[Senate Hearing 114-412]
[From the U.S. Government Publishing Office]

                                                        S. Hrg. 114-412

 PROTECTING AMERICA FROM CYBER ATTACKS: THE IMPORTANCE OF INFORMATION 
                                SHARING

=======================================================================

                                HEARING

                               before the

                              COMMITTEE ON
               HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
                          UNITED STATES SENATE

                    ONE HUNDRED FOURTEENTH CONGRESS


                             FIRST SESSION

                               __________

                            JANUARY 28, 2015

                               __________

        Available via the World Wide Web: http://www.fdsys.gov/

                       Printed for the use of the
        Committee on Homeland Security and Governmental Affairs
                         U.S. GOVERNMENT PUBLISHING OFFICE 

94-272 PDF                     WASHINGTON : 2016 
-----------------------------------------------------------------------
  For sale by the Superintendent of Documents, U.S. Government Publishing 
  Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; 
         DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, 
                          Washington, DC 20402-0001

        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

                    RON JOHNSON, Wisconsin Chairman
JOHN McCAIN, Arizona                 THOMAS R. CARPER, Delaware
ROB PORTMAN, Ohio                    CLAIRE McCASKILL, Missouri
RAND PAUL, Kentucky                  JON TESTER, Montana
JAMES LANKFORD, Oklahoma             TAMMY BALDWIN, Wisconsin
MICHAEL B. ENZI, Wyoming             HEIDI HEITKAMP, North Dakota
KELLY AYOTTE, New Hampshire          CORY A. BOOKER, New Jersey
JONI ERNST, Iowa                     GARY C. PETERS, Michigan
BEN SASSE, Nebraska

                    Keith B. Ashdown, Staff Director
              William H.W. McKenna, Investigative Counsel
            Sean C. Casey, Senior Professional Staff Member
              Gabrielle A. Batkin, Minority Staff Director
           John P. Kilvington, Minority Deputy Staff Director
     Stephen R. Vina, Minority Chief Counsel for Homeland Security
           Matthew R. Grote, Senior Professional Staff Member
                     Laura W. Kilbride, Chief Clerk
                   Lauren M. Corcoran, Hearing Clerk
                   
                            C O N T E N T S

                                 ------                                
Opening statements:
                                                                   Page
    Senator Johnson..............................................     1
    Senator Carper...............................................     3
    Senator Lankford.............................................    14
    Senator Booker...............................................    16
    Senator Ernst................................................    18
    Senator Baldwin..............................................    19
    Senator McCain...............................................    20
    Senator Ayotte...............................................    22
Prepared statements:
    Senator Johnson..............................................    33
    Senator Carper...............................................    34

                               WITNESSES
                      Wednesday, January 28, 2015

Marc D. Gordon, Executive Vice President and Chief Information 
  Officer, American Express......................................     2
Scott Charney, Corporate Vice President, Trustworthy Computing, 
  Microsoft Corporation..........................................     4
Peter J. Beshar, Executive Vice President and General Counsel, 
  Marsh and McLennan Companies...................................     6
Richard Bejtlich, Chief Security Strategist, FireEye.............     7
Gregory T. Nojeim, Senior Counsel and Director of the Freedom, 
  Security and Technology Project, Center for Democracy and 
  Technology.....................................................     9

                     Alphabetical List of Witnesses

Bejtlich, Richard:
    Testimony....................................................     7
    Prepared statement...........................................    61
Beshar, Peter J.:
    Testimony....................................................     6
    Prepared statement...........................................    54
Charney, Scott:
    Testimony....................................................     4
    Prepared statement...........................................    44
Gordon, Marc D.:
    Testimony....................................................     2
    Prepared statement...........................................    37
Nojeim, Gregory T.:
    Testimony....................................................     9
    Prepared statement...........................................    65

                                APPENDIX

Additional statements for the Record:
    Chamber of Commerce..........................................    77
    ICBA.........................................................    80
    NACFU........................................................    82
    TIA..........................................................    85
 
                     PROTECTING AMERICA FROM CYBER
             ATTACKS: THE IMPORTANCE OF INFORMATION SHARING

                              ----------                              


                      WEDNESDAY, JANUARY 28, 2015

                                     U.S. Senate,  
                           Committee on Homeland Security  
                                  and Governmental Affairs,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 1:34 p.m., in 
room SD-342, Dirksen Senate Office Building, Hon. Ron Johnson, 
Chairman of the Committee, presiding.
    Present: Senators Johnson, McCain, Lankford, Ayotte, Ernst, 
Sasse, Carper, Baldwin, Booker and Peters.

             OPENING STATEMENT OF CHAIRMAN JOHNSON

    Chairman Johnson. This hearing will come to order. Senator 
Carper is on his way, but we have just been told we can get 
going here.
    I want to keep my opening remarks very brief because we do 
have votes and I want to make sure we get to the testimony. But 
I want to thank the witnesses for their very well thought out, 
well-prepared testimony, certainly the written testimony. I am 
looking forward to your oral testimony. I want to thank you for 
your flexibility. We have obviously moved the hearing up.
    We have in this Committee agreed upon a mission, and the 
mission is pretty simple: to enhance the economic and national 
security of America. If we focus on that goal, a goal that we 
all share--whether you are Republican or Democrat, we really 
share that. And particularly when it comes to this 
cybersecurity hearing about sharing information to protect our 
cyber assets, it is also a goal we share. So if we concentrate 
on that, recognizing there are different viewpoints on this, I 
think we have a far better chance of actually succeeding. So 
when Senator Carper gets here, we will give him a chance to 
have an opening statement.
    The tradition of this Committee is to swear in witnesses, 
so I would ask the witnesses to stand and raise their right 
hands. Do you swear that the testimony you will give before 
this Committee will be the truth, the whole truth, and nothing 
but the truth, so help you, God?
    Mr. Gordon. I do.
    Mr. Charney. I do.
    Mr. Beshar. I do.
    Mr. Bejtlich. I do.
    Mr. Nojeim. I do.
    Chairman Johnson. Thank you.
    What I would like to do is get right into testimony then, 
and I will start with Marc Gordon. He is the Executive Vice 
President and Chief Information Officer (CIO) of American 
Express. He previously served as CIO of Bank of America and 
Best Buy. Mr. Gordon, your testimony, please.

 TESTIMONY OF MARC D. GORDON,\1\ EXECUTIVE VICE PRESIDENT AND 
          CHIEF INFORMATION OFFICER, AMERICAN EXPRESS

    Mr. Gordon. Thank you, Chairman Johnson and Members of the 
Committee. As you heard, my name is Marc Gordon. I am the 
Executive Vice President and CIO at American Express. I oversee 
the global technology organization for our company, as well as 
information security, and I really appreciate the opportunity 
to testify before this Committee on information sharing. It is 
a topic that I am very passionate about.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Gordon appears in the Appendix on 
page 37.
---------------------------------------------------------------------------
    Based on my experiences as CIO across both the retail 
sector and the financial services sector in Fortune 100 
companies, I would strongly urge the Committee to move forward 
swiftly with information-sharing legislation. I believe that 
effective information sharing may actually be the single 
highest-impact, lowest-cost, fastest-to-implement capability we 
have at hand as a sector and as a Nation to raise the level of 
capability against the many and varied threats that we face. 
The way I like to think about it is an attack against a single 
company can be the entire sector's and Nation's defense, 
quickly shared.
    I realize you are familiar with the threat landscape, and 
we have included many examples in my written testimony on the 
nature and the scale of the threats we face. I will not go 
through those now. What I would emphasize here is that while 
cyber crime is growing meaningfully for us and across 
industries, we are increasingly concerned about what appears to 
be the convergence of players, capabilities, and intentions--
namely, nation-state players or those with nation-state 
capabilities with a particular attention around destructive 
intent across industries.
    In response to these threats, the financial services 
industry has invested literally billions of dollars to protect 
our networks. But there are steps that we can take together 
within and across industries and with the government to make 
the total ecosystem more secure.
    And while there is some sharing of information today, I 
would characterize it as highly variable within industries, and 
especially highly variable across industries. And meaningful 
legislation I believe would expand both the quality and volume 
of cyber information sharing and raise the security level 
overall for all of us.
    But legal barriers and the threat of lawsuits are obstacles 
to information sharing today, and that is where legislation 
that provides targeted protections from liability and 
disclosure is sorely needed.
    There are a few notable items that I would also emphasize 
today in terms of attributes of information sharing that we 
believe are particularly important for effective information 
sharing and to have the desired results.
    First is an emphasis on real-time sharing.
    Second is liability and disclosure protection, not just for 
sharing but also for acting within one's own network on the 
information that is shared.
    Third, that the protections that are afforded in terms of 
liability and disclosure and so forth are extended not just to 
government-sanctioned entities but to private entities, 
businesses sharing among themselves. We feel that is actually 
very important.
    And, finally, that the sharing needs to be bi-directional, 
that is to say, we believe the government should be directed to 
share in the right way classified indicators only known and 
knowable from the government. We think that is a big value add 
to this proposition for the private sector as we protect our 
customers' information.
    Finally, we are committed to protecting the privacy of our 
customers' information and believe that concerns around privacy 
protection should be discussed but can be effectively addressed 
in the legislation.
    Again, I just want to thank you for asking me to be here 
today. I look forward to working with this Committee and other 
Members of the Senate and House, and I look forward to helping 
in any way that we can.
    That concludes my prepared remarks, and I would be happy to 
answer questions.
    Chairman Johnson. Well, thank you, Mr. Gordon.
    Our Ranking Member has arrived, so, Senator Carper, do you 
have some opening comments?

              OPENING STATEMENT OF SENATOR CARPER

    Senator Carper. As we say in Delaware, bienvenido. 
[Laughter.]
    Bienvenido. We are happy you are here, looking forward to 
this hearing. This is a timely, important topic. Let us see 
what we can learn from all of you.
    Thank you.
    Chairman Johnson. Thank you for that.
    Our next witness is Scott Charney. He is the Corporate Vice 
President of Microsoft's Trustworthy Computing Group where he 
focuses on the security and privacy of Microsoft's products. 
Scott has also worked for PricewaterhouseCoopers and as Chief 
of the Justice Department's Computer Crime and Intellectual 
Property Section.
    Mr. Charney, you have the floor.

   TESTIMONY OF SCOTT CHARNEY,\1\ CORPORATE VICE PRESIDENT, 
          TRUSTWORTHY COMPUTING, MICROSOFT CORPORATION

    Mr. Charney. Chairman Johnson, Ranking Member Carper, and 
Members of the Committee, thank you for the opportunity to 
appear today at this important hearing. My name is Scott 
Charney, and I am the Corporate Vice President for Trustworthy 
Computing at Microsoft. It is good to see the Committee's first 
hearing of the 114th Congress focuses on cybersecurity. I 
commend this Committee and the Members of the Senate for 
addressing one of America's most complex challenges.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Charney appears in the Appendix 
on page 44.
---------------------------------------------------------------------------
    Let me start by describing the cyber threat. The threat 
comes in two forms:
    First, there are opportunistic criminals who, like burglars 
testing doorknobs, do not care who falls prey as long as 
someone does.
    Second, there are actors described as advanced persistent 
threats because they are intent on compromising a particular 
victim.
    These two different types of threats require somewhat 
different responses. Basic computer hygiene--such as running 
the latest version of software, applying updates, and using 
antivirus products--can thwart many opportunistic threats. 
Addressing advanced persistent threats, however, requires much 
more. Computer security professionals must prevent, detect, and 
respond to sophisticated attacks.
    Knowing about threats, vulnerabilities, and incidents can 
help computer security professionals and others take the right 
action. So how does such information sharing occur in practice? 
Simply put, a party collects information, identifies a computer 
security issue, and then shares it with those who can act on 
it. The recipient uses that information to prevent, detect, or 
respond to the event, normally collecting more data and sharing 
it in return. Often parties are added to the process as the 
evidence dictates. Throughout this process, all parties will 
maintain the data responsibly, protecting its confidentiality 
as appropriate.
    Does this work? Absolutely. For example, Microsoft has 
partnered with other companies and law enforcement agencies to 
take down two botnets which had infected millions of computers 
around the world and were each responsible for over $500 
million in financial fraud.
    So if information sharing is so important and so helpful, 
why is such sharing limited? The short answer is that those 
with critical information are often unable or unwilling to 
share it. They may be unable to share it due to law, 
regulation, or contract, all of which create binding 
obligations of secrecy and expose a company to legal risk if 
information is shared.
    There are also other risks. For example, a company that 
discloses its vulnerabilities may suffer reputational risk, and 
such a disclosure may even make security matters worse if 
hackers leverage that information for further attacks against 
that company or anyone else.
    In light of these issues, how can information sharing be 
encouraged? While my written testimony detailed six core tenets 
that must guide any information-sharing proposal, let me 
describe the most important tenets here.
    First, privacy is a fundamental value and must be protected 
when sharing information. While users around the world may have 
different views about privacy, they want assurances that the 
information they entrust to others is used properly and 
protected. It is also important that governments adhere to 
legal processes for law enforcement and national security 
requests and do not use computer security information-sharing 
mechanisms to advance law enforcement and national security 
objectives.
    Second, government and industry policies on information 
sharing should take into account international implications. 
Many U.S. businesses are multinational companies. If not 
properly constructed, rules in the United States can discourage 
foreign markets from using U.S. technology products and 
services, as well as lead to reciprocal requirements that could 
undermine U.S. security.
    Third, while information sharing has benefits, it also 
poses business risks that must be mitigated. As noted, sharing 
information can expose an organization to legal, regulatory, 
contractual, and reputational risks. Any information-sharing 
regime must attempt to reduce these risks by providing 
appropriate liability protections.
    Finally, information sharing need not follow a single 
structure or model, and governments should not be the interface 
for all sharing. Information sharing already occurs through 
both formal and informal processes, within industry and between 
industry and government, and sometimes across national borders. 
There is no single model because situations and desired 
outcomes differ. Flexibility is critical.
    With current practices and those tenets in mind, how should 
we think about information-sharing legislation? In a nutshell, 
Congress should ensure that existing information-sharing 
arrangements are left undisturbed, ensure the protection of 
civil liberties, and reduce disincentives to sharing. This can 
be done in the following three ways:
    First, the legislation should be scoped to cover 
information that reasonably enables defenders to address cyber 
threats.
    Second, the legislation should be designed to protect 
privacy and civil liberties by requiring data be anonymized, 
restricting secondary uses, protecting against inappropriate 
disclosure, and requiring the government to seek a court order 
when attempting to pierce the veil of anonymity.
    Third, the legislation should grant appropriate liability 
protection for sharing information while recognizing that 
companies must fulfill their contractual obligations to their 
customers.
    Thank you for the opportunity to testify, and I look 
forward to working with the Committee on this effort.
    Chairman Johnson. Thank you, Mr. Charney.
    Our next witness is Peter Beshar. He is the Executive Vice 
President and General Counsel of Marsh & McLennan Companies. 
Before joining Marsh, Mr. Beshar was a partner in Gibson, Dunn 
& Crutcher. Mr. Beshar.

 TESTIMONY OF PETER J. BESHAR,\1\ EXECUTIVE VICE PRESIDENT AND 
          GENERAL COUNSEL, MARSH & MCLENNAN COMPANIES

    Mr. Beshar. Thank you, Chairman Johnson, Ranking Member 
Carper, and Members of the Committee.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Beshar appears in the Appendix on 
page 54.
---------------------------------------------------------------------------
    The evolution in the sophistication and intensity of cyber 
attacks in 2014 was astonishing. And as bad as it was in 2014, 
it got worse in the last month. In December, the German 
Government reported that hackers had caused massive damage to 
an iron plant by disabling the electronic shut-off systems that 
turned off the furnaces. And this escalation of cyber attacks 
reflects a troubling threat posed to our critical 
infrastructure.
    I would like to focus my remarks this afternoon on cyber 
insurance. Some of you may be saying, ``What relevance does 
cyber insurance have to this issue?'' And we would say it has a 
lot, that cyber insurance has the potential to create powerful 
incentives that drive behavioral change in the marketplace and 
that fundamentally that is what this Committee, what the 
Congress, and all of us are trying to accomplish.
    The simple act of applying for cyber insurance forces 
companies to conduct meaningful gap assessments of their own 
capabilities because insurers will want to know: Do you have an 
incident response plan? Do you have good protocols for patching 
software? Are you regularly monitoring your vendor network? And 
this process in and of itself is an important risk mitigation 
tool.
    Once a cyber policy is purchased, the incentive then shifts 
to the insurer to try to assist the policy holders to the 
greatest extent possible to avoid or mitigate attacks. And so 
you are seeing many insurers now offering an array of services 
like monitoring and behavioral analytics and rapid response 
that help policy holders, and the market is really responding. 
So in 2014, the number of our clients that purchased stand-
alone cyber coverage increased by 32 percent over the prior 
year. And we tracked specifically which sectors of the economy 
the cyber take-up rates were the highest, and so they are 
sectors like health care, education, and hospitality and 
gaming. Each of these industries handles a substantial volume 
of sensitive data. We also saw meaningful increases in the 
power and utility sector.
    We also tracked pricing trends on the premiums for cyber 
insurance, and if you read the headlines alone, you would 
assume that premiums went up meaningfully. And, in fact, year-
over-year pricing was really quite stable. Some industries were 
up, some industries were down. What we did witness in the 
fourth quarter of 2014 was in the retailing sector in 
particular, premium prices went up for obvious reasons. And 
underwriters really began differentiating between those 
retailers that were implementing the most sophisticated 
defenses on point-of-sale systems--end-to-end encryption, for 
example--and those retailers that were not doing so. And, thus, 
you are seeing insurance market forces really begin to drive 
incentives and create meaningful reasons to make the type of 
investments in cyber defense that we would want. And this 
phenomenon, Chairman, has occurred many times in many 
industries--workers' compensation, for example. Insurers were 
part of the bold work to really identify safety protocols that 
would improve the security of workers in the workplace. And 
over the last two decades, you have seen the number of 
fatalities in the workplace drop by over 35 percent. And this 
is the type of dynamic that we would like to see unleashed in 
the cyber insurance arena where carriers begin to give 
companies specific credit for implementing two-factor 
authentication or other meaningful protections like detonation 
software. In sum, cyber insurance is one element of many in a 
holistic risk mitigation strategy.
    A second key element, as this Committee has recognized, is 
information sharing between industry and government. To 
accelerate the identification and detection of emerging 
threats, there needs to be greater trust and greater real-time 
threat information sharing, and it should be, as other 
witnesses have commented, more reciprocal.
    Accordingly, we support the sharing of cyber threat 
indicators, like malware threat signatures and known malicious 
Internet Protocol (IP) addresses, provided that reasonable 
liability protections and privacy considerations are addressed. 
We believe that the dual considerations of national security 
and privacy can be fairly and appropriately balanced.
    Thank you, Mr. Chairman.
    Chairman Johnson. Thank you, Mr. Beshar.
    Our next witness is Richard Bejtlich. He is the Chief 
Security Strategist at FireEye. He is also a non-resident 
senior fellow at Brookings and previously directed General 
Electric's Computer Incident Response Team. Mr. Bejtlich.

 TESTIMONY OF RICHARD BEJTLICH,\1\ CHIEF SECURITY STRATEGIST, 
                            FIREEYE

    Mr. Bejtlich. Thank you, Chairman Johnson, Ranking Member 
Carper, Members of the Committee. I appreciate the opportunity 
to testify today. I am Richard Bejtlich, Chief Security 
Strategist at FireEye. Our Mandiant consulting service, known 
for its 2013 report on Chinese PLA Unit 61398, helps companies 
identify and recover from intrusions.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Bejtlich appears in the Appendix 
on page 61.
---------------------------------------------------------------------------
    So who is the threat?
    We have discovered and countered nation-state actors from 
China, Russia, Iran, North Korea, and other countries. The 
Chinese and Russians tend to hack for commercial and 
geopolitical gain. The Iranians and North Koreans extend these 
activities to include disruption via denial of service and 
sabotage using destructive malware. We have helped companies 
counter organized crime syndicates in Eastern Europe and 
elsewhere. Our recent report on a group we call ``FIN4'' 
described intrusions to facilitate insider trading. We have 
also encountered hacker teams for hire and others who develop 
and sell malicious software, or malware.
    How active is this threat?
    In March 2014, the Washington Post reported that in 2013, 
Federal agents, often the Federal Bureau of Investigation 
(FBI), notified more than 3,000 U.S. companies that their 
computer systems had been hacked. This count represents clearly 
identified breach victims, and many were likely compromised 
more than once.
    In my 17 years of doing this work, this is the single best 
statistic I have ever seen as far as just how bad the problem 
is.
    Serious intruders target more than the government, defense, 
and financial sectors. No sector is immune.
    But how do victims learn of a breach? In 70 percent of 
cases--and this has held up through our own consulting and also 
through other companies that we work with--someone else, 
usually the FBI, tells a victim about a serious compromise. 
Only 30 percent of the time do victims identify intrusions on 
their own. The median amount of time from when an intruder 
initially compromises a victim to when the victim learns about 
the breach--and, remember, most of the time they are being told 
by someone else. That time, according to our research for 2014, 
is 205 days. This number is better than last year's count, 
which was 229 days and the year before, in 2012, which was 243 
days. So we are making progress, but intruders still spend 
about 7 months inside a victim network before anyone notices.
    So what is the answer?
    Well, as Mr. Chairman mentioned, so-called network hygiene 
only gets you so far. We need more strategy here, and in my 
opinion, the best strategy is to prevent as many intrusions as 
possible, clearly; but we need to quickly detect attackers who 
evade regular defenses, respond appropriately, before the 
adversary accomplishes his mission. Strategically significant 
intrusions do not occur at the speed of light. It takes 
intruders time, from hours to weeks, to move from their initial 
foothold to the information that they seek.
    So defenders win when they stop intruders from achieving 
their objectives. I recommend two metrics that we could track 
to see whether this is the case, to include the Federal 
Government.
    The first metric is tracking simply the number of 
intrusions or the types of intrusions that occur in a given 
year. There are many companies I visit, and I ask that simple 
question. They cannot answer that question.
    The second metric is to measure the amount of time that 
elapses from when the intruder gets into your network and you 
notice. We want that number to be as small as possible.
    Well, how does threat intelligence play into this?
    ``Threat intelligence'' refers to the tactics, tools, and 
procedures used by intruders to abuse software and networks. It 
does not depend upon sensitive information about U.S. persons. 
And I will note that the President's proposal is compatible 
with this definition of ``threat intelligence.''
    Will that help?
    Threat intelligence will help defenders more quickly 
resist, identify, and respond to intrusions, but only if the 
organization is postured to succeed. Unless you have a sound 
strategy, the right technology, people, and processes, no 
amount of threat intelligence will help you.
    There are usually three cases for sharing threat 
intelligence: from the government to the private sector; within 
the private sector, and from the private sector to the 
government. And all three face challenges.
    In the government-to-private scenario, I recommend or I 
encourage the government to grant clearances to private 
security teams who are not working on government contracts. The 
government should also augment their narrative style reports--
in other words, text and sentences--with appendices that are in 
machine-readable format so we could facilitate that real-time 
sharing that was mentioned by my colleagues.
    In the private-to-private case, I would second the idea of 
having more information-sharing organizations in the private 
sector.
    And now we get to the toughest case, and this is the 
private-to-government case, and it is contentious, for two 
reasons.
    First, companies are reluctant to publicize they have 
breaches besides what is necessary to comply with laws. So the 
private sector fears penalties if they disclose. So I would 
recommend that they not be held liable simply for notifying the 
government that they have been compromised.
    Second, some privacy advocates fear that liability 
protection will let companies submit customer data to the 
government. If you properly format threat intelligence, this 
will not be a problem. In my written testimony, I have an 
example of a pilot program in the government involving the 
Department of Energy that we think is doing a decent job 
working with this sort of information, but I will leave that to 
your questions.
    Again, I thank you for the opportunity to testify.
    Chairman Johnson. Thank you, Mr. Bejtlich.
    Our next witness is Gregory Nojeim. He is the Senior 
Counsel and Director of the Freedom, Security & Technology 
Project at the Center for Democracy & Technology. Greg 
previously served as Associate Director and Chief Legislative 
Counsel in the ACLU's Washington legislative office.
    Mr. Nojeim.

TESTIMONY OF GREGORY T. NOJEIM,\1\ SENIOR COUNSEL AND DIRECTOR 
   OF THE FREEDOM, SECURITY & TECHNOLOGY PROJECT, CENTER FOR 
                     DEMOCRACY & TECHNOLOGY

    Mr. Nojeim. Thank you, Senator Johnson, Senator Carper, 
Members of the Committee. I am pleased to testify on behalf of 
the Center for Democracy and Technology (CDT). We are a 
nonpartisan, nonprofit technology policy organization dedicated 
to protecting civil liberties and human rights on the Internet. 
We applaud the Committee for holding the first hearing of the 
114th Congress on cybersecurity. It is an important issue. It 
should be a particularly important issue for this Committee. It 
can play a key role in addressing the information-sharing 
problem.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Nojeim appears in the Appendix on 
page 65.
---------------------------------------------------------------------------
    I am going to explain today the role that information 
sharing can play in countering the threat of cyber attacks. I 
will identify different approaches to encouraging information 
sharing as well as the essential civil liberties attributes of 
a successful information-sharing policy.
    Other panelists have already described very well the direct 
harms of cyber attacks. I will just add one: Major cyber 
attacks on Target, JPMorgan Chase, Home Depot, and Sony 
Pictures command the headlines so much that, in addition to 
direct harms, these large-scale attacks also threaten to chill 
use of online services and of the Internet itself.
    There is no silver bullet that will wipe away the danger of 
cyber attacks. As my colleagues have noted, many cyber attacks 
could be stopped by basic digital hygiene, and Congress should 
be encouraging that. And a good way for doing that also is the 
Cybersecurity Insurance Program.
    On the other hand, other attacks, the advanced persistent 
attacks, they will often require the sharing of information 
about potential threats and how to defend against them.
    Cybersecurity information sharing also poses risks to civil 
liberties. After all, it does involve the sharing of some 
communications content and of some personally identifiable 
attributes of communications. As Mr. Bejtlich mentioned, the 
flow of this information to the government triggers concerns 
that cybersecurity information sharing could evolve into a 
surveillance program, and the concern is particularly acute 
when the permission to share trumps all laws.
    We favor a more focused approach: Create specific 
exceptions to the laws that inhibit information sharing. Start 
with the Wiretap Act and with the Electronic Communications 
Privacy Act. They permit communications service providers to 
share communications information to protect their own networks. 
But they do not permit them to share information to protect 
others. That can be fixed with straightforward amendments that 
we would be happy to work with you on. As other laws that 
inhibit necessary information sharing are identified, 
cybersecurity exceptions could be created to them as well.
    The broader, riskier approach of trumping all laws that 
might otherwise stand in the way of information sharing 
requires exacting civil liberties protections to prevent abuse. 
All of the major cybersecurity proposals take what we think is 
the riskier approach of trumping all laws. The White House bill 
does it; the Cyber Intelligence Sharing and Protection Act 
(CISPA) did it; and so did Cybersecurity Information Sharing 
Act (CISA), the Senate Intelligence Committee's bill from last 
year.
    What are those civil liberties protections that need to be 
incorporated?
    First, narrowly define the information that can be shared 
and include only that which is necessary to describe a threat.
    Second, prioritize company-to-company sharing because the 
private sector owns most of the critical infrastructure that 
must be protected against cyber attack and because private-to-
private information sharing does not create some of the fears 
about the flow of information to the government.
    Third, apply privacy protections prior to any level of 
information sharing, whether by a private entity or a 
governmental entity.
    Fourth, ensure continued civilian control of the 
government's cybersecurity program for the civilian sector.
    Fifth, require that information shared for cybersecurity 
reasons be used for cybersecurity, with limited exceptions for 
law enforcement use to counter imminent threats of bodily harm, 
and to prosecute cyber crime.
    Sixth, be careful about authorizing countermeasures. 
Countermeasures that could amount to hacking back against an 
individual or entity suspected of hacking into one's own system 
should not be authorized. They create more problems. They open 
a Pandora's Box.
    And, seventh, create strong privacy procedures governing 
the sharing of information by governmental entities.
    With respect to these seven factors, I think the White 
House bill does a better job on all of them except for 
prioritizing the company-to-company sharing. We have specific 
concerns with the White House bill. It could be a lot better. 
But it was a significant improvement over the Senate's last 
look at information sharing, which was CISA.
    I close by observing that today is Data Privacy Day. It is 
a day observed around the world for promoting data privacy. Let 
us work together to ensure that cybersecurity information 
respects data privacy, even when it is shared, and helps 
preserve the Internet as a great engine of communication, 
innovation, and prosperity. Thank you.
    Chairman Johnson. Well, thank you, Mr. Nojeim. Again, thank 
you to all the witnesses for your thoughtful testimony.
    To give more Members a chance to ask questions, we are 
going to limit the time for questions to 5 minutes each. Also, 
to remind veteran Members and let the new Members know what the 
tradition of this Committee is in terms of order of 
questioning--it is the people here in attendance when the gavel 
drops. It will be in order of seniority, rotating between 
sides. And then after the gavel falls, just in order of 
appearance.
    So, with that, I am not going to ask questions so that more 
Members have a chance to ask questions. I will turn it over to 
our Ranking Member, Senator Carper.
    Senator Carper. I want to thank the Chairman for yielding 
his time to his Ranking Member.
    We do a lot of oversight work here. We do a lot of asking 
of studies by the Government Accountability Office (GAO) and 
others. Sometimes we just send letters, and I noted a change of 
behavior, and sometimes we legislate. Last year, when we were 
in the 113th Congress, we legislated in three or four different 
Bills with respect to cybersecurity. We sought really to 
bolster the capabilities of the Department of Homeland Security 
(DHS) on that front.
    We passed three or four modest bills, but I think together 
they are very meaningful. One was to make the Cyber Ops Center 
of DHS real and meaningful, codified it. I think that is a very 
good thing. We also have enabled them to strengthen their 
workforce. And a third area that we have worked in is to better 
enable them to protect the dot.gov domain. And so those three 
things taken together I think are helpful.
    We tried to pass information-sharing legislation, as you 
know, in the House and the Senate. We got it out of Committee 
in the Senate but not through the full Senate.
    We have shared jurisdiction on that issue, and some would 
say we actually have maybe more jurisdictional claim on 
information sharing than other committees. But we are going to 
be working fairly hard in this vineyard very soon.
    We have three places to look--maybe more than three. Your 
job is going to find more places to look in terms of developing 
good policy, but, one, the Administration's proposal; two, the 
Senate Committee's bill, the Intel Committee bill from last 
year; and then the work that the House has done.
    I am going to ask each of you, if you would, using those 
three as maybe a touchstone for us in cobbling together smart 
legislative policy on cyber, especially on information sharing, 
what would be one or two major points that you would have us 
take into mind to consider as we do our work. Mr. Gordon.
    Mr. Gordon. Thank you very much, Senator. I agree there was 
great progress last year. I would love to see that bill with 
information sharing.
    If I look across the bills--CISA, CISPA, and the 
President's proposal--the areas that I would highlight as--
first, there are many in common, so I am not going to cover 
those, but the differences or the areas that I would highlight, 
one, I think there is greater or lesser emphasis on real-time 
sharing, and I would propose that that is very significant in 
terms of the speed at which attacks cascade across--within 
industries and across industries. I believe that real time is 
very important.
    Second--and a number of people have mentioned it here--I 
think it is important that the construct not just protect in 
terms of liability entities sanctioned by the government, but 
also that it encourages and facilitates company-to-company 
sharing, that is to say that the liability protections would 
extend to companies sharing among themselves, not just with 
another entity.
    The third and fourth I would highlight very quickly. One is 
protecting sharing. Liability in terms of sharing is important. 
But I also believe protecting acting within one's own network 
is also important. So it is not enough simply to share, but one 
has to be able to actually act on what is shared, and I would 
emphasize that.
    And then the final one, which a number of folks I think 
have mentioned as well, that for us is very important is the 
bi-directional nature of sharing. I believe that as I reflect 
on it, both the CISA and CISPA bills did have a great deal of 
focus on basically requiring the government to get more active 
in sharing, particularly in classified indicators, shared in 
the right way; whereas, I believe the President's proposal is 
silent on that. And I believe that bi-directional sharing I 
feel is very important, and for us there are the threats that 
we experience that we can share across the private sector. 
Typically those occur while we are under attack, so what we are 
sharing is essentially information about an attack that is 
unfolding. What the government has access to that simply is not 
known to us are the attacks that could take place and the 
nature of those attacks. I think that would be a tremendous 
value-add. So I would include the bi-directional sharing in 
terms of emphasis.
    Senator Carper. OK. Thanks. Mr. Charney.
    Mr. Charney. I agree with the points made. I think certain 
bills did not go far enough on the civil liberties side. I 
worry a little with the Administration proposal that we not 
impact current industry-to-industry sharing that is really 
working well. Marc's points were spot on. The only other thing 
I would add is the international flavor of this. As a company 
that has customers all over the world and who is constantly 
combating international threats, it is very important to 
recognize that whatever the Congress does, others may emulate.
    And so, for example, the U.S. Government could say, ``Tell 
us about every vulnerability you know about,'' and you could 
say, ``Well, that would be really interesting to know.'' And 
then every other government in the world will ask for the same 
thing, and suddenly things can become very difficult. And so 
thinking about the international implications of what is done 
here is super important.
    Senator Carper. All right. Thanks. My time has expired.
    Chairman Johnson. No; go ahead.
    Senator Carper. Mr. Beshar, and maybe I would ask you to 
just short it up just a little bit, if you will, please.
    Mr. Beshar. Very briefly, Senator Carper, two points.
    First, there is a hierarchy of data that would be of 
interest to the government that sits in these companies' hands. 
And if you try to focus on the cyber threat indicators and 
begin this journey there as opposed to trying to go deeper on 
the data that is part of this exchange, I think that will be a 
very fruitful step.
    Second, the idea that in the President's bill there are 
obligations that all of our companies have to try to strip out 
the personally identifiable data, I think that is a very 
constructive step forward, as Greg has identified.
    Senator Carper. All right. Thanks.
    Mr. Bejtlich. Senator Carper, briefly, I would encourage 
whatever resources are necessary to help the FBI with its 
notification mission. Speaking as the spokesperson for the 
intel community, that third-party notification is just very 
valuable.
    And, second, I would encourage whatever is required to get 
more prosecutions. I do not think it is necessary to lengthen 
prison times and that sort of thing. I think we just need to 
make better use of the laws that are there and to get more of 
these bad guys.
    Senator Carper. Good. Thanks.
    Last, but not least?
    Mr. Nojeim. So I think I am going to focus just on three 
issues:
    Stripping out irrelevant personally identifiable 
information (PII) before you share a cyber threat indicator. 
The White House bill does a pretty good job of that. CISA did 
not require that.
    Second, on use restrictions, making sure that if a company 
shares information for cybersecurity reasons, it is used for 
cybersecurity. There are some national security uses that are 
cybersecurity uses. Those should be allowed. There are some law 
enforcement uses that are cybersecurity uses. If you want to 
prosecute a cyber crime, that serves a cybersecurity purpose. 
That should be allowed.
    Countering an imminent threat to a person, that should be 
allowed, but not much more. And I think the White House bill 
did a much better job on that score than did CISA.
    And, finally, on hacking back, making sure that if 
countermeasures are going to be authorized, they can only 
operate on your own network. You do not want a countermeasure 
that could, when stolen from your network and placed on 
somebody else's computer, including a victim's computer, 
encrypt or damage data on that computer.
    Senator Carper. Thank you all very much. That was very 
helpful. Thanks.
    Chairman Johnson. Thank you. And now we will stay more on 
time. Senator Lankford.

             OPENING STATEMENT OF SENATOR LANKFORD

    Senator Lankford. Thank you all for being here and being a 
part of this. Let me ask some cost questions and the gain from 
this. We are talking about between a hundred--estimates of $100 
billion to $450 billion in costs a year somewhere right now on 
the cyber attacks. Give me a rough ballpark on the breakdown of 
that between damages that are paid out that are preventable if 
we have this enhanced information sharing and those that are 
not preventable because of a zero-day attack and we are stuck, 
we are at the beginning of it.
    So what I am trying to affirm is we get this in motion, we 
get better information sharing. What difference does it make 
economically? And anyone can attack that.
    Mr. Gordon. That is a great question. I am not sure I can 
answer it directly in terms of a percentage. But what comes to 
mind for me is what percentage of those losses are repeat 
attacks, meaning they happen more than once. And I would say in 
the right construct of information sharing, bi-directional real 
time, a very high percentage of repeats--that is back to my 
comment earlier, which is one company's attack can become the 
Nation's defense if we do it the right way. It will not prevent 
that first attack, but it can prevent all the ones that follow 
potentially.
    So I cannot answer specifically the dollar amounts. I do 
not know how to break that down.
    Senator Lankford. So the guess here is to try to figure out 
how many attacks that are out there are repeat attacks.
    Mr. Gordon. That might be a way to look at it.
    Senator Lankford. So any ballpark on that you would see 
from just what you have seen or anyone has seen on cyber 
attacks out there that are known threats, or were they just not 
known to you or to those companies?
    Mr. Bejtlich. Senator, at Mandiant, just even our own 
customer base, when we do a response, depending on who the 
actor is, if it is the Chinese or the Russians, they are going 
to be back. In some cases, their recidivism rate is as high as 
a third. So that is just against one company is hit, and then 
they are hit again by the same group after we leave.
    Senator Lankford. OK. Let me ask a question. What is next 
on this? Information sharing, I think there is fairly common 
agreement we need to have some level of information sharing. It 
is how to protect personally identifiable information and such. 
What is the next level on this? Where does this go?
    Mr. Charney. I can take that. I think to deal with advanced 
persistent threats, you need a very robust security program 
that has three elements: you need high-level protections in 
place; you need great detective capabilities, because the bad 
guys will keep attacking; and you need very fast response 
processes. And what we have found, of course, in many of the 
hacks that occur today, even if they are called ``advanced 
persistent threats,'' they are not all that advanced. People 
attack unpatched systems. People are running old operating 
systems and old software. And we need to get all boats to rise.
    The challenge has been, of course, that for 20 to 30 years 
people have built networks with tough, hard perimeters, but the 
middles are really soft. And in these advanced persistent 
threats, the bad guy comes in and gets a foothold in the 
network and then moves across the network.
    So the information technology (IT) industry and users of IT 
are all focused on a few core things that are starting to 
happen.
    First, you need multi-factor authentication. You need to 
get rid of user names and passwords because they are just too 
easy to guess or calculate and break in.
    Second, we need what we call ``domain isolation.'' If 
someone attacks and gets in somewhere, they should not be able 
to move everywhere.
    And, third, we have to do a much better job, as people say, 
of detecting things so we can respond quickly. So hopefully 
with more information sharing you put the detections in place, 
and then you can act much more quickly and prevent a lot of the 
damage.
    Senator Lankford. OK. Let me ask a followup question to 
that. With a lot of the issues based on the fact that companies 
are not doing basic patches, they are not doing some of the 
things that are commonplace, then we have this extra layer that 
we are adding to this with personally identifiable information 
that they have got to be able to secure that, sequester that 
away, and so that does not get out as well. If they are not 
doing patches, how diligent are they going to be to make sure 
they are also protecting the information once it gets shared 
that people truly have their privacy protected as well?
    Mr. Charney. Well, so it is absolutely clear that if you do 
not have a good protection program, you are going to lose 
valuable data----
    Senator Lankford. Right.
    Mr. Charney [continuing]. Whether it is economic data or 
personally----
    Senator Lankford. But that is happening right now.
    Mr. Charney. That is happening right now, and you need to--
there are two things to think about. One is raising the 
protections, which is what information sharing is supposed to 
help do, so that you can prevent that. But the second thing is 
that the security model is changing across the industry in two 
respects. One is in some cases you actually do not need that 
personally identifiable information to engage in a transaction.
    So, for example, in the credit card arena, there are 
companies who are looking at--and PayPal does this already--not 
giving the credit card to every merchant in the world, but just 
passing an authentication code to authorize the payment. And if 
you do things like that, then it is much harder--even if you 
steal the information, you are not getting anything that is 
replayable and reusable, and you will see that coming in many 
new ways because we are going to start attaching identities to 
particular devices. People have tablets. They have phones. They 
have portable PCs. And if we can tie your credential to that 
device, then if someone else tries to use that credential from 
another device, it will not work.
    So there is a lot of preventative things we can do from 
protecting networks to thinking about information differently 
and how we protect it.
    Senator Lankford. Thank you, Mr. Chairman.
    Chairman Johnson. The remaining order will be Senator 
Booker, Senator Baldwin, Senator McCain and then Senator 
Ayotte. Senator Booker.

              OPENING STATEMENT OF SENATOR BOOKER

    Senator Booker. I want to thank the Chairman. This is a 
fantastic and very important hearing that we are having. I 
appreciate your leadership, and I want to thank my Ranking 
Member as well.
    Gentlemen, it is the balance, again, between privacy and 
security, and I think that there is a huge tension in this 
area. The degree and nature of the attacks are startling and 
stunning. And I just have really quick questions that should be 
very brief. But the first is: What role does the government 
have, being that so many mistakes are being made in what is 
called the hygiene area? It is remarkable to me how many 
mistakes we make, and I sat with my staff and realized even for 
my own passwords I was not using dual authentication methods 
and the like. But so many businesses out there just are not 
doing the basic common sense that would prevent a lot of this 
from going on.
    And so I am wondering, in just the idea of the role of 
government, what could we be doing to either incentivize or 
mandate levels of hygiene? Or is that, in some of your opinion, 
not the role of government at all?
    Mr. Nojeim. I am going to start with that. I do not think 
it is a good idea to mandate levels of hygiene. I think that 
the mandates will rapidly grow outdated, and they will become 
the floor instead of the ceiling. Companies are going to 
innovate. They are going to come up with new ways to protect 
data, and I think that you want to encourage them to do that. 
Give them tax credits, give them other assistance, but I do not 
think you should try to mandate exactly what they do.
    Mr. Bejtlich. I would concur with that, Senator. The 
insurance example is a great one. If someone keeps breaking 
into my house, it is going to be tougher for me to get a 
premium because they can tell I do not lock my doors and that 
sort of thing.
    The government should restrict itself to the things that it 
will not let the private sector do, which is hack other people, 
or prosecute or do those sorts of things. So I think the role 
of the government should be to do those things that are unique 
to the government, to do the threat mitigation by either 
deterrence or by prosecution or that sort of thing, and the 
private sector can work on the things that we are good at.
    Senator Booker. Yes?
    Mr. Charney. I would add one more point. The government can 
lead by example. The government is a large enterprise, and it 
has customers, too, but their customers are called 
``citizens.'' And citizens file taxes online and file for 
benefits online and want information from the government. So 
the government could do a better job, I think, of adopting the 
latest technologies, managing their systems really well, and 
leading by example.
    Senator Booker. OK. Let me just shift for a second.
    And, by the way, 14 months in the U.S. Senate, we are not 
leading by example with a lot of the practices I see. But I 
just want to then to the perverse business incentives and the 
idea that you provide some kind of full liability or when it 
comes to information sharing with the government, are we 
creating an environment where we are going to promote 
oversharing with government some of the privacy information? 
And I am really worried about that. In many ways, it is just 
giving the government access to another level of domestic 
surveillance by creating perverse business incentives for 
oversharing. Is that a concern?
    Mr. Gordon. The way we look at sharing, if we actually look 
at both what we share and what is shared with us and what we 
would like to amplify over time in terms of sharing, what we 
are essentially talking about are things called ``cryptographic 
hashes'' or pieces of software code. There is nothing 
associated with customers in any shape or form in terms of 
essentially what is effective for sharing. And so I think even 
the way the prior legislation speaks to pulling out PII, our 
view is--and I went back and looked at what we have shared and 
what we like to share more of--it is indicators of attack, 
indicators of compromise, and the like that we do not see that 
there is any real issue at the end of the day as long as we 
focus on sharing that type of information.
    Mr. Beshar. Senator Booker, we would concur with that, that 
even in the last year, the extent of the threat has intensified; 
that if there are going to be attacks on critical 
infrastructure and it is less graffiti and financial crime and 
more threatening of power grids and the like, then that balance 
has to at least be calibrated. And as the other witnesses have 
said, I think by stripping out the personally identifiable 
data, you legitimately address the privacy concerns that are 
there, at least with respect to cyber threat indicators.
    Mr. Gordon. I would like to add one more thing and think 
about it this way: If somebody broke into our data center and 
started attacking our computers with an axe, we would report 
the fact that they have done that. If they broke into our data 
centers and started siphoning off customer information, we 
would report the same thing. The analog for me here is I am 
reporting the axe that got used and the fact that siphoning is 
occurring. I am not even reporting because I do not know in 
most cases who it is.
    So that is the nature of what we are talking about sharing 
essentially, is the fact that an axe was taken to our data 
center.
    Mr. Nojeim. Senator, there are three steps here.
    First, you narrowly define the information that can be 
shared. It has to be necessary to describe the threat.
    Second, you require companies to look for and strip out any 
personally identifiable information that is not relevant to the 
threat.
    And, third, you make it so the liability protections only 
operate when the companies play by those rules. That would do 
the trick.
    Mr. Charney. Can I add one point to that? There are times 
when we do need to do attribution and find source. So if you 
only share anonymous data, you can protect and detect, but you 
cannot deter. And that is why in our testimony, one of the 
things we point out is when you need to get identifying 
information so you can do attribution and take action, we have 
legal processes, court orders, and other things that are 
designed to protect civil liberties and strike the right 
balance.
    Senator Booker. Thank you.
    Thank you, Chairman.
    Chairman Johnson. Senator Ernst has returned, so we will go 
to you next, and then Senator Baldwin.

               OPENING STATEMENT OF SENATOR ERNST

    Senator Ernst. Thank you, Mr. Chairman. Gentlemen, thank 
you for being here today. We greatly appreciate your expertise 
in this area.
    Iowa just in recent years has really become a tech hub. We 
have Google located there, Facebook. We have Microsoft coming 
soon to West Des Moines. We also have many financial 
institutions, insurance companies, both large and small. We 
have a lot of small business.
    So when we are talking about this, we largely think about 
those larger entities, but what can we do through a voluntary 
process to assist and encourage small businesses to voluntarily 
share information and do it in a way that is not cost 
prohibitive or time prohibitive for those smaller groups? I 
would love to hear your thoughts on that. Thank you.
    Mr. Bejtlich. Senator Ernst, this may sound 
counterintuitive because a lot of people have worries about the 
cloud. But to tell you the truth, the cloud may be--assuming 
you use a worthy cloud provider who has their act together, the 
cloud is of great benefit. I advise many small startups, and 
they do not build out networks the way we did 10 or even 15 
years ago. They do everything on the cloud.
    So if the cloud providers--Google, Microsoft, Amazon, and 
these others--have a robust security program and they protect--
or the users protect how they access those services using two-
factor and other methods, that is actually a pretty good 
scenario. It takes the IT duty away from that mom-and-pop shop 
and puts it in the hands of some professionals.
    Mr. Beshar. Senator Ernst, I am proud to report that we 
have 1,500 employees in Urbandale, and it is a terrific 
workforce and a great asset for our company.
    Senator Ernst. Yes. Thank you.
    Mr. Beshar. It is similar to Senator Lankford's question, 
that it is difficult to visit burdens on small and mid-sized 
enterprises that are perhaps customary and commonplace for the 
larger companies.
    At the same time, one of the real takeaways from 2014 is 
that the security of the larger organizations is really 
dependent upon smaller enterprises, that many of the companies 
that have been in the news have been attacked not through the 
front door but through the side door or the back door of the 
vendor network. So things like the Administration's 
cybersecurity framework, the National Institute for Standards 
and Technology (NIST) framework, I think is a helpful, 
relatively straightforward tool to try to assist small and 
medium enterprises to go through some of the steps that we are 
talking about.
    Senator Ernst. Any other thoughts?
    [No response.]
    Thank you, Mr. Chairman.
    Chairman Johnson. Senator Baldwin.

              OPENING STATEMENT OF SENATOR BALDWIN

    Senator Baldwin. Thank you, Mr. Chairman and Ranking 
Member, for holding this hearing. I really appreciate it.
    I have a couple questions I want to get out there, but I 
wanted to actually start, having heard the response to Senator 
Booker's first question about the appropriate government role, 
and I just want to make sure I understand your responses as 
really coming from the business enterprises that you have the 
expertise in, because, as I have looked at it, I have seen 
perhaps areas where we should have a more robust government 
role when we deal with things like--I know, Mr. Beshar, you 
mentioned the electrical grid, critical transportation 
infrastructure, some of our infrastructure. Is that fair that 
you are really answering for your industries and not--or is 
this advice throughout no matter what type of attack we are 
looking at? I just want to clarify that for the record. Do you 
want to just go down the--Mr. Gordon?
    Mr. Gordon. The role of the government question, in the 
context of hygiene, which I think was a substantial part of it, 
I would concur. I feel that, first of all, the definition of 
``hygiene'' is very dynamic. I mean, it literally changes day 
to day. I do not think the government should have much of a 
role in that. And I would say the market has very quickly taken 
care of that in terms of boards paying attention to hygiene. I 
think that is an increasingly smaller problem.
    The other dimension, which I think is outside the purview 
of this discussion, but I do think the question of the role of 
the government in preventative action and in deterrence, I 
think that is still unclear probably to some greater or lesser 
degree, not the role of the private sector.
    Mr. Charney. In my written testimony, I talked about the 
four roles of government relative to IT, because in addition to 
being a large enterprise with customers, they also do have a 
traditional public safety and national security responsibility. 
And, I am a big fan of market forces, and they work great for 
innovation, but it is hard to make a market case for the cold 
war. When you have a national security imperative, the 
government often has a major role to play, and part of that is 
that, as a large enterprise, they are attacked a lot. As former 
Chief of the Computer Crime and Intellectual Property Section, 
I can tell you that, in the early days, the two most attacked 
agencies were the Department of Defense (DOD) and the National 
Aeronautics and Space Administration (NASA) because NASA had 
cool stuff. And the government has this information and often 
knows of threats and shares it with industry, which makes us 
more effective in protecting the ecosystem and our customers.
    And then there is also the question of how to deter 
particularly these nation-state attacks. Microsoft has been 
very vocal that we need norms for the Internet. We have norms 
for State behavior in a range of areas, like money laundering 
and weapon of mass destruction. We actually do not have norms 
for cyber activity. And so we see nation-state activity that 
would be very hard for the private sector to fend off. I mean, 
nation states can put spies in your organization. It is well 
known that a Russian spy was arrested at Microsoft. How does a 
private company fend off a well-funded, persistent nation-state 
attack?
    And so the government can help by helping establish those 
norms and in the right places taking steps to help, regulate 
the behavior of others, so to speak.
    Senator Baldwin. OK. I am hoping to get to another 
question, so either real quick, or----
    Mr. Beshar. Please.
    Senator Baldwin. OK. For Mr. Nojeim, you talked--I really 
appreciate your analysis of the three principal proposals and 
your recommendations to strengthen them. Just narrowing in on 
the Obama Administration's cybersecurity proposal, obviously 
critical details have yet to be finalized in that, including 
for privacy guidelines. So I am wondering what are your 
recommendations for, first, defining what constitutes 
personally identifiable information; and, second, for sharing 
cyber threat data that includes such personally identifiable 
data.
    Mr. Nojeim. So we went through an exercise of trying to 
list all the types of personally identifiable data that we are 
talking about. I do not think that Congress should try to go 
down that road. We did not know years ago that IP addresses 
could become personally identifiable with the additional 
information. Maybe some people knew it; maybe some people did 
not. But the fact of the matter is that sometimes the 
aggregation of information can make it personally identifiable 
when people thought it was not before.
    So rather than going down the road of trying to list the 
particular categories of personally identifiable information, I 
think it is better to require that personally identifiable 
information be stripped out and then task DHS with coming up 
with the list through a Notice and Comment process, and that 
list will change over time, and everybody will know it will 
change over time. So I do not think you want to go down the 
road of trying to list that in the statute.
    And then when it comes to removing it when it is not 
necessary to describe a threat, I think that is going to happen 
naturally in the automated process of sharing threat 
information. Companies are going to develop systems that other 
companies will buy that they will use to share this threat 
information. They will have to be able to describe the threat. 
And those same systems that describe the threat can be used to 
filter out the irrelevant information.
    Chairman Johnson. Senator McCain.

               OPENING STATEMENT OF SENATOR MCCAIN

    Senator McCain. Thank you, Mr. Chairman. I thank the 
witnesses.
    A week ago or a couple weeks ago, the Armed Forces Network 
was hacked into and not only did radical messages show up on 
the screen, but also names and addresses of individuals. And I 
do not think a lot of Americans know that Armed Forces Network 
is at every base, every ship, every defense installation of any 
size, not only in the United States but in all our bases all 
around the world.
    So it was a pretty clever action on their part and I think 
pretty sophisticated, and not only did it give them a 
propaganda coup, but most people believe that Armed Forces 
Network is run by the Armed Forces. It is not. It is contracted 
out to a commercial organization. And it not only was 
propaganda, but also when names and addresses of people are put 
out, it obviously poses a direct threat to literally their 
lives.
    What happened? What could we have done to prevent it? And 
what do we need to prevent something like that in the future? 
Is that you, Mr. Charney, or Mr. Gordon? Whoever wants to take 
that.
    Mr. Charney. Well, first and foremost, many large 
organizations outsource IT functions, and it is absolutely 
crucial that their outsourcing contracts have requirements for 
security and privacy that meet the needs of the party that is 
hiring the contractor.
    Senator McCain. So the Pentagon should have been smarter.
    Mr. Charney. I have a lot of friends in the Pentagon. I 
think they are great. But certainly their contracts should 
require that the information be protected at the right level, 
and now with things like the NIST framework, the International 
Organization for Standardization (ISO) standards, there are 
more and more ways to audit and measure the security controls 
in an environment.
    And so, for example, for a lot of our cloud-based 
customers, they now ask to see our audit reports, which we 
share, because they want to make sure before they entrust their 
data to us that we are taking the necessary steps to protect 
it. And we have to enforce that through contracts with 
customers.
    Senator McCain. So, again, whoever in the Pentagon let that 
contract did not let the right contract.
    Mr. Charney. Either that or the term was in the contract 
but no one evaluated whether the contractual terms were being 
followed.
    Senator McCain. Mr. Gordon, do you have any comment?
    Mr. Gordon. Not a lot to add other than when you look at 
the most common attack factors, websites is one. One of the 
most prominent is websites, so companies put a lot of energy 
into a set of controls around that. I am not familiar with 
actually what the vulnerabilities were that were breached, but 
I agree with Scott. I think that the right third parties and 
businesses put those controls in place to prevent those kinds 
of breaches.
    Mr. Bejtlich. Senator McCain, I think on paper almost 
anyone looks good, but the proof is when you can test it and 
find out if your defenses are strong. I am sure you are 
familiar with the term ``red-teaming.'' If someone had red-
teamed against that user account or a system or a network and 
found, wow, it is very easy for me to get in here, I am not 
going to cause any damage, I am going to report back to the 
owner, it took me 5 minutes to break into this system, and you 
fix the problem before the bad guy finds out. That is one way 
to avoid it.
    Senator McCain. Anyone else?
    [No response.]
    Well, it was interesting that General Dempsey, our Chairman 
of the Joint Chiefs of Staff, recently said that we have a 
technological advantage in every form of warfare over our 
potential adversaries except for one, and that is the issue 
that we are discussing today. I thank you.

              OPENING STATEMENT OF SENATOR AYOTTE

    Senator Carper [presiding]. Senator Ayotte.
    Senator Ayotte. Thank you, Chairman.
    Senator Carper. You are welcome. [Laughter.]
    Senator Ayotte. I wanted to follow up on a comment that Mr. 
Bejtlich made about law enforcement capacity here, and you had 
said we do not need more laws, what we need is greater 
prosecutions and an ability of the FBI and other law 
enforcement agencies to prosecute these individuals.
    I was Attorney General of our State, and in the limited 
cases that I was involved in on these issues, the prosecutions 
are very challenging. As you know, often the actor can be from 
another country, and we are not even talking about nation-state 
actors there, just the location.
    What thoughts do you have as to how we can better help our 
law enforcement agencies have the right tools to pursue 
appropriate cases, so that we have some examples that we are 
not just allowing these things to happen?
    Mr. Bejtlich. Thank you for the question, Senator. I think 
there are a couple angles to it. One of them is, as you 
mentioned with overseas actors, international cooperation. If 
you are a hacker and you are in the United Kingdom and you are 
attacking the United States, that is a bad situation for that 
hacker. We are going to work with our partners and are going to 
get them back. If you are in an Eastern European country or 
some other location--so international cooperation is first.
    Second is training. You need to be trained to do this sort 
of work. You need to know how to carry off a successful 
prosecution, what are the defenses that could be there, and how 
to collect the information properly. It is very similar to what 
we saw in the intel world in warfare. Guys used to go in, smash 
the computers, and then they would bring back fragments, and 
you realize you could not use it. You had to teach them how to 
collect evidence and that sort of thing.
    And the third part is you have to make it a career path. We 
saw this with the turnaround in the FBI now where it is now a 
career path to be an intel person; it is a career path to be a 
cyber person. You need to have that sort of recognition and 
success for following those.
    Senator Ayotte. Thank you. I was very interested in the 
discussion we had that Senator Ernst asked about, the 
challenges for smaller and mid-sized businesses. Having been 
briefed, for example, on the Sony hack--that obviously was a 
nation-state actor, but, frankly, Sony is a larger company and 
even some of our larger companies do not have all the 
protections in place that need to be there. And so, there are 
challenges for smaller and mid-sized businesses. You have 
talked about the use of the cloud-based system in terms of 
resource efficiency for smaller companies.
    As we look at more of our companies moving to that, what 
are the security challenges we are going to have to be aware of 
with the cloud-based system that we should be focusing on? 
Because, as you know, getting into the system from the smaller 
connection is probably the easier way to do things.
    Mr. Charney. So Microsoft, of course, offers large-scale 
cloud services, and people often ask me, ``Is the cloud good or 
bad for security?'' The answer is yes.
    It is good for security because, as mentioned earlier, 
because it is core to our business and we have a lot of 
security expertise. We probably are more rigorous about 
security than many companies might be.
    At the same time, it is important to understand that in the 
cloud model you have a multi-tenanted environment. You have a 
lot of customers using the same cloud service, which makes it a 
very rich target.
    Senator Ayotte. Right.
    Mr. Charney. And so we do things to make sure that our 
customers' data is segmented from one another and prevent that 
lateral movement.
    But the other important thing is that, even when you use 
the cloud, security becomes a shared responsibility. What I 
mean by that is a small business might issue its user names and 
passwords to its employees, and if an employee loses that 
password to a bad person, that person can log on as that 
employee. The cloud will not know.
    Senator Ayotte. Right.
    Mr. Charney. It looks like an authorized use.
    So we have been committed for quite some time to providing 
more security technologies that are just secure by default in 
our newer products--and I talked about this a little earlier--
identities that cannot be stolen because they are bound to 
machines. We have to get to a place--I am all for user 
education. It is a wonderful thing. But I think we put too much 
of a burden on end users to manage security when it is actually 
a complex undertaking.
    Senator Ayotte. You have all talked about what you see as a 
problem with the Administration's proposal not allowing sharing 
and liability protection among companies. So in a cloud-based 
system, is that the way the legislation drafted is particularly 
acute? Or does that not matter because you are thinking about 
transmitting the information at a higher level?
    Mr. Charney. So for us, we have to be clear. We have two 
types of information. We have our information about our network 
that we can share as we see fit, even if we take some risk in 
sharing. And Microsoft actually does a lot of sharing today. We 
have programs where we share threat and vulnerability 
information with customers, with governments, and others. We 
share our source code with governments as well. So we can 
accept that risk.
    At the same time we have customer information, and they 
have expectations, usually enforced through contractual terms, 
that they do not want us using their data in any way without 
their permission and consent.
    And so when we look at some of this information sharing, we 
want to make sure that the information we share today, which is 
substantial, is not disrupted by a new regulation or regime 
that says, for example, you can only give data to DHS. Well, 
no, we want to share data with our partners all the time, and 
we do, so do not disrupt that. It does not solve the problem of 
sharing customer information. That we will not do without the 
customer's permission, and we want to make sure that any 
regulatory regime respects that contractual obligation, because 
the biggest problem we have, as a global company, I go overseas 
all the time, and customers in other countries say, ``Will you 
turn over our data to the U.S. Government?'' That is what they 
are worried about. And when the answer is sometimes yes because 
we could get a court order or other things--we are fighting a 
case like this right now involving a U.S. order to turn over 
data from our Irish data center, a customer e-mail. It is not 
our data. It is the customer's data. And if we do not protect 
the privacy of that information, then what happens all over the 
world is people say, ``So I should use a local provider, right? 
Because if I use your cloud service, you are a global company; 
you are headquartered in the United States. You are just going 
to give all our data to the U.S. Government.'' And what will 
happen over time is American information technology products 
and services that have been so successful around the world, 
well, in all those other parts of the world people will say, 
``Whoa, maybe we are better off with local technology, not 
being compelled by the U.S. Government.'' And that in the long 
term for America would be a terrible thing.
    Senator Ayotte. Thank you very much for clarifying this. I 
appreciate it.
    Senator Carper. Senator Ayotte, I think we are going to 
wrap it right there. Would you all just stay in place, and, 
Senator, we are going to take a real quick recess. Senator 
Johnson has run to vote. He will be right back, and when he 
does, he will resume, and I know he has some questions. And I 
might join you back again, too. Thank you very much.
    Senator Booker. Mr. Chairman, is the vote imminent, or do 
we have a chance for one more round?
    Senator Carper. The vote started 11 minutes ago. I think we 
have 3 or 4 minutes left on the clock.
    Senator Booker. Being that I cannot come back, may I ask 
one more?
    Senator Carper. You may go ahead, and when you have 
finished, just recess unless Senator Johnson is back.
    Senator Booker. That is a lot of power you are leaving me 
with, sir. [Laughter.]
    Senator Carper. I have every confidence in you.
    Senator Booker [presiding]. Thank you very much.
    Gentlemen, just real quick. I have seen how perception 
problems with private business affect those businesses' 
abilities to operate overseas. And I have seen comments by 
high-level officials here that then make other countries demand 
that our American companies have servers located in their 
country as well.
    Do you have any concerns about us sharing information, 
companies sharing information with the Federal Government 
agencies, then making foreign countries more concerned about 
those companies operating in their nations?
    Mr. Beshar. I think it is a legitimate consideration, 
Senator Booker, so the draft legislation really speaks about 
exempting companies that provide information from U.S. civil and 
criminal liability. If there is data from Europe or other parts 
of the world that is embedded in some of the information, a 
question at least arises of the scope of that liability 
protection.
    Senator Booker. OK. Any other thoughts of the child that it 
could be creating or something we should worry about?
    Mr. Charney. Well, we have had to grapple with this problem 
post the Snowden disclosures where government and customers all 
over the world have expressed concern about relying on U.S. 
technology. And we have been very clear that we do defense, not 
offense. We do not put the back doors in products. We do not 
turn over encryption keys.
    Where you can get stuck at the end of that discussion is if 
the U.S. Government does compel the production of data and does 
it with a non-disclosure order, there is some risk to the 
foreign enterprise that their data will be turned over to the 
United States without notice.
    Senator Booker. Right.
    Mr. Charney. And that does worry them. What we have tried 
to do is explain to them, because I think this is true, 
government access is a business risk. It is really what it is. 
I was with a group of chief security officers in France, and I 
knew some of them were running very old technology and were not 
current on their patching and hygiene. And they started talking 
to me about U.S. Government access if they put their data in 
our cloud. And I said, OK, so you have networks that are wide 
open and hackers can get in and steal all your stuff, but you 
are worried about putting it in my more secure cloud because 
the U.S. Government might get it. Who are you more worried 
about--hackers or the U.S. Government? What business are you 
in? I mean, if you are in the terrorism business, you should be 
worried about the U.S. Government. But it still does create 
friction in the system.
    Mr. Nojeim. After the Snowden disclosures, a number of U.S. 
companies said, ``We are not going to voluntarily turn over 
customer information to the National Security Agency (NSA).'' 
OK? Now along comes cybersecurity legislation, and some of the 
iterations of the legislation say it is all voluntary, 
companies will voluntarily share information; some of the 
information is going to be from their customers. So if a 
company is going to play by those rules, how can it promise 
that it is not going to share information with the NSA if the 
legislation says anything you share with a government agency 
for cybersecurity reasons must immediately be shared with all 
these other agencies, including the NSA?
    That was a problem in the CISA bill, the Senate bill that 
never came to the floor, that I do not think you want to 
repeat.
    Mr. Gordon. I come back to the nature of what we are 
sharing, which is attack and threat information, and the 
sharing of that information only enhances our security for our 
customers in the United States and around the world. That is 
how we think about it.
    Chairman Johnson [presiding]. Thank you for holding down 
the fort there, Senator Booker.
    I do have a number of questions I would like to put forward 
until the next vote is called, and then we will wrap up the 
hearing. So, again, I just want to thank all of you for coming 
here and taking time and really preparing some very thoughtful 
testimony and, I thought, really good responses to questions.
    Mr. Nojeim, let me test my theory in terms of us all 
sharing the same goal. I think it is just true that if we do 
not get this under control, if we allow cyber attacks to 
continue, the threat in terms of loss of privacy really is even 
greater, correct?
    Mr. Nojeim. I think that if there was a major cyber attack 
like the scale of what triggered the attack on--it is the cyber 
equivalent of the attacks on the Twin Towers, that we would end 
up with a cyber PATRIOT Act.
    Chairman Johnson. So we share the same goal. Here in 
government we can pass a law that can help. It is not going to 
be a panacea. It is not going to solve all the problems. But I 
think if everybody on all sides of this issue, if we work 
together, focus on that goal, let us face it, another--I hate 
to single out instances, but another Target instance. Their 
privacy is just destroyed. So we do share that same goal of 
trying to get to a particular result.
    Mr. Nojeim. We do.
    Chairman Johnson. I want to ask all of you this. When you 
take a look at the White House proposal, what is coming out of 
the Senate Intelligence Committee, that is what we are going to 
be dealing with here in the Senate, either of those two 
proposals or some kind of combination.
    What is going to be the biggest threat in terms of us 
crossing the goal line with a piece of legislation? I will 
start with you, Mr. Nojeim.
    Mr. Nojeim. The biggest threat that you are trying to avoid 
or the biggest problem in the bill?
    Chairman Johnson. I would say the biggest problem in the 
bill as well as the outside interests in terms of attacking 
whatever is presented. In other words, what are the poison 
pills in some of these bills? What do we need to be worried 
about? What do we need to work on?
    Mr. Nojeim. Here is what I think you need to work on:
    First is ensuring that you properly define the information 
that can be shared and that you ensure that any irrelevant 
personally identifiable information is removed prior to the 
share.
    Second, make sure that whatever legislation, whatever rules 
govern the sharing of information within agencies of the 
government, that those procedures are clear and that they are 
strong and that they protect privacy.
    Third, I think you should prioritize company-to-company 
sharing--do more on that score. And I think also that you have 
to be mindful of the role that the intelligence agencies are 
going to play in the information-sharing scheme.
    I think you want to ensure civilian control, and the best 
way to do that is to ensure that the shares, the initial 
information shares, go from the private sector to DHS, and that 
DHS then applies privacy procedures to the data before any of 
it is reshared with any other agency.
    Chairman Johnson. OK. Well, thank you.
    Mr. Charney, I will give everybody a chance to answer that 
question, but we had an interesting conversation in terms of 
the necessity of sharing personal information in terms of what 
information we are talking about sharing. And you said there is 
no need whatsoever in terms of sharing personal information if 
we are just trying to prevent attacks. In other words, if we 
are sharing those threat signatures, no personal information is 
required. But if you want to go solve the crime, if you want to 
go find the bad actors, that is where you might need personal 
information. Is that correct?
    Mr. Charney. Yes, that is correct, and also just to be 
clear, sometimes an attack indicator is an IP address, like 
attacks are coming from this IP address, so we will go look at 
our network to see if that IP address is reaching out to us. 
And in some places, IP addresses alone are considered 
personally identifiable information.
    I think in the United States we more try to focus not on 
the IP address, but does it combine with other information to 
point to a person. And I think the way to solve this problem 
generally about using PII is to make sure that when the 
government wants to get personally identifiable information, it 
uses the transparent, judicial procedures already in place with 
which we are all familiar and balance the competing interests 
between government access to PII and privacy.
    Chairman Johnson. In other words, you go to the court 
system, you get a warrant in order to do that. Mr. Nojeim, does 
that----
    Mr. Gordon. There is----
    Chairman Johnson. I just want to ask Mr. Nojeim, does that 
comport with what you would be willing to do or agree to?
    Mr. Nojeim. You do not need a warrant for the IP addresses. 
It is a lesser process.
    Scott, I am not sure that it is going to work that way. At 
the end of the day, IP addresses are often needed to 
investigate a cyber attack to find out where it is coming from. 
Companies are going to want to do that. The private sector 
information-sharing entities that the White House envisions, I 
think they are going to get IP addresses that are relevant to 
the cyber attacks.
    Mr. Charney. They are going to get the IP address, and you 
can do an IP lookup and open source. But if we turn over 
information about an attack and the government says, OK, we now 
want to see account information and subscriber information, we 
require a judicial process. It may be a subpoena, it may be a 
2703(d) court order, or it may be a search warrant. My point is 
it reached a point where the government wants more, and we 
require a legal process to be followed so that our customers 
know we are protecting their privacy and not just giving away 
the data voluntarily.
    Mr. Nojeim. I agree.
    Chairman Johnson. Mr. Gordon.
    Mr. Gordon. I think there is an important subtlety with IP 
addresses because that does tend to be the place that this 
conversation converges, and an IP address in the context in 
which we see it is not a customer's IP address. It is not 
affiliated in any shape or form with a customer. When we see an 
IP address in the context of sharing, it is a place from which 
an attack is unfolding, or it is a place from which stolen data 
has been sent. That is all we know and, frankly, all in our 
context we care to know.
    And so sharing that would enable someone else to in turn 
block an attack from that same location without ever knowing 
who it is on the other end. I think the law enforcement 
attribution, that is where there are other dimensions to this, 
but I do not think it is a yes-no. I think there is a context 
to sharing. We would never share information related to our 
customers. This is information related to an attack.
    Chairman Johnson. Mr. Charney, real quick.
    Mr. Charney. Yes, that is true for you, and it is true for 
us. But if one of us was with a phone company or a cable 
provider that provided the Internet access and the government 
said here is the IP address, who is the customer, for them IP 
address is more than just an attack factor. It might be a 
customer's name and address.
    Mr. Gordon. Sure, but they would require a subpoena for 
that.
    Chairman Johnson. Now you almost start answering another 
question I had. Does the White House proposal contain adequate 
liability protection to induce the private sector to share with 
the government, to induce the private sector to share within 
the private sector? I think a number of you have testified that 
is really one of the primary information-sharing platforms we 
want.
    Mr. Gordon. From what I understand, it does not cover 
company-to-company sharing at all, so it will not incentivize 
that.
    Likewise, it does not cover, as I understand it, the acting 
from the sharing, even within your own network. And I think 
those appear to be two gaps.
    Chairman Johnson. So how important is the company-to-
company? And what level are we at right now? What level do we 
want to be at?
    Mr. Gordon. I think it is very important. I think there is 
a tremendous amount of company-to-company sharing that happens 
today, and this essentially would potentially incent us away 
from that and toward this more structured into the government 
sharing. And there are numerous instances that I have been 
involved in where we have information that pertains only to a 
single company, it is very specific. And so sharing that 
through some hub-and-spoke context I think would be 
inappropriate.
    Mr. Nojeim. To be fair to the White House proposal, it does 
allow for the sharing--you could call this private-to-private, 
right? You can share to a private hub, and then that hub can 
share out back to the private sector. It does not allow the 
company-to-company sharing. It does not incentivize the 
company-to-company sharing that we all think is necessary. But 
it does allow the sharing to the hub.
    The trick with the company-to-company sharing is to create 
a mechanism that ensures that the companies are playing by the 
information-sharing rules. So far, the mechanisms that have 
been discussed have all been rejected by the companies. They 
include things like creating a private right of action if the 
company does not play by the rules, and things like audits. 
They have all been rejected. So the question is: How do you 
ensure that the companies play by the rules? I do not think 
that we have gotten to that point yet, and I think that is why 
the White House went with this hub-and-spoke model.
    Chairman Johnson. Mr. Beshar, I am intrigued by the role 
that insurance can play and quite honestly, being a 
manufacturer, having been ISO certified, I can see a role that 
things like ISO certification can play, just simply private 
sector, here are the standards that can be created, that can be 
revised and updated very rapidly. Can you just kind of speak to 
that?
    Mr. Beshar. Sure. I think that is really the power of 
insurance, Mr. Chairman, that it can drive behavior change 
across large swaths of the people that is not driven by the 
government. It is just because there is a creation of the 
appropriate set of incentives that each one of these actors--
large companies, small, mid-sized companies, even individuals--
they take it upon themselves to say here are the steps that I 
can take to position myself as a better risk or I just think 
are prudent under the circumstances. So I think it has a 
tremendous power.
    I think the Administration's proposal has actually struck 
quite a nice compromise that there are clear liability 
protections from civil and criminal exposure. There is the idea 
that it will not be used, the information, for extraneous 
purposes by regulators, and it will not be subject to FOIA 
requests or similar State laws. But then at the same time, 
there is an obligation on the companies to try to take out and 
strip out the personally identifiable information. So I think 
that is the path to go down.
    Chairman Johnson. Mr. Bejtlich, can you kind of chime in on 
this? I was really struck by your testimony in terms of really 
what percentage of companies do not even know they have been 
hacked. So can you just speak to me in terms of where you think 
the hole is there?
    Mr. Bejtlich. Well, Senator, I think part of the problem is 
that many companies measure the wrong things. The example I 
like to use is you have a football team, and imagine if the way 
you determined how you were doing was to measure how tall all 
your players were, how fast they ran the 40, where they went to 
college, and then you took a look at them on paper and said, 
``Oh, that is how good we are,'' when really you need to find 
out how they play in a game. And that is where these metrics of 
how long has it been from when someone broke in to when you 
discovered it, and what steps can you take--technology 
diagnostic, process diagnostic, what are the steps you can take 
to reduce that count?
    I see this in the Federal Government. With the continuous 
diagnostic monitoring, all the emphasis is on make sure we are 
patched, make sure we are configured properly. That is all 
great, but that is hygiene. That does not tell you what the 
score is going to be when you get on the field and you 
encounter the adversary.
    Chairman Johnson. Let us continue going down the row here 
just in terms of looking at these proposals that are out there. 
What are going to be the impediments to putting something 
together and actually get it passed? I will start with you, 
again, Mr. Bejtlich.
    Mr. Bejtlich. Senator, one of the biggest issues I see is 
the deficit of trust in the security community. In the security 
community, up to the Snowden revelations, things were getting 
better. I mean, you had General Alexander appear at a hacker 
conference, DEF CON. There was real good will being built 
there. And then the Snowden revelations came out, and now we 
have this real trust deficit.
    I think one of the ways to perhaps address that would be to 
take a look at the Computer Fraud and Abuse Act. Some of the 
changes that have been proposed to that have really scared the 
security community into thinking that just being a researcher 
and trying to do the right thing and find vulnerabilities and 
report them so that they can be fixed could be a prosecutable 
event in and of itself.
    So maybe one of the ways to approach this is to pair 
reforming the CFAA so that it is friendlier to good hackers 
with this information sharing and try to address that trust 
deficit.
    Chairman Johnson. OK. Mr. Beshar.
    Mr. Beshar. I think the focus, Senator, should really be on 
information sharing and the rebuilding of trust between 
industry and government. Personally, I think the intercompany 
issues should be pushed somewhat to the side.
    Chairman Johnson. Mr. Charney.
    Mr. Charney. I agree that industry and government sharing 
is important. The other party I would think about is the 
customers, because the privacy concerns stem from the customers 
who want to entrust their information to third parties, and I 
think the discussion we have had today about how could we 
provide privacy protections for the data that is shared but 
ensure that the data could be used with less risk of liability 
is the right formulation.
    Chairman Johnson. Mr. Gordon.
    Mr. Gordon. I agree. I think that is the one issue that 
looms around this. Otherwise, I think there is, at least for 
the private sector, tremendous support for this. And I think 
the conversation about removing PII in the way that we share 
information is a very reasonable approach that really would 
solve this.
    Chairman Johnson. That is a real critical aspect of this. 
One thing we really have not talked too much about--unless it 
was asked when I was gone--is really breach notification. Can 
you just kind of speak to the necessity for that and what 
problems that creates for any organization that is going to be 
required to do so? We will start with you, Mr. Gordon.
    Mr. Gordon. I think that having a national breach 
notification standard is appropriate and would actually be 
helpful, and especially one that supersedes because, as you 
know, every State has a version of it and it is very 
complicated to navigate. I think it is appropriate and we 
should do it.
    Chairman Johnson. Is that the only level we are at right 
now, is just State? Have there been smaller jurisdictions that 
have offered any?
    Mr. Gordon. I am only aware of State at this point.
    Chairman Johnson. OK, Mr. Charney.
    Mr. Charney. I agree with that. The only other thing I 
would pay attention to is when breach notification has to be 
given. There have been some proposals, for example, that there 
should be a definitive timeline. But very often when you are 
investigating these cases, it takes a while to figure out 
exactly what has happened and who has been breached, and you do 
not want to give out partial notifications. You want to 
understand the scope of the adversary's activity and whether he 
is still in. And once you start giving notification, you have 
told the adversary that you are on to them.
    So there should be some reasonable time to give breach 
notification, but a time fixed in stone, like 48 hours, is not 
flexible enough.
    Chairman Johnson. What would be a reasonable timeframe? 
And, again, that looks to me like any kind of timeframe is 
somewhat of a conundrum.
    Mr. Charney. It is a little bit of a conundrum, and it 
certainly should not be open ended. But in all sorts of places, 
the law requires reasonableness and a reasonable-man standard, 
so to speak. And the reality is these cases can be very 
complex, and it can take a while to figure out exactly what 
happened and who should be notified. And what you do not want 
to end up is notifying too soon and actually compromising the 
investigation, and maybe even a law enforcement investigation.
    Chairman Johnson. I am assuming you are not going to give 
me a timeframe.
    Mr. Charney. I am not going to give you----
    Chairman Johnson. And that is actually reasonable. Mr. 
Beshar----
    Mr. Gordon. I would completely support that. I think 
putting any time against it is nonsensical, because every 
instance is different, and I think reasonable is the right 
standard.
    Mr. Beshar. We strongly support a uniform Federal breach 
notification standard, and our hope, Mr. Chairman, would be 
that it preempts the State regimes.
    Chairman Johnson. OK. Mr. Bejtlich.
    Mr. Bejtlich. Mr. Chairman, the one thing--I would concur 
with my colleagues, but the one caution I would add is that 
breach has to be properly defined. There are many low-level 
things that get caught, stopped, and so forth. If you had to 
somehow report on all of those, it would be a disaster.
    Chairman Johnson. Can you kind of typify some sort of 
level? We were talking about data breach. Now you are talking 
about when personal information is lost and people really need 
to understand that so they can either cancel your credit card 
or----
    Mr. Bejtlich. That is right. You would not want to define a 
breach as someone broke into a computer. You would want to 
define it as they stole PII, something that the person who is 
affected would not know otherwise and they need to----
    Chairman Johnson. Going back to your testimony, where 67 
percent of the businesses that you are potentially auditing do 
not even know they have been breached.
    Mr. Bejtlich. That is right.
    Chairman Johnson. So how do you account for that? Is it the 
point where they actually are aware of it? Is that when the 
data breach notification requirement would hit in? I mean, you 
also have to account for that as well, right?
    Mr. Bejtlich. Right. There needs to be some time--because 
you can receive a notification and it may not actually 
represent a real problem. I have been involved with some of 
those as well. You do need some time to identify yes, this 
notification does point to something real and--for example, if 
someone stole dummy data that was not actually real and the 
bureau noticed it, there is no problem there. It was dummy data 
for testing or whatever. But if you get the notification, you 
see this is real data, now I have to report.
    Chairman Johnson. Mr. Nojeim.
    Mr. Nojeim. So the biggest obstacle to passing information-
sharing legislation is failure to pass legislation to deal with 
the NSA's bulk collection program. I think you have to do that 
before you get to cybersecurity information sharing, because 
everybody knows that some of this information shared under the 
cybersecurity program is going to end up at the NSA. Unless you 
do something to reform NSA, I do not think you can do the cyber 
first.
    The biggest obstacle to the data breach notification 
legislation is the way, for example, the White House bill 
preempts State laws that protect data that the White House bill 
does not protect. So, for example, California protects health 
information, but the White House bill explicitly carves that 
protection out. But it would preempt that California protection 
anyway. I think that is a problem that needs to be fixed.
    Chairman Johnson. OK. We have the second vote called, so I 
am going to have to be closing this hearing. But I want to ask 
one more question because I want to go back to the data breach 
notification.
    When you are not even aware that you have been hacked and 
some of that information is already flowing, I mean, how do we 
address that to make sure that companies are not unfairly 
penalized?
    Mr. Beshar. I would just say, Mr. Chairman, it has to flow 
from discovery.
    Chairman Johnson. Discovery, OK. Very good. Well, again, I 
just want to thank all the witnesses for your, again, 
thoughtful testimony and answers to our questions.
    The hearing record will remain open for 15 days until 
February 12 at 5 p.m. for the submission of statements and 
questions for the record.
    This hearing is adjourned.
    [Whereupon, at 3:07 p.m., the Committee was adjourned.]

                            A P P E N D I X
