magnitude of this threat cannot be overstated. The 9/11 Commission authors likened a cyber attack on U.S. critical infrastructure to the terrorist threat before September 11, calling the cyber domain the battlefield of the future.
    Those distinguished authors of the Commission report recommended legislation to incentivize the design and deployment of cybersecurity. We only have to look at the recent hack at OPM to confirm that the cyber wolf is knocking at our critical-infrastructure door.
    There is also a sense that corporations are moving too slowly to upgrade and enhance their own cybersecurity within their corporate walls.
    Regarding cyber insurance, carriers often lack the data they need to quantify losses from cyber attacks. When they do write cyber insurance, it often has large deductibles, inadequate limits, and exclusions for attacks by nation-states. This is particularly concerning for companies involved in cybersecurity in the critical infrastructure arenas of health care, financial, electrical, and energy.
    The laudable efforts by NIST to get companies to participate in the basic cyber hygiene program may be progressing too slowly. So I believe, given the enormity of the risk, coupled with the slowness of corporations' self-policing, and with some softness in the insurance markets, a surgical, legislative, incentivizing solution is appropriate.
    But the second question is: Why turn to the SAFETY Act as a vehicle to be used for this incentivizing approach?
    I have had the fortunate experience over the past 13 years to not only witness but to play an active role in the significant evolution of the SAFETY Act, as itself a truly best practice among homeland security companies big and small. The SAFETY Act has, in fact, stimulated companies to do cutting-edge research, design, development, and deployment of anti-terror technology and to induce the end-users to buy and deploy SAFETY Act technologies.
    From the very beginning of the act, small companies have benefited. The first recipient of SAFETY Act coverage was a small company, Michael Stapleton Associates, who got SAFETY Act coverage for their anti-terror training regimen for bomb-sniffing dogs.
    Fast-forward to today. DHS is granting SAFETY Act coverage to the likes of the Port Authority of New York and New Jersey for a complement of highly sophisticated anti-terror technologies to protect the new Freedom Tower. They have provided SAFETY Act coverage to the Kentucky International Airport and its cybersecurity programs and to a small and growing number of cybersecurity companies providing vulnerability assessments and resiliency testing of cyber networks.
    The SAFETY Act Office has shown that they can expedite coverage when deployments are subject to Federal contracts and give great weight to technologies that have preexisting positive track records in the Federal or military space.
    In short, the SAFETY Act and its implementers have shown a demonstrable ability to evolve and address emerging technologies of increasing complexity. Properly resourced, I believe they can do so in the SAFETY Act if it is expanded through this amendment.
    I want to mention that I know--that, indeed, the SAFETY Act is helping to improve the technology that is out there, and here is why. Every day, almost every week, I get approached by companies that would like to pursue SAFETY Act coverage, and many, many times I tell them they are not ready. They are not ready for SAFETY Act coverage at this time, because they don't have the bona fides yet. They may not have had sufficient testing done or self-evaluation of their technologies. They may not have done important hazards analysis or risk analysis. They may not have done the operational and training manuals that the SAFETY Act Office will require them to have.
    Many, many times, those same applicants come back around about 2 months later or 3 months, and they have the bona fides, and they have improved their technology, and now they are ready to seek SAFETY Act coverage.
So, in this sense, the SAFETY Act \nhas, indeed, acted as a gatekeeper.\n    The last point I would like to make, Mr. Chairman, is that, \nas you mentioned, oftentimes the SAFETY Act--amending the \nSAFETY Act to cover cyber attacks. Cyber attacks cannot often \nbe attributed to terrorists. It just makes sense to amend the \nSAFETY Act, because cyber attackers, by nature and often \ndeliberately, do not leave behind the ``whodunnit'' signature \nthat terrorists crave, in fact proclaim, after they commit a \nhorrific attack. The amendment here properly focuses on the \n``what,'' did the cyber attack cause material damage severely \naffecting the United States, not on the ``who,'' in terms of \nwhether it was a terrorist or not.\n    I believe that the cause here is worthy, the circumstances \nare sufficiently compelling, and I believe the results will be \nsalutary.\n    Thank you, Mr. Chairman.\n    [The prepared statement of Mr. Biagini follows:]\n                Prepared Statement of Raymond B. Biagini\n                             July 28, 2015\n    Good afternoon. Thank you, Chairman Ratcliffe, and the Members of \nthis subcommittee, for the opportunity--indeed privilege--to speak with \nyou today about this important topic of potentially expanding the U.S. \nSAFETY Act to provide needed liability protections arising out of \n``qualifying cyber incidents,'' as that term is described in the \nproposed amendment. I support the proposed approach.\n    I have a particularly keen interest in this topic, and note that I \nhave always been hesitant to engage in activities that might lead to \nthe amendment of the SAFETY Act, because I am the original author of \nthe core liability protection provision of the SAFETY Act. I wrote that \nprovision in June 2002 at the request of some of our law firm's \nhomeland security contractor clients. 
Together, we examined the legal \nlandscape and homeland security marketplace immediately following the \nhorrific attacks of 9/11 and quickly recognized the need for new \nlegislation to address key public policy needs:\n  <bullet> To stimulate companies, large and small, to research, \n        design, develop, and deploy cutting-edge anti-terror technology \n        without fear of enterprise-threatening liability suits.\n  <bullet> To stimulate the terror insurance market which had stopped \n        providing terror coverage after the 9/11 attacks.\n  <bullet> To enhance homeland security in the United States and \n        abroad.\n    Guided by these policy considerations, I drafted in June 2002 the \n``Certification'' section (now Section 863(d)(1), (2), and (3)) of what \nbecame the U.S. SAFETY Act, passed by Congress in November 2002 as part \nof the Homeland Security Act. In short, the SAFETY Act is landmark \nlegislation, eliminating or minimizing tort liability for sellers or \nproviders of anti-terror technology (``ATT'') approved by U.S. \nDepartment of Homeland Security (``DHS'') should suits arise in the \nUnited States after an act of terrorism.\n    As described more fully below, DHS has awarded SAFETY Act coverage \nfor hundreds of cutting-edge anti-terror products and services since \nits inception in 2002, thereby satisfying many of the policy concerns \ndescribed above. In fact, in many respects, the SAFETY Act has become a \nhomeland security industry ``best practice'' risk management technique, \nspurring companies, including small businesses, to research, design, \ndevelop, and deploy anti-terror technology to protect America without \nfear of ``enterprise-threatening'' tort liability should there be \nanother 9/11 terror incident. 
But given the remarkably rapid expansion \nover the past several years of increasingly penetrating cyber attacks \non key sections of the American economy and Government infrastructure, \nit is time to thoughtfully consider a surgical upgrade of the SAFETY \nAct so that that law can ``catch up'' to the realities of the cyber \nthreat we now face. In short, the proposed legislation recognizes a \nfundamental principle: The ``trigger'' of liability protections for a \n``qualifying cyber attack'' should turn not on the identity of the \nattacker, i.e., is he or she a terrorist, but on the severity of the \nattack on critical U.S. interests. Moreover, this amendment will begin \nto requite the public policy concerns that existed in 2002 and exist \ntoday--the need to incentivize companies to further develop cutting-\nedge cyber solutions and to upgrade and enhance their cybersecurity \nsystems; and the need to stimulate the availability of cyber insurance, \nparticularly for key high-value cyber targets in the energy, aviation, \nelectrical, and health care industries. These public policy and \nmarketplace dynamics augur for thoughtful consideration of this \nproposed legislation.\n                   a. key features of the safety act\n1. Liability Protections\n    Should a company obtain SAFETY Act tort protection from DHS, these \nprotections fall into one of two categories:\n\n``Certification--the highest form of protection--creates a presumption \nthat the seller of ATT is immediately dismissed from suit unless clear \nand convincing evidence exists that the seller acted fraudulently or \nwith willful misconduct in submitting data to DHS during the \napplication process. 
Certification coverage also eliminates punitive \ndamages claims; requires that any suit after an act of terrorism be \nfiled in Federal court; and caps the awardee's liability, usually at \nits terror insurance limits.''\n\n    Certification coverage is usually awarded by DHS when the \napplicant's technology has been widely deployed and has a track record \nof ``proven effectiveness.''\n    The lesser form of SAFETY Act coverage is known as ``Designation'' \ncoverage and is usually provided when the anti-terror technology has \nlimited actual deployment in the field:\n\n``Designation--provides all of the protections under Certification \ncoverage except the presumption of dismissal.''\n\n    Importantly, certification and designation protections apply ``up \nand down'' the supply chain, i.e., the awardee's subcontractors, \nvendors, and distributors ``derivatively'' obtain the same SAFETY Act \ntort protections as the awardee. But most important, those that buy or \ndeploy SAFETY Act-approved technology--whether they are commercial or \nGovernment customers--also are protected derivatively from tort \nliability arising out of an act of terror.\n\n2. Limits on the Liability Protections\n    The SAFETY Act's liability protections are triggered only if DHS's \nSecretary designates a particular incident an ``act of terrorism'' \nunder the SAFETY Act. ``Act of terrorism'' is defined as an unlawful \nact causing harm to a person, property, or entity in the United States, \nusing or attempting to use instrumentalities, weapons, or other methods \ndesigned or intended to cause mass destruction, injury or other loss to \ncitizens or instrumentalities of the United States. The Secretary of \nDHS will determine on a case-by-case basis whether a particular \nterrorist attack is covered under the SAFETY Act. 
This threshold \nstatutory requirement to first designate a particular attack as an \n``act of terrorism'' under the SAFETY Act before the liability \nprotections are applicable is an obvious limitation that may not be \nnecessary or appropriate in considering whether to expand the SAFETY \nAct to ``qualifying cyber incidents.''\n    The SAFETY Act can also apply ``extraterritorially,'' i.e., even if \nthe act of terror occurs outside the United States, the SAFETY Act can \napply to suits filed in the United States so long as the ``harm,'' to \ninclude financial harm, is suffered by U.S. persons, property, \ninstrumentalities, or entities. And SAFETY Act protections can also \napply ``retroactively'' to cover anti-terror technologies that an \napplicant has already deployed and which are substantially equivalent \nto those technologies for which it has obtained coverage.\n    The SAFETY Act defines ``loss'' as death, injury, or property \ndamage, including business interruption loss. The definition of ``anti-\nterror technologies'' includes ``any product, equipment, service \n(including support services), device, or technology (including \ninformation technology)'' which has a material anti-terror purpose.\n    Finally, in order to obtain the tort liability protections, an \napplicant for SAFETY Act coverage must carry terror insurance which \nwill respond to third-party tort liability suits arising out of a \ncovered act of terrorism. The cost of the insurance cannot unreasonably \ndistort the pricing of the anti-terror technology. The terror coverage \nlimits usually become the applicant's ultimate ``cap'' on liability. In \npractice, if an applicant does not have terror coverage, the SAFETY Act \nOffice will work with the applicant to find terror coverage at a price \nthat the applicant can afford.\n              b. 
the safety act as implemented since 2002\n    Over the past 13 years, particularly in the last 7-8 years, DHS has \nvigorously implemented the SAFETY Act, providing coverage to hundreds \nof companies--from small businesses to some of the largest corporations \nin the world--for the anti-terror products or services they provide in \nthe United States and abroad. In fact, the first SAFETY Act award went \nto a small company, Michael Stapleton Associates, for its bomb-sniffing \ndog training regimen, its X-ray screening, and bomb detection system.\n    Representative SAFETY Act awards over the past 13 years include \ncoverage for:\n  <bullet> threat and vulnerability assessment protocols;\n  <bullet> airport baggage handling systems;\n  <bullet> biometrically-secured airport identification and access \n        system under the Registered Traveler Program;\n  <bullet> perimeter intrusion detection systems;\n  <bullet> cargo inspection systems deployed at ports and borders;\n  <bullet> physical security guard services;\n  <bullet> secure broadband wireless communications infrastructure and \n        command-and-control systems;\n  <bullet> lamp-based infrared countermeasure missile-jamming systems;\n  <bullet> anti-IED jamming systems.\n    In some of these cases, the SAFETY Act Office was able to \n``expedite'' its review and award of coverage by giving weight to the \nfact that these anti-terror products and services had proven \neffectiveness through long-term deployments with Federal and military \ncustomers.\n    Importantly, DHS has also awarded SAFETY Act coverage to private \nand quasi-Governmental entities for their security protocols, \nprocedures, and policies used to determine the nature and scope of \nsecurity they deploy to protect their own facilities and assets. 
\nSpecifically,\n  <bullet> a major chemical company obtained coverage for its facility \n        security services, including its vulnerability assessments, \n        cybersecurity, emergency preparedness and response services, \n        and its perimeter security, at its facilities that were \n        governed by the Maritime Transportation Security Act;\n  <bullet> the Cincinnati/Northern Kentucky Airport obtained coverage \n        for its security management plan, its operations and training \n        procedures for its airport police, rescue, and firefighting \n        personnel, its emergency operations center, and airport \n        security plans;\n  <bullet> the New York/New Jersey Port Authority obtained coverage for \n        the security assessments and design/architectural engineering \n        services incorporating security-related design features at the \n        New Freedom Tower and World Trade Center site;\n  <bullet> the NFL obtained coverage for the stadium security standards \n        and compliance auditing program;\n  <bullet> three large professional sports venues obtained coverage for \n        their security practices and protocols;\n  <bullet> the New York Stock Exchange Security System obtained \n        coverage for its command-and-control and integration of a \n        multi-layered security system.\n    These significant awards, as well as the fact that the Federal \nAcquisition Regulations now require Federal agencies issuing homeland \nsecurity solicitations to first consult with the DHS SAFETY Act Office \nto determine if expedited coverage is appropriate, have helped the \nSAFETY Act toward reaching its full potential.\nc. the proposed legislation: a limited but appropriate expansion of the \n             safety act to cover qualified cyber incidents\n1. Current Atmospheric Conditions\n    The cyber threat to U.S. 
Governmental institutions and critical \ninfrastructure as well as to commercial entities is increasing at an \nalarming rate. Examples include:\n  <bullet> the recent hack into OPM affecting over 22 million \n        individuals, apparently by China;\n  <bullet> the 2014 attack on J.P. Morgan involving cyber theft of data \n        belonging to 76 million households, likely by Russia;\n  <bullet> the attack on Sony Pictures, apparently by North Korea;\n  <bullet> the indictment of 5 Chinese military officials for hacking \n        proprietary data held by Westinghouse and U.S. Steel.\n    Indeed, on July 22, 2014, the 9/11 Commission authors likened the \nthreat of a cyber attack on U.S. critical infrastructure to the \nterrorist threat before September 11, 2001, calling ``the cyber domain \nas the battlefield of the future.'' These authors urged legislation to \nincentivize enhanced cybersecurity. Further, the United States has \nidentified cyber attacks as the single greatest threat to National \nsecurity and at the forefront of the Nation's defense and critical \ninfrastructure, characterizing cyber attackers as undeterred by the \nthreat ``we'll shutdown your systems'' if you attack ours.\n    In addition to these policy-level concerns, market dynamics are at \nwork. Many companies are slow to improve their systems to prevent or \nmitigate against an attack. Cyber insurance for key sectors of the \neconomy, especially critical infrastructure, e.g., health, financial, \ncan be hard to get and expensive, often containing significant \nexclusions. The U.S. goal to strengthen cybersecurity resilience by \nhaving industry voluntarily follow NIST guidelines is progressing \nslowly. DHS, Commerce, and Executive branch agencies have suggested \nthat tort mitigation legislation may be necessary to stimulate industry \nto enhance cybersecurity and the insurance industry to increase its \nfootprint in the cyber market.\n2. 
Why Amend the SAFETY Act to Cover Non-Terror-Based ``Qualifying \n        Cyber Incident?''\n    There are numerous reasons that a discriminate expansion of the \nSAFETY Act makes sense as a means to mitigate increasing cyber threats. \nThe first has to do with the inherent characteristics and differences \nbetween a cyber versus terrorist attack. In the latter, public \nownership and notoriety of who the perpetrator is, remains a distinct \ngoal and desire of those perpetrating a terrorist attack. Also, while \ntheir methods of accomplishing the terror attack are usually simple and \n``low-tech,'' what matters to the terrorist is that the victims (as \nwell as his competitors) know WHO committed the heinous act. By \ncontrast, the cyber attacker prefers to be cloaked in secret, to act \nstealthily, not revealing highly-complex methods, sources, or \nsignatures, while being able to suddenly and massively disrupt broad \ntechnological networks. As such, the proposed SAFETY Act amendment \nappropriately focuses on whether a qualifying cyber incident causes \n``material levels of damage'' and ``severely affects'' the United \nStates, as the ``trigger'' for coverage, not on whether the attacker \ncan be labeled a ``terrorist.''\n    Second, over the past 13 years, pursuit of SAFETY Act coverage has \nbecome a ``best practice'' for companies in the homeland security \nmarket, which necessarily requires such companies to demonstrate \n``proven effectiveness'' of their anti-terror products or services. \nIndeed, DHS already has awarded coverage for certain cybersecurity \nsolutions and technologies. DHS's focus on ``proven effectiveness'' \nwill apply equally to cyber solution providers and those companies that \nare deciding on the quality and scope of their cyber threat protections \nprogram. 
As such, the SAFETY Act should have the salutary benefit of \nimproving the quality of cyber technology and use, thereby hardening \nnetworks and enhancing the level of cybersecurity generally throughout \nthe United States.\n    Third, as a prerequisite to obtaining SAFETY Act protection, the \nAct has always required an applicant to maintain terror insurance \ncoverage; the amendment would similarly require an applicant to \nmaintain cyber insurance to obtain the protections. This combination of \nliability protections and insurance requirements spurred the terror \ninsurance markets to open up and will likely have the same effect on \ncyber insurance markets, particularly in the highly-vulnerable \naviation, health, electric, and energy critical infrastructure arenas. \nSimilarly, if SAFETY Act liability protection is provided to those \ncompanies providing proven cyber solutions, especially to high-value \ntargeted industries, the insurance markets will likely respond \npositively because of the layer of immunity and claims-elimination \nprotection afforded to its insureds if they are sued after a \n``qualifying cyber incident.''\n    Fourth, the procedures for obtaining SAFETY Act coverage have been \ndemonstrated to be reasonably predictable and, when needed, nimble. \nThese procedures include protocols for expediting or ``fast-tracking'' \napplications; modifying a coverage award when a company's technology \nhas materially changed; and renewing coverage after an initial award. 
\nCompanies who fail to update DHS with material changes to their \ntechnology or fail to provide the technology or service as outlined to \nDHS in obtaining SAFETY Act coverage could find themselves without \nprotection should a lawsuit arise.\n    That said, the challenge for the SAFETY Act Office will be to \nobtain the necessary resources and expertise to handle an increased \nnumber of cyber-based SAFETY Act applications and to be able to nimbly \nbut meaningfully review cyber applications which inherently involve \nchanging technologies and threat environments.\n    Finally, the proposed legislation does not conflict with the Senate \ninformation-sharing and monitoring bills. These bills focus on the \nimportant need to enhance a specific critical activity--the sharing of \ncyber threat information between and among commercial and Governmental \nentities--by providing protection for such sharing and monitoring \ncompanies from liability arising out of these specific activities. The \nproposed House legislation is focused on those companies that design, \ndevelop, and deploy and use cyber solutions, e.g., threat and theft \nprotection; vulnerability assessments; fraud and identity protection, \netc. The House legislation is meant to incentivize a broad swath of \nproviders and users of such cyber technology by providing significant \ntort protections afforded under the SAFETY Act should a ``qualifying \ncyber incident'' occur.\n                               conclusion\n    The proposed legislation to discriminately expand the SAFETY Act is \nreasonably calculated to address both policy-based concerns and market \ndynamics. Its emphasis on the severity and impact of the cyber attack \nand not on the identity of the attacker as the trigger for protection \nis appropriate. 
DHS's continued requirement that a technology--cyber or \notherwise--have a record of ``proven effectiveness'' and the statutory \nrequirement to carry cyber insurance, will likely spur higher quality \ntechnology and more available insurance. The challenge for the DHS \nSAFETY Act Office will be to have sufficient qualified resources who \ncan conduct meaningful and timely reviews in an atmosphere of rapidly-\nchanging technology and threats. In the end, this amendment, like the \noriginal SAFETY Act, should be driven by a common spirit and intent: To \ntake proactive legislative incentivizing steps now--to avoid a \ncatastrophic debilitating incident involving a major critical \ninfrastructure or economic sector of the United States. This proposed \ndiscriminate amendment of the SAFETY Act is a step in the right \ndirection.\n\n    Mrs. Watson Coleman. Mr. Chairman.\n    Mr. Ratcliffe. Thank you, Mr. Biagini.\n    The Chair now recognizes Mrs. Watson Coleman.\n    Mrs. Watson Coleman. Thank you, Mr. Chairman, and thank \nyou, Mr. Langevin.\n    I just want to take this opportunity to acknowledge and \nwelcome and thank Dr. Andrea Matwyshyn for being here today and \nbeing a part of this very impressive panel.\n    Dr. Matwyshyn is currently the Microsoft visiting professor \nat the Center for Technology Policy at Princeton University, \nwhich is part of the 12th Congressional District that I am \nproud to serve.\n    She is a legal academic studying technology innovation and \nits legal implications, particularly corporate information. In \n2013 to 2014, she served as a senior policy advisor and \nacademic in residence at the U.S. Federal Trade Commission, \nfocusing her work on corporate information security issues.\n    She is a full professor of law at Northeastern University \nand a faculty affiliate of the Center for Internet and Society \nof Stanford Law School. 
She has had many very impressive \nappointments at many very impressive schools, from the Wharton \nSchool, the University of Pennsylvania, all the way to the \nSingapore Management University, Cambridge University, \nUniversity of Oxford, and Notre Dame.\n    Prior to entering academia, she was a private attorney, \nfocusing her work on technology transactions. She has \npreviously testified on issues of information security, and she \nis called upon and often quoted on these issues.\n    We are delighted to have her today, and thank you for \nhaving this hearing and providing this opportunity for us to \nhear from her.\n    Thank you.\n    With that, I yield back.\n    Mr. Ratcliffe. The gentlelady yields back. I thank the \ngentlelady for that introduction, and also glad to have you as \npart of our subcommittee today. A number of the Democratic \nMembers of this subcommittee are traveling with the President \npresently overseas, so we very much appreciate you being here \nwith us today.\n    With that, the Chair recognizes Dr. Matwyshyn for 5 minutes \nfor her opening statement.\n\n STATEMENT OF ANDREA M. MATWYSHYN, VISITING PROFESSOR, CENTER \n    FOR INFORMATION TECHNOLOGY POLICY, PRINCETON UNIVERSITY\n\n    Ms. Matwyshyn. Thank you.\n    Chairman Ratcliffe, Member Langevin, and other \ndistinguished Members of the subcommittee, it is my great honor \nto be with you here today to discuss the topic that I have \ndevoted my academic career to studying: Information security \nand the National crisis that we face in working toward making \nour Nation more secure, both in terms of our defense and in \nterms of our economy in particular.\n    The SAFETY Act was passed in 2002, and, at that time, it \nundoubtedly served as a critically-stimulating impetus for the \nemergence of physical space products from entrepreneurs to \nenable our society to move toward a more secure physical \nenvironment. 
However, the SAFETY Act in 2015 is, unfortunately, \nnot an optimal fit for the information security ecosystem.\n    The information security ecosystem is one that is driven by \nconstant, frequently overnight, innovation. As such, expanding \nor interpreting the SAFETY Act to provide liability limitation \nfor product, certain products only, in the information security \necosystem will disrupt rather than encourage an already \nsuccessfully burgeoning market of cutting-edge information \nsecurity products and services.\n    The market is projected to reach approximately $93 billion \nworth of information security products and services in the next \n2 years. We are seeing many successful IPOs; we are seeing \nventure capitalists investing heavily.\n    Expanding or including information security within the \nSAFETY Act liability limitations will, in essence, negatively \nshift the purchasing behaviors of companies away from \ndetermining products based on the recommendations of their \ninformation security engineers and code quality toward the \nrecommendations of CFOs, general counsel, and other perhaps \nless technologically-sophisticated individuals who are \nconcerned about risk mitigation rather than information \nsecurity first and foremost.\n    As such, the certification period is not a fit for \ninformation security technologies. 
Instead, it is likely to \nengender a false sense of security in enterprises and may, \nunfortunately, incentivize them to, for example, fail to comply \nwith the new ISO standards in information security or to obtain \nthe relevant information security policies that the insurance \nindustry increasingly offers, with over 50 major insurance \ncompanies now having robust offerings set in this space.\n    The next few points I will briefly mention are elaborated \nupon more thoroughly in my written testimony.\n    As I was preparing for this hearing, the availability of \ninformation regarding the transparency of the process of \ncertification was, in my opinion, not as thorough as I would \nhave hoped to be able to have an objective assessment of it. In \nparticular, it is critical that any certification that provides \nthe substantial benefit of a limitation of liability be driven \nby an independent, rigorous, third-party testing, including \npenetration testing and all the state-of-the-art technology \nmeasures that would be best suited to this kind of \ncertification.\n    With DHS having, unfortunately, limited capability in \nenforcement, this means that companies may be unwilling to \ncorrect their technologies in a timely manner when DHS even \nfinds a problem. 
In fact, we see this behavior from companies \nin the current marketplace.\n    So the expansion or inclusion of the SAFETY Act limited \nliability framework for information security products would, \nunfortunately, I believe, create disincentives to fix, timely \npatch, and well-disclose in security advisories the types of \ninformation that is absolutely critical to companies and to our \nagencies in defending us in a holistic approach with respect to \nthe information security threats that we face.\n    Context is everything, and the only way that we will \nsucceed in defending our Nation and our economy is through a \nmulti-lateral, coordinated approach between the public sector \nand the private sector that is sensitive to this set of moving \npieces that need to be coordinated simultaneously.\n    Finally, the expansion of this limited liability could \nimpair the work of other agencies, including the FCC and the \nFTC. I have Federalism concerns, where the States, I believe, \nare the appropriate laboratories of experimentation first for \nany liability limitation approach.\n    Thank you.\n    [The prepared statement of Ms. Matwyshyn follows:]\n               Prepared Statement of Andrea M. Matwyshyn\n                             July 28, 2015\n    Chairman Ratcliffe, Ranking Member Richmond, Representative \nLangevin, and other distinguished Members of the committee, it is my \nhonor to be here with you today to discuss the future of information \nsecurity in the United States and the SAFETY Act. My testimony today \nreflects cumulative knowledge I have acquired during my last 16 years \nas both a corporate attorney and academic conducting research on the \nlegal regulation of information security. 
My testimony also reflects \nthe practical business knowledge I have obtained through long-standing \nrelationships with insiders at Fortune 100 technology companies, \ntechnology entrepreneurs, consumer rights advocates, and independent \ninformation security professionals. Finally, this testimony is informed \nby insights acquired during my service as the Federal Trade \nCommission's Senior Policy Advisor/Academic in Residence, advising on \nmatters of information security.\n    During the last decade, awareness of information security has \ndramatically increased in both the public and private sector, and State \ndata security statutes have contributed significantly to this \nimprovement. However, the field of information security is still in its \nearly years, and the overall level of information security knowledge \nand care that currently exists in the United States is still \ninadequate. As high-profile data breaches such as the security failures \nof organizations such as OPM and Sony permeate the news, citizen \nconfidence in the data stewardship capabilities of both companies and \nGovernment agencies is eroding. Dramatic information security \nimprovements are necessary throughout both the public and private \nsector, and it is this social context that frames today's legal and \npolicy conversation around the SAFETY Act.\n    The SAFETY Act's primary feature--a grant of limited liability to \ncompanies whose products are certified by the Department of Homeland \nSecurity and to their customers--is a poor fit for stimulating \nimprovements and incentivizing adherence to best practices in \ninformation security. SAFETY Act certifications for information \nsecurity products are not likely to lead to improved information \nsecurity in either the public or private sector. Instead, such grants \nof limited liability for information security products and services are \nmore likely to have the inverse effect. 
They are likely to
unintentionally create incentives for lower quality in information
security products and services, indirectly undermining National
security and consumer protection advancement.
1. Limitations of liability are likely to disrupt information security
innovation in the marketplace--an outcome that contradicts the goals of
the SAFETY Act--and to create disincentives for corporate purchasing
based on information security technical efficacy
    The marketplace for information security products and services has
dramatically evolved since the passage of the SAFETY Act. While the
SAFETY Act's liability limitation incentives for creation of new
information security products may have been helpful in 2002, in 2015
they are unnecessary. The market for information security is robust and
has matured significantly: According to some estimates, sales of
digital security products and services are likely to approach $80
billion worldwide in 2015 and rise to $93 billion in the next 2
years.\1\ Information security companies are successfully
obtaining venture capital easily and engaging in IPOs,\2\ and
high-quality information security products are successfully appearing
in the market.
Because of this healthy market growth, any selective liability
limitation incentives injected today by the SAFETY Act are likely to be
undesirably disruptive and damagingly counterproductive to the
successfully blooming market for information security products and
services.
---------------------------------------------------------------------------
    \1\ http://www.betaboston.com/news/2015/07/17/cybersecurity-firm-
rapid7-raises-103m-in-years-first-boston-tech-ipo/.
    \2\ Id.
---------------------------------------------------------------------------
    Because of the fast pace of innovation in information security, it
is likely that the liability protection offered to certified products
by the SAFETY Act will outlive the optimal technical efficacy of those
certified products. Yet, any technology deployed during the period of
designation is protected for the lifetime of designation. Indeed, the
older a certified product becomes, the more outdated and potentially
vulnerable it is likely to become, particularly because material
changes may require DHS notification/refiling to maintain
certification. Meanwhile, the SAFETY Act liability shield remains
constant across time. Thus, it is precisely the older, potentially more
vulnerable certified technologies that may command a lower price point
and superficially appear most cost-effective to corporate decision
makers without technical expertise.
    As a consequence, business purchasing incentives could undesirably
shift away from maximizing best practices in information security in
favor of maximizing liability limitation. Corporate CFOs and general
counsels will be likely to override the technical judgment of the CISO
and their information security engineers in at least a portion of
corporate information security products purchasing decisions.
Companies
will therefore likely shift away from purchasing based primarily on
technical efficacy toward purchasing information security products
based on whether they are certified under the SAFETY Act, even when
those certified products may be of inferior technical quality or a
worse business fit. In granting limitations of liability to only
certain information security companies under the SAFETY Act, DHS would
unnecessarily manipulate an already-competitive information security
marketplace, potentially hindering adoption of new information security
technologies in favor of older ones.
    A significant and growing portion of the information security
expert community does not view the use of liability limitation
approaches as the correct path to improving public and private-sector
information security. As vulnerabilities will increasingly lead to
potential loss of human life,\3\ code quality and information security
rigor in products become paramount. Similarly, sophisticated technology
companies with heavy investments in information security in many cases
do not necessarily support limitations of security liability, and they
are concerned that less ethical companies are misrepresenting the
quality of the security in their products and services. Due to low
enforcement and lack of information security liability, the market
currently inadequately sanctions misrepresentations of information
security quality in products and services.
Liability limitation for
information security products will only exacerbate this code quality
problem, unfairly disadvantaging the companies who purchase the
best-of-breed information security products based on technical
information security concerns and enterprise fit rather than based on
DHS certification.
---------------------------------------------------------------------------
    \3\ http://www.wired.com/2015/07/jeep-hack-chrysler-recalls-1-4m-
vehicles-bug-fix/.
---------------------------------------------------------------------------
    Selective liability limitation through the SAFETY Act also
disadvantages information security start-ups. Start-ups are most likely
to be allocating resources to code development at the expense of
allocating budget to the legal resources necessary to apply for a
certification under the SAFETY Act. Yet, security start-ups sometimes
offer the most appropriate product for a particular information
security corporate need from a technical perspective.
2. The level of technical rigor in procedures in the SAFETY Act
certification process is suboptimally transparent
    Pursuant to my review of available information regarding the SAFETY
Act certification process, the process of certification is currently
suboptimally transparent. Available DHS materials raise material
concerns regarding the technical rigor and thoroughness of the vetting
process for certification of information security products and
services. DHS states in informational materials on its website
regarding the certification process that it views itself as
``nonregulatory'' and that a body of unidentified ``technical experts''
will provide ``suggestions.'' The process appears to be largely
applicant self-reported with respect to product and services
performance and quality.
It is not clear from available DHS materials
that DHS performs any independent penetration testing, analysis of code
quality, assessment of patching speed or quality review of
self-reporting through prior applicant security advisories during the
process of evaluating applications. Members of the information security
research community have also raised various concerns regarding the
process.\4\ For example, my consultations with private-sector
vulnerability database experts have yielded potentially important
unanswered questions regarding the quality of currently-certified
information security products' advisory release history.\5\
---------------------------------------------------------------------------
    \4\ http://www.csoonline.com/article/2918614/disaster-recovery/
fireeye-offers-new-details-on-customer-liability-shields-under-the-
safety-act.html.
    \5\ Interview with content managers at OSVDB.
---------------------------------------------------------------------------
    An applicant-driven, non-transparent process is not optimal for a
Governmental process culminating in the substantial privilege of a
grant of limited liability for harms resulting from information
security inadequacy. When these process ambiguities are added to the
sub-optimally precise definitions in the SAFETY Act regarding the
classification of security incidents and the broad discretion afforded
to DHS in interpretation, substantial concerns exist regarding the
current structure of the certification process.
3. Grants of limited liability for information security products are
likely to negatively impact timely patching, code integrity vigilance,
and the quality of advisory disclosures in certified information
security products
    DHS currently lacks adequate enforcement authority to require
correction of corporate information security inadequacies or to stop
companies from selling dangerously vulnerable products in the
marketplace. In fact, as expressly stated with visible frustration in
DHS advisories, companies feel at liberty to brazenly disregard DHS's
demands for correction of even serious security vulnerabilities in
their products and services.\6\ Adding a layer of liability protection
under the SAFETY Act for information security products would only
exacerbate this bigger DHS enforcement problem, creating additional
incentives for certified companies to neglect or delay patching or
updating of their products.
---------------------------------------------------------------------------
    \6\ https://ics-cert.us-cert.gov/advisories/ICSA-14-084-01 (``Festo
has decided not to resolve these vulnerabilities, placing critical
infrastructure asset owners using this product at risk.'')
---------------------------------------------------------------------------
    Removing risk of liability eliminates an important corporate
incentive for timely patching, internal vigilance regarding code
quality, and release of adequate security advisory notices. The primary
information security challenge faced in the marketplace today is
policing the consistent quality of information security products and
services in light of their increasing vulnerability across time.
Deteriorating quality and unpatched information security products
create a false sense of security and leave their users vulnerable to
attack.
The liability limitations of the SAFETY Act do nothing to
improve the quality and integrity of information security products.
Instead, they potentially create perverse incentives for lower levels
of product and services vigilance through a liability buffer for
certified companies.
4. Grants of limited liability under the SAFETY Act for information
security products may indirectly disrupt information security
enforcement work of other agencies, harming our economy and National
security
    DHS's selective certification of particular information security
technologies and grants of liability limitation may hinder the work of
other agencies working to improve information security. In particular,
the work of the Federal Trade Commission, Federal Communications
Commission, Securities and Exchange Commission, and Consumer Financial
Protection Bureau may be impacted. These and other agencies are
currently expanding efforts to police the quality of information
security and data stewardship offered by businesses to consumers and
business partners. These agency efforts are still in their nascence in
many cases, but ramping up swiftly. A limitation of liability would
potentially meaningfully circumscribe these agencies' efficacy in using
fines or disgorgements to obtain redress for consumer, businesses, and
National security harms arising from information security inadequacy.
This is an undesirable limitation on important work by other agencies
aimed at improving information security in our economy.
5. Limiting States' rights to impose liability for corporate
information security misconduct will further erode consumer trust and
damage innovation in the United States
    Information is only as secure as the weakest link in the chain of
possession. Therefore, it is essential that the highest possible floor
of information security be created across organizations in both the
public and private sector.
However, the field of information security
law is very young, and best practices of conduct continue to evolve
rapidly. As such, determining the best legal regime for addressing
information security liability will require experimentation on the
State level to arrive at an optimal legal framework. A broader social
and scholarly conversation on information security policy is
desperately needed, and it requires time to develop. At this juncture I
believe strongly that it is dramatically premature and undesirable to
Federally limit liability for information security misconduct
demonstrating a lack of due care in any form, including through the
SAFETY Act.
    States have traditionally been the laboratories of experimentation
for novel legal approaches to liability. The best course of action with
respect to any consideration of limitation of liability is one
exercising deference to Federalism concerns and States' regulatory
interests in redressing the harms of their citizens for information
security harms. Different States engage with consumer protection
questions in different ways, and no National consensus currently exists
with respect to the best course of action for information security
liability. Federally imposing the model of the SAFETY Act liability
limitations undesirably breaks with the Federalist tradition of
deference to State liability determinations. It also disrupts the
traditional deference of allowing State contract law to be the primary
source of liability shifting determinations between contracting
parties. Information security companies are usually represented by
attorneys who may lack SAFETY Act expertise but who are amply capable
of negotiating contractual limitations of liability with business
partners, as are, in turn, the attorneys of the companies that rely on
those information security.
Contract and tort law are already beginning
to adequately rise to the challenges presented by the information
security marketplace, and Federal intervention into software liability
limitation is not necessary and is premature at this juncture.
    Thus, I strongly urge this committee to exclude information
security products and services from the SAFETY Act and avoid legal
approaches driven by limitations of liability in information security.
Selectively granted limitations of liability through the SAFETY Act
will hinder innovation in information security and negatively disrupt
the information security marketplace. They are also likely to
indirectly damage National security and stifle consumer protection
efforts of other agencies.
    Instead, I urge this committee to engage with a number of untried
and more promising approaches likely to stimulate widespread
information security improvements in the private sector. One approach
that holds significantly greater promise is the repurposing of SAFETY
Act funding toward phased-out information security tax incentives
across 10 years for small businesses and entrepreneurs. These tax
benefits would offer incentives for enterprises that are operating on
tight budgets to invest in information security education, hire
security personnel, and purchase information security goods and
services. A tax incentive approach does not suffer from the significant
negative secondary consequences described above, and it offers a more
immediate and direct impact on improving private-sector information
security.

    Mr. Ratcliffe. Thank you, Dr. Matwyshyn.
    The Chair now recognizes myself for 5 minutes for
questions.
    So I think, as I listen to the testimony of all three of
you, where I found agreement is that you all believe that the
SAFETY Act itself is working very well or as it was originally
intended, and the SAFETY Act Office, likewise, is a very
properly functioning part of DHS currently.
    I think you would all probably also agree, as we all would,
that we do need to incentivize the creation of cyber
technologies to provide solutions and protections for what is a
very obvious and public threat to our cybersecurity right now
across this country.
    Obviously, where I did hear disagreement was Dr. Matwyshyn,
essentially, her testimony is--or your opinion, Doctor, as I
understand it, is you don't think that the SAFETY Act or the
SAFETY Act Office is the best place for this and could be
disruptive, I think as you said, to the information security
ecosystem.
    So let me start with Mr. Finch and Mr. Biagini and give you
an opportunity to comment on that.
    Mr. Finch. Well, I would disagree for several reasons.
    First of all, first, when it comes to cutting-edge
technologies being introduced into the marketplace, I actually
think that one of the critical problems that we see when it
comes to information security is that too many companies, as
well as the Federal Government, rely on outdated technologies
for far too long.
    A critical problem that I have seen on a regular basis, for
instance, is that far too many organizations rely on outdated
signature-based technologies, standard anti-virus technologies.
Part of the reason that is, particularly in the private sector,
is that companies are extremely concerned about liability when
they switch technologies.
If they switch from a proven
technology to one that is, ``advanced'' or ``experimental,''
they are concerned that they can face liability for making a
``wrong decision,'' and that there would be allegations of
negligence or failure to exercise due diligence.
    The SAFETY Act would give a level of comfort that: (A) The
product has been vetted, and, (B), that there is some measure
of liability protection associated with its use.
    The other point I would make is that, when you go through
the SAFETY Act certification process--and I know Mr. Biagini is
exceptionally familiar with this, as am I--it is one of the
most rigorous processes that you will ever encounter when it
comes to determining whether or not there is a rigorous quality
control, quality analysis, and continuous improvement process
in place. You will not receive SAFETY Act protections unless
you have in place a rigorous program to ensure that your
product continues to work once it is deployed and that you
continue to match threats. It is not fire and forget.
    In addition, when the Department grants you liability
protections, it clearly defines the threats that the device
will protect against and what the liability protections will
protect against. So if you have a standard signature-based
anti-virus program, it will not offer you protections against
non-signature-based, polymorphic, heuristic, behavioral-based
malware with constantly-changing software.
    So simply having a SAFETY Act-approved anti-virus
signature-based defense isn't going to protect you and is not
going to be an incentive to not adopt new protections.
    Mr. Ratcliffe. Thank you, Mr. Finch.
    Mr. Biagini.
    Mr. Biagini. Yes, Mr. Chairman. Just a couple of additional
points. I agree with what Mr. Finch said, and I would add, you
know, the comment that there is lots of investment going on,
money is pouring into this area and so forth, what will happen
to all of that if and when there is a giant
enterprise-threatening attack on a critical infrastructure and
liability is massive and is spread around--deaths, injuries,
business disruption, companies' very existence is threatened?
    That is what we don't want to have happen. We have to take
the natural next steps to evolve the SAFETY Act to move toward
that full implementation and protect companies to keep that
investment going, No. 1.
    No. 2, as Mr. Finch mentioned and you mentioned, Mr.
Chairman, at the beginning about the SAFETY Act process being
an on-going process once you get SAFETY Act coverage,
absolutely correct, it is not a static situation.
    You, as an applicant, once you get SAFETY Act coverage, if
you are upgrading your technology, if you are changing your
technology in any material way, you need to go to the SAFETY
Act Office. They are open for business to take on any
modifications. They will do it in real time. The modifications
will occur. Your SAFETY Act coverage will be upgraded to cover
the next versions of what you are making.
    So it is a very on-going process that is well done at the
SAFETY Act Office.
    Mr. Ratcliffe. Thank you, Mr. Biagini.
    In your testimony, you emphasize that severity and impact,
not the identity of the attacker, should be the operative
consideration in triggering SAFETY Act protections.
    Can you give a scenario of how coverage for a qualified
cyber incident would be triggered? In answering that, would you
comment on whether or not you think any of the cyber incidents
that have occurred to date rise to that level of severity and
impact?
    Mr. Biagini. Well, certainly, I think an attack on the
electrical grid of the United States, nuclear plants, our
energy sources, our water treatment sectors, any attacks like
that that would debilitate, take down our ability to deliver
those kinds of absolute necessities to the American citizenry
would constitute the kind of severely impactful incidents that
would receive coverage under this amendment.
    Do any of the ones that have occurred to date, in my mind,
rise to that level? Possibly. Possibly.
    But where I think the emphasis ought to be is on critical
infrastructure--as I say, the health care system, the financial
system, the energy systems, the water treatment systems, and so
forth, those that make up the bread and butter, if you will, of
keeping America and the populace well and safe. Attacks on
those that cause great impact and material damage are the types
of attacks I think should be recognized under this amendment.
    Mr. Ratcliffe. Thank you, Mr. Biagini.
    My time has expired. The Chair now recognizes Mr. Langevin
for 5 minutes.
    Mr. Langevin. Thank you, Mr. Chairman.
    I again want to thank our witnesses for being here.
    Mr. Finch, Mr. Biagini, it seems like you have kind of gone
to the doomsday end of the spectrum on this conversation.
    I guess I would like to ask Dr. Matwyshyn if you would
respond and if you would clarify and give your perspective on
that, on the SAFETY Act and liability protection, if that is
the best way, as I touched base in my statement.
    But, also, I would like to ask you, and then the panel can
also chime in, does the information security expert community
uniformly support--and I am asking Mr. Richmond's question, to
clarify, on this second half.
Does the information security
expert community uniformly support the use of liability
limitation approaches as the correct path to improving public
and private-sector information security?
    So we will start with you, Dr. Matwyshyn.
    Ms. Matwyshyn. It would be my pleasure to answer those
questions.
    Taking the doomsday scenario first and foremost, it would
be devastatingly misguided in protecting our National security
and our economy to allow the general counsel to be selecting
the products that the security team is using in defending our
Nation. When we are talking about that kind of a high-stakes
situation, we need to have the security experts--the engineers,
the chief information security officer--using the
state-of-the-art technology, whether it is certified or not, to
defend us and keep us all safe.
    A technology at the end-of-life of certification is still
certified. We could find ourselves with business decision
makers implementing a 5-year-old not-fully-patched technology
in critical infrastructure. That is not the optimal way to
defend us against attack.
    Information security changes dramatically, overnight in
some instances. Think about Shellshock; it changed everything.
A technology that hasn't patched for Shellshock 4 years later,
that is a severe problem. That is not the way that we want to
be making these decisions.
    The liability doesn't exist yet. The case law hasn't
developed. So the information security ecosystem is not being
crippled by copious liability coming from all directions at
them in the courts.
So those concerns are premature.
    What is not premature is the significant need to encourage
companies to responsibly implement reasonable security
practices through a holistic analysis of their own enterprise
and to determine the state-of-the-art technologies that best
fit their business needs, particularly in critical
infrastructure.
    Members of the information security research community do
not support liability limitation approaches uniformly. In fact,
many of them believe that the best security teams are being
unfairly unrecognized for their efforts because of the weak
enforcement of information security and that companies without
the same degree of care in information security are getting the
benefit of the marketing value of saying that they have
top-notch information security when they actually don't.
    So the top-tier information security professionals are not
worried, in many cases, about the risk of liability at present,
because the evolution of the product ecosystem would first
recognize the bottom tier of sub-optimally secure
product/services companies. That ferreting out would be a
substantial benefit to the overall security of our ecosystem
and the economy and our National security.
    So the major changes that can happen overnight in security
really require the use of the best technology as it exists in
that moment, not one that is driven by a choice around
liability limitation.
    Mr. Langevin. Thank you.
    To Mr. Finch and Mr. Biagini, would you care to ask--could
you give us your perspective on that part of the question Mr.
Richmond wanted to ask? Does the information security expert
community uniformly support the use of liability limitation
approaches as the correct path to improving public and
private-sector information security? To your knowledge, have
concerns been raised by technology experts regarding this
approach?
    Mr. Finch. Well, I obviously can't speak uniformly for the
information security community, Mr. Langevin.
    By the way, I very much support and thank you for all your
efforts with respect to cybersecurity. You are truly one of the
leaders in this community. You have done more to bring
attention to this subject than, I think, most people in
Congress, so thank you for that.
    But I would say that the information security community is
completely overwhelmed at this point with the number of
threats. I think you would agree that it is really a triage
matter for them at this point. Their problem is just being
overwhelmed with the number of attacks and trying not to get
fired when the incident occurs. It is not an ``if'' the
incident occurs; it is not even ``when.'' It is, how long has
it been occurring? So it's very much, how do we get a handle on
this?
    Part of the issue that is completely beyond their control
is that they really can't do anything other than try and slow
down the number of events that are occurring. There needs to be
an offensive component of this, which is the responsibility of
the other side of this dais. It's the Executive branch's
responsibility, and that's a subject for another hearing.
    But when it comes to liability protection, that's
absolutely a concern of a number of the members of the
information security community, because, remember, now the CIO
and the CISO are getting a seat at the directors and officers
table at this point, and risk management is coming to their
plate. They are sitting in at the board meetings. They are
sitting in at the stockholder meetings. They are learning about
the serious concerns. They are being fired.
They are being held
accountable to the boards of directors and to the CEOs and the
CFOs, et cetera.
    So, absolutely, liability is of significant concern to them
and how to manage that and, also, how to tell the difference
between what is snake oil and what is not when it comes to
information security technologies.
    That's an important consideration when it comes to SAFETY
Act, as well. Even if the liability protections are not
triggered by a declaration from the Secretary of Homeland
Security, whether an act of terrorism or a cyber incident, the
mere fact that it has been reviewed by the Department of
Homeland Security is extremely helpful to a CIO or a CISO.
    Mr. Langevin. Mr. Biagini.
    Mr. Biagini. Yes, I would add one other concept. I think we
have to be careful not to let the perfect get in the way of the
good, if you will. The SAFETY Act process is a well-established
one. The SAFETY Act Office has shown its ability to review and
approve cybersecurity technologies.
    There is great concern about liability in that sphere. It
is on top of mind of many, many companies that I deal with. You
know, the process that has been established over the last 13
years has been a good one; it continues to evolve. I think it
can--I'm certain it can stand and meet and beat the
requirements that might be upon it with this amendment.
    So I would second Mr. Finch's remarks that liability is a
driver here among the industry members. Even though there
hasn't been a, if you will, debilitating attack yet leading to
that kind of enterprise-threatening liability, what we don't
want to do is wait for that to happen and then try to act with
appropriate legislation.
    Mr. Langevin. Thank you, and yield back.
    Mr. Ratcliffe. The gentleman yields back.
    The Chair now recognizes the former district attorney from
New York, my colleague Mr. Donovan.
    Mr. Donovan. Thank you, Mr. Chairman.
    I will just open this up to the panel, because I am not
sure who is the person who would want to answer this or who
would have the expertise.
    But don't companies protect their data? Don't nuclear
regulatory power plants protect their systems, and the water
treatment systems, without the incentive of having limited
liability? Why do they need that incentive to do this, take
these measures to protect themselves?
    I open that up to anyone who would care to answer.
    Or, if no one cares to answer----
    Ms. Matwyshyn. I am happy to.
    Mr. Biagini. Would you like to?
    Ms. Matwyshyn. So I concur with the spirit of your
question. We want our nuclear power plants and water treatment
facilities to engage with the state-of-the-art of security for
the purpose of protecting their operations and be driven by the
desire to defend our Nation and our populace, not by concerns
of limitations of liability and whether they're present or
absent.
    That's why the engineering determinations of the
state-of-the-art security technology must take precedence, or
we will inevitably see the data breaches that are permeating
our society currently and the types of serious incidents that
are, unfortunately, regularly happening continue and escalate.
    The OPM breach, for example, that was much less the--if we
look at the root causes, it was, yes, we have malicious actors
on one side, but there were some basic, fundamental errors that
could have been caught through a thorough internal audit and
review process.
    So we have standards, such as the ISO standards, now that
will encourage companies and other organizations to perform
these rigorous internal audits.
We all need to learn and grow
together to defend ourselves together as a country rather than
look for ways to limit liability and just try to engage with
reasonable standards of security.
    The liability will, in my opinion, not emerge if companies
simply engage with reasonable security measures. I trust our
federalist structure of letting our courts across various
States work with these issues and letting various States
decide. No officer and director will ever be fired for conduct
that reflects the state-of-the-art use of security practices.
So the risk does not exist when companies engage with these
issues in a rigorous technical manner.
    Mr. Donovan. The other two gentlemen, Mr. Biagini or Mr.
Finch.
    Mr. Finch. Yes. I think companies are very much invested in
cybersecurity. I know that for a fact. Every director, every C
suite member that I speak to is extremely concerned about
cybersecurity. They know it's a problem; they know they need to
do something about it.
    Where they are held up, where they are paralyzed, frankly,
is what do we do? They are hearing so much about, what is
state-of-the-art, what is the best practice? Frankly, it
changes depending on who you're talking to and what the news of
the day is, with respect to a new vulnerability or a new
attack.
    Let's remember that our adversaries truly have the
advantage when it comes to cyber attacks. To use military
parlance, they have complete freedom of movement. They can pick
the time, the place, and the manner of their attack, with
absolutely no concern about being prosecuted or having their
actions interfered with. There is no threat that a law
enforcement agency--particularly if you're operating under the
protection of a foreign government or in a lawless area, no law
enforcement agency, no government is going to come after you
and disrupt your planning.
So you can take your time and \npractice until you get it right.\n    So, no matter how advanced your defense is, you will be \npenetrated. Breach after breach has demonstrated that. In a \nworld where 500,000 pieces of malware are created on a daily \nbasis, there is no way any company is going to be able to \ndefend against that.\n    To the doctor's point, what is reasonable? That is the \nquestion. That is absolutely the question. I think what we're \nforgetting here is that it's not necessarily about whether \nthere's going to be a liability, finding a liability; it's \nabout getting to the point of when a determination is made \nregarding liability. It's going to be extraordinarily \nprotracted and expensive in order to get to that point.\n    Litigation related to the 1993 World Trade Center bombing \nwent on for over 15 years. Litigation related to the 2001 \nSeptember 11 terrorist attacks went on for over a dozen years. \nHundreds of millions of dollars were spent in legal fees.\n    Now, as two lawyers at the table, that sounds really nice, \nbut, frankly, as an American, I don't want that to happen. I'd \nmuch rather see that we have companies investing in the right \ntechnologies to mitigate those events and likely stop those \nevents or make sure that the losses are far less significant \nthan they actually were on those two terrible days.\n    Mr. Donovan. My time has run out.\n    Mr. Biagini, if I could just ask you a second--a different \nquestion. Who determines what the best practices are? Is it \nDHS? Is it the industry that determines the best practices? If \nthis amendment to the SAFETY Act is done, what is going to give \nthose companies the protection under that limited liability? \nWho is going to make that determination?\n    Mr. Biagini. 
Congressman, a couple responses to that.\n    Oftentimes, when we file SAFETY Act applications, there are \nindustry standards involved, there are regulatory standards \ninvolved, there are company standards and internal standards \ninvolved that are in play with an application. When the SAFETY \nAct Office gets an application like that, they look at all of \nthose. They look to see that you're complying with, if not \nexceeding, the various standards that may apply.\n    In the situation with cybersecurity, I think we'll have \nsomething similar. We'll have regulatory standards. We'll \nprobably have NIST guidelines. We'll have company standards. \nWe'll have industry standards. The SAFETY Act Office will be \nlooking at all of that, as they do with any application, to \nlook for compliance and exceeding compliance.\n    Back to your initial question about, well, aren't companies \nalready protecting themselves, what I do for a living is I \ndefend against tort suits that are filed in court, and I \nrepresent companies that get sued. Oftentimes, when all they \ncan show is they're complying with minimum standards, whether \nit's an industry standard or a regulatory standard, in court, \nthat doesn't go very far. That won't get them a very good \ndefense.\n    So, in order to incent them to go above and beyond whatever \nthese minimum standards may be, whether they're industry or \notherwise, I think that's why we're talking today about the \npossibility of the SAFETY Act providing those additional \nincentives.\n    Mr. Donovan. Thank you.\n    Mr. Ratcliffe. The gentleman yields back.\n    The Chair now recognizes my friend from Pennsylvania, Mr. \nPerry.\n    Mr. Perry. Thank you, Mr. Chairman.\n    Mr. 
Finch, I think, as has been noted in testimony, many \ncompanies are slow to make improvements to their management of \ncyber risk because security costs money, obviously.\n    How do you think amending the SAFETY Act to cover \ncybersecurity gives companies further incentives to adopt cyber \nbest practices, if so?\n    Mr. Finch. Well, first of all, utilizing SAFETY Act-\napproved technologies and services or going through the process \nactually helps contain costs, whether it's the risk-management \ncost associated with insurance--and, as Mr. Biagini noted as \nwell, the actual improvement in processes, policies, and \nprocedures, this is very much a best practices review \ninternally as much as it is a liability review.\n    So you actually obtain efficiencies by going through this \nprocess and identifying problems that you have internally that \nare fixed going through the SAFETY Act process. They have to be \nfixed in order to obtain SAFETY Act protections. I have had any \nnumber of applicants say to me afterwards, ``We're a better \ncompany for having gone through this process.''\n    Mr. Perry. But what's the cost? I mean, is there, like, a--\nis there some kind of way to measure the cost by either your \nrevenues or your sales of your personnel or some way to measure \nthe cost per increment to determine--I mean, at the end of the \nday, everybody's got to meet the bottom line, so----\n    Mr. Finch. Absolutely. It's an individualized analysis. To \nbe perfectly frank, there are a number of companies that elect \nnot to go through the SAFETY Act process because they don't \nnecessarily think that it is in their economic interest to do \nso, whether it's because their liability concerns aren't that \nsignificant or they don't have the dollars and they're \nsatisfied just relying upon insurance.\n    But the companies that feel that their liability concerns \nare so great, they look at the potential expense of this \nprocess--which is free, by the way. 
It is a free process. The \nDepartment of Homeland Security doesn't charge anything. Where \nmoney is involved, it's internal personnel time involved in \nputting together an application. If you need to retain outside \ncounsel or a consultant, you can have someone work with you in \norder to put that application together. That typically runs in \nthe tens of thousands of dollars. When you amortize that over a \n5-year period, it's not very much money for a company to go \nthrough that process.\n    But, at the end of the day, you know, you did hit on a very \nimportant point, which is that, you know, companies don't have \nunlimited amounts of money to spend on cybersecurity. They \nstill have to operate a successful business. This is actually a \nvery important point that we need to talk about, as well, which \nis that companies could spend as much money as they have in \ntheir treasury on cybersecurity products and services and best \npractices, and they will still get breached, and they will \nstill face litigation after that breach for having negligent \ndesign or negligent implementation of their security program.\n    In all likelihood, that case will still go to a jury or to \na decision by a court. Companies will say, well, what are we \nsupposed to do in order to actually prove that we did the right \nthing? They may eventually be vindicated in court. I'm sure if \nsomeone like Mr. Biagini is representing them, they will come \nout just fine. But, again, they will wind up spending a lot of \nmoney on something like that.\n    So we want to avoid that kind of situation. We want to give \nthem confidence and say, look, not only are you doing the right \nthing and spending your money wisely, but we'll also give you a \nlittle bit of limited liability protection, not a complete \ngrant of immunity--that's not what this program is--but we will \ngive you some liability protections.\n    One other thing I would like to say very quickly. 
I think \nthat if you were to include cyber attacks and cybersecurity \ntechnologies as a small amendment to the SAFETY Act, one of \nmost exciting opportunities that I see being utilized in this \ncontext is shifting the focus from cyber defenders to other \ncompanies involved in information technology.\n    When I was in 7th grade, I had a project in wood shop where \nwe had to take an egg, and, using a few small pieces of paper \nand wood sticks, we had to build a crate around the egg and \ndrop it from 5 feet and hope that the egg didn't break. Of \ncourse, I failed. I'm not very good at technical things, which \nis why I'm a lawyer. I'm also not good at math, full \ndisclosure. But the point is that cybersecurity is like that \nbrown paper around the egg. What's the underlying egg? It's the \nhardware and the software.\n    That hardware and software has lots of bugs and \nvulnerabilities. I think a wonderful application that is \nwaiting out there is to have the underlying software and \nhardware developers go through the SAFETY Act process.\n    As Mr. Biagini knows--he talked about it with the airports, \nthe port authority, et cetera--the infrastructure itself, not \nnecessarily the defensive technologies, is now actually \napplying. Wouldn't it be great if Adobe Flash actually built \nsecurity into its own product so we didn't have to design all \nthese security products to stop it from having vulnerabilities \nthat are exploited by the Chinese and the Russians?\n    Mr. Perry. Thank you, Mr. Chairman. I yield.\n    Mr. Ratcliffe. The gentleman yields back.\n    Because we have a number of questions that haven't been \nanswered, the Chair will entertain a second round of questions. \nI recognize myself for 5 minutes.\n    So, Mr. 
Finch, to the points that you were just making with \nregard to litigation and limited liability and the costs \nassociated with that, I guess I would like to hear a little bit \nabout how the SAFETY Act Office currently works with insurance \ncompanies.\n    Then, separately, can you discuss how adding cyber \nincidents as a trigger to the SAFETY Act would potentially spur \ngrowth in the cyber insurance marketplace? You know, \nunderwriters and actuaries grapple with risk analysis, and it \nwould seem to me that this change would help with that, but I \nwould like your perspective on that.\n    Mr. Finch. Sure.\n    With respect to the SAFETY Act Office working with the \ninsurance community, it works with a number of carriers as well \nas brokers to help determine what the marketplace is for \ninsurance. Because, remember, under the SAFETY Act statute, \nthere are actually statutory limitations as to the types of \ninsurance or the amounts that the SAFETY Act can impose as a \nrequirement on applicants. There are two. No. 1, an application \ncannot be forced to carry more insurance than is available on \nthe world market. Second, an applicant cannot be forced to \ncarry an amount of insurance that would unreasonably distort \nthe price of their product, i.e., make them uncompetitive.\n    So the SAFETY Act Office has to stay somewhat in contact \nwith the carrier and broker community in order to understand \nwhat the terrorism insurance marketplace will look like and \nwill now also have to stay in contact with the cyber insurance \nmarketplace to understand what that looks like.\n    Again, it is an interesting one, because the cyber \ninsurance marketplace mostly relates to data breaches, at this \npoint. It is actually a fairly limited marketplace, only about \n$3 billion in global capacity. The most insurance that any one \ncompany can obtain is maybe $200 million, $250 million for a \ndata breach. 
Note what is missing: Physical damage, personal \ninjury, loss, et cetera. That is not an insurance marketplace \nthat is really available.\n    Having the SAFETY Act out there, having carriers know that \nthey can sell this insurance but, with the SAFETY Act, they \nwill actually be insuring products and services that they know \nhave been vetted, will help them. It will help them collect \ndata that will be useful for actuarial purposes and actually \nprovide a more stable marketplace that will support their \nbusiness model at the end of the day.\n    I would also add, too, that I was recently at an insurance \nconference, and it's a fairly obvious point but not one I had \nnecessarily thought of--and, again, another failing of mine is \nsometimes I miss the very obvious things right in front of my \nface. But we as individuals do not carry one insurance policy \nfor everything in our life. We have life insurance, we have \ndisability insurance, we have health care insurance, we have \nautomobile insurance, we have homeowners insurance, et cetera.\n    For some reason, we have been thinking about cybersecurity \ninsurance as a one-policy-fits-all program. I don't think that \nis correct. I think there are multiple cyber insurance policies \nthat need to be available.\n    I think the SAFETY Act would actually help stimulate that, \nwhether it is my cyber HMO model, whether it is the \nreimbursement policies that we're currently taking about or \nsome other types of cyber insurance programs that we haven't \neven thought about at this point. The problem is so broad and \nso significant that the SAFETY Act could help serve as a \nstimulus to really diversify the insurance marketplace.\n    Mr. Ratcliffe. Mr. Biagini.\n    Mr. Biagini. Yeah, just a few comments on that.\n    Think about it in this sense. 
If an insured has these \nliability protections and they end up being a first line of \ndefense should there be a cyber incident that results in \nlawsuits, the carrier is going to be more willing to sell \ninsurance into that scenario, into that potential situation, if \nit already knows that the insured could defend itself in those \nlawsuits well with these kind of tort protections.\n    That is exactly what has happened when the SAFETY Act was \npassed initially, is it granted these presumption of dismissal \nprotections, it capped liabilities, and so forth. That \nstimulated the insurance market back into action, along with \nthe passage of TRIA. So I've seen a direct connection over the \nyears in that sense.\n    Also, you know, when an applicant comes to the SAFETY Act \nOffice and is trying to get SAFETY Act coverage and doesn't \nhave insurance--terror insurance, in this case--the SAFETY Act \nOffice will work with that applicant, will look for quotes in \nthe insurance market that would be consistent with the revenues \nthat this applicant is generating from this particular \ntechnology.\n    It is a very synergistic process whereby the SAFETY Act \nOffice is being very responsive to that applicant. It is also \npulsing insurance and getting insurance involved and ultimately \nwriting insurance for that--having that applicant get a modicum \nof insurance in order to get the SAFETY Act coverage. So it is \na very--there's a lot of synergy with the whole process of \ngetting SAFETY Act coverage with the insurance industry.\n    Mr. Ratcliffe. Thank you, Mr. Biagini.\n    Dr. 
Matwyshyn, as I read your testimony, your written \ntestimony, it seemed to me that your perspective is that the \nliability limitation that would be granted through the SAFETY \nAct would be a disadvantage for cybersecurity start-ups.\n    It would seem to me that most folks would see a SAFETY Act \ndesignation or a certification that comes with the rigorous \nvetting that DHS would do--would see that as an advantage. So I \nwant you to comment on how you see it as a disadvantage.\n    Ms. Matwyshyn. I'd be happy to.\n    The first step in being able to file for the certification \nrequires hiring a very expensive attorney. When two high-level \ninformation security engineers get together in a garage to \nstart a start-up, they don't have that money. They are \nfrequently the ones who are creating the state-of-the-art \nsecurity products.\n    So we are disadvantaging their new, fledgling start-up, \nwhich may be the state-of-the-art technology and best capable \nto defend us and our infrastructure, in the purchasing decision \nof a corporate decision maker who looks at the choice of \nsecurity technologies not solely through the lens of the \ntechnical rigor of a security engineer but perhaps primarily \nthrough the lens of liability limitation, broadly speaking, and \nother corporate concerns.\n    Getting the state-of-the-art technologies in place is the \nparamount goal, to the extent we can achieve it inside our \neconomy and inside our infrastructure. So that's my concern \nwith the entrepreneurship limitations that would result, I \nthink, from an expansion of this act.\n    Mr. Ratcliffe. Thank you, Dr. Matwyshyn.\n    Gentlemen, I want to give you--my time has expired, but I \nwant to give you an opportunity to respond to what you just \nheard from Dr. Matwyshyn and that perspective that she has.\n    Mr. Biagini. 
Well, the doctor may be interested in knowing \nthat, oftentimes, we take on clients that we don't bill and \nthat have a technology that would make a difference in the \nmarketplace. They need to be able to get it off the ground. \nThey need to be able to sleep at night that, if they do sell it \ninto the marketplace, they won't get sued out of existence if \nthere is a terrorist attack or, in this case, a cyber incident.\n    Having SAFETY Act coverage has been the difference, many \ntimes, between that small company that decides to just sit on \nthe sidelines and not do any further development and getting \nthe coverage which gives them a boost in the marketplace, \nconfidence to sell their technology into the marketplace \nwithout the fear of being sued out of existence. That has \nhappened many times in my practice.\n    Mr. Ratcliffe. As a follow-up to that, do you happen to \nknow what percentage of SAFETY Act certifications right now go \nto small businesses?\n    Mr. Biagini. I would not. I would just be guessing.\n    Mr. Finch. Mr. Chairman, I think that would actually be a \nquestion for the Office of SAFETY Act Implementation, which \nactually leads me to a point I'm rather remiss in not making \nearlier, which is that I do think what's been left out of this \ndiscussion is how well the Office of SAFETY Act Implementation \noperates. I would dare say that they are the best-functioning \nelement within the Department of Homeland Security.\n    You know, we may have our disagreements with them at times, \nbut I've always found them to be fair and reasonable. They are \nextremely dedicated to their work. To Dr. Matwyshyn's point, \nthey are exceptionally helpful to small businesses and are \nvery, in fact, proud of the fact that they will work with small \nbusinesses to help guide them through the process without the \naid of counsel or a client.\n    It is, of course, a voluntary program. There is no \nobligation to retain an attorney. 
The clients that Mr. Biagini \nand I represent typically want to retain an attorney because \nthis is fundamentally a legal process and the general counsel \nwants to have a counsel involved. But there are also plenty of \ncompanies that do this on their own. I know, in particular, \nthat there are any number of small companies that have gone \nthrough this process and have done so quite successfully on \ntheir own, working with the SAFETY Act Office, which is \ndedicated not to approving applications just for the sake of \napproving them but helping applicants be successful.\n    Mr. Ratcliffe. Thank you, Mr. Finch.\n    The Chair now recognizes Mr. Langevin for his questions.\n    Mr. Langevin. Thank you, Mr. Chairman.\n    Before I begin, just to answer the Chairman's question, \nfrom CRS, in 2013, 60 technologies were approved under the \nSAFETY Act, including 22 from small businesses, that's 37 \npercent; 14 from medium-size businesses, that's 23 percent; and \n24 from large businesses, or 40 percent.\n    So, if I could, I will go to Dr. Matwyshyn before I have a \ncouple questions I'd like to ask.\n    This has obviously been a wide-ranging discussion today and \ngreat point-and-counterpoint, which is how I would like to \ndebate. So I will ask if there is anything that really stands \nout that you would like to mention for the record. Then I have \na couple questions.\n    Ms. Matwyshyn. Yes, just a few points.\n    First and most fundamentally, the question of whether an \nenterprise is compromised or attacked goes to whether there are \nunderlying vulnerabilities. So the first step in a strong \ninformation security program of any sort is the self-analysis \nto identify those vulnerabilities. Buying a product that has a \ncertification will not address the underlying corporate \ninformation security problems that exist in various \nenterprises.\n    Also, those purchased products are frequently \nmisimplemented. 
So having the in-house staff necessary to \nengage with the technical-rigor piece of this is absolutely \nessential.\n    But one historical fact that, if I may, I'd like to bring \nto our attention is that there is a robust evolution happening \nin contracting practices across various entities with respect \nto information security liability shifting. So we have private-\nsector, private-ordering solutions that are getting at some of \nthese problems that we're talking about today. We just need to \nlet the market work through some of these problems in private-\nordering ways.\n    So some of the liability concerns, to the extent they \nexist, are being addressed contractually now. That's exactly \nwhat happened after September 11. I was a practicing corporate \nattorney at that time, and we modified our contracts. So there \nwere new provisions that were incorporated as needed to shift \nliability to address some of these types of new risks that were \nemerging.\n    To the extent that the information security insurance \nmarket is emerging, it's my understanding that there is some \ngranularity in the types of policies based on the types of \nenterprise that the particular insurance companies are \ntargeting.\n    So I think the major point that I'd like to emphasize is \nthat the underlying defensive posture of the vulnerable \nenterprises needs to be the focal point of any successful \nholistic information security improvement program and ensuring \nthat they are fixing the challenges that they face, the \nproblems that they have in terms of vulnerabilities in the code \nthat's implemented inside their organizations, first and \nforemost. Then the secondary concerns of purchasing various \nproducts to assist them, that is a second-tier concern. The \nunderlying problematic flaws that they may have in their \nenterprise is where we start, in terms of the approach.\n    The last point I'll just quickly mention. 
To that end, I \nthink we have not yet tried certain other types of incentive \nprograms, such as, for example, tax incentives to small \nbusinesses to encourage them to engage with education in \ninformation security, hire more information security staff, or \nto conduct meaningful self-audits and get auditors in.\n    So, personally, I think that tax incentives would be a \nstronger way to go to raise the bottom level of the floor of \ninformation security across our economy. So I'd submit that as \na potential other avenue.\n    Mr. Langevin. Sure. Thank you. I like that point, as well.\n    So, as a matter of fairness, I want to give both to Mr. \nFinch and Mr. Biagini the opportunity to say--to ask if there's \nanything in particular that you've been champing at the bit to \nclarify or add.\n    But before I could do that, if I could just ask this one \nquestion. Hopefully, we can do this very briefly. Following up \non the Chairman's earlier question, I'd like to ask each of you \nspecifically, is there a cyber incident since 2002 that you \nbelieve should be Classified under a definition of \n``cybersecurity incident''?\n    Mr. Finch. Oh, there could be several. I think that the \ndata breach at USIS theoretically could be a cyber incident. \nWhile that was targeted and only involved 250,000 or so \nrecords, that was conducted by a nation-state, and that was \ndone purposefully for espionage purposes and to commit harm. It \ncould cause all sorts of National security and other types of \nharm. So that, theoretically, could be a cyber incident.\n    If there was actual dollar losses associated with the \ndistributed denial-of-service attacks by the Iranian Government \nand its cohorts against the banking industry, I believe it was \nabout 2 years ago now, theoretically, that could be a cyber \nincident, as well.\n    We've been fortunate in that there's been no kinetic events \nthat have occurred within the United States, but they have \noccurred. 
There's been gas pipeline explosions in Turkey. There \nhas been destruction of furnaces in industrial plants in \nGermany, I believe it was. Those would certainly qualify as \ncyber incidents.\n    I also think, though, that, you know, we're fortunate in \nthat, you know, I'm sort-of struggling a little bit to identify \nsome particular cyber incidents. That shows that--one concern \nthat I've heard is that this may be overused. It actually \ndemonstrates that this is something that wouldn't necessarily \nbe used that often. Much like there has been no declared act of \nterrorism because, knock on wood, we haven't truly had a \nsignificant act of terrorism on United States soil since 9/11.\n    In situations where we have had some, such as the Boston \nbombing or if you want to call the recent events in Chattanooga \nan act of terrorism, which, again, is beyond my purview, there \nreally weren't any SAFETY Act-approved technologies or services \nin the area such that there was a need to designate the event \nan act of terrorism.\n    But I do feel confident in saying that, with the spread of \nadvanced cyber attacks capabilities, it's coming. When you can \ngo out on the Dark Web and buy malware for $30, when you can \nbuy zero-days for a couple hundred dollars or maybe $1,000 or \n$2,000, and you can buy the services of hackers for less than \nthe cost of getting one of my daughters to clean her room, \nwhich is not a lot of money--and, in my case, my daughters \nstill don't do it--the point is that there will be some \nsignificant, significant events that will occur in the near \nfuture, and we will all, unfortunately, realize that we live in \na very dangerous cyber era.\n    Mr. Langevin. With the Chairman's indulgence, if you'd have \nany points that you are champing at the bit to clarify or add?\n    Mr. Biagini. No. 
Just that, prior to 9/11, I remember a \nnumber of companies doing a lot of investment in anti-terror \ndevices and homeland security activity, and then 9/11 occurred, \nand all of a sudden there was things that dried up. The \ninsurance dried up for terror coverage. Companies were not \nwilling to do any more investment in R&D for homeland security \ntechnology. We had to stimulate that, and we did, through the \nSAFETY Act and TRIA and so forth.\n    I just don't want us to be in that situation, where we do \nnothing here, we say status quo; an attack occurs that we can \nall agree on is of the kind that we're talking about; and then \nwe're standing here saying, why didn't we do something when we \nhad a chance?\n    We have a chance to be proactive and to get out ahead of \nthis and do the kinds of things that will stimulate and make \nsure that we are belt-and-suspendering all of this, as the \ndoctor alluded to. I think this is one of the tools to do that.\n    Mr. Langevin. Okay. Very good.\n    My time is way over. I will yield back.\n    But, if I could, Mr. Chairman, I know that Mr. Richmond had \nadditional questions, and I have additional questions. If I \ncould, without objection, I'd like to submit those for the \nrecord. If our witnesses would respond to those in writing, \nwe'd be grateful.\n    Mr. Ratcliffe. Absolutely.\n    The gentleman yields back.\n    I thank all of the witnesses here for your valuable \ntestimony and the Members for all of their questions.\n    As Congressman Langevin said, some Members have additional \nquestions, which we'll ask you to respond to in writing. \nPursuant to committee rule 7(e), the hearing record will be \nheld open for a period of 10 days.\n    Without objection, the subcommittee stands adjourned.\n    [Whereupon, at 3:45 p.m., the subcommittee was adjourned.]\n\n                                 [all]\n</pre></body></html>\n"