[Senate Hearing 114-412]
[From the U.S. Government Publishing Office]
S. Hrg. 114-412
PROTECTING AMERICA FROM CYBER ATTACKS: THE IMPORTANCE OF INFORMATION
SHARING
=======================================================================
HEARING
before the
COMMITTEE ON
HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
UNITED STATES SENATE
ONE HUNDRED FOURTEENTH CONGRESS
FIRST SESSION
__________
JANUARY 28, 2015
__________
Available via the World Wide Web: http://www.fdsys.gov/
Printed for the use of the
Committee on Homeland Security and Governmental Affairs
U.S. GOVERNMENT PUBLISHING OFFICE
94-272 PDF WASHINGTON : 2016
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800;
DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC,
Washington, DC 20402-0001
COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
RON JOHNSON, Wisconsin, Chairman
JOHN McCAIN, Arizona
THOMAS R. CARPER, Delaware
ROB PORTMAN, Ohio
CLAIRE McCASKILL, Missouri
RAND PAUL, Kentucky
JON TESTER, Montana
JAMES LANKFORD, Oklahoma
TAMMY BALDWIN, Wisconsin
MICHAEL B. ENZI, Wyoming
HEIDI HEITKAMP, North Dakota
KELLY AYOTTE, New Hampshire
CORY A. BOOKER, New Jersey
JONI ERNST, Iowa
GARY C. PETERS, Michigan
BEN SASSE, Nebraska
Keith B. Ashdown, Staff Director
William H.W. McKenna, Investigative Counsel
Sean C. Casey, Senior Professional Staff Member
Gabrielle A. Batkin, Minority Staff Director
John P. Kilvington, Minority Deputy Staff Director
Stephen R. Vina, Minority Chief Counsel for Homeland Security
Matthew R. Grote, Senior Professional Staff Member
Laura W. Kilbride, Chief Clerk
Lauren M. Corcoran, Hearing Clerk
C O N T E N T S
------
Opening statements:
Page
Senator Johnson.............................................. 1
Senator Carper............................................... 3
Senator Lankford............................................. 14
Senator Booker............................................... 16
Senator Ernst................................................ 18
Senator Baldwin.............................................. 19
Senator McCain............................................... 20
Senator Ayotte............................................... 22
Prepared statements:
Senator Johnson.............................................. 33
Senator Carper............................................... 34
WITNESSES
Wednesday, January 28, 2015
Marc D. Gordon, Executive Vice President and Chief Information
Officer, American Express...................................... 2
Scott Charney, Corporate Vice President, Trustworthy Computing,
Microsoft Corporation.......................................... 4
Peter J. Beshar, Executive Vice President and General Counsel,
Marsh and McLennan Companies................................... 6
Richard Bejtlich, Chief Security Strategist, FireEye............. 7
Gregory T. Nojeim, Senior Counsel and Director of the Freedom,
Security and Technology Project, Center for Democracy and
Technology..................................................... 9
Alphabetical List of Witnesses
Bejtlich, Richard:
Testimony.................................................... 7
Prepared statement........................................... 61
Beshar, Peter J.:
Testimony.................................................... 6
Prepared statement........................................... 54
Charney, Scott:
Testimony.................................................... 4
Prepared statement........................................... 44
Gordon, Marc D.:
Testimony.................................................... 2
Prepared statement........................................... 37
Nojeim, Gregory T.:
Testimony.................................................... 9
Prepared statement........................................... 65
APPENDIX
Additional statements for the Record:
Chamber of Commerce.......................................... 77
ICBA......................................................... 80
NACFU........................................................ 82
TIA.......................................................... 85
PROTECTING AMERICA FROM CYBER
ATTACKS: THE IMPORTANCE OF INFORMATION SHARING
----------
WEDNESDAY, JANUARY 28, 2015
U.S. Senate,
Committee on Homeland Security
and Governmental Affairs,
Washington, DC.
The Committee met, pursuant to notice, at 1:34 p.m., in
room SD-342, Dirksen Senate Office Building, Hon. Ron Johnson,
Chairman of the Committee, presiding.
Present: Senators Johnson, McCain, Lankford, Ayotte, Ernst,
Sasse, Carper, Baldwin, Booker and Peters.
OPENING STATEMENT OF CHAIRMAN JOHNSON
Chairman Johnson. This hearing will come to order. Senator
Carper is on his way, but we have just been told we can get
going here.
I want to keep my opening remarks very brief because we do
have votes and I want to make sure we get to the testimony. But
I want to thank the witnesses for their very well thought out,
well-prepared testimony, certainly the written testimony. I am
looking forward to your oral testimony. I want to thank you for
your flexibility. We have obviously moved the hearing up.
We have in this Committee agreed upon a mission, and the
mission is pretty simple: to enhance the economic and national
security of America. If we focus on that goal, a goal that we
all share--whether you are Republican or Democrat, we really
share that. And particularly when it comes to this
cybersecurity hearing about sharing information to protect our
cyber assets, it is also a goal we share. So if we concentrate
on that, recognizing there are different viewpoints on this, I
think we have a far better chance of actually succeeding. So
when Senator Carper gets here, we will give him a chance to
have an opening statement.
The tradition of this Committee is to swear in witnesses,
so I would ask the witnesses to stand and raise their right
hands. Do you swear that the testimony you will give before
this Committee will be the truth, the whole truth, and nothing
but the truth, so help you, God?
Mr. Gordon. I do.
Mr. Charney. I do.
Mr. Beshar. I do.
Mr. Bejtlich. I do.
Mr. Nojeim. I do.
Chairman Johnson. Thank you.
What I would like to do is get right into testimony then,
and I will start with Marc Gordon. He is the Executive Vice
President and Chief Information Officer (CIO) of American
Express. He previously served as CIO of Bank of America and
Best Buy. Mr. Gordon, your testimony, please.
TESTIMONY OF MARC D. GORDON,\1\ EXECUTIVE VICE PRESIDENT AND
CHIEF INFORMATION OFFICER, AMERICAN EXPRESS
Mr. Gordon. Thank you, Chairman Johnson and Members of the
Committee. As you heard, my name is Marc Gordon. I am the
Executive Vice President and CIO at American Express. I oversee
the global technology organization for our company, as well as
information security, and I really appreciate the opportunity
to testify before this Committee on information sharing. It is
a topic that I am very passionate about.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Gordon appears in the Appendix on
page 37.
---------------------------------------------------------------------------
Based on my experiences as CIO across both the retail
sector and the financial services sector in Fortune 100
companies, I would strongly urge the Committee to move forward
swiftly with information-sharing legislation. I believe that
effective information sharing may actually be the single
highest-impact, lowest-cost, fastest-to-implement capability we
have at hand as a sector and as a Nation to raise the level of
capability against the many and varied threats that we face.
The way I like to think about it is an attack against a single
company can be the entire sector's and Nation's defense,
quickly shared.
I realize you are familiar with the threat landscape, and
we have included many examples in my written testimony on the
nature and the scale of the threats we face. I will not go
through those now. What I would emphasize here is that while
cyber crime is growing meaningfully for us and across
industries, we are increasingly concerned about what appears to
be the convergence of players, capabilities, and intentions--
namely, nation-state players or those with nation-state
capabilities with a particular attention around destructive
intent across industries.
In response to these threats, the financial services
industry has invested literally billions of dollars to protect
our networks. But there are steps that we can take together
within and across industries and with the government to make
the total ecosystem more secure.
And while there is some sharing of information today, I
would characterize it as highly variable within industries, and
especially highly variable across industries. And meaningful
legislation I believe would expand both the quality and volume
of cyber information sharing and raise the security level
overall for all of us.
But legal barriers and the threat of lawsuits are obstacles
to information sharing today, and that is where legislation
that provides targeted protections from liability and
disclosure is sorely needed.
There are a few notable items that I would also emphasize
today in terms of attributes of information sharing that we
believe are particularly important for effective information
sharing and to have the desired results.
First is an emphasis on real-time sharing.
Second is liability and disclosure protection, not just for
sharing but also for acting within one's own network on the
information that is shared.
Third, that the protections that are afforded in terms of
liability and disclosure and so forth are extended not just to
government-sanctioned entities but to private entities,
businesses sharing among themselves. We feel that is actually
very important.
And, finally, that the sharing needs to be bi-directional,
that is to say, we believe the government should be directed to
share in the right way classified indicators only known and
knowable from the government. We think that is a big value add
to this proposition for the private sector as we protect our
customers' information.
Finally, we are committed to protecting the privacy of our
customers' information and believe that concerns around privacy
protection should be discussed but can be effectively addressed
in the legislation.
Again, I just want to thank you for asking me to be here
today. I look forward to working with this Committee and other
Members of the Senate and House, and I look forward to helping
in any way that we can.
That concludes my prepared remarks, and I would be happy to
answer questions.
Chairman Johnson. Well, thank you, Mr. Gordon.
Our Ranking Member has arrived, so, Senator Carper, do you
have some opening comments?
OPENING STATEMENT OF SENATOR CARPER
Senator Carper. As we say in Delaware, bienvenido.
[Laughter.]
Bienvenido. We are happy you are here, looking forward to
this hearing. This is a timely, important topic. Let us see
what we can learn from all of you.
Thank you.
Chairman Johnson. Thank you for that.
Our next witness is Scott Charney. He is the Corporate Vice
President of Microsoft's Trustworthy Computing Group where he
focuses on the security and privacy of Microsoft's products.
Scott has also worked for PricewaterhouseCoopers and as Chief
of the Justice Department's Computer Crime and Intellectual
Property Section.
Mr. Charney, you have the floor.
TESTIMONY OF SCOTT CHARNEY,\1\ CORPORATE VICE PRESIDENT,
TRUSTWORTHY COMPUTING, MICROSOFT CORPORATION
Mr. Charney. Chairman Johnson, Ranking Member Carper, and
Members of the Committee, thank you for the opportunity to
appear today at this important hearing. My name is Scott
Charney, and I am the Corporate Vice President for Trustworthy
Computing at Microsoft. It is good to see the Committee's first
hearing of the 114th Congress focuses on cybersecurity. I
commend this Committee and the Members of the Senate for
addressing one of America's most complex challenges.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Charney appears in the Appendix
on page 44.
---------------------------------------------------------------------------
Let me start by describing the cyber threat. The threat
comes in two forms:
First, there are opportunistic criminals who, like burglars
testing doorknobs, do not care who falls prey as long as
someone does.
Second, there are actors described as advanced persistent
threats because they are intent on compromising a particular
victim.
These two different types of threats require somewhat
different responses. Basic computer hygiene--such as running
the latest version of software, applying updates, and using
antivirus products--can thwart many opportunistic threats.
Addressing advanced persistent threats, however, requires much
more. Computer security professionals must prevent, detect, and
respond to sophisticated attacks.
Knowing about threats, vulnerabilities, and incidents can
help computer security professionals and others take the right
action. So how does such information sharing occur in practice?
Simply put, a party collects information, identifies a computer
security issue, and then shares it with those who can act on
it. The recipient uses that information to prevent, detect, or
respond to the event, normally collecting more data and sharing
it in return. Often parties are added to the process as the
evidence dictates. Throughout this process, all parties will
maintain the data responsibly, protecting its confidentiality
as appropriate.
Does this work? Absolutely. For example, Microsoft has
partnered with other companies and law enforcement agencies to
take down two botnets which had infected millions of computers
around the world and were each responsible for over $500
million in financial fraud.
So if information sharing is so important and so helpful,
why is such sharing limited? The short answer is that those
with critical information are often unable or unwilling to
share it. They may be unable to share it due to law,
regulation, or contract, all of which create binding
obligations of secrecy and expose a company to legal risk if
information is shared.
There are also other risks. For example, a company that
discloses its vulnerabilities may suffer reputational risk, and
such a disclosure may even make security matters worse if
hackers leverage that information for further attacks against
that company or anyone else.
In light of these issues, how can information sharing be
encouraged? While my written testimony detailed six core tenets
that must guide any information-sharing proposal, let me
describe the most important tenets here.
First, privacy is a fundamental value and must be protected
when sharing information. While users around the world may have
different views about privacy, they want assurances that the
information they entrust to others is used properly and
protected. It is also important that governments adhere to
legal processes for law enforcement and national security
requests and do not use computer security information-sharing
mechanisms to advance law enforcement and national security
objectives.
Second, government and industry policies on information
sharing should take into account international implications.
Many U.S. businesses are multinational companies. If not
properly constructed, rules in the United States can discourage
foreign markets from using U.S. technology products and
services, as well as lead to reciprocal requirements that could
undermine U.S. security.
Third, while information sharing has benefits, it also
poses business risks that must be mitigated. As noted, sharing
information can expose an organization to legal, regulatory,
contractual, and reputational risks. Any information-sharing
regime must attempt to reduce these risks by providing
appropriate liability protections.
Finally, information sharing need not follow a single
structure or model, and governments should not be the interface
for all sharing. Information sharing already occurs through
both formal and informal processes, within industry and between
industry and government, and sometimes across national borders.
There is no single model because situations and desired
outcomes differ. Flexibility is critical.
With current practices and those tenets in mind, how should
we think about information-sharing legislation? In a nutshell,
Congress should ensure that existing information-sharing
arrangements are left undisturbed, ensure the protection of
civil liberties, and reduce disincentives to sharing. This can
be done in the following three ways:
First, the legislation should be scoped to cover
information that reasonably enables defenders to address cyber
threats.
Second, the legislation should be designed to protect
privacy and civil liberties by requiring data be anonymized,
restricting secondary uses, protecting against inappropriate
disclosure, and requiring the government to seek a court order
when attempting to pierce the veil of anonymity.
Third, the legislation should grant appropriate liability
protection for sharing information while recognizing that
companies must fulfill their contractual obligations to their
customers.
Thank you for the opportunity to testify, and I look
forward to working with the Committee on this effort.
Chairman Johnson. Thank you, Mr. Charney.
Our next witness is Peter Beshar. He is the Executive Vice
President and General Counsel of Marsh & McLennan Companies.
Before joining Marsh, Mr. Beshar was a partner in Gibson, Dunn
& Crutcher. Mr. Beshar.
TESTIMONY OF PETER J. BESHAR,\1\ EXECUTIVE VICE PRESIDENT AND
GENERAL COUNSEL, MARSH & MCLENNAN COMPANIES
Mr. Beshar. Thank you, Chairman Johnson, Ranking Member
Carper, and Members of the Committee.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Beshar appears in the Appendix on
page 54.
---------------------------------------------------------------------------
The evolution in the sophistication and intensity of cyber
attacks in 2014 was astonishing. And as bad as it was in 2014,
it got worse in the last month. In December, the German
Government reported that hackers had caused massive damage to
an iron plant by disabling the electronic shut-off systems that
turned off the furnaces. And this escalation of cyber attacks
reflects a troubling threat posed to our critical
infrastructure.
I would like to focus my remarks this afternoon on cyber
insurance. Some of you may be saying, ``What relevance does
cyber insurance have to this issue?'' And we would say it has a
lot, that cyber insurance has the potential to create powerful
incentives that drive behavioral change in the marketplace and
that fundamentally that is what this Committee, what the
Congress, and all of us are trying to accomplish.
The simple act of applying for cyber insurance forces
companies to conduct meaningful gap assessments of their own
capabilities because insurers will want to know: Do you have an
incident response plan? Do you have good protocols for patching
software? Are you regularly monitoring your vendor network? And
this process in and of itself is an important risk mitigation
tool.
Once a cyber policy is purchased, the incentive then shifts
to the insurer to try to assist the policy holders to the
greatest extent possible to avoid or mitigate attacks. And so
you are seeing many insurers now offering an array of services
like monitoring and behavioral analytics and rapid response
that help policy holders, and the market is really responding.
So in 2014, the number of our clients that purchased stand-alone
cyber coverage increased by 32 percent over the prior
year. And we tracked specifically which sectors of the economy
the cyber take-up rates were the highest, and so they are
sectors like health care, education, and hospitality and
gaming. Each of these industries handles a substantial volume
of sensitive data. We also saw meaningful increases in the
power and utility sector.
We also tracked pricing trends on the premiums for cyber
insurance, and if you read the headlines alone, you would
assume that premiums went up meaningfully. And, in fact,
year-over-year pricing was really quite stable. Some industries were
up, some industries were down. What we did witness in the
fourth quarter of 2014 was in the retailing sector in
particular, premium prices went up for obvious reasons. And
underwriters really began differentiating between those
retailers that were implementing the most sophisticated
defenses on point-of-sale systems--end-to-end encryption, for
example--and those retailers that were not doing so. And, thus,
you are seeing insurance market forces really begin to drive
incentives and create meaningful reasons to make the type of
investments in cyber defense that we would want. And this
phenomenon, Chairman, has occurred many times in many
industries--workers' compensation, for example. Insurers were
part of the bold work to really identify safety protocols that
would improve the security of workers in the workplace. And
over the last two decades, you have seen the number of
fatalities in the workplace drop by over 35 percent. And this
is the type of dynamic that we would like to see unleashed in
the cyber insurance arena where carriers begin to give
companies specific credit for implementing two-factor
authentication or other meaningful protections like detonation
software. In sum, cyber insurance is one element of many in a
holistic risk mitigation strategy.
A second key element, as this Committee has recognized, is
information sharing between industry and government. To
accelerate the identification and detection of emerging
threats, there needs to be greater trust and greater real-time
threat information sharing, and it should be, as other
witnesses have commented, more reciprocal.
Accordingly, we support the sharing of cyber threat
indicators, like malware threat signatures and known malicious
Internet Protocol (IP) addresses, provided that reasonable
liability protections and privacy considerations are addressed.
We believe that the dual considerations of national security
and privacy can be fairly and appropriately balanced.
Thank you, Mr. Chairman.
Chairman Johnson. Thank you, Mr. Beshar.
Our next witness is Richard Bejtlich. He is the Chief
Security Strategist at FireEye. He is also a non-resident
senior fellow at Brookings and previously directed General
Electric's Computer Incident Response Team. Mr. Bejtlich.
TESTIMONY OF RICHARD BEJTLICH,\1\ CHIEF SECURITY STRATEGIST,
FIREEYE
Mr. Bejtlich. Thank you, Chairman Johnson, Ranking Member
Carper, Members of the Committee. I appreciate the opportunity
to testify today. I am Richard Bejtlich, Chief Security
Strategist at FireEye. Our Mandiant consulting service, known
for its 2013 report on Chinese PLA Unit 61398, helps companies
identify and recover from intrusions.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Bejtlich appears in the Appendix
on page 61.
---------------------------------------------------------------------------
So who is the threat?
We have discovered and countered nation-state actors from
China, Russia, Iran, North Korea, and other countries. The
Chinese and Russians tend to hack for commercial and
geopolitical gain. The Iranians and North Koreans extend these
activities to include disruption via denial of service and
sabotage using destructive malware. We have helped companies
counter organized crime syndicates in Eastern Europe and
elsewhere. Our recent report on a group we call ``FIN4''
described intrusions to facilitate insider trading. We have
also encountered hacker teams for hire and others who develop
and sell malicious software, or malware.
How active is this threat?
In March 2014, the Washington Post reported that in 2013,
Federal agents, often the Federal Bureau of Investigation
(FBI), notified more than 3,000 U.S. companies that their
computer systems had been hacked. This count represents clearly
identified breach victims, and many were likely compromised
more than once.
In my 17 years of doing this work, this is the single best
statistic I have ever seen as far as just how bad the problem
is.
Serious intruders target more than the government, defense,
and financial sectors. No sector is immune.
But how do victims learn of a breach? In 70 percent of
cases--and this has held up through our own consulting and also
through other companies that we work with--someone else,
usually the FBI, tells a victim about a serious compromise.
Only 30 percent of the time do victims identify intrusions on
their own. The median amount of time from when an intruder
initially compromises a victim to when the victim learns about
the breach--and, remember, most of the time they are being told
by someone else. That time, according to our research for 2014,
is 205 days. This number is better than last year's count,
which was 229 days and the year before, in 2012, which was 243
days. So we are making progress, but intruders still spend
about 7 months inside a victim network before anyone notices.
So what is the answer?
Well, as Mr. Chairman mentioned, so-called network hygiene
only gets you so far. We need more strategy here, and in my
opinion, the best strategy is to prevent as many intrusions as
possible, clearly; but we need to quickly detect attackers who
evade regular defenses, respond appropriately, before the
adversary accomplishes his mission. Strategically significant
intrusions do not occur at the speed of light. It takes
intruders time, from hours to weeks, to move from their initial
foothold to the information that they seek.
So defenders win when they stop intruders from achieving
their objectives. I recommend two metrics that we could track
to see whether this is the case, to include the Federal
Government.
The first metric is tracking simply the number of
intrusions or the types of intrusions that occur in a given
year. There are many companies I visit, and I ask that simple
question. They cannot answer that question.
The second metric is to measure the amount of time that
elapses from when the intruder gets into your network and you
notice. We want that number to be as small as possible.
Well, how does threat intelligence play into this?
``Threat intelligence'' refers to the tactics, tools, and
procedures used by intruders to abuse software and networks. It
does not depend upon sensitive information about U.S. persons.
And I will note that the President's proposal is compatible
with this definition of ``threat intelligence.''
Will that help?
Threat intelligence will help defenders more quickly
resist, identify, and respond to intrusions, but only if the
organization is postured to succeed. Unless you have a sound
strategy, the right technology, people, and processes, no
amount of threat intelligence will help you.
There are usually three cases for sharing threat
intelligence: from the government to the private sector; within
the private sector, and from the private sector to the
government. And all three face challenges.
In the government-to-private scenario, I recommend or I
encourage the government to grant clearances to private
security teams who are not working on government contracts. The
government should also augment their narrative style reports--
in other words, text and sentences--with appendices that are in
machine-readable format so we could facilitate that real-time
sharing that was mentioned by my colleagues.
In the private-to-private case, I would second the idea of
having more information-sharing organizations in the private
sector.
And now we get to the toughest case, and this is the
private-to-government case, and it is contentious, for two
reasons.
First, companies are reluctant to publicize they have
breaches besides what is necessary to comply with laws. So the
private sector fears penalties if they disclose. So I would
recommend that they not be held liable simply for notifying the
government that they have been compromised.
Second, some privacy advocates fear that liability
protection will let companies submit customer data to the
government. If you properly format threat intelligence, this
will not be a problem. In my written testimony, I have an
example of a pilot program in the government involving the
Department of Energy that we think is doing a decent job
working with this sort of information, but I will leave that to
your questions.
Again, I thank you for the opportunity to testify.
Chairman Johnson. Thank you, Mr. Bejtlich.
Our next witness is Gregory Nojeim. He is the Senior
Counsel and Director of the Freedom, Security & Technology
Project at the Center for Democracy & Technology. Greg
previously served as Associate Director and Chief Legislative
Counsel in the ACLU's Washington legislative office.
Mr. Nojeim.
TESTIMONY OF GREGORY T. NOJEIM,\1\ SENIOR COUNSEL AND DIRECTOR
OF THE FREEDOM, SECURITY & TECHNOLOGY PROJECT, CENTER FOR
DEMOCRACY & TECHNOLOGY
Mr. Nojeim. Thank you, Senator Johnson, Senator Carper,
Members of the Committee. I am pleased to testify on behalf of
the Center for Democracy and Technology (CDT). We are a
nonpartisan, nonprofit technology policy organization dedicated
to protecting civil liberties and human rights on the Internet.
We applaud the Committee for holding the first hearing of the
114th Congress on cybersecurity. It is an important issue. It
should be a particularly important issue for this Committee. It
can play a key role in addressing the information-sharing
problem.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Nojeim appears in the Appendix on
page 65.
---------------------------------------------------------------------------
I am going to explain today the role that information
sharing can play in countering the threat of cyber attacks. I
will identify different approaches to encouraging information
sharing as well as the essential civil liberties attributes of
a successful information-sharing policy.
Other panelists have already described very well the direct
harms of cyber attacks. I will just add one: Major cyber
attacks on Target, JPMorgan Chase, Home Depot, and Sony
Pictures command the headlines so much that, in addition to
direct harms, these large-scale attacks also threaten to chill
use of online services and of the Internet itself.
There is no silver bullet that will wipe away the danger of
cyber attacks. As my colleagues have noted, many cyber attacks
could be stopped by basic digital hygiene, and Congress should
be encouraging that. And a good way for doing that also is the
Cybersecurity Insurance Program.
On the other hand, other attacks, the advanced persistent
attacks, they will often require the sharing of information
about potential threats and how to defend against them.
Cybersecurity information sharing also poses risks to civil
liberties. After all, it does involve the sharing of some
communications content and of some personally identifiable
attributes of communications. As Mr. Bejtlich mentioned, the
flow of this information to the government triggers concerns
that cybersecurity information sharing could evolve into a
surveillance program, and the concern is particularly acute
when the permission to share trumps all laws.
We favor a more focused approach: Create specific
exceptions to the laws that inhibit information sharing. Start
with the Wiretap Act and with the Electronic Communications
Privacy Act. They permit communications service providers to
share communications information to protect their own networks.
But they do not permit them to share information to protect
others. That can be fixed with straightforward amendments that
we would be happy to work with you on. As other laws that
inhibit necessary information sharing are identified,
cybersecurity exceptions could be created to them as well.
The broader, riskier approach of trumping all laws that
might otherwise stand in the way of information sharing
requires exacting civil liberties protections to prevent abuse.
All of the major cybersecurity proposals take what we think is
the riskier approach of trumping all laws. The White House bill
does it; the Cyber Intelligence Sharing and Protection Act
(CISPA) did it; and so did Cybersecurity Information Sharing
Act (CISA), the Senate Intelligence Committee's bill from last
year.
What are those civil liberties protections that need to be
incorporated?
First, narrowly define the information that can be shared
and include only that which is necessary to describe a threat.
Second, prioritize company-to-company sharing because the
private sector owns most of the critical infrastructure that
must be protected against cyber attack and because private-to-
private information sharing does not create some of the fears
about the flow of information to the government.
Third, apply privacy protections prior to any level of
information sharing, whether by a private entity or a
governmental entity.
Fourth, ensure continued civilian control of the
government's cybersecurity program for the civilian sector.
Fifth, require that information shared for cybersecurity
reasons be used for cybersecurity, with limited exceptions for
law enforcement use to counter imminent threats of bodily harm,
and to prosecute cyber crime.
Sixth, be careful about authorizing countermeasures.
Countermeasures that could amount to hacking back against an
individual or entity suspected of hacking into one's own system
should not be authorized. They create more problems. They open
a Pandora's Box.
And, seventh, create strong privacy procedures governing
the sharing of information by governmental entities.
With respect to these seven factors, I think the White
House bill does a better job on all of them except for
prioritizing the company-to-company sharing. We have specific
concerns with the White House bill. It could be a lot better.
But it was a significant improvement over the Senate's last
look at information sharing, which was CISA.
I close by observing that today is Data Privacy Day. It is
a day observed around the world for promoting data privacy. Let
us work together to ensure that cybersecurity information
respects data privacy, even when it is shared, and helps
preserve the Internet as a great engine of communication,
innovation, and prosperity. Thank you.
Chairman Johnson. Well, thank you, Mr. Nojeim. Again, thank
you to all the witnesses for your thoughtful testimony.
To give more Members a chance to ask questions, we are
going to limit the time for questions to 5 minutes each. Also,
to remind veteran Members and let the new Members know what the
tradition of this Committee is in terms of order of
questioning--it is the people here in attendance when the gavel
drops. It will be in order of seniority, rotating between
sides. And then after the gavel falls, just in order of
appearance.
So, with that, I am not going to ask questions so that more
Members have a chance to ask questions. I will turn it over to
our Ranking Member, Senator Carper.
Senator Carper. I want to thank the Chairman for yielding
his time to his Ranking Member.
We do a lot of oversight work here. We do a lot of asking
of studies by the Government Accountability Office (GAO) and
others. Sometimes we just send letters, and I noted a change of
behavior, and sometimes we legislate. Last year, when we were
in the 113th Congress, we legislated in three or four different
Bills with respect to cybersecurity. We sought really to
bolster the capabilities of the Department of Homeland Security
(DHS) on that front.
We passed three or four modest bills, but I think together
they are very meaningful. One was to make the Cyber Ops Center
of DHS real and meaningful, codified it. I think that is a very
good thing. We also have enabled them to strengthen their
workforce. And a third area that we have worked in is to better
enable them to protect the dot.gov domain. And so those three
things taken together I think are helpful.
We tried to pass information-sharing legislation, as you
know, in the House and the Senate. We got it out of Committee
in the Senate but not through the full Senate.
We have shared jurisdiction on that issue, and some would
say we actually have maybe more jurisdictional claim on
information sharing than other committees. But we are going to
be working fairly hard in this vineyard very soon.
We have three places to look--maybe more than three. Your
job is going to find more places to look in terms of developing
good policy, but, one, the Administration's proposal; two, the
Senate Committee's bill, the Intel Committee bill from last
year; and then the work that the House has done.
I am going to ask each of you, if you would, using those
three as maybe a touchstone for us in cobbling together smart
legislative policy on cyber, especially on information sharing,
what would be one or two major points that you would have us
take into mind to consider as we do our work. Mr. Gordon.
Mr. Gordon. Thank you very much, Senator. I agree there was
great progress last year. I would love to see that bill with
information sharing.
If I look across the bills--CISA, CISPA, and the
President's proposal--the areas that I would highlight as--
first, there are many in common, so I am not going to cover
those, but the differences or the areas that I would highlight,
one, I think there is greater or lesser emphasis on real-time
sharing, and I would propose that that is very significant in
terms of the speed at which attacks cascade across--within
industries and across industries. I believe that real time is
very important.
Second--and a number of people have mentioned it here--I
think it is important that the construct not just protect in
terms of liability entities sanctioned by the government, but
also that it encourages and facilitates company-to-company
sharing, that is to say that the liability protections would
extend to companies sharing among themselves, not just with
another entity.
The third and fourth I would highlight very quickly. One is
protecting sharing. Liability in terms of sharing is important.
But I also believe protecting acting within one's own network
is also important. So it is not enough simply to share, but one
has to be able to actually act on what is shared, and I would
emphasize that.
And then the final one, which a number of folks I think
have mentioned as well, that for us is very important is the
bi-directional nature of sharing. I believe that as I reflect
on it, both the CISA and CISPA bills did have a great deal of
focus on basically requiring the government to get more active
in sharing, particularly in classified indicators, shared in
the right way; whereas, I believe the President's proposal is
silent on that. And I believe that bi-directional sharing I
feel is very important, and for us there are the threats that
we experience that we can share across the private sector.
Typically those occur while we are under attack, so what we are
sharing is essentially information about an attack that is
unfolding. What the government has access to that simply is not
known to us are the attacks that could take place and the
nature of those attacks. I think that would be a tremendous
value-add. So I would include the bi-directional sharing in
terms of emphasis.
Senator Carper. OK. Thanks. Mr. Charney.
Mr. Charney. I agree with the points made. I think certain
bills did not go far enough on the civil liberties side. I
worry a little with the Administration proposal that we not
impact current industry-to-industry sharing that is really
working well. Marc's points were spot on. The only other thing
I would add is the international flavor of this. As a company
that has customers all over the world and who is constantly
combating international threats, it is very important to
recognize that whatever the Congress does, others may emulate.
And so, for example, the U.S. Government could say, ``Tell
us about every vulnerability you know about,'' and you could
say, ``Well, that would be really interesting to know.'' And
then every other government in the world will ask for the same
thing, and suddenly things can become very difficult. And so
thinking about the international implications of what is done
here is super important.
Senator Carper. All right. Thanks. My time has expired.
Chairman Johnson. No; go ahead.
Senator Carper. Mr. Beshar, and maybe I would ask you to
just short it up just a little bit, if you will, please.
Mr. Beshar. Very briefly, Senator Carper, two points.
First, there is a hierarchy of data that would be of
interest to the government that sits in these companies' hands.
And if you try to focus on the cyber threat indicators and
begin this journey there as opposed to trying to go deeper on
the data that is part of this exchange, I think that will be a
very fruitful step.
Second, the idea that in the President's bill there are
obligations that all of our companies have to try to strip out
the personally identifiable data, I think that is a very
constructive step forward, as Greg has identified.
Senator Carper. All right. Thanks.
Mr. Bejtlich. Senator Carper, briefly, I would encourage
whatever resources are necessary to help the FBI with its
notification mission. Speaking as the spokesperson for the
intel community, that third-party notification is just very
valuable.
And, second, I would encourage whatever is required to get
more prosecutions. I do not think it is necessary to lengthen
prison times and that sort of thing. I think we just need to
make better use of the laws that are there and to get more of
these bad guys.
Senator Carper. Good. Thanks.
Last, but not least?
Mr. Nojeim. So I think I am going to focus just on three
issues:
Stripping out irrelevant personally identifiable
information (PII) before you share a cyber threat indicator.
The White House bill does a pretty good job of that. CISA did
not require that.
Second, on use restrictions, making sure that if a company
shares information for cybersecurity reasons, it is used for
cybersecurity. There are some national security uses that are
cybersecurity uses. Those should be allowed. There are some law
enforcement uses that are cybersecurity uses. If you want to
prosecute a cyber crime, that serves a cybersecurity purpose.
That should be allowed.
Countering an imminent threat to a person, that should be
allowed, but not much more. And I think the White House bill
did a much better job on that score than did CISA.
And, finally, on hacking back, making sure that if
countermeasures are going to be authorized, they can only
operate on your own network. You do not want a countermeasure
that could, when stolen from your network and placed on
somebody else's computer, including a victim's computer,
encrypt or damage data on that computer.
Senator Carper. Thank you all very much. That was very
helpful. Thanks.
Chairman Johnson. Thank you. And now we will stay more on
time. Senator Lankford.
OPENING STATEMENT OF SENATOR LANKFORD
Senator Lankford. Thank you all for being here and being a
part of this. Let me ask some cost questions and the gain from
this. We are talking about between a hundred--estimates of $100
billion to $450 billion in costs a year somewhere right now on
the cyber attacks. Give me a rough ballpark on the breakdown of
that between damages that are paid out that are preventable if
we have this enhanced information sharing and those that are
not preventable because of a zero-day attack and we are stuck,
we are at the beginning of it.
So what I am trying to affirm is we get this in motion, we
get better information sharing. What difference does it make
economically? And anyone can attack that.
Mr. Gordon. That is a great question. I am not sure I can
answer it directly in terms of a percentage. But what comes to
mind for me is what percentage of those losses are repeat
attacks, meaning they happen more than once. And I would say in
the right construct of information sharing, bi-directional real
time, a very high percentage of repeats--that is back to my
comment earlier, which is one company's attack can become the
Nation's defense if we do it the right way. It will not prevent
that first attack, but it can prevent all the ones that follow
potentially.
So I cannot answer specifically the dollar amounts. I do
not know how to break that down.
Senator Lankford. So the guess here is to try to figure out
how many attacks that are out there are repeat attacks.
Mr. Gordon. That might be a way to look at it.
Senator Lankford. So any ballpark on that you would see
from just what you have seen or anyone has seen on cyber
attacks out there that are known threats, or were they just not
known to you or to those companies?
Mr. Bejtlich. Senator, at Mandiant, just even our own
customer base, when we do a response, depending on who the
actor is, if it is the Chinese or the Russians, they are going
to be back. In some cases, their recidivism rate is as high as
a third. So that is just against one company is hit, and then
they are hit again by the same group after we leave.
Senator Lankford. OK. Let me ask a question. What is next
on this? Information sharing, I think there is fairly common
agreement we need to have some level of information sharing. It
is how to protect personally identifiable information and such.
What is the next level on this? Where does this go?
Mr. Charney. I can take that. I think to deal with advanced
persistent threats, you need a very robust security program
that has three elements: you need high-level protections in
place; you need great detective capabilities, because the bad
guys will keep attacking; and you need very fast response
processes. And what we have found, of course, in many of the
hacks that occur today, even if they are called ``advanced
persistent threats,'' they are not all that advanced. People
attack unpatched systems. People are running old operating
systems and old software. And we need to get all boats to rise.
The challenge has been, of course, that for 20 to 30 years
people have built networks with tough, hard perimeters, but the
middles are really soft. And in these advanced persistent
threats, the bad guy comes in and gets a foothold in the
network and then moves across the network.
So the information technology (IT) industry and users of IT
are all focused on a few core things that are starting to
happen.
First, you need multi-factor authentication. You need to
get rid of user names and passwords because they are just too
easy to guess or calculate and break in.
Second, we need what we call ``domain isolation.'' If
someone attacks and gets in somewhere, they should not be able
to move everywhere.
And, third, we have to do a much better job, as people say,
of detecting things so we can respond quickly. So hopefully
with more information sharing you put the detections in place,
and then you can act much more quickly and prevent a lot of the
damage.
Senator Lankford. OK. Let me ask a followup question to
that. With a lot of the issues based on the fact that companies
are not doing basic patches, they are not doing some of the
things that are commonplace, then we have this extra layer that
we are adding to this with personally identifiable information
that they have got to be able to secure that, sequester that
away, and so that does not get out as well. If they are not
doing patches, how diligent are they going to be to make sure
they are also protecting the information once it gets shared
that people truly have their privacy protected as well?
Mr. Charney. Well, so it is absolutely clear that if you do
not have a good protection program, you are going to lose
valuable data----
Senator Lankford. Right.
Mr. Charney [continuing]. Whether it is economic data or
personally----
Senator Lankford. But that is happening right now.
Mr. Charney. That is happening right now, and you need to--
there are two things to think about. One is raising the
protections, which is what information sharing is supposed to
help do, so that you can prevent that. But the second thing is
that the security model is changing across the industry in two
respects. One is in some cases you actually do not need that
personally identifiable information to engage in a transaction.
So, for example, in the credit card arena, there are
companies who are looking at--and PayPal does this already--not
giving the credit card to every merchant in the world, but just
passing an authentication code to authorize the payment. And if
you do things like that, then it is much harder--even if you
steal the information, you are not getting anything that is
replayable and reusable, and you will see that coming in many
new ways because we are going to start attaching identities to
particular devices. People have tablets. They have phones. They
have portable PCs. And if we can tie your credential to that
device, then if someone else tries to use that credential from
another device, it will not work.
So there are a lot of preventative things we can do, from
protecting networks to thinking about information differently
and how we protect it.
Senator Lankford. Thank you, Mr. Chairman.
Chairman Johnson. The remaining order will be Senator
Booker, Senator Baldwin, Senator McCain and then Senator
Ayotte. Senator Booker.
OPENING STATEMENT OF SENATOR BOOKER
Senator Booker. I want to thank the Chairman. This is a
fantastic and very important hearing that we are having. I
appreciate your leadership, and I want to thank my Ranking
Member as well.
Gentlemen, it is the balance, again, between privacy and
security, and I think that there is a huge tension in this
area. The degree and nature of the attacks are startling and
stunning. And I just have really quick questions that should be
very brief. But the first is: What role does the government
have, being that so many mistakes are being made in what is
called the hygiene area? It is remarkable to me how many
mistakes we make, and I sat with my staff and realized even for
my own passwords I was not using dual authentication methods
and the like. But so many businesses out there just are not
doing the basic common sense that would prevent a lot of this
from going on.
And so I am wondering, in just the idea of the role of
government, what could we be doing to either incentivize or
mandate levels of hygiene? Or is that, in some of your opinion,
not the role of government at all?
Mr. Nojeim. I am going to start with that. I do not think
it is a good idea to mandate levels of hygiene. I think that
the mandates will rapidly grow outdated, and they will become
the floor instead of the ceiling. Companies are going to
innovate. They are going to come up with new ways to protect
data, and I think that you want to encourage them to do that.
Give them tax credits, give them other assistance, but I do not
think you should try to mandate exactly what they do.
Mr. Bejtlich. I would concur with that, Senator. The
insurance example is a great one. If someone keeps breaking
into my house, it is going to be tougher for me to get a
premium because they can tell I do not lock my doors and that
sort of thing.
The government should restrict itself to the things that it
will not let the private sector do, which is hack other people,
or prosecute or do those sorts of things. So I think the role
of the government should be to do those things that are unique
to the government, to do the threat mitigation by either
deterrence or by prosecution or that sort of thing, and the
private sector can work on the things that we are good at.
Senator Booker. Yes?
Mr. Charney. I would add one more point. The government can
lead by example. The government is a large enterprise, and it
has customers, too, but their customers are called
``citizens.'' And citizens file taxes online and file for
benefits online and want information from the government. So
the government could do a better job, I think, of adopting the
latest technologies, managing their systems really well, and
leading by example.
Senator Booker. OK. Let me just shift for a second.
And, by the way, 14 months in the U.S. Senate, we are not
leading by example with a lot of the practices I see. But I
just want to then to the perverse business incentives and the
idea that you provide some kind of full liability or when it
comes to information sharing with the government, are we
creating an environment where we are going to promote
oversharing with government some of the privacy information?
And I am really worried about that. In many ways, it is just
giving the government access to another level of domestic
surveillance by creating perverse business incentives for
oversharing. Is that a concern?
Mr. Gordon. The way we look at sharing, if we actually look
at both what we share and what is shared with us and what we
would like to amplify over time in terms of sharing, what we
are essentially talking about are things called ``cryptographic
hashes'' or pieces of software code. There is nothing
associated with customers in any shape or form in terms of
essentially what is effective for sharing. And so I think even
the way the prior legislation speaks to pulling out PII, our
view is--and I went back and looked at what we have shared and
what we like to share more of--it is indicators of attack,
indicators of compromise, and the like that we do not see that
there is any real issue at the end of the day as long as we
focus on sharing that type of information.
Mr. Beshar. Senator Booker, we would concur with that, that
even in the last year, the extent of the threat has intensified;
that if there are going to be attacks on critical
infrastructure and it is less graffiti and financial crime and
more threatening of power grids and the like, then that balance
has to at least be calibrated. And as the other witnesses have
said, I think by stripping out the personally identifiable
data, you legitimately address the privacy concerns that are
there, at least with respect to cyber threat indicators.
Mr. Gordon. I would like to add one more thing and think
about it this way: If somebody broke into our data center and
started attacking our computers with an axe, we would report
the fact that they have done that. If they broke into our data
centers and started siphoning off customer information, we
would report the same thing. The analog for me here is I am
reporting the axe that got used and the fact that siphoning is
occurring. I am not even reporting because I do not know in
most cases who it is.
So that is the nature of what we are talking about sharing
essentially, is the fact that an axe was taken to our data
center.
Mr. Nojeim. Senator, there are three steps here.
First, you narrowly define the information that can be
shared. It has to be necessary to describe the threat.
Second, you require companies to look for and strip out any
personally identifiable information that is not relevant to the
threat.
And, third, you make it so the liability protections only
operate when the companies play by those rules. That would do
the trick.
Mr. Charney. Can I add one point to that? There are times
when we do need to do attribution and find source. So if you
only share anonymous data, you can protect and detect, but you
cannot deter. And that is why in our testimony, one of the
things we point out is when you need to get identifying
information so you can do attribution and take action, we have
legal processes, court orders, and other things that are
designed to protect civil liberties and strike the right
balance.
Senator Booker. Thank you.
Thank you, Chairman.
Chairman Johnson. Senator Ernst has returned, so we will go
to you next, and then Senator Baldwin.
OPENING STATEMENT OF SENATOR ERNST
Senator Ernst. Thank you, Mr. Chairman. Gentlemen, thank
you for being here today. We greatly appreciate your expertise
in this area.
Iowa just in recent years has really become a tech hub. We
have Google located there, Facebook. We have Microsoft coming
soon to West Des Moines. We also have many financial
institutions, insurance companies, both large and small. We
have a lot of small business.
So when we are talking about this, we largely think about
those larger entities, but what can we do through a voluntary
process to assist and encourage small businesses to voluntarily
share information and do it in a way that is not cost
prohibitive or time prohibitive for those smaller groups? I
would love to hear your thoughts on that. Thank you.
Mr. Bejtlich. Senator Ernst, this may sound
counterintuitive because a lot of people have worries about the
cloud. But to tell you the truth, the cloud may be--assuming
you use a worthy cloud provider who has their act together, the
cloud is of great benefit. I advise many small startups, and
they do not build out networks the way we did 10 or even 15
years ago. They do everything on the cloud.
So if the cloud providers--Google, Microsoft, Amazon, and
these others--have a robust security program and they protect--
or the users protect how they access those services using two-
factor and other methods, that is actually a pretty good
scenario. It takes the IT duty away from that mom-and-pop shop
and puts it in the hands of some professionals.
Mr. Beshar. Senator Ernst, I am proud to report that we
have 1,500 employees in Urbandale, and it is a terrific
workforce and a great asset for our company.
Senator Ernst. Yes. Thank you.
Mr. Beshar. It is similar to Senator Lankford's question,
that it is difficult to visit burdens on small and mid-sized
enterprises that are perhaps customary and commonplace for the
larger companies.
At the same time, one of the real takeaways from 2014 is
that the security of the larger organizations is really
dependent upon smaller enterprises, that many of the companies
that have been in the news have been attacked not through the
front door but through the side door or the back door of the
vendor network. So things like the Administration's
cybersecurity framework, the National Institute for Standards
and Technology (NIST) framework, I think is a helpful,
relatively straightforward tool to try to assist small and
medium enterprises to go through some of the steps that we are
talking about.
Senator Ernst. Any other thoughts?
[No response.]
Thank you, Mr. Chairman.
Chairman Johnson. Senator Baldwin.
OPENING STATEMENT OF SENATOR BALDWIN
Senator Baldwin. Thank you, Mr. Chairman and Ranking
Member, for holding this hearing. I really appreciate it.
I have a couple questions I want to get out there, but I
wanted to actually start, having heard the response to Senator
Booker's first question about the appropriate government role,
and I just want to make sure I understand your responses as
really coming from the business enterprises that you have the
expertise in, because, as I have looked at it, I have seen
perhaps areas where we should have a more robust government
role when we deal with things like--I know, Mr. Beshar, you
mentioned the electrical grid, critical transportation
infrastructure, some of our infrastructure. Is that fair that
you are really answering for your industries and not--or is
this advice throughout no matter what type of attack we are
looking at? I just want to clarify that for the record. Do you
want to just go down the--Mr. Gordon?
Mr. Gordon. The role of the government question, in the
context of hygiene, which I think was a substantial part of it,
I would concur. I feel that, first of all, the definition of
``hygiene'' is very dynamic. I mean, it literally changes day
to day. I do not think the government should have much of a
role in that. And I would say the market has very quickly taken
care of that in terms of boards paying attention to hygiene. I
think that is an increasingly smaller problem.
The other dimension, which I think is outside the purview
of this discussion, but I do think the question of the role of
the government in preventative action and in deterrence, I
think that is still unclear probably to some greater or lesser
degree, not the role of the private sector.
Mr. Charney. In my written testimony, I talked about the
four roles of government relative to IT, because in addition to
being a large enterprise with customers, they also do have a
traditional public safety and national security responsibility.
And, I am a big fan of market forces, and they work great for
innovation, but it is hard to make a market case for the cold
war. When you have a national security imperative, the
government often has a major role to play, and part of that is
that, as a large enterprise, they are attacked a lot. As former
Chief of the Computer Crime and Intellectual Property Section,
I can tell you that, in the early days, the two most attacked
agencies were the Department of Defense (DOD) and the National
Aeronautics and Space Administration (NASA) because NASA had
cool stuff. And the government has this information and often
knows of threats and shares it with industry, which makes us
more effective in protecting the ecosystem and our customers.
And then there is also the question of how to deter
particularly these nation-state attacks. Microsoft has been
very vocal that we need norms for the Internet. We have norms
for State behavior in a range of areas, like money laundering
and weapons of mass destruction. We actually do not have norms
for cyber activity. And so we see nation-state activity that
would be very hard for the private sector to fend off. I mean,
nation states can put spies in your organization. It is well
known that a Russian spy was arrested at Microsoft. How does a
private company fend off a well-funded, persistent nation-state
attack?
And so the government can help by helping establish those
norms and in the right places taking steps to help, regulate
the behavior of others, so to speak.
Senator Baldwin. OK. I am hoping to get to another
question, so either real quick, or----
Mr. Beshar. Please.
Senator Baldwin. OK. For Mr. Nojeim, you talked--I really
appreciate your analysis of the three principal proposals and
your recommendations to strengthen them. Just narrowing in on
the Obama Administration's cybersecurity proposal, obviously
critical details have yet to be finalized in that, including
for privacy guidelines. So I am wondering what are your
recommendations for, first, defining what constitutes
personally identifiable information; and, second, for sharing
cyber threat data that includes such personally identifiable
data.
Mr. Nojeim. So we went through an exercise of trying to
list all the types of personally identifiable data that we are
talking about. I do not think that Congress should try to go
down that road. We did not know years ago that IP addresses
could become personally identifiable with the additional
information. Maybe some people knew it; maybe some people did
not. But the fact of the matter is that sometimes the
aggregation of information can make it personally identifiable
when people thought it was not before.
So rather than going down the road of trying to list the
particular categories of personally identifiable information, I
think it is better to require that personally identifiable
information be stripped out and then task DHS with coming up
with the list through a Notice and Comment process, and that
list will change over time, and everybody will know it will
change over time. So I do not think you want to go down the
road of trying to list that in the statute.
And then when it comes to removing it when it is not
necessary to describe a threat, I think that is going to happen
naturally in the automated process of sharing threat
information. Companies are going to develop systems that other
companies will buy that they will use to share this threat
information. They will have to be able to describe the threat.
And those same systems that describe the threat can be used to
filter out the irrelevant information.
Chairman Johnson. Senator McCain.
OPENING STATEMENT OF SENATOR MCCAIN
Senator McCain. Thank you, Mr. Chairman. I thank the
witnesses.
A week ago or a couple weeks ago, the Armed Forces Network
was hacked into and not only did radical messages show up on
the screen, but also names and addresses of individuals. And I
do not think a lot of Americans know that Armed Forces Network
is at every base, every ship, every defense installation of any
size, not only in the United States but in all our bases all
around the world.
So it was a pretty clever action on their part and I think
pretty sophisticated, and not only did it give them a
propaganda coup, but most people believe that Armed Forces
Network is run by the Armed Forces. It is not. It is contracted
out to a commercial organization. And it not only was
propaganda, but also when names and addresses of people are put
out, it obviously poses a direct threat to literally their
lives.
What happened? What could we have done to prevent it? And
what do we need to prevent something like that in the future?
Is that you, Mr. Charney, or Mr. Gordon? Whoever wants to take
that.
Mr. Charney. Well, first and foremost, many large
organizations outsource IT functions, and it is absolutely
crucial that their outsourcing contracts have requirements for
security and privacy that meet the needs of the party that is
hiring the contractor.
Senator McCain. So the Pentagon should have been smarter.
Mr. Charney. I have a lot of friends in the Pentagon. I
think they are great. But certainly their contracts should
require that the information be protected at the right level,
and now with things like the NIST framework, the International
Organization for Standardization (ISO) standards, there are
more and more ways to audit and measure the security controls
in an environment.
And so, for example, for a lot of our cloud-based
customers, they now ask to see our audit reports, which we
share, because they want to make sure before they entrust their
data to us that we are taking the necessary steps to protect
it. And we have to enforce that through contracts with
customers.
Senator McCain. So, again, whoever in the Pentagon let that
contract did not let the right contract.
Mr. Charney. Either that or the term was in the contract
but no one evaluated whether the contractual terms were being
followed.
Senator McCain. Mr. Gordon, do you have any comment?
Mr. Gordon. Not a lot to add other than when you look at
the most common attack factors, websites is one. One of the
most prominent is websites, so companies put a lot of energy
into a set of controls around that. I am not familiar with
actually what the vulnerabilities were that were breached, but
I agree with Scott. I think that the right third parties and
businesses put those controls in place to prevent those kinds
of breaches.
Mr. Bejtlich. Senator McCain, I think on paper almost
anyone looks good, but the proof is when you can test it and
find out if your defenses are strong. I am sure you are
familiar with the term ``red-teaming.'' If someone had red-
teamed against that user account or a system or a network and
found, wow, it is very easy for me to get in here, I am not
going to cause any damage, I am going to report back to the
owner, it took me 5 minutes to break into this system, and you
fix the problem before the bad guy finds out. That is one way
to avoid it.
Senator McCain. Anyone else?
[No response.]
Well, it was interesting that General Dempsey, our Chairman
of the Joint Chiefs of Staff, recently said that we have a
technological advantage in every form of warfare over our
potential adversaries except for one, and that is the issue
that we are discussing today. I thank you.
OPENING STATEMENT OF SENATOR AYOTTE
Senator Carper [presiding]. Senator Ayotte.
Senator Ayotte. Thank you, Chairman.
Senator Carper. You are welcome. [Laughter.]
Senator Ayotte. I wanted to follow up on a comment that Mr.
Bejtlich made about law enforcement capacity here, and you had
said we do not need more laws, what we need is greater
prosecutions and an ability of the FBI and other law
enforcement agencies to prosecute these individuals.
I was Attorney General of our State, and in the limited
cases that I was involved in on these issues, the prosecutions
are very challenging. As you know, often the actor can be from
another country, and we are not even talking about nation-state
actors there, just the location.
What thoughts do you have as to how we can better help our
law enforcement agencies have the right tools to pursue
appropriate cases, so that we have some examples that we are
not just allowing these things to happen?
Mr. Bejtlich. Thank you for the question, Senator. I think
there are a couple angles to it. One of them is, as you
mentioned with overseas actors, international cooperation. If
you are a hacker and you are in the United Kingdom and you are
attacking the United States, that is a bad situation for that
hacker. We are going to work with our partners and are going to
get them back. If you are in an Eastern European country or
some other location--so international cooperation is first.
Second is training. You need to be trained to do this sort
of work. You need to know how to carry off a successful
prosecution, what are the defenses that could be there, and how
to collect the information properly. It is very similar to what
we saw in the intel world in warfare. Guys used to go in, smash
the computers, and then they would bring back fragments, and
you realize you could not use it. You had to teach them how to
collect evidence and that sort of thing.
And the third part is you have to make it a career path. We
saw this with the turnaround in the FBI now where it is now a
career path to be an intel person; it is a career path to be a
cyber person. You need to have that sort of recognition and
success for following those.
Senator Ayotte. Thank you. I was very interested in the
discussion we had that Senator Ernst asked about, the
challenges for smaller and mid-sized businesses. Having been
briefed, for example, on the Sony hack--that obviously was a
nation-state actor, but, frankly, Sony is a larger company and
even some of our larger companies do not have all the
protections in place that need to be there. And so, there are
challenges for smaller and mid-sized businesses. You have
talked about the use of the cloud-based system in terms of
resource efficiency for smaller companies.
As we look at more of our companies moving to that, what
are the security challenges we are going to have to be aware of
with the cloud-based system that we should be focusing on?
Because, as you know, getting into the system from the smaller
connection is probably the easier way to do things.
Mr. Charney. So Microsoft, of course, offers large-scale
cloud services, and people often ask me, ``Is the cloud good or
bad for security?'' The answer is yes.
It is good for security because, as mentioned earlier, it
is core to our business and we have a lot of
security expertise. We probably are more rigorous about
security than many companies might be.
At the same time, it is important to understand that in the
cloud model you have a multi-tenanted environment. You have a
lot of customers using the same cloud service, which makes it a
very rich target.
Senator Ayotte. Right.
Mr. Charney. And so we do things to make sure that our
customers' data is segmented from one another and prevent that
lateral movement.
But the other important thing is that, even when you use
the cloud, security becomes a shared responsibility. What I
mean by that is a small business might issue its user names and
passwords to its employees, and if an employee loses that
password to a bad person, that person can log on as that
employee. The cloud will not know.
Senator Ayotte. Right.
Mr. Charney. It looks like an authorized use.
So we have been committed for quite some time to providing
more security technologies that are just secure by default in
our newer products--and I talked about this a little earlier--
identities that cannot be stolen because they are bound to
machines. We have to get to a place--I am all for user
education. It is a wonderful thing. But I think we put too much
of a burden on end users to manage security when it is actually
a complex undertaking.
Senator Ayotte. You have all talked about what you see as a
problem with the Administration's proposal not allowing sharing
and liability protection among companies. So in a cloud-based
system, is that the way the legislation drafted is particularly
acute? Or does that not matter because you are thinking about
transmitting the information at a higher level?
Mr. Charney. So for us, we have to be clear. We have two
types of information. We have our information about our network
that we can share as we see fit, even if we take some risk in
sharing. And Microsoft actually does a lot of sharing today. We
have programs where we share threat and vulnerability
information with customers, with governments, and others. We
share our source code with governments as well. So we can
accept that risk.
At the same time we have customer information, and they
have expectations, usually enforced through contractual terms,
that they do not want us using their data in any way without
their permission and consent.
And so when we look at some of this information sharing, we
want to make sure that the information we share today, which is
substantial, is not disrupted by a new regulation or regime
that says, for example, you can only give data to DHS. Well,
no, we want to share data with our partners all the time, and
we do, so do not disrupt that. It does not solve the problem of
sharing customer information. That we will not do without the
customer's permission, and we want to make sure that any
regulatory regime respects that contractual obligation, because
the biggest problem we have, as a global company, I go overseas
all the time, and customers in other countries say, ``Will you
turn over our data to the U.S. Government?'' That is what they
are worried about. And when the answer is sometimes yes because
we could get a court order or other things--we are fighting a
case like this right now involving a U.S. order to turn over
data from our Irish data center, a customer e-mail. It is not
our data. It is the customer's data. And if we do not protect
the privacy of that information, then what happens all over the
world is people say, ``So I should use a local provider, right?
Because if I use your cloud service, you are a global company;
you are headquartered in the United States. You are just going
to give all our data to the U.S. Government.'' And what will
happen over time is American information technology products
and services that have been so successful around the world,
well, in all those other parts of the world people will say,
``Whoa, maybe we are better off with local technology, not
being compelled by the U.S. Government.'' And that in the long
term for America would be a terrible thing.
Senator Ayotte. Thank you very much for clarifying this. I
appreciate it.
Senator Carper. Senator Ayotte, I think we are going to
wrap it right there. Would you all just stay in place, and,
Senator, we are going to take a real quick recess. Senator
Johnson has run to vote. He will be right back, and when he
does, he will resume, and I know he has some questions. And I
might join you back again, too. Thank you very much.
Senator Booker. Mr. Chairman, is the vote imminent, or do
we have a chance for one more round?
Senator Carper. The vote started 11 minutes ago. I think we
have 3 or 4 minutes left on the clock.
Senator Booker. Being that I cannot come back, may I ask
one more?
Senator Carper. You may go ahead, and when you have
finished, just recess unless Senator Johnson is back.
Senator Booker. That is a lot of power you are leaving me
with, sir. [Laughter.]
Senator Carper. I have every confidence in you.
Senator Booker [presiding]. Thank you very much.
Gentlemen, just real quick. I have seen how perception
problems with private business affect those businesses'
abilities to operate overseas. And I have seen comments by
high-level officials here that then make other countries demand
that our American companies have servers located in their
country as well.
Do you have any concerns about us sharing information,
companies sharing information with the Federal Government
agencies, then making foreign countries more concerned about
those companies operating in their nations?
Mr. Beshar. I think it is a legitimate consideration,
Senator Booker, so the draft legislation really speaks about
exempting companies that provide information from U.S. civil and
criminal liability. If there is data from Europe or other parts
of the world that is embedded in some of the information, a
question at least arises of the scope of that liability
protection.
Senator Booker. OK. Any other thoughts of the child that it
could be creating or something we should worry about?
Mr. Charney. Well, we have had to grapple with this problem
post the Snowden disclosures where government and customers all
over the world have expressed concern about relying on U.S.
technology. And we have been very clear that we do defense, not
offense. We do not put the back doors in products. We do not
turn over encryption keys.
Where you can get stuck at the end of that discussion is if
the U.S. Government does compel the production of data and does
it with a non-disclosure order, there is some risk to the
foreign enterprise that their data will be turned over to the
United States without notice.
Senator Booker. Right.
Mr. Charney. And that does worry them. What we have tried
to do is explain to them, because I think this is true,
government access is a business risk. It is really what it is.
I was with a group of chief security officers in France, and I
knew some of them were running very old technology and were not
current on their patching and hygiene. And they started talking
to me about U.S. Government access if they put their data in
our cloud. And I said, OK, so you have networks that are wide
open and hackers can get in and steal all your stuff, but you
are worried about putting it in my more secure cloud because
the U.S. Government might get it. Who are you more worried
about--hackers or the U.S. Government? What business are you
in? I mean, if you are in the terrorism business, you should be
worried about the U.S. Government. But it still does create
friction in the system.
Mr. Nojeim. After the Snowden disclosures, a number of U.S.
companies said, ``We are not going to voluntarily turn over
customer information to the National Security Agency (NSA).''
OK? Now along comes cybersecurity legislation, and some of the
iterations of the legislation say it is all voluntary,
companies will voluntarily share information; some of the
information is going to be from their customers. So if a
company is going to play by those rules, how can it promise
that it is not going to share information with the NSA if the
legislation says anything you share with a government agency
for cybersecurity reasons must immediately be shared with all
these other agencies, including the NSA?
That was a problem in the CISA bill, the Senate bill that
never came to the floor, that I do not think you want to
repeat.
Mr. Gordon. I come back to the nature of what we are
sharing, which is attack and threat information, and the
sharing of that information only enhances our security for our
customers in the United States and around the world. That is
how we think about it.
Chairman Johnson [presiding]. Thank you for holding down
the fort there, Senator Booker.
I do have a number of questions I would like to put forward
until the next vote is called, and then we will wrap up the
hearing. So, again, I just want to thank all of you for coming
here and taking time and really preparing some very thoughtful
testimony and, I thought, really good responses to questions.
Mr. Nojeim, let me test my theory in terms of us all
sharing the same goal. I think it is just true that if we do
not get this under control, if we allow cyber attacks to
continue, the threat in terms of loss of privacy really is even
greater, correct?
Mr. Nojeim. I think that if there was a major cyber attack
like the scale of what triggered the attack on--it is the cyber
equivalent of the attacks on the Twin Towers, that we would end
up with a cyber PATRIOT Act.
Chairman Johnson. So we share the same goal. Here in
government we can pass a law that can help. It is not going to
be a panacea. It is not going to solve all the problems. But I
think if everybody on all sides of this issue, if we work
together, focus on that goal, let us face it, another--I hate
to single out instances, but another Target instance. Their
privacy is just destroyed. So we do share that same goal of
trying to get to a particular result.
Mr. Nojeim. We do.
Chairman Johnson. I want to ask all of you this. When you
take a look at the White House proposal, what is coming out of
the Senate Intelligence Committee, that is what we are going to
be dealing with here in the Senate, either of those two
proposals or some kind of combination.
What is going to be the biggest threat in terms of us
crossing the goal line with a piece of legislation? I will
start with you, Mr. Nojeim.
Mr. Nojeim. The biggest threat that you are trying to avoid
or the biggest problem in the bill?
Chairman Johnson. I would say the biggest problem in the
bill as well as the outside interests in terms of attacking
whatever is presented. In other words, what are the poison
pills in some of these bills? What do we need to be worried
about? What do we need to work on?
Mr. Nojeim. Here is what I think you need to work on:
First is ensuring that you properly define the information
that can be shared and that you ensure that any irrelevant
personally identifiable information is removed prior to the
share.
Second, make sure that whatever legislation, whatever rules
govern the sharing of information within agencies of the
government, that those procedures are clear and that they are
strong and that they protect privacy.
Third, I think you should prioritize company-to-company
sharing--do more on that score. And I think also that you have
to be mindful of the role that the intelligence agencies are
going to play in the information-sharing scheme.
I think you want to ensure civilian control, and the best
way to do that is to ensure that the shares, the initial
information shares, go from the private sector to DHS, and that
DHS then applies privacy procedures to the data before any of
it is reshared with any other agency.
Chairman Johnson. OK. Well, thank you.
Mr. Charney, I will give everybody a chance to answer that
question, but we had an interesting conversation in terms of
the necessity of sharing personal information in terms of what
information we are talking about sharing. And you said there is
no need whatsoever in terms of sharing personal information if
we are just trying to prevent attacks. In other words, if we
are sharing those threat signatures, no personal information is
required. But if you want to go solve the crime, if you want to
go find the bad actors, that is where you might need personal
information. Is that correct?
Mr. Charney. Yes, that is correct, and also just to be
clear, sometimes an attack indicator is an IP address, like
attacks are coming from this IP address, so we will go look at
our network to see if that IP address is reaching out to us.
And in some places, IP addresses alone are considered
personally identifiable information.
I think in the United States we more try to focus not on
the IP address, but does it combine with other information to
point to a person. And I think the way to solve this problem
generally about using PII is to make sure that when the
government wants to get personally identifiable information, it
uses the transparent, judicial procedures already in place with
which we are all familiar and balance the competing interests
between government access to PII and privacy.
Chairman Johnson. In other words, you go to the court
system, you get a warrant in order to do that. Mr. Nojeim, does
that----
Mr. Gordon. There is----
Chairman Johnson. I just want to ask Mr. Nojeim, does that
comport with what you would be willing to do or agree to?
Mr. Nojeim. You do not need a warrant for the IP addresses.
It is a lesser process.
Scott, I am not sure that it is going to work that way. At
the end of the day, IP addresses are often needed to
investigate a cyber attack to find out where it is coming from.
Companies are going to want to do that. The private sector
information-sharing entities that the White House envisions, I
think they are going to get IP addresses that are relevant to
the cyber attacks.
Mr. Charney. They are going to get the IP address, and you
can do an IP lookup and open source. But if we turn over
information about an attack and the government says, OK, we now
want to see account information and subscriber information, we
require a judicial process. It may be a subpoena, it may be a
2703(d) court order, or it may be a search warrant. My point is
it reached a point where the government wants more, and we
require a legal process to be followed so that our customers
know we are protecting their privacy and not just giving away
the data voluntarily.
Mr. Nojeim. I agree.
Chairman Johnson. Mr. Gordon.
Mr. Gordon. I think there is an important subtlety with IP
addresses because that does tend to be the place that this
conversation converges, and an IP address in the context in
which we see it is not a customer's IP address. It is not
affiliated in any shape or form with a customer. When we see an
IP address in the context of sharing, it is a place from which
an attack is unfolding, or it is a place from which stolen data
has been sent. That is all we know and, frankly, all in our
context we care to know.
And so sharing that would enable someone else to in turn
block an attack from that same location without ever knowing
who it is on the other end. I think the law enforcement
attribution, that is where there are other dimensions to this,
but I do not think it is a yes-no. I think there is a context
to sharing. We would never share information related to our
customers. This is information related to an attack.
Chairman Johnson. Mr. Charney, real quick.
Mr. Charney. Yes, that is true for you, and it is true for
us. But if one of us was with a phone company or a cable
provider that provided the Internet access and the government
said here is the IP address, who is the customer, for them IP
address is more than just an attack factor. It might be a
customer's name and address.
Mr. Gordon. Sure, but they would require a subpoena for
that.
Chairman Johnson. Now you almost start answering another
question I had. Does the White House proposal contain adequate
liability protection to induce the private sector to share with
the government, to induce the private sector to share within
the private sector? I think a number of you have testified that
is really one of the primary information-sharing platforms we
want.
Mr. Gordon. From what I understand, it does not cover
company-to-company sharing at all, so it will not incentivize
that.
Likewise, it does not cover, as I understand it, the acting
from the sharing, even within your own network. And I think
those appear to be two gaps.
Chairman Johnson. So how important is the company-to-
company? And what level are we at right now? What level do we
want to be at?
Mr. Gordon. I think it is very important. I think there is
a tremendous amount of company-to-company sharing that happens
today, and this essentially would potentially incent us away
from that and toward this more structured into the government
sharing. And there are numerous instances that I have been
involved in where we have information that pertains only to a
single company, it is very specific. And so sharing that
through some hub-and-spoke context I think would be
inappropriate.
Mr. Nojeim. To be fair to the White House proposal, it does
allow for the sharing--you could call this private-to-private,
right? You can share to a private hub, and then that hub can
share out back to the private sector. It does not allow the
company-to-company sharing. It does not incentivize the
company-to-company sharing that we all think is necessary. But
it does allow the sharing to the hub.
The trick with the company-to-company sharing is to create
a mechanism that ensures that the companies are playing by the
information-sharing rules. So far, the mechanisms that have
been discussed have all been rejected by the companies. They
include things like creating a private right of action if the
company does not play by the rules, and things like audits.
They have all been rejected. So the question is: How do you
ensure that the companies play by the rules? I do not think
that we have gotten to that point yet, and I think that is why
the White House went with this hub-and-spoke model.
Chairman Johnson. Mr. Beshar, I am intrigued by the role
that insurance can play and quite honestly, being a
manufacturer, having been ISO certified, I can see a role that
things like ISO certification can play, just simply private
sector, here are the standards that can be created, that can be
revised and updated very rapidly. Can you just kind of speak to
that?
Mr. Beshar. Sure. I think that is really the power of
insurance, Mr. Chairman, that it can drive behavior change
across large swaths of the people that is not driven by the
government. It is just because there is a creation of the
appropriate set of incentives that each one of these actors--
large companies, small, mid-sized companies, even individuals--
they take it upon themselves to say here are the steps that I
can take to position myself as a better risk or I just think
are prudent under the circumstances. So I think it has a
tremendous power.
I think the Administration's proposal has actually struck
quite a nice compromise that there are clear liability
protections from civil and criminal exposure. There is the idea
that it will not be used, the information, for extraneous
purposes by regulators, and it will not be subject to FOIA
requests or similar State laws. But then at the same time,
there is an obligation on the companies to try to take out and
strip out the personally identifiable information. So I think
that is the path to go down.
Chairman Johnson. Mr. Bejtlich, can you kind of chime in on
this? I was really struck by your testimony in terms of really
what percentage of companies do not even know they have been
hacked. So can you just speak to me in terms of where you think
the hole is there?
Mr. Bejtlich. Well, Senator, I think part of the problem is
that many companies measure the wrong things. The example I
like to use is you have a football team, and imagine if the way
you determined how you were doing was to measure how tall all
your players were, how fast they ran the 40, where they went to
college, and then you took a look at them on paper and said,
``Oh, that is how good we are,'' when really you need to find
out how they play in a game. And that is where these metrics of
how long has it been since someone broke in and to when you
discovered it, and what steps can you take--technology
diagnostic, process diagnostic, what are the steps you can take
to reduce that count?
I see this in the Federal Government. With the continuous
diagnostic monitoring, all the emphasis is on make sure we are
patched, make sure we are configured properly. That is all
great, but that is hygiene. That does not tell you what the
score is going to be when you get on the field and you
encounter the adversary.
Chairman Johnson. Let us continue going down the row here
just in terms of looking at these proposals that are out there.
What are going to be the impediments to putting something
together and actually get it passed? I will start with you,
again, Mr. Bejtlich.
Mr. Bejtlich. Senator, one of the biggest issues I see is
the deficit of trust in the security community. The security
community up to the Snowden revelations, things were getting
better. I mean, you had General Alexander appear at a hacker
conference, DEF CON. There was real good will being built
there. And then the Snowden revelations came out, and now we
have this real trust deficit.
I think one of the ways to perhaps address that would be to
take a look at the Computer Fraud and Abuse Act. Some of the
changes that have been proposed to that have really scared the
security community into thinking that just being a researcher
and trying to do the right thing and find vulnerabilities and
report them so that they can be fixed could be a prosecutable
event in and of itself.
So maybe one of the ways to approach this is to pair
reforming the CFAA so that it is friendlier to good hackers
with this information sharing and try to address that trust
deficit.
Chairman Johnson. OK. Mr. Beshar.
Mr. Beshar. I think the focus, Senator, should really be on
information sharing and the rebuilding of trust between
industry and government. Personally, I think the intercompany
issues should be pushed somewhat to the side.
Chairman Johnson. Mr. Charney.
Mr. Charney. I agree that industry and government sharing
is important. The other party I would think about is the
customers, because the privacy concerns stem from the customers
who want to entrust their information to third parties, and I
think the discussion we have had today about how could we
provide privacy protections for the data that is shared but
ensure that the data could be used with less risk of liability
is the right formulation.
Chairman Johnson. Mr. Gordon.
Mr. Gordon. I agree. I think that is the one issue that
looms around this. Otherwise, I think there is, at least for
the private sector, tremendous support for this. And I think
the conversation about removing PII in the way that we share
information is a very reasonable approach that really would
solve this.
Chairman Johnson. That is a real critical aspect of this.
One thing we really have not talked too much about--unless it
was asked when I was gone--is really breach notification. Can
you just kind of speak to the necessity for that and what
problems that creates for any organization that is going to be
required to do so? We will start with you, Mr. Gordon.
Mr. Gordon. I think that having a national breach
notification standard is appropriate and would actually be
helpful, and especially one that supersedes because, as you
know, every State has a version of it and it is very
complicated to navigate. I think it is appropriate and we
should do it.
Chairman Johnson. Is that the only level we are at right
now, is just State? Have there been smaller jurisdictions that
have offered any?
Mr. Gordon. I am only aware of State at this point.
Chairman Johnson. OK, Mr. Charney.
Mr. Charney. I agree with that. The only other thing I
would pay attention to is when breach notification has to be
given. There have been some proposals, for example, that there
should be a definitive timeline. But very often when you are
investigating these cases, it takes a while to figure out
exactly what has happened and who has been breached, and you do
not want to give out partial notifications. You want to
understand the scope of the adversary's activity and whether he
is still in. And once you start giving notification, you have
told the adversary that you are on to them.
So there should be some reasonable time to give breach
notification, but a time fixed in stone, like 48 hours, is not
flexible enough.
Chairman Johnson. What would be a reasonable timeframe?
And, again, that looks to me like any kind of timeframe is
somewhat of a conundrum.
Mr. Charney. It is a little bit of a conundrum, and it
certainly should not be open ended. But in all sorts of places,
the law requires reasonableness and a reasonable-man standard,
so to speak. And the reality is these cases can be very
complex, and it can take a while to figure out exactly what
happened and who should be notified. And what you do not want
to end up is notifying too soon and actually compromising the
investigation, and maybe even a law enforcement investigation.
Chairman Johnson. I am assuming you are not going to give
me a timeframe.
Mr. Charney. I am not going to give you----
Chairman Johnson. And that is actually reasonable. Mr.
Beshar----
Mr. Gordon. I would completely support that. I think
putting any time against it is nonsensical, because every
instance is different, and I think reasonable is the right
standard.
Mr. Beshar. We strongly support a uniform Federal breach
notification standard, and our hope, Mr. Chairman, would be
that it preempts the State regimes.
Chairman Johnson. OK. Mr. Bejtlich.
Mr. Bejtlich. Mr. Chairman, the one thing--I would concur
with my colleagues, but the one caution I would add is that
breach has to be properly defined. There are many low-level
things that get caught, stopped, and so forth. If you had to
somehow report on all of those, it would be a disaster.
Chairman Johnson. Can you kind of typify some sort of
level? We were talking about data breach. Now you are talking
about when personal information is lost and people really need
to understand that so they can either cancel your credit card
or----
Mr. Bejtlich. That is right. You would not want to define a
breach as someone broke into a computer. You would want to
define it as they stole PII, something that the person who is
affected would not know otherwise and they need to----
Chairman Johnson. Going back to your testimony, where 67
percent of the businesses that you are potentially auditing do
not even know they have been breached.
Mr. Bejtlich. That is right.
Chairman Johnson. So how do you account for that? Is it the
point where they actually are aware of it? Is that when the
data breach notification requirement would hit in? I mean, you
also have to account for that as well, right?
Mr. Bejtlich. Right. There needs to be some time--because
you can receive a notification and it may not actually
represent a real problem. I have been involved with some of
those as well. You do need some time to identify yes, this
notification does point to something real and--for example, if
someone stole dummy data that was not actually real and the
bureau noticed it, there is no problem there. It was dummy data
for testing or whatever. But if you get the notification, you
see this is real data, now I have to report.
Chairman Johnson. Mr. Nojeim.
Mr. Nojeim. So the biggest obstacle to passing information-
sharing legislation is failure to pass legislation to deal with
the NSA's bulk collection program. I think you have to do that
before you get to cybersecurity information sharing, because
everybody knows that some of this information shared under the
cybersecurity program is going to end up at the NSA. Unless you
do something to reform NSA, I do not think you can do the cyber
first.
The biggest obstacle to the data breach notification
legislation is the way, for example, the White House bill
preempts State laws that protect data that the White House bill
does not protect. So, for example, California protects health
information, but the White House bill explicitly carves that
protection out. But it would preempt that California protection
anyway. I think that is a problem that needs to be fixed.
Chairman Johnson. OK. We have the second vote called, so I
am going to have to be closing this hearing. But I want to ask
one more question because I want to go back to the data breach
notification.
When you are not even aware that you have been hacked and
some of that information is already flowing, I mean, how do we
address that to make sure that companies are not unfairly
penalized?
Mr. Beshar. I would just say, Mr. Chairman, it has to flow
from discovery.
Chairman Johnson. Discovery, OK. Very good. Well, again, I
just want to thank all the witnesses for your, again,
thoughtful testimony and answers to our questions.
The hearing record will remain open for 15 days until
February 12 at 5 p.m. for the submission of statements and
questions for the record.
This hearing is adjourned.
[Whereupon, at 3:07 p.m., the Committee was adjourned.]
A P P E N D I X
----------