[Senate Hearing 114-76]
[From the U.S. Government Publishing Office]
S. Hrg. 114-76
CYBERSECURITY: SETTING THE RULES FOR
RESPONSIBLE GLOBAL CYBER BEHAVIOR
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON EAST ASIA, THE PACIFIC, AND
INTERNATIONAL CYBERSECURITY POLICY
OF THE
COMMITTEE ON FOREIGN RELATIONS
UNITED STATES SENATE
ONE HUNDRED FOURTEENTH CONGRESS
FIRST SESSION
__________
MAY 14, 2015
__________
Printed for the use of the Committee on Foreign Relations
Available via the World Wide Web: http://www.gpo.gov/fdsys/
U.S. GOVERNMENT PUBLISHING OFFICE
96-851 PDF WASHINGTON : 2015
_______________________________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Publishing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
COMMITTEE ON FOREIGN RELATIONS
BOB CORKER, Tennessee, Chairman
JAMES E. RISCH, Idaho
MARCO RUBIO, Florida
RON JOHNSON, Wisconsin
JEFF FLAKE, Arizona
CORY GARDNER, Colorado
DAVID PERDUE, Georgia
JOHNNY ISAKSON, Georgia
RAND PAUL, Kentucky
JOHN BARRASSO, Wyoming
BENJAMIN L. CARDIN, Maryland
BARBARA BOXER, California
ROBERT MENENDEZ, New Jersey
JEANNE SHAHEEN, New Hampshire
CHRISTOPHER A. COONS, Delaware
TOM UDALL, New Mexico
CHRISTOPHER MURPHY, Connecticut
TIM KAINE, Virginia
EDWARD J. MARKEY, Massachusetts
Lester E. Munson III, Staff Director
Jodi B. Herman, Democratic Staff Director
------------
SUBCOMMITTEE ON EAST ASIA, THE PACIFIC, AND
INTERNATIONAL CYBERSECURITY POLICY
CORY GARDNER, Colorado, Chairman
MARCO RUBIO, Florida
RON JOHNSON, Wisconsin
JOHNNY ISAKSON, Georgia
JEFF FLAKE, Arizona
BENJAMIN L. CARDIN, Maryland
BARBARA BOXER, California
CHRISTOPHER A. COONS, Delaware
TOM UDALL, New Mexico
C O N T E N T S
----------
Cardin, Hon. Benjamin L., U.S. Senator from Maryland, opening statement
Gardner, Hon. Cory, U.S. Senator from Colorado, opening statement
Greenberger, Michael, founder and director, University of Maryland Center for Health and Homeland Security; professor, University of Maryland Francis King Carey School of Law, Baltimore, MD
    Prepared statement
Lewis, James Andrew, director and senior fellow, Strategic Technologies Program, Center for Strategic and International Studies, Washington, DC
    Prepared statement
    Responses to questions submitted for the record by Senator Benjamin L. Cardin
Painter, Christopher, Coordinator for Cyber Issues, U.S. Department of State, Washington, DC
    Prepared statement
    Responses to questions submitted for the record by Senator Benjamin L. Cardin
CYBERSECURITY: SETTING THE RULES FOR RESPONSIBLE GLOBAL CYBER BEHAVIOR
----------
THURSDAY, MAY 14, 2015
U.S. Senate,
Subcommittee on East Asia, The Pacific, and
International Cybersecurity Policy,
Committee on Foreign Relations,
Washington, DC.
The subcommittee met, pursuant to notice, at 10:02 a.m., in
room SD-419, Dirksen Senate Office Building, Hon. Cory Gardner
(chairman of the subcommittee) presiding.
Present: Senators Gardner and Cardin.
OPENING STATEMENT OF HON. CORY GARDNER,
U.S. SENATOR FROM COLORADO
Senator Gardner. All right, the committee will be in order.
Thank you very much for the opportunity to be here today.
And welcome to the first hearing for the Senate Foreign
Relations Committee, Subcommittee on East Asia, The Pacific,
and International Cybersecurity Policy.
I want to thank Chairman Corker for his cooperation as this
committee is starting its important responsibilities here in
the 114th Congress. Of course, we have had numerous hearings on
matters relating to East Asia--just yesterday, of course,
related to China and other issues--but this is the first
dedicated subcommittee hearing.
I want to thank Senator Cardin, the distinguished ranking
member of not only this subcommittee, but your plate is now
fully full with the full committee. So, thank you very much for
being here and taking the time to make this a priority of
yours, as well.
Today's hearing is timely, for a multitude of reasons.
Cybersecurity is a new area of jurisdiction for this committee,
which reflects the critical importance this issue has come to
play in the foreign affairs of our Nation. We are facing a host of
known and emerging threats in cyberspace that threaten not
only our Nation's critical national security infrastructure,
but our economic stability and the privacy of our citizens.
The President's 2011 International Strategy for Cyberspace,
which serves as the guide for our Nation's policy, lays out the
following strategic goal: The United States will work
internationally to promote an open, interoperable, secure, and
reliable information and communications infrastructure that
supports international trade and commerce, strengthens
international security, and fosters free expression and
innovation. To achieve that goal, we will build and sustain an
environment in which norms of responsible behavior guide
states' actions, sustain partnership, and support the rule of
law in cyberspace.
Yet, we know that there are state actors in the field--most
prominently, Russia, China, North Korea, and Iran--that have
conducted cyber activities that are fundamentally at odds with
these goals. As the title of our hearing suggests, how
successful has United States policy been in building a
reliable international framework to enforce responsible
behavior in cyberspace? How assertive is U.S. diplomacy in both
deterring these known threats, but also building viable
coalitions with our partners around the world that share our
vision of open, interoperable, secure, and reliable information
and communication infrastructure?
We also know the President has punitive U.S. measures at
his disposal, as demonstrated by the sanctions imposed by the
U.S. Department of Justice and when it indicted five Chinese
military members in May 2014 for malicious cyber activities
directed against our Nation.
On April 1, 2015, the President issued Executive Order
13694 that would impose U.S. sanctions on entities that are,
``engaging in significant malicious cyber-enabled activities.''
So, the question is: How effective have these sanctions been to
date in deterring bad actors and encouraging responsible cyber
behavior?
We also know that the cyber field is rapidly developing. As
technology becomes increasingly sophisticated, so does the task
of deterring bad actors and promoting good global cyber
governance. It has been 4 years since the President's Strategy
for International Cyberspace was put forward. As we know, in
technology terms, 4 years might as well be four centuries. And
is it time to review an update to that strategy?
So, I hope to explore these and other questions today with
our distinguished witnesses on both panels. And, with that, of
course, I would like to turn to our distinguished ranking
member, Senator Cardin, for his comments.
STATEMENT OF HON. BENJAMIN L. CARDIN,
U.S. SENATOR FROM MARYLAND
Senator Cardin. Well, Senator Gardner, first of all, thank
you, and congratulations on your position as the Chair of the
East Asia and Pacific Subcommittee. I had the honor of chairing
the committee in the last Congress, and the jurisdiction of
this committee is critically important to our country. And I
know it is in good hands. So, I thank you for doing that.
We know about the President's rebalance to Asia and the
importance of the Asia region in regards to our economic and
security issues. I know this subcommittee is going to be very,
very busy. But, to add to your responsibilities, you now have
cybersecurity. I know there are a lot of committees that deal
with cybersecurity, but, I must tell you, the international
impact and our international coordination is critically
important to the security of this country. So, this
subcommittee has a particularly important function within not
just the Senate Foreign Relations Committee, but within the
entire United States Senate and Government. So, good luck, and
I look forward to working with you. And I know we are going to
work together for our country. So, I look forward to that.
We always knew that we had cyber criminals that were out
there. It costs industry a lot of money, costs people a lot of
money all the time. We also knew that we are at risk of cyber
terrorists, people who want to cause harm to our country. And
we knew that was an increased risk. But, I think North Korea's
cyber attack on Sony Pictures Entertainment last November was a
turning point. We now recognize that we are under direct attack
by cyber soldiers organized by government to attack our
country--that really changes the whole dynamics of
cybersecurity. So, it is a critically important field.
Last month, media reported that Russia has increased its
cyber attacks against the United States since sanctions were
put in place over Russia's intervention in Ukraine--targeting
the most senior levels of the United States Government, as well
as a number of U.S. companies--in an attempt to regain the
upper hand for Russia's industries adversely impacted by
international sanctions. And just last Friday, the State
Department expressed United States concerns that China has used
a new offensive cyber weapon, referred to as ``The Great
Cannon,'' to target foreign and Chinese activist Web sites
hosting content banned by China. Mainly, this represents a new
level of information censorship by the Chinese.
Price Waterhouse Cooper's study, released last October,
found that the number of detected cyber attacks--detected cyber
attacks--worldwide escalated dramatically in 2014 to
approximately 43 million--up 48 percent in 2013--amounting to
about 117,000 attacks every day. So, this is a huge problem
that we have to deal with. The global nature of cyber threats
requires the United States to bring to bear all of our
expertise and resources to ensure that we are doing all we can
to protect our Nation's strategic, economic, and security
interests, as well as those of our international partners and
allies. But, we must do so in a way that preserves Internet
freedom--so that people across the world have free and
unfettered access to the Internet as a medium through which
they can learn, connect, and express themselves. We must uphold
our values of openness and respect for human rights in an
increasingly digitized world.
I commend the Obama administration for releasing the
International Strategy for Cyberspace and strengthening the
United States Government's capabilities, particularly in terms
of organization and expertise. In February of this year, the
President directed the Director of National Intelligence to
establish the Cyber Threat Intelligence Integration Center,
whose mission is to ``connect the dots.'' That is very, very
important. We have a lot of information. We do need to connect
the dots. And I hope we will have a chance to get an update on
that during this hearing as to what is affecting national
interests. The President also issued two new cyber-related
Executive orders this year.
As the United States moves forward with these initiatives,
we must ensure that the wide array of federal departments and
agencies involved in cybersecurity avoid duplicating efforts or
overlapping in authorities. We must also continue to reevaluate
our current diplomatic strategy and government structure to
ensure that we are postured to adapt to the new threats.
One area that I believe holds great promise is public-
private partnership. In this respect, Maryland is at the center
of our Nation's cybersecurity efforts. In Maryland, we have
several federal facilities charged with defending U.S. military
networks and assisting our combat commanders and soldiers who
work in cyberspace. And I have had a chance to visit these
agencies. At Fort Meade, the U.S. Cyber Command plans,
coordinates, and conducts full spectrum of military cyberspace
operations. That is located just a few miles from where we are.
And the National Security Agency and the Central Security
Service, also colocated at Fort Meade, work to exploit signal
intelligence to collect information on our adversaries and
protect U.S. military networks from cyber attack.
In Gaithersburg, MD, the National Institute of Standards
and Technology has conducted cybersecurity research for decades
and leads the government in standards development and protocol
for cybersecurity operations, testings, and certifications.
And, Mr. Chairman, I could tell you all about our
universities, which are specialized in cybersecurity. I am very
happy that Professor Michael Greenberger is here from the
University of Maryland's Center for Health and Homeland
Security, a professor at University of Maryland Francis King
Carey School of Law. I mention that because I am a graduate of
that law school, so we will give plugs whenever we can.
[Laughter.]
And I am proud of the fact that the State of Maryland and
our local governments have all made cybersecurity a top
priority for our State. And I will confess that we do that, in
part, because it is good for our business, our jobs, our
economy. We have a lot of highly trained people that are
getting great jobs in our State. But, we are also doing it
because we can perform a mission to this country that is
critically important, and we are proud of what the people of
Maryland are doing, working on behalf of our national security
in cybersecurity.
So, Mr. Chairman, as we start this hearing, we know that we
have to engage the private sector. The government cannot do
this alone. We really have no choice but to work closely with
the private sector. And when I was on the Judiciary Committee,
I chaired a subcommittee that had jurisdiction over
cybersecurity. I introduced legislation that was incorporated
in the Commerce Committee legislation that dealt with trying to
harmonize how the private sector deals with their cybersecurity
needs. We have started down this path, but we need to do more.
We have got to work together on this. What concerns me is that
there are a lot of cyber attacks out there in the private
sector that we never hear about because they are embarrassed to
tell us about it, and we need to make sure that we have the
protocols in place so we can protect the security of our
country. I think that this hearing today and the work of this
subcommittee can help us achieve those objectives for the
people of this country.
Senator Gardner. Thank you, Senator Cardin.
We will begin with our first panel and welcome the
Honorable Christopher Painter, who serves as the State
Department's Coordinator for Cyber Issues. In this capacity,
Mr. Painter coordinates and leads the United States diplomatic
efforts to implement the President's International Strategy for
Cyberspace. He works closely with components across the
Department, other agencies, the White House, the private
sector, and civil society. Prior to joining the State
Department, Mr. Painter served in the White House as Senior
Director for Cybersecurity Policy in the National Security
Staff. During his 2 years at the White House, Mr. Painter was a
senior member of the team that conducted the President's
Cyberspace Policy Review and subsequently served as the Acting
Cybersecurity Coordinator. He coordinated the development of
the President's 2011 International Strategy for Cyberspace
which both Senator Cardin and I have already spoken about.
So, welcome, Mr. Painter. Thank you for your service, and
look forward to hearing your testimony today.
STATEMENT OF CHRISTOPHER PAINTER, COORDINATOR FOR CYBER ISSUES,
U.S. DEPARTMENT OF STATE, WASHINGTON, DC
Mr. Painter. Thank you very much, Senator.
Chairman Gardner, Ranking Member Cardin, members of the
Senate Foreign Relations Committee's Subcommittee on East Asia,
the Pacific, and International Cybersecurity Policy, it is a
real pleasure to be here today to speak with you about our
cyber foreign policy, particularly as this, as you mentioned,
is your first hearing since the subcommittee took on the
important international cybersecurity policy portfolio.
On behalf of my office and the State Department, I look
forward to working with you. And I should say that, having been
involved in this area now for about 24 years, I am very happy--
and this really exemplifies how important this has become as a
policy issue, as a national security, economic, human rights,
and, ultimately, a foreign policy issue.
We live today in an environment of growing threats, both
technical and policy related, to the global Internet we seek to
preserve and expand. Our work to respond to these threats is
guided by the vision of the U.S. International Strategy for
Cyberspace, which seeks to promote an Internet that is open,
interoperable, secure, and reliable. The State Department works
across a range of interconnected cyber policy issues to achieve
this vision through our diplomatic efforts. These issues
include promoting cyber stability among States through norms
and confidence-building measures; building the domestic
cybersecurity capacity of our partners and channels for
international cooperation on incident response; fighting cyber
crime; advancing human rights online; promoting the
continuation of an effective multistakeholder model of Internet
governance; and working to address Internet access and
affordability issues.
Given time constraints, I am going to focus my oral
testimony now primarily on a few security concerns, but I am
happy to address questions on this full range of cyber issues.
Let me start with our long-term goal. We are striving for a
state of international cyber stability, an environment where
all states are able to enjoy the benefits of cyber space, where
there are benefits for states to cooperate and avoid conflict,
and where there is little incentive for states to attack one
another. We are pursuing efforts along two lines to achieve
this goal.
First, we are working to develop a shared understanding
about norms and responsible state behavior in cyberspace. We
believe that developing shared norms will enhance stability,
ground foreign and defense policies, guide international
partnerships, and help prevent the misunderstandings that can
lead to conflict. In recent years, we have had tangible success
in developing these norms. Notably, a landmark consensus in
2013 that international law applies to state conduct in
cyberspace. We are now working to expand this consensus and
look more closely exactly how international law applies. In
addition, because cyber tools can be used across the spectrum
of conflict, most notably below the threshold of the use of
force, the U.S. Government has also been working to identify
some voluntary norms of responsible state behavior during
peacetime that would be universally appropriate and would keep
all of us safer if states adopt them. I have included these
norms in my written testimony, but I am happy to discuss them
further if you have questions.
In addition to promoting norms, we have also worked to
establish practical cyber risk-reduction and confidence-
building measures among states. We believe that effective CBMs
can reduce the risk of escalation due to misunderstanding or
miscalculation regarding a cyber incident. For example, in
December 2013, we achieved an agreement at the Organization for
Security and Cooperation in Europe for the first-ever cyber
CBMs among members of a multinational security organization. We
are now working to implement the current CBMs and develop them
in other regional organizations, such as the ASEAN Regional
Forum.
Alongside these efforts with a shorter term focus, we are
working to strengthen the ability of the U.S. Government as
well as our foreign partners to respond to cyber events as they
occur. We strongly support increased direct international
cooperation among computer security incident response teams and
law enforcement entities to respond to and investigate cyber
incidents, and we use our diplomatic engagements to help our
interagency partners at DHS and DOJ build those ties.
Among our foreign partners, we encourage the development of
whole-of-government national strategies and cooperation with
the private sector on cybersecurity matters. We have placed a
major emphasis on providing capacity-building support to
countries that need it so that they are better prepared to do
their part when an incident occurs. We also stand ready to
support whole-of-government responses to cyber events as they
occur, supporting interagency deliberations on major cyber
events, and engaging diplomatic channels when needed. For
example, during the 2012-2013 distributed denial-of-service
attacks against our financial institutions, State used
diplomatic channels as a supplement to incident response
efforts through more technical channels. State also works
closely with DOJ colleagues to strengthen international
cooperation to combat transnational cyber crime and other forms
of high-tech crime. We support the Budapest Convention on
Cybercrime, as well as the G7 24/7 network, which allows
national police to request rapid assistance in significant
investigations involving digital evidence. State also works
with our colleagues in DOJ to provide capacity-building
assistance on investigation and prosecuting cyber crimes.
I should, finally, note that all of our work to promote
security takes place in the context of our broader commitment
to an open and interoperable global Internet. That is why
states' work on Internet governance, Internet freedom, and
promoting ICTs as an engine for development is so closely tied
to our work in promoting security.
I am now happy to take any questions.
[The prepared statement of Mr. Painter follows:]
Prepared Statement of Christopher M.E. Painter
Chairman Gardner, Ranking Member Cardin, members of the Senate
Foreign Relations Committee Subcommittee on East Asia, the Pacific, and
International Cybersecurity Policy, it is a pleasure to be here today
to speak about our cyber foreign policy.
Before I begin, I would like to commend your subcommittee for
recently taking on ``International Cybersecurity Policy'' as a part of
your portfolio. This development is yet another important step in our
government's efforts to strengthen our foreign policy on cyber issues.
It is also further recognition of the growing importance of cyber
policy to our national security, foreign policy, economy, values, and
way of life. Moreover, the fact that cyber policy is the subject of the
subcommittee's first hearing during the legislative session indicates
the importance you place on this new role. On behalf of my office and
the State Department, I look forward to working with you.
Cyber Issues: A New Foreign Policy Imperative
When it comes to the foreign policy implications of cyber issues,
it is important to begin with the recognition that this subcommittee
and the State Department are working in a still-nascent policy space.
While the Internet has been growing and evolving for a few decades now,
the international community has only more recently begun to fully grasp
cyber issues as a foreign policy priority.
Only 4 years ago this month, the White House issued its
International Strategy for Cyberspace, leading the world in recognizing
the need for a comprehensive and crosscutting strategic approach to
this key area. We were also the first country to establish a foreign
ministry office like the one I lead--the State Department's Office of
the Coordinator for Cyber Issues--to coordinate diplomatic efforts
across the full range of international cyber policy issues.
The world has changed dramatically even since then. Now there are
offices like ours in foreign ministries throughout the world, and new
ones are steadily being created as more countries look to engage in the
global cyber policy dialogue. Cyber issues have become central topics
of discussion in virtually every international venue, and cyber
diplomacy is increasingly viewed by governments as a foreign policy
imperative.
Nonetheless, cyber issues remain in many respects an emerging area
of foreign and national security policy. The global community is still
in an early stage of tackling these challenging issues and building
consensus toward solutions that are consistent with the core values of
democracy and human rights. In the United States, we have made great
strides in articulating our strategic vision for cyberspace, but we are
still working to fully develop the necessary capabilities to ensure we
can continue to lead in this dynamic policy area and respond to crises
as they emerge.
These efforts occur in a context of growing threats--both technical
and policy related--to the open and interoperable global Internet we
seek to preserve and expand. On the technical side, we face increasing
risks from state and nonstate actors that conduct malicious cyber
activity for the purpose of stealing trade secrets or personal
information for commercial or financial gain, suppressing freedom of
expression, destroying data, harming our critical infrastructure, or
causing various other types of harm. North Korea's cyber attack on Sony
Pictures Entertainment demonstrated the potential coercive effects of
such activity. The more recent targeting of GitHub highlights a new and
worrying trend of cyber capabilities being used from abroad to
influence public expression within the United States. While, as the
Director of National Intelligence recently noted, the ``likelihood of a
catastrophic attack from any particular actor is remote at this time,''
we are likely to see ``an ongoing series of low-to-moderate level cyber
attacks from a variety of sources'' that will, over time, ``impose
costs on U.S. economic competitiveness and national security.''
In the policy context, we face significant and growing challenges,
especially from China, Russia, and other authoritarian governments that
seek increased sovereign control over the Internet and its content.
These challenges surface in a variety of fora and across a range of
policy issues. Internet governance is a prime example of a challenging
cyber policy area. Here, we see governments that are more concerned
with regime stability than with economic and social development pushing
to shift from the long-standing and successful multistakeholder model--
one that involves active participation by governments, the private
sector, civil society, and academia in an inclusive and bottom-up
process--to an intergovernmental and exclusive system that could
fundamentally undermine the future growth and potential of the
Internet. The fight against transnational cyber crime is another area
where we face a policy challenge. China and Russia are aggressively
advocating for a new global cyber-crime agreement that would serve as a
vehicle for controlling speech and undermining civil and political
rights, while at the same time criticizing the effectiveness of
existing international instruments like the Council of Europe
Convention on Cybercrime, or Budapest Convention.
Our work to respond to these threats is guided by the vision of the
U.S. International Strategy for Cyberspace, which seeks ``to promote an
open, interoperable, secure, and reliable information and
communications infrastructure that supports international trade and
commerce, strengthens international security, and fosters free
expression and innovation.'' The State Department--not just my office,
but the full complement of security, economic, human rights, law
enforcement and regionally focused bureaus and offices throughout the
Department--works across a range of interconnected cyber policy issues
to achieve this vision through our diplomatic efforts. This includes
promoting cyber stability among states through norms and confidence
building measures, building the domestic cyber security capacity of our
partners and channels for international cooperation on incident
response, fighting cyber crime, advancing human rights online,
promoting the continuation of an effective multistakeholder model of
Internet governance, and, in cooperation with our colleagues at USAID
among others, promoting capacity building, technical assistance, and
development programs to tackle security challenges and address Internet
access and affordability issues.
Accordingly, my office works closely with offices and officials
across the Department--including Under Secretary for Economic Growth,
Energy, and the Environment, Catherine Novelli, who serves as the
Senior Coordinator for International Information Technology Diplomacy;
the Bureau of Democracy, Human Rights and Labor; the Bureau of
International Narcotics and Law Enforcement; the Bureau of Economics
and Business Affairs Office of International Communications and
Information Policy; the Bureau of Counterterrorism; the Bureau of Arms
Control and Verification; among other functional components, and every
regional bureau. We also coordinate our work with colleagues throughout
the Federal Government, including at the Departments of Defense,
Justice, Homeland Security, Commerce, and Treasury.
The State Department is a key player in all U.S. Government
interagency cyber policy processes, ensuring that timely and pertinent
foreign policy guidance is provided to decision makers at all levels.
Given the global nature of the Internet, even ostensibly domestic cyber
policy decisions typically have a foreign policy or diplomatic
dimension. We also leverage State's global diplomatic corps, including
our growing cadre of cyber officers, to support the vision articulated
in the U.S. International Strategy for Cyberspace, and respond to
growing threats.
Review of the Global Cyber Landscape
Before describing our international priorities in detail, it is
useful to review some of the most recent cyber developments from around
the world to better frame the kinds of challenges and opportunities
that we face. We can call it a short ``cyber policy world tour.''
Given the subcommittee's focus on East Asia and the Pacific, I will
begin there. As you know, this dynamic region is playing an
increasingly important role in the world, particularly in the area of
cyber policy. Within the region, there is much focus on China's role in
cyberspace. In recent years, China has become more assertive in
promoting its vision for cyberspace--government-controlled, with an
absolutist conception of sovereignty over technology and content--that
stands in stark contrast to our own policy priorities. As we push back
against these repressive concepts, we also continue to engage China on
areas of potential cooperation, such as network defense and other
practical measures that could reduce the risk of conflict in
cyberspace. At the same time, the administration has been clear,
consistent, and direct in raising our concerns with the Chinese
regarding issues such as state-sponsored cyber-enabled theft of
intellectual property for commercial gain. We have also been concerned
by recent reports that China has used a new cyber capability to
interfere with the ability of worldwide Internet users to access
content hosted outside of China, including the web developer site
GitHub. Although we regret China's decision to suspend the activities
of the U.S.-China Cyber Working Group, we have continued to engage
Chinese cyber experts on areas of concern. We remain committed to
expanding our cooperation with the Chinese Government on cyber matters
where we have common ground and to candidly and constructively
addressing differences.
The United States maintains strong and ongoing diplomatic relations
on cyber issues with a number of other countries in the region. We work
very closely across the range of cyber policy topics with our friends
in Japan, South Korea, Australia, and New Zealand, with whom we share a
common vision for cyberspace. During Prime Minister Shinzo Abe's visit
to Washington in April 2015, both the United States and Japan
reaffirmed their commitment to working together ``to ensure the safe
and stable use of cyberspace based on the free flow of information and
an open Internet.'' The United States also engages on regional security
issues in the ASEAN Regional Forum, where we are actively promoting the
development of regional cyber confidence-building measures. We are
seeking to expand our bilateral engagement with several ASEAN states,
including Indonesia, Singapore, and Malaysia, and actively promoting
cyber crime capacity-building efforts in the region in partnership with
Japan and Australia.
Finally, the region includes North Korea, which was responsible for
the November 2014 cyber attack on Sony Pictures Entertainment. The
destructiveness of that cyber attack, coupled with its coercive nature,
sets it apart from other malicious cyber activity we have observed in
recent years. This is why the President publicly attributed the cyber
attack to North Korea and vowed that we would ``respond proportionally
. . . in a place and time and manner that we choose.'' In January 2015,
the President signed a new Executive order, increasing our ability to
apply sanctions pressure in response to the provocative, destabilizing,
and repressive actions and policies of the Government of North Korea,
such as the destructive and coercive Sony Pictures cyber attack.
Next, we can turn to Europe, which largely shares our vision for an
open and secure Internet, but which still contains security and policy
challenges. The United States has very close relations with much of
Europe and our cooperation in the region on cyber issues is increasing.
We engage directly with the European institutions on cyber, notably the
European External Action Service (EAS). Working with the EAS, we have
launched a U.S.-EU Cyber Dialogue to address the cyber foreign policy
matters of mutual concern and align our foreign policy posture on key
issues in international fora.
My office leads regular bilateral engagements on cyber policy with
individual countries like the United Kingdom, Germany, and France and
has built regional collaborative engagements with the Nordic and Baltic
countries, including a cyber partnership statement with Estonia. We
have emerging engagements, including increased outreach from our
embassies, with Spain, Portugal, and Italy, among others, as they have
increasingly joined in global cyber policy discussions. Our bilateral
engagements with some countries, primarily Germany, have been
punctuated by continued reactions to unauthorized disclosures and
allegations of NSA electronic surveillance activities. We continue to
work closely with the administration and our colleagues within the
Department to address the concerns we hear from our foreign partners.
While Eastern Europe has traditionally been the source--or
conduit--for significant online criminal activity, there are numerous
efforts underway at our embassies, and through other channels, to help
build constructive engagement with a number of countries. This includes
utilizing resources such as the International Visitor Leadership
Program on one hand, and law enforcement capacity-building and liaison
programs on the other. As a result, we are starting to see some
positive changes in national attitudes, most notably in Ukraine.
Russia is obviously an important cyber actor on the international
stage, where it continues to assert its repressive agenda on a wide
range of cyber issues. We are closely watching and working to counter
their efforts to impose greater state control over the Internet and
undermine security and human rights online. Given Russia's ongoing
violation of Ukraine's sovereignty and territorial integrity, the
United States has suspended our bilateral cyber dialogue with Russia.
Nevertheless, we continue to interact with Russia on multilateral
efforts in the United Nations and the Organization for Security and
Cooperation in Europe (OSCE) to build greater stability and reduce the
risk of conflict among states in cyberspace, through the development of
norms of responsible state behavior and cyber confidence-building
measures. As long as Russia advocates an antidemocratic world view on
cyber policy issues, we must work with our international partners to
counter its destabilizing policies and activities.
The Middle East is a complex place, and we can see cyber issues
becoming an increasingly important feature of the already multifaceted
security and human rights challenges facing the region. There are real
dangers of malicious cyber activity becoming enmeshed within--and
potentially escalating--existing regional rivalries, and we have seen
groups like ISIL harness the Internet as a tool for terrorist purposes.
To guard against these threats, we are committed to working with our
international partners in the region, including Israel and the Gulf
States, to build a shared understanding of the threat, develop
effective strategies and policy, and shore up vulnerabilities,
especially in critical infrastructure. Through all of our efforts, we
will help protect key U.S. interests and promote regional stability. Of
course, promoting cybersecurity cannot come at the expense of the open
Internet, which provides a tremendous set of opportunities for economic
growth in a region that will be key to long-term development and
stability.
South and Central Asia is a region where, despite challenges in
some countries, we see new opportunities for engagement and growth.
India is pursuing an exciting ``Digital India'' agenda and is making
progress on developing its cybersecurity capabilities. Its dynamic
civil society, private industry, and technology sectors are
increasingly playing leadership roles in cyber policy issues, such as
Internet governance. With our shared democratic values, robust economic
relationship, and people-to-people ties, the United States is primed
for close strategic cooperation with India on the full range of cyber
issues, and we are eager to strengthen our engagement. When Prime
Minister Modi visited the United States in September 2014, we agreed to
develop closer cybersecurity cooperation and to reinitiate our whole-
of-government Cyber Consultations, which we look forward to pursuing
this summer. We are also seeing leadership on cyber issues elsewhere in
the region--for instance, Sri Lanka is taking important steps toward
becoming the first state in the region to join the Budapest Convention,
which will enable it to be a strong partner in combating global cyber
crime. Other states are still figuring out how to grapple with
cybersecurity and cyber crime challenges, but they are increasingly
aware of the economic opportunities an open and interoperable Internet
brings and increasingly paying attention.
Closer to home, within the Western Hemisphere we are presented with
numerous opportunities to build stronger partnerships on the range of
cyber issues, working bilaterally, within regional bodies like the
Organization of American States (OAS), with civil society and with the
private sector. The United States has had long-standing relationships
with important actors in this region, including Canada with which we
have a shared perspective on cyber policy. Brazil is another important
actor on cyber policy, and I colead a bilateral whole-of-government
working group with the Brazilians on Internet and ICT policy. As more
people within the region gain reliable access to the Internet, more
governments are recognizing the need to develop a coordinated strategic
approach to cyber policy. With support from the United States and other
partners in the region, the OAS has successfully trained law
enforcement, judicial experts, and policymakers on the importance of
increasing cybersecurity and combating cyber crime. We believe that the
OAS work, along with our long-standing efforts to engage bilaterally in
the hemisphere, have contributed to the fact that nine Latin American
countries are now in various stages of joining the Budapest Convention.
Countries like Jamaica, Colombia, Costa Rica, and Chile are making a
concerted effort to consult across ministries and to include experts
from a variety of local sectors as they develop new legislation, update
digital agendas, and craft cybersecurity strategies. Countries like
Argentina and Uruguay are honing the skills of their workforce and
working to expand their community of cyber experts from urban centers
to rural areas. Taken as a whole, our friends in the region are working
toward a truly cyber-savvy citizenry, and we are supporting that growth
by strengthening existing partnerships and seeking new opportunities
for engagement.
The final region on our tour, but certainly not last in our list of
priorities, is Africa, a region with relatively low but fast-growing
Internet penetration and a strong incentive to build an open, secure,
and interoperable Internet as an engine for economic growth. As the use
of the Internet and mobile phones expands throughout sub-Saharan
Africa, nations are faced with a corresponding increase in the number
of cyber threats. Vulnerable networks erode the development benefits of
ICTs and pose economic and security challenges to individuals, nations,
and the international community. Yet this same technology is
contributing to stronger democratic institutions, boosting broad-based
economic growth through trade and investment, advancing peace and
prosperity, and promoting opportunity and development. This is why
African nations have been a significant focus of my office's Foreign
Assistance programming. We are working with African leaders and
citizens in an enduring, multifaceted partnership on cyber issues--one
that is not about overnight solutions or one-off deals, but instead
focuses on long-term collaborative efforts among all stakeholders. We
are bringing key partners together bilaterally, while working
multilaterally with the African Union Commission (AUC) and key Regional
Economic Communities to help our partners build and shape effective and
sustainable cyber architecture that serves Africa on a regional and
global scale. This includes continuing our tradition of training and
engagement on cybersecurity best practices, building the requisite
legal frameworks for states and individuals to combat the threat of
cyber crime, working to maintain open and unfettered access for all
Africans, and encouraging African voices and perspectives in the very
relevant conversation we are having on how states should work together
to prevent cyber conflict. These were the topics of utmost interest to
African officials I met in June 2014 when I joined colleagues from
across the Southern African Development Community for a 4-day cyber
policy training session--the fourth regional workshop in a series that
we have presented across the continent--and they will continue to be
the focus of our work on the continent in 2015.
Lastly, our cyber world tour would not be complete without
discussing the cyber policy debates that are currently taking place in
multilateral venues. Here the picture is complicated by the fact that
there is a multitude of fora that address the range of cyber issues.
For our work in promoting international security and stability in
cyberspace, we look to the United Nations and within regional security
organizations like the OSCE and the ASEAN Regional Forum. Issues around
cyber crime are dealt with in fora like the Council of Europe and the
United Nations Office of Drugs and Crime (UNODC). However, cyber issues
do not only arise in traditional international fora. Dynamic and
decentralized multistakeholder venues that include representation from
the private sector and civil society as well as states play a key role
in Internet governance, and we work with this range of stakeholders to
promote our vision for the Internet.
It is within multilateral venues that we most frequently encounter
the types of policy threats that I noted earlier. Countries like Russia
and China use these venues to press for greater government control over
the Internet, for example, by advocating that the International
Telecommunication Union take a greater role in Internet governance and
pushing for a United Nations cyber treaty. To date, the United States
has worked very effectively with likeminded countries to stave off the
challenges in these venues. At the same time, there have been a number
of successes in multilateral fora, particularly on security issues, as
discussed below.
cyber policy priorities
This is the world that we face. I am optimistic about our ability
to respond to the threats, build cyber stability and resilience, and
ultimately continue to capitalize on the rich economic and expressive
opportunities that the Internet offers us. But there is much work to be
done. I want to spend some time now talking about what the State
Department is doing to support whole-of-government efforts to engage
the world that we have just toured on cyber policy issues.
1. Security and Cyber Crime
With respect to security issues, our long-term vision is to strive
for a state of ``international cyber stability'': a more peaceful
environment where all states are able to enjoy the benefits of
cyberspace; where there are benefits to state-to-state cooperation and
avoiding conflict; and where there is little incentive for states to
attack one another. We are pursuing efforts along two lines to achieve
this longer term goal.
First, we are working to develop a shared understanding about norms
of responsible state behavior in cyberspace, which will help enhance
stability, ground foreign and defense policies, guide international
partnerships, and help prevent the misunderstandings that can lead to
conflict. In recent years, we have had tangible successes in developing
these norms. The 2013 U.N. Group of Governmental Experts on
Developments in the Field of Information and Telecommunications in the
Context of International Security (GGE)--a group of 15 countries that
included the United States as well as countries like Russia and China--
reached a landmark consensus that international law applies to state
conduct in cyberspace. In the current round of the GGE, we are working
to build on this important consensus with an even broader group and
look more closely at how international law applies to state conduct in
cyberspace.
As part of these efforts, the United States has also been
considering what voluntary measures of self-restraint states should
implement, since cyber tools can be used across the spectrum of
conflict, most notably below the threshold of the use of force.
Accordingly we have sought to identify some voluntary norms of
responsible state behavior during peacetime that would be universally
appropriate and that will keep all of us safer if states adopt them.
They include:
A State should not conduct or knowingly support online
activity that intentionally damages critical infrastructure or
otherwise impairs the use of critical infrastructure to provide
services to the public.
A State should not conduct or knowingly support activity
intended to prevent national CSIRTs from responding to cyber
incidents. A State should also not use CSIRTs to enable online
activity that is intended to do harm.
A State should cooperate, in a manner consistent with its
domestic law and international obligations, with requests for
assistance from other States in investigating cyber crimes,
collecting electronic evidence, and mitigating malicious cyber
activity emanating from its territory. States must take robust
and co-operative action to investigate criminal activity by
non-State actors.
A State should not conduct or knowingly support cyber-
enabled theft of intellectual property, including trade secrets
or other confidential business information, with the intent of
providing competitive advantages to its companies or commercial
sectors.
These voluntary measures are beginning to gain traction
internationally. During the current round of the GGE, we proposed the
inclusion of several of these norms in the group's draft report and
many states have spoken positively about their inclusion. In addition,
on the occasion of Prime Minister Abe's recent visit to Washington,
Japan and the United States released a leaders-level statement that
affirmed that states should uphold additional, voluntary norms of state
behavior in cyberspace during peacetime, noting that wide affirmation
among states would contribute to international stability in cyberspace.
Australia's Foreign Minister also affirmed some of these concepts in
recent remarks.
Second, in addition to promoting norms, our international security
work has also focused on the establishment of practical cyber risk-
reduction and confidence-building measures (CBMs), which are intended
to reduce the risk of escalation due to misunderstanding or
miscalculation regarding a cyber incident of national security concern
emanating from U.S. or another country's territory. The first ever
bilateral cyber CBMs were announced by President Obama and President
Putin in June 2013. And in December 2013, at the ministerial of the
OSCE, we achieved an agreement among the 57 participating states for
the first ever cyber CBMs for a multinational security organization. We
are now working to implement the current CBMs, and we are also pursuing
the development of cyber CBMs in other regional organizations, such as
the ASEAN Regional Forum.
Alongside these efforts, and with a shorter term focus, we are
working to strengthen the ability of the U.S. Government as well as our
foreign partners to respond to cyber events as they occur. We strongly
favor increased direct international cooperation among Computer
Security Incident Response Teams (CSIRTs) and law enforcement entities
to respond to and investigate cyber incidents, and we use our
diplomatic engagements to support the building of those ties. Among our
foreign partners, we encourage the development of whole-of-government
national strategies as well as cooperation with the private sector on
cybersecurity matters.
When incidents occur, we stand ready to support the whole-of-
government response. State, as the lead foreign policy agency, plays a
key role in interagency deliberations on major cyber events, and it
engages diplomatic channels where needed. For example, during the 2012-
2013 distributed denial of service attacks against financial
institutions, State used diplomatic channels as a supplement to
incident response efforts through more technical channels, ensuring
that policymakers in foreign governments were aware of U.S. requests
for assistance. More recently, in response to the cyber attack on Sony
Pictures Entertainment, we were pleased to see a number of foreign
partners come to our support in condemning North Korea's actions. We
have also used diplomatic channels to raise concerns regarding the
cyber-enabled theft of trade secrets for commercial gain.
Beyond these efforts, State has supported the administration's
ongoing efforts to fully develop its toolkit for deterring and
responding to cyber threats. For example, we participated in the
development and release of the recently announced Executive Order
13694, which allows for the targeted imposition of financial sanctions
against persons engaging in certain significant malicious cyber-enabled
activities that are reasonably likely to result in, or have materially
contributed to, a significant threat to the national security, foreign
policy, or economic health or financial stability of the United States.
State also works closely with Department of Justice colleagues to
strengthen international cooperation to combat transnational cyber
crime and other forms of high-tech crime. The continued expansion of
the Budapest Cybercrime Convention--which has 45 parties representing
the Americas, Europe, Asia, the Pacific, and Africa, and more than a
dozen additional countries in the final stages of joining--demonstrates
the growing realization by governments around the world that cyber
crime must be tackled head on, using a consistent and proven legal
framework, in order to eliminate criminal safe-havens. Another key tool
in our arsenal to counter high-tech crime is the G7 24/7 Network which
allows the national police in 70 countries to request rapid assistance
in significant investigations involving digital evidence. The State
Department is committed to working with like-minded partners around the
globe to build both the will and capacity to effectively counter cyber
crime, and we will continue to devote significant resources to that
goal.
2. Internet Governance and Internet Freedom
We have also seen some recent successes in the areas of Internet
governance and promoting human rights online, and we continue to take
those efforts forward. In 2014, our work to maintain the current
multistakeholder system was bolstered by the U.S. Government
announcement of the intent to transfer key Internet domain name
functions to the global multistakeholder community; the strong,
multistakeholder, consensus-based outcome of the NETmundial conference
in Brazil; and the successful completion of the ITU Plenipotentiary
Conference in Busan, South Korea, where, with the leadership of my
colleague, Ambassador Daniel Sepulveda, we achieved a consensus that
avoided expanding or establishing any new mandates for the ITU related
to Internet governance or cybersecurity.
This year, we are looking forward to the 10th annual Internet
Governance Forum, which will take place in Brazil. The IGF continues to
provide a venue for global, multistakeholder dialogue on Internet
policy issues that alleviates the need for a more centralized,
intergovernmental approach to decisions about how the Internet works
and the policies surrounding it. A decision about whether to extend the
IGF's mandate will be taken later this year by the U.N. General
Assembly as part of their 10-Year Review of the World Summit on the
Information Society--the so called WSIS+10 review. The focus of this
year's review will be on the growth of the Information Society,
essentially ICTs for development, over the last 10 years. We believe
there has been tremendous progress, as shown by the exceptional growth
of the Internet around the world. Nonetheless, going forward, we will
focus our attention and collective efforts on practical measures to
close the remaining gaps in access and capacity.
The United States can also count successes in our efforts to
promote Internet freedom and human rights online, thanks in large part
to the efforts of State's Bureau of Democracy, Human Rights, and Labor
(DRL). At the core of our policy approach is the maxim that the same
human rights that people have offline also apply online--a view that
was adopted by the U.N. Human Rights Council in a 2012 resolution and
reaffirmed again in 2014--and this position is mainstreamed across all
of State's work, including our efforts to promote cybersecurity and
fight cyber crime. Together with my colleague Tom Malinowski, Assistant
Secretary of State for DRL, I have just returned from this year's
meeting in Ulaanbaatar, Mongolia, of the Freedom Online Coalition, a
group of now 26 governments committed to taking concrete action in
support of Internet freedom. Programmatically, DRL works with USAID,
our Near East Asia bureau and others, to support advocates who promote
freedom online, as well as the development of technologies that assist
in those efforts.
3. Bilateral Engagements
State's cyber diplomacy also focuses specifically on our bilateral
relationships with a number of key countries. Bilateral engagements, or
engagements with smaller groupings of countries, provide a valuable
opportunity to share views with partners, identify areas of agreement,
address differences of opinion, and develop areas for cooperation.
State has pioneered a whole-of-government model for conducting
bilateral engagements on cyber policy issues, which brings together
cyber policy experts from across our government (for example, from DOD,
Justice, DHS, and Commerce) to engage simultaneously with foreign
government counterparts. We find that this approach helps avoid
uncoordinated discussions between individual agencies on certain topics
and at times has the added benefit of encouraging interagency
cooperation among our partners.
We are currently conducting formal whole-of-government cyber
dialogues with Germany, the Republic of Korea, Japan, the European
Union, and the eight Nordic-Baltic States, and we are in the process of
reinvigorating dialogues with Brazil and India. As mentioned earlier,
we also have official dialogues with China and Russia, both of which
are presently suspended. We also regularly engage with Australia,
Canada, New Zealand, and the United Kingdom in both formal and informal
settings, consistent with our close relationship across the spectrum of
security issues. In addition, the State Department conducts less formal
cyber bilateral engagements with a number of countries and multilateral
organizations. Finally, it should be noted that there are a number of
other State policy dialogues that complement our efforts, such as the
ICT policy dialogues that Ambassador Sepulveda's office in the Bureau
of Economic and Business Affairs leads with key economic partners as
well as the human rights dialogues led by DRL.
4. Capacity Building
The State Department and USAID are actively working to build the
capacity of foreign governments across a range of interconnected cyber
policy issues--with a principal focus on expanding Internet access
through innovation, improving domestic cybersecurity through the
development of CSIRTs and national strategies, improving the ability to
fight cyber crime and other forms of high-tech crime, and ensuring the
ability to cooperate with global partners to address shared threats.
Recently, the United States became a founding member of the Global
Forum for Cyber Expertise, which was launched on April 16, 2015, during
the Dutch-hosted Global Conference on Cyberspace in The Hague,
reaffirming our commitment to cyber capacity-building.
In particular, recognizing that our ability to fight transnational
cyber crime and respond to foreign cyber threats is greatly impacted by
the strength of our international partners, State, including our Bureau
for International Narcotics and Law Enforcement Affairs, is working
with colleagues at the Departments of Justice and Homeland Security to
build the capacity of foreign governments to secure their own networks
as well as investigate and prosecute cyber criminals within their
borders. Working with multilateral organizations like the AUC, the
UNODC (via its Global Cybercrime Capacity Building Program), the
Council of Europe, the European Union, the G7, and the OAS, we promote
cyber crime policies in line with the Budapest Convention and share
cybersecurity best practices, such as writing national cyber
strategies, forming cybersecurity incident response teams, and
promoting public awareness campaigns on good cybersecurity practice.
Most recently, at the end of fiscal year 2014, my office obligated over
$1 million of our limited foreign assistance funds to Carnegie Mellon
University's Software Engineering Institute, a federally funded
research and development center, to begin a project in sub-Saharan
Africa on cybersecurity incident response and incident management
capabilities and coordination. We are hopeful that this and related
efforts can expand and serve as a model for future capacity-building
assistance programs.
We believe that cyber crime and cybersecurity capacity-building
overall must be a priority for the U.S. Government going forward. If
they are not adequately addressed by the United States and key
partners, then we run the risk that as the Internet continues to expand
in the developing world, it will do so without necessary cybersecurity
safeguards, creating global risks and undermining the conditions
necessary to realize the economic and social benefits offered by
expanded broadband access.
5. Mainstreaming Cyber Policy at State
Last, we are working to mainstream cyber policy issues across State
and USAID, so that we can more effectively leverage both personnel and
budget resources as tools for implementing our cyber policies. Nearly
every bureau within the Department--whether regional or functional--now
plays some role in cyber policymaking. To prioritize our engagements
and resources, we have worked with our regional bureaus to develop
cyber-specific regional strategies focusing on key partners in each
part of the world. To better leverage our embassies in implementing
these regional strategies, we have brought 163 State Foreign Service
officers and USAID employees from 121 missions together with U.S.
Government experts through an innovative new training program created
by my office to train diplomatic officers and support them in their own
local cyber engagements. To identify resources and needs, we worked to
incorporate cyber priorities into Department budget planning efforts.
While this line of work does not involve actual engagement with foreign
partners, it is an important part of building our government's
capabilities to advance cyber policy issues going forward.
conclusion
Thank you for the opportunity to provide State's perspective on
global cyber issues and on our international cyber priorities. We look
forward to working with the subcommittee toward protecting our security
here at home and ensuring that all of us can continue to benefit from
an open, interoperable, secure, and reliable global Internet.
Senator Gardner. And thank you for your comments.
And I think we have plenty of time to go back and forth in
the question period. So, I will go ahead and start with my
questions, Mr. Painter. And I thank you, again.
So, I just want to walk through a hypothetical scenario for
what your actions would be, and the U.S. diplomatic response to
a hypothetical--again, hypothetical--cyber attack. Let us say
your office receives notification that our Nation's sensitive
cyber networks have been penetrated, and you determine that the
attack originated from the great political-science-founded
nation of Ruritania. We also know that this nation has been
hostile to U.S. interests in the past, and its leadership has
prioritized advancing its cyber capabilities to counter U.S.
interests. Basically, walk us through. I mean, what are your
steps? How does the escalation work, if there is any, across
State Department? How do you work with other U.S. Government
agencies? And then, what would be your diplomatic response put
in place?
Mr. Painter. Thank you, Senator.
Let me first start in the larger frame. We are a key part
of the interagency process to respond to cyber attacks and
cyber intrusions. We work with our interagency to support both
the whole-of-government responses, what the law enforcement and
technical community would do, and also what the White House and
other parts of our government would do, including our
Department of Defense. And we build those bridges over time. I
would say that one thing I have seen that is a marked
difference over the last 5 or 6 years is the amount of
coordination among Federal agencies is far better than it has
ever been before.
On this particular hypothetical, there would be a couple of
things that we would do. First, we would be part of something
called the Cyber Response Group, which is a group led by the
White House, but it has all the key agencies in it. And we
would be discussing this, likely, what the actual facts were,
with the technical agencies and the other agencies, to find out
what the ground truth is and also to determine how the State
Department could contribute its core expertise, which is its
diplomatic expertise or also, sometimes, its expertise with
partnerships around the world.
Now, stepping back, this really--you know, we have done a
lot of prep work before you even get to this point. One thing
we would do, and one thing we have done over the last 4 years,
is build partnerships with a number of countries around the
world. So, it used to be, when my office was started, we were
the first office in the Foreign Ministry that did this. Now
there are over 20 offices around the world, so I have policy
counterparts that I can very quickly get in touch with if we
have a cyber incident like this.
But, we supplement that with our other work with our other
agencies. And we are also part of what is called the National
Cyber Incident Response Plan that is led by DHS but also looks
at these issues.
So, if this came up, we would--there are a number of things
we could do. We would participate in these interagency
discussions. We would look at all the tools that we had as an
interagency--law enforcement tools, technical tools, tools like
sanctions, for instance. We would have a range of tools, and we
are trying to develop new ones. And then we would see how our
diplomatic tools could play into that.
So, to give you a couple of quick examples, based on the
real world, that I think are helpful, when we had--and I
mentioned this in my testimony--we had the denial-of-service
attack back in 2012-2013. These were botnets. These were
compromised computers all over the world. And so, they were in
countries all over the world, and they can shift from day to
day. Our technical people were reaching out to all those
countries, trying to mitigate that threat. What we did, as the
State Department, is, we reached out to--using demarches,
diplomatic demarches--to governments, over 20, around the
world, which raised the level of concern. It was not just the
normal technical request that the Federal Government often
makes. We said, ``This is really important to us, and we are
trying to build this collection--this collective action against
shared threats.'' And we got a lot of assistance from
governments, because they understood it was not just a
technical issue, it was more of a policy issue, and it was
elevated in their governments.
Another good example is during the North Korea Sony attack
that was mentioned by Senator Cardin. Again, there was a number
of responses to that, and we participated in looking at those
responses. But, part of what we did is, when it was clear what
the attribution was, and that the President was going to make
this attribution, I reached out to counterparts in a number of
countries around the world. And a number of those countries
condemned the action. And that also shows that that kind of
activity is unacceptable--it is a norm that is unacceptable.
So, there are a number of things we can do, both using our
direct outreach with counterparts and sometimes we will have
relationships with governments that other agencies do not have.
Many countries now have CERTs, or C-CERTs. Some countries do
not, so maybe we can draw those connections. But, we do it as
part of a team.
Senator Gardner. Thank you. And you talk about the
demarches and you talk about some of the other actions taken
against some of the actors responsible for a cyber attack--
suspected cyber, I guess, threat or vandalism, however it is
classified. When we are talking about our Foreign Service
officers, we are talking about our Ambassadors and work that we
are doing around the globe. If you look at the U.S. Army, for
instance, they realized that they had certain threats that they
needed to recognize at a higher responsibility. The
veterinarian--the Veterinary Corps--Veterinarian Corps of the
U.S. Army went from being a colonel that they elevated to the
rank of general because they believed it was something they
needed to pay more attention to as the threat of anthrax and other
attacks were exposed here in the United States. Do we need to
raise the level of concern, raise the level of responsibility,
raise the level of priority through our Foreign Service
officers in a similar manner?
Mr. Painter. So, I actually think we have anticipated that.
One of the things when my office was founded--and I think it
showed a lot of vision, in saying this really is a priority
issue. And having an office like this in the Secretary's
office, reporting to the Secretary, indicated that. But, what
we then set about doing is making sure that we had cyber-
trained officers in all of our relevant posts around the world.
We also worked with each--and this is part of the mainstreaming
of this issue at the State Department. So, this is a new issue.
It is a technical issue, as both of you know. Many people view
it as a technical issue. I view it as much more than a technical
issue, and people now understand that.
But, one of the key things we have done is say, How can we
mainstream this issue so it is not just important to us, but
important across the State Department and, indeed, across the
Government? So, we have done that by having each of our
regional bureaus do specific regional cyber strategies across
all these buckets I talked about earlier, including the
security buckets. We have then taken those regional strategies
and we have done training for these post officers in the field,
where--we have just completed the last one of these--where we
brought, regionally, all the officers in, we had private-sector
people, we had other interagency people from DHS and DOJ and
DOD come in, and we really tried to bring them up to speed. So,
we are, indeed, trying to raise this and create this cadre, as
you mentioned--cadre of cyber-trained officers who can be the
pointy end of the spear so they can go and actually do the
diplomatic efforts in the field and work with my office.
Senator Gardner. We have developed, 4 years ago, the
International Strategy for Cyberspace. It is now 4 years old.
And I guess some people are starting to talk about doing some
kind of a review, update. Do you believe that that is
necessary? And is that something that you can commit to the
committee that we would be able to pursue?
Mr. Painter. So, I actually--if you look at the
international strategy--and I was deeply involved in it, as you
know--that was really a high-level vision document. It really
laid out what the U.S.'s goals were in this area on a very high
level. We have been spending the last number of years--not just
my office, but across the government--implementing that
strategy. Indeed, my written testimony, I think, goes into
quite a bit of detail about how we have been doing that over
time.
Even looking at that, I would say I do not think that
strategy needs to be rewritten or updated. I think we have a
strategy. We do not want to spend our time rewriting
strategies. We want to make sure we are actually executing on
those strategies. And, just looking at the various buckets in
that strategy, if you look at everything in that last chapter
about our goals, we have been making some significant progress:
protecting our networks--for instance, the State Department has
been working on making sure the international law is applicable
in cyberspace; working on confidence-building measures; working
on norms. In law enforcement, we have 14 additional countries
that have now joined the Budapest Convention. And that is
significant. In Internet governance, we had a very successful
meeting in Brazil, the NETmundial meeting, which reaffirmed the
idea of multistakeholder governance, and we fended off attempts
to really impose U.N. control in that area. In international
development, we have done--my office has done quite a bit of
capacity-building work in Africa and other regions to try to
bring countries up to speed, because the weakest link hurts us
as well as them. And then, in Internet freedom, we have
launched the Coalition for Freedom Online, which recently had a
meeting, which has 26 governments now. We have made significant
progress in funding some of those efforts.
So, across the board, if you look at those categories,
there has been a lot of work by us, but also a lot of work by
interagency partners. I would certainly be happy to spend more
time and come back and talk to you about what specific areas of
progress we made, but I do not think we need to write a new
strategy at this point.
Senator Gardner. Thank you.
Senator Cardin.
Senator Cardin. Well, I am not going to get theoretical.
And I know this is very, very tough. I am not trying to
simplify these problems. They are hard to define, and it is
hard to find consistent applications.
But, there is no question that our allies, and the United
States, have been attacked by other countries through cyber,
and that their efforts have been to compromise our economy and
our infrastructure. So, my first question is--and, of course,
the United States has the greatest capacity to deal with cyber
attacks, of any country in the world. I believe the work that
we do is second to none, and our technology is second to none.
So, would it be appropriate if a NATO ally, who has been
attacked, would call upon article 4 for consultation, or
article 5 for help--would that be appropriate, since we are
talking about a cyber attack against a NATO ally?
Mr. Painter. Well, I should say a couple of things about
that.
First, I think it is significant that NATO, not too long
ago, during the Lisbon summit, determined that cyber was part
of its core mission. And that is really important. I think that
it shows an understanding of the threat. They also determined--
and this makes a lot of sense--that NATO needs to spend time
making sure its own networks are secure. And they have spent a
lot of time doing that recently. But, significantly, in the
last summit that just occurred in Wales, there were two things
in the communique that I think go to your point. One talked
about the applicability of international law in cyberspace. And
so, it was not just this group that was in the group of
government experts in the U.N., but also all the NATO members
affirming that. And they also said that article 5 could apply
in a cyber environment, but it would apply on a case-by-case
basis. You know, how it would apply, when it would apply, we
would look at it case by case.
And certainly article 4, when you are doing consultations,
you know, that, I think, will and has happened. We had the
Estonia attacks, back in 2007, for instance, which is, I think,
in many ways, a wake-up call for people, because people had not
thought about that before. And Estonia is one of the
connected--most connected countries in the world, and one of
our close partners, as well.
So, I think NATO clearly has a role, and it is a developing
role, in how we respond to this, but we also want to make sure
that that is integrated with a lot of our civilian efforts,
especially with our European and other allies who are building
better cybersecurity strategies and capabilities.
Senator Cardin. So, how far are we away, timewise, from
having a policy in NATO that we will feel comfortable with in
regards to how cyber fits into the traditional defense posture
of NATO?
I ask that because technology is changing every day, so, by
the time we get an agreement, we will be up to the next level
of technology, and we will have to start all over again.
Mr. Painter. Well, and one of the things I have found in my
career is that, yes, technology moves very, very quickly. But,
there are also some core concepts. For instance, when I was at
the Justice Department and we were updating cyber crime laws,
you try to write those laws so they are technology-neutral. You
have seen new developments of technology, but the core concepts
of how you apply it would be the same.
For NATO, the same, I think, applies. Cyber is a new area
for NATO. Cyber had--they spent a lot of time making sure they
had the right policies to secure their systems. They have.
People in NATO, who are very dedicated to this and very good,
who I have met with on a number of occasions, and--you know,
and they have done a lot of thinking about, for instance, how
these things will apply.
The fact that article 5 would apply on a case-by-case basis
is not really surprising, because article 5 has only really
been invoked once, as you know. And so, how you apply it and
when you apply it, you know, that has to be a factual basis.
I would also say that that goes really beyond NATO. And one
of the things that we see is--even in an existing defense
agreements, for instance--cyber is a new attack. It does not
specify, in those defense agreements, whether or not----
Senator Cardin. So, I want----
Mr. Painter [continuing]. It is some sort of----
Senator Cardin [continuing]. I want to stop you for a
moment, because, in your testimony, you come up with a good
recommendation that there be voluntary norms of responsible----
Mr. Painter. Right.
Senator Cardin [continuing]. State behavior during
peacetime that would be universally----
Mr. Painter. Yes.
Senator Cardin [continuing]. Appropriate, and that will
keep us all safer if the states adopt it. And then you go on to
say that the states should not conduct or knowingly support
online activity that intentionally damages critical
infrastructure, et cetera.
All right. Now, let us try and see whether that works.
Mr. Painter. Right.
Senator Cardin. Because there have been efforts to prevent
countries from violating international agreements. There have
been reports that there has been Internet use to do that. The
United States may say, ``Well, that does not fit under that
definition.'' Then we talk to a country like Russia or China,
and say, ``Wait, why does it not fit into that definition?''
How do you get an agreement as to when it is appropriate and
when it is not appropriate to use the Internet to defend your
country?
Mr. Painter. So, this is obviously a long-term effort. We
are still in the beginning of a lot of these discussions. But,
with respect to the peacetime norms that you mentioned, norms
like----
Senator Cardin. We are at peace with Russia, we are at
peace with China.
Mr. Painter. Right. So, these are norms that the United
States is promoting. And, quite frankly, they are norms that
have already received some endorsement in the international
community. These are things that we have proposed in this GGE
session in New York. The Australians recently--the
Australian Foreign Minister talked about some of these norms
for--using her own language. We have had the Estonians and
others beginning to adopt them.
The way norms get adopted over time is, it takes time to
build a consensus of more and more like-minded----
Senator Cardin. So, you are not----
Mr. Painter [continuing]. Countries----
Senator Cardin. Can you answer my question about whether
the United States is prepared to enter into a definitive
standard that could jeopardize our security needs in using the
Internet to defend America?
Mr. Painter. No, not at all. I mean, I think these norms
were very carefully and importantly drafted----
Senator Cardin. And how do you justify a Russian
interpretation or a Chinese interpretation that, under national
security, they are doing things that clearly violate our
understanding of international law?
Mr. Painter. Well, and that is exactly it. I mean, that is
why we are trying to build this consensus about what these
international norms are. Below the threshold of armed conflict,
which is a very high threshold where international law applies,
and we are trying to determine exactly how it applies in this
space. These are norms that are, I think, more applicable,
because this is the kind of thing we see every day. They are
not universally accepted yet. These are new norms that we are
putting out there and we are trying to get a consensus of
countries around. This is very similar to other areas. And one
of the examples I have used in the past is the Proliferation
Security Initiative, as a model.
Senator Cardin. I was going to give that example----
Mr. Painter. Well----
Senator Cardin. Is it all right for us--I mean, will----
Mr. Painter. Well, so----
Senator Cardin. There will be disagreements as to whether
we can use the Internet and cyber to enforce proliferation
commitments.
Mr. Painter. Well, this is exactly--you know, this is the
kind of process you undertake so that you build a greater
consensus around these norms, which--you know, these norms are
not written just to protect the United States. These norms are
written because they are universally applicable. They are
attractive to all countries, including countries we may
disagree with on a lot of substantive areas. Not attacking
critical infrastructures
that provide services to the public when you are at peacetime
is one that is pretty--it should be pretty acceptable to many
countries.
The second part of the question, I think, is then: How do
you enforce them, assuming you get that agreement? And I think
that is where I use as an example the Proliferation Security
Initiative, where you have a group of like-minded countries,
and if people are outside that group, you can use a number of
ways to try to enforce those actions. And that is pretty far
down the road, I admit. I would say our efforts--there is a
number of parts of our effort. Part of it is the technical and
the other ways that we are trying to meet these threats now.
Part of it is to shape the international environment, which is
what the norms are. And part of it is confidence-building
measures, which are more short term, to build more transparency
and understanding, and even things like hotlines so we can try
to head some of these off.
But, none of these, on their own, is a complete solution.
They have to be put together.
Senator Cardin. Thank you.
Senator Gardner. I think, if you do not mind, we will just
go back, another round, if you do not mind, just----
Mr. Painter. Sure, go ahead.
Senator Gardner [continuing]. Just to follow up on the
question of these norms that we are talking about, because I
think it is difficult to say that we have certain redlines. I
do not think you can say--are there any redlines that we have
in cyber? That is what the norms are trying to get to. But, is
there any--can we, right now, say that there is a redline in
cyber that somebody could cross and we would have a response?
Mr. Painter. Well, I mean, I think, just like in the
physical realm, there are things that are--you do not create
strict redlines for deterrence, for instance, because you do
not want to say people--you do not want people creeping up to
that redline and then not acting.
I think, just like in the physical world, there is
interpretation that you would do. On some of these issues,
though, these are things that we would say should be condemned.
So, if you are at peacetime, and you attack the critical
infrastructure of another country that is being used to provide
services to the public, we would say that that is something
that should not be allowed, that the international community
could work against--should sanction that and work against that.
We would say that the theft of intellectual property to benefit
your commercial sector is something that we do not do, it
should not be allowed. We would say that, you know, if you
attack the CCERT of another country, the Computer Emergency
Response Team, that is inherently destabilizing. That should
not be allowed. So, we are trying to create that framework.
When you get to the higher level of international law that
applies to conflict, of course there are different rules there.
There is the U.N. Charter, there is the Law of Armed Conflict.
There has been a lot of work, and it is continuing. And how
that actually applies, our Department, in concert with our DOD
and other Departments throughout the government, have been
putting some thoughts forward on how it would apply, but that
is still an ongoing process.
Senator Gardner. And how much of these conversations are
drawn to something around what is a use of force when it comes
to a cyber threat or attack?
Mr. Painter. That certainly is one of the things that is
being discussed. But, you know, even in the physical world, you
do not necessarily define exactly what a use of force is. I
mean, sometimes it will depend on the factual elements. And
some of the things that we put forth in our submission, which I
am happy to share with you, talk about some of the factors you
may look at.
Senator Gardner. And then North Korea, I think, was taken
off of the State Sponsor of Terror List in around 2008. What in
the cyber world would elevate to the point that it is
reconsidered for being put back on that list? Cyber vandalism,
I think, was
described--the President described the Sony attack. What would
rise to the level of a relisting of a nation like North Korea?
Mr. Painter. Well, I think it is important to note that the
administration took some pretty strong action in the North
Korea case. First of all, really, in an unprecedented way, the
President came out and condemned the attack and named North
Korea as the actor. And a number of other countries also
condemned that attack. And that was very significant.
Secondly, the President issued a sanctions order--a North
Korea-specific sanctions order--that dealt with North Korea
more broadly, not just for the cyber activity, but also for a
range of destabilizing activity they have been involved in.
With respect to the terrorism listing, that is a very--you
know, that is a specified issue, and there are certain criteria
that are used as that is being considered. As I understand it,
as a matter of law, to be designated, the Secretary of State
has to determine that the government of that country has
repeatedly provided support for acts of international
terrorism, and they are made after very careful review, and
there is a process for that. And, of course, we regularly
review available intelligence on North Korea to determine
whether the facts indicate that it should be designated as a
state sponsor of terrorism.
So, that said, I think we have to look at the larger
context, not just in the cyber world, but more generally.
Senator Gardner. But, I mean, obviously, cyber is going to
be more and more a part of those kinds of conversations.
Mr. Painter. I think it will be. I shy away from using the
term, frankly, ``cyber terrorism,'' because I do not know what
that term means, often. There is terrorist use of the Internet
to plan----
Senator Gardner. Should we develop a meaning for it,
though? Should we know what it is?
Mr. Painter. No. I mean, I think we just use specificity
when we are talking about these issues. I use ``cyber attacks''
or ``cyber intrusions.'' That is one. And they could be
terrorist sponsored. We have not really seen a lot of cyber
attacks by terrorists. We really have not seen that. We
certainly have seen terrorists use the Internet to plan, to
promote, to raise money, all of those things. That is more
terrorist use of the Internet. I think we just need to be
careful in how we are using the terms, because people--you
know, there are other states--Russia and China sometimes will
use cyber terrorism to mean far different things than we mean,
meaning, you know, groups that disagree with the government.
And that is not what a cyber terrorist is.
Senator Gardner. On April 1, 2015, the President did issue
his Executive order establishing punitive tools to deal with
cyber crime. It is good for a start. We have significant
threats, though, from other actors out there, a precedent for--
and we have well-known threats--setting precedent for imposing
previous financial penalties against bad actors, like
designations of the PLA hackers, lots of opportunities for us
to impose such actions. Why did the President's Executive order
not couple actual designation of entities? And has the State
Department and the Treasury Department--do you have a belief
that there are people who meet the criteria for imposing such
penalties?
Mr. Painter. So, the point of the Executive order--and
again, having been at this for a long time in different
capacities--was to make sure we had a new tool, to make sure we
had a new arrow in our quiver to deal with these various
threats out there. Certainly, we have criminal law that is out
there now. We have other capabilities. We have diplomatic
tools. But, we recognized, especially when those tools were
inadequate and we had a very significant threat, we needed to
have and develop this new tool. And it is important that it
actually deals with a range of different actions, significant
actions--and the threshold is pretty high--cyber activity,
including destructive attacks, including intrusions, including
theft of intellectual property, and the receipt of stolen
intellectual property.
So, it was important to get that framework in place before
we start thinking about what the designations are. Now, I would
say that that order is not limited--I mean, it is targeted, so
it is individuals or entities, but it is not limited to, you
know, criminal groups or nation-states. It could be any group
or individual within that category. And we are looking very
carefully at what designations we will make under that order
now that we have that tool in place. That is something that the
State Department is involved in, Treasury is involved in,
Justice is involved in; and, frankly, other agencies are, too.
Senator Gardner. Okay. And can you share with the committee
right now any considerations that you are making for either
entities or individual designations?
Mr. Painter. I really cannot right now. This is an ongoing
process. It is something we take very seriously. We obviously
developed this tool because it is a tool we thought was
necessary, and we are looking at how to apply it.
But, I would say, again, that it is one of the tools we
have. We have other tools, too. And we have used some of those
other tools, like the law enforcement tool that you mentioned.
And we certainly used the diplomatic tool, for instance, when
we called out North Korea and we have called out China for
theft of intellectual property.
Senator Gardner. Senator Cardin.
Senator Cardin. Let me make a suggestion to you. On page 11
of your written report and during your presentation, near the
end, you mentioned the work that we are doing in regards to
promoting Internet freedom and human rights online. And I
appreciate that. You also mentioned the fact that you and Tom
Malinowski just returned from a Freedom Online Coalition
meeting in Mongolia. And I very much appreciate that issue.
But, on page 8, where you list international norms that we
are striving for, you do not mention the human rights, freedom-
of-information dimension. If the United States does not mention
it, it will not get mentioned. We are the leader on this. And,
recognizing what is happening in China today on this ``Great
Cannon,'' which really has me greatly concerned, where they are
trying to conduct censorship through the use of cyber, it seems
to me that the United States must be the leader on promoting
Internet freedom and access to information. And I just would
hope you would make that a more visible part of your
presentation.
Mr. Painter. Let me just say that that is a core part of
our policy. Not only is it a core part of our policy, it is
reflected in the international strategy. It is a very important
part of the international strategy. As we look at all of these
different security issues, we make sure we are looking at that,
too. We should never use security as a proxy for controlling
speech. And we are being very careful about that. And that is
one of the reasons that my office and the office that Tom
Malinowski heads really work hand in glove on these issues.
I should say, the norms you mentioned back in that
particular paragraph, those were norms that were political
military norms for cyber stability. We are champions of
Internet freedom, particularly on very important norms that
dealt with--there was a Human Rights Commission--or committee
resolution a couple of years ago that said that, at core, you
have the same rights online as you do offline. That is
something that we have advanced, that is something we have
worked with our colleagues around the world for. Internet
freedom really is--and I assure you--a core part of our policy
that is reflected in, really, everything we do. So, this is not
something that is a sideline for us.
Senator Cardin. I am going to take issue with you. You
mentioned, on page 9, the work of the OSCE. And I appreciate
that. The OSCE's principles are that human rights and economic
security is all part of the security of a country, and very
much part of a defense posture. I would argue that Internet
freedom and human rights issues are very much a matter for the
military to be concerned about, because it does lead to
violence, and it does lead to the use of our military. So, I
would hope that it would be showcased in all of our portfolios
on cybersecurity.
Mr. Painter. And, Senator, I assure you it is. In the OSCE,
as you know, there is a portion that deals with some of the
political military issues. The Law of Armed Conflict and
international humanitarian law deals with a lot of these issues
when you get to conflict. And that is why it is important to
say there are rules in cyberspace. It is not a lawless area.
And this is something that really, in a very strong way, we
have promoted everywhere.
One of the things we have done is, we have worked with our
colleagues at DRL to make sure that more countries are joining
this Freedom Online Coalition. When I go out and talk to other
countries, when I have my bilaterals with other countries, I
conduct these all-of-government bilaterals. One of the people
at the table with me is from our human rights shop. One of the
things that we advance is, ``Please join this coalition, look
at these different issues together. Do not think about security
in a silo, so you are just doing security. Think about the
issues that relate to freedom online and the free flow of
information.'' That is really core to what we do.
Senator Cardin. All I am suggesting is, make it more
visible, because, if you do not do it, no other country will.
This is----
Mr. Painter. We are----
Senator Cardin [continuing]. The United States----
Mr. Painter. We are the champions and the leaders on this,
and we will continue to be, yes.
Senator Cardin. I appreciate that.
Now, let me ask you about your working with the private
sector. My own experiences in trying to figure out how we can
deal with legislation here--you know, on the Hill--it is very
difficult, with the private sector. They are not that anxious
to harmonize with government on how their information is
protected. They are not interested in reporting to us
violations that have occurred to them, because they are either
somewhat embarrassed or worried that it could be used against
them from a commercial point of view. So, do you have any
suggestions on how we are going to be able to develop the type
of working relationship with the private sector, which is
critically important, to advance our common goals?
Mr. Painter. Yes. So, I have had a long history with the
private sector. First of all, the private sector, as you know,
is not monolithic, it is not ``the private sector.'' It is lots
of different entities, just like government's not monolithic.
And one of the core things that we did when I was at the White
House, when I was at Justice, and certainly at State, is that
we worked very closely with the private sector. We recognized
that we do not see every opportunity or, frankly, every risk
that is out there when we do these diplomatic outreach efforts,
when we try to build these groups. So, in a number of different
ways, we have consulted with the private sector, even with
respect to the international strategy. This is something I
briefed to them before we finalized it. And we include them in
a lot of our different policies.
We also included them, as I mentioned, when we did the
training for all the officers around the world. We had private-
sector people there and panels who talked to them about this
part of the equation. And when we have done a lot of the
training for other countries, especially in Africa, we have had
a private-sector component. So, the private sector has been--
and civil society, as well--have been a key component to this.
I do think that there has been a lot of efforts--and I know
there is a lot of legislation on the Hill now, including
legislation that the administration has been pushing, in terms
of more sharing of vulnerability information between the
private sector and the government--I think that is heading in
the right direction. I think we want to make sure that we can
get that and we can share it. Private-sector information-
sharing has been an issue for as long as I have been doing
this, and I think I have seen a real uptick on that. I have
seen some good collaborative efforts. For instance, the
Department of Homeland Security has their floor, their response
floor, and the private sector participates in that. When we did
the National Cyber Incident Response Plan, the private sector
helped build that from the beginning.
So, I think there are real important partners in all of
this. And, yes, there are different voices in the private
sector, but I think we are moving in the right direction now to
get the kind of information-sharing we need.
I do think that is critical. I think, without information-
sharing, it is going to be very difficult for government to do
its job, not just in the United States, but around the world.
Senator Cardin. Thank you.
Thank you, Mr. Chairman.
Senator Gardner. Thank you, Mr. Painter. And I have got
just a couple of more questions for you. I do not want to keep
you here all day, because I know we have another panel and we
have got votes coming up at noon, so I do not want to keep you
here too long.
Just a couple of questions on China. You know, I think, in
a report in 2013, Admiral Blair, Ambassador Huntsman cited a
number--I think it was pretty stunning--$300 billion a year,
they believe, in terms of theft through cyber--cyber theft
around the globe annually to the United States--$300 billion.
And I think, under their estimates, 50 to 80 percent is--broad
range, but still a very high number--actually, they believe
could be directed or attributed to China as a result of that
$300 billion. And so, how do you, as the State Department,
then, following up on this conversation with the private
sector--how do you work with China to address these theft
concerns?
Mr. Painter. So, again, it is an all-of-government
solution. We look at a lot of different--or problem--and we
look at a lot of different tools. I think, you know, the United
States has had serious concerns about Chinese state-sponsored
cyber-enabled theft of trade secrets and commercial gain for
some time. As part of our response to this threat, we have
worked with industry to encourage the strengthening of their
own defenses, so, essentially, hardening the targets and make
sure they have the information and share the information they
need to prevent these attacks and intrusions.
We have also directly confronted the Chinese about this
activity and the threats they pose to the bilateral
relationship with the United States and U.S. economic
competitiveness and, frankly, China's global reputation and
their own economic competitiveness in the long term. This was
done at the highest level. As you know, the President has
called this out, and the National Security Advisor--many senior
Department officials. And we have raised this with them in
things like the strategic security dialogue, in the S&ED, as
part of our overall relationship, as something that is an
important thing to consider.
And we are also working with a number of like-minded
governments, because we are not the only victims of these kinds
of intrusions, and we want to make sure the governments
understand the scope of this problem and are taking it
seriously, as well.
I would note that the recent meeting of Prime Minister Abe
with the President when he was here--if you look at the
statement, there is a pretty hefty part of that statement that
deals with cyber, including norms and how we are going to work
together on norms, but also how we are going to share
information to better protect against the theft of intellectual
property. So, that is another thing we are doing.
You mentioned the indictment--the five--you know, the
indictment of the five PLA officers. That is another tool we
can use. And, of course, we are going to look at all the tools
we have. But, this is something that we are going to continue
to press. We need to continue to press this issue, because it
is important to the United States and important to other
economies around the world. At the same time, we have to also
try to find ways to work with the Chinese productively, because
they are the other--you know, they are one of the biggest
actors in cyberspace. And when we are talking about issues like
fearing miscalculation or a misperception in escalation in
cyberspace, it is important for them and us to be--you know,
for them to be responsible members of the world community. And
that is why we are putting forth these norms and trying to
advance these confidence-building measures. We had a cyber
working group, which, you know, I think was unfortunate that it
was suspended by the Chinese after the indictments. I led that
group. It is important to have these conversations so we can
express these concerns clearly, but, at the same time, deal
with issues where we need to build collaboration, including
exchange of technical information from CERTs, in cybersecurity.
You know, I think when--I want to pivot it for a second to
the--one of the norms we have talked about, which is the norm
against cyber-enabled intellectual property theft. That is
going--that is part of the longer term effort, getting more and
more countries to say that that is something that we support,
that is something that really, if you are acting outside of
that, you are outside of the world norm on that. So, that is
part of these efforts, too.
But, this is going to be something we are going to continue
to press, quite frankly.
Senator Gardner. And just, quickly, what are your thoughts
on the Russia-China cyber pact last week?
Mr. Painter. Well, you know, I think there are a couple of
interesting things about that. We are looking at that,
certainly, but I would say that it evidences some things that
are not too surprising in terms of the way Russia and China
look at cyberspace. They have a very absolutist view of
sovereignty in cyberspace, that, essentially, you can draw a
sovereign boundary around cyberspace, and it applies to
everything that goes on within that boundary. And I think it is
indicated in that agreement. And we hold a different view. We
believe that sovereignty does apply in cyberspace, to an
extent, but it does not transcend things--to go to Senator
Cardin's question--like the Universal Declaration of Human
Rights. That is a norm. The Universal Declaration of Human
Rights guarantees human rights and speech across borders, and
it does not matter--you cannot draw a sovereign boundary around
that. So, it indicates a very different view of them versus us.
It also--they use the term ``information security'' vice
``cybersecurity.'' We talked about protecting networks. They
are worried about the destabilizing nature of information.
So, I would say, you know, that is the way we analyze it.
More broadly, this indicates why we need to be very active,
diplomatically, around the world, because certainly there are
many countries that adopt the vision that we put in the
international strategy, the vision of an open Internet with
security, interoperability, all together. You do not have to
trade one off for the other. But, there are many other
countries, particularly in the developing world, that are
struggling, they are on the fence, they see the benefits of
stability, and they are worried about that. And we need to work
with those countries--and this is why capacity-building is so
important--to make sure that they understand that the vision
that we are putting forth is good for them. It is good for them
economically, it is good for them socially. And so, as we go
forward in all these different international organizations--
cyber is being debated everywhere around the world now, in
every organization you can think about--we need to make sure
that we are reaching out to the countries who are not the
traditional allies, who are the countries who are now just
getting Internet access and who are dealing with some of these
issues.
Senator Gardner. Thank you, Mr. Painter. Thank you for your
service and your testimony today.
And, Senator Cardin, I do not think you have anything else?
Senator Cardin. Thank you.
Senator Gardner. Thank you.
And if I could ask the--we are finished with the first
panel now, and if I could ask the witnesses to the second
panel, please come forward.
On our second panel, we have two distinguished witnesses
from the private sector to give us outside perspective on U.S.
Government efforts and our policies.
Our first witness is Mr. Jim Lewis, who serves as the
senior fellow and program director of the Strategic
Technologies Program at the Center for Strategic and
International Studies. Before joining CSIS, he worked at the
Department of State and Commerce as a Foreign Service officer
and as a member of the Senior Executive Service. His government
experience includes work on Asian political military issues as
a negotiator on conventional arms and technology transfers, and
on military and intelligence-related technologies.
Welcome, Mr. Lewis. Thank you for being here.
And our second witness today is Prof. Michael Greenberger,
who is founder and director of the University of Maryland's
Center for Health and Homeland Security and a professor at the
University of Maryland Francis King Carey School of Law, where
I think Senator Cardin admitted he may still have a student
loan. [Laughter.]
He is currently----
Senator Cardin. It was a lot cheaper--I am embarrassed at
what the fees were when I went to law school compared to today.
I think my law-school books were more expensive than tuition.
That has changed.
Senator Gardner. He is currently a member of the Baltimore-
Washington Cyber Task Force, serves on the Commission on
Maryland Cybersecurity Innovation and Excellence, is a member
of the American Bar Association's Law and National Security
Advisory Committee and a member of the National Academy's
Committee on Science, Technology, and Law. Previously,
Professor Greenberger also served in the Department of Justice
and the Commodity Futures Trading Commission.
Welcome, Professor Greenberger.
And I would ask, Mr. Lewis, if you would begin, 5 minutes,
then we will turn to you, Professor Greenberger. But, thank you
very much for your testimony today. And your full statement, of
course, will be entered into the record.
With that, Mr. Lewis, recognize you for testimony.
STATEMENT OF JAMES ANDREW LEWIS, DIRECTOR AND SENIOR FELLOW,
STRATEGIC TECHNOLOGIES PROGRAM, CENTER FOR STRATEGIC AND
INTERNATIONAL STUDIES, WASHINGTON, DC
Mr. Lewis. Thank you, Chairman Gardner and Senator Cardin.
I would like to thank the committee for this opportunity to
testify.
Cybersecurity is a new challenge for foreign policy. It has
reshaped economies--the Internet and other cyber technologies
have reshaped economies and accelerated growth, providing
immense benefit. But, they can also be used for malicious
purposes. Digital networks provide countries with new ways to
grow and to trade with each other, but they are also a means of
influence, coercion, and attack.
Four countries--Russia, Iran, North Korea, and China--are
our principal rivals in cyberspace. To constrain them, we need
better defenses, we need penalties for malicious action, and we
need international agreement on the rules for responsible state
behavior. Getting these rules requires the support of our
allies and new regional powers, like India and Brazil.
The U.S. approach to international cybersecurity is to seek
agreement on norms and to create confidence-building measures
and build mechanisms for cooperation. Norms and CBMs are really
the best approach available. A cyber treaty would be
unenforceable. We cannot deter our adversaries. Deterrence does
not work against espionage or crime. And it may not work at all
against state actors like ISIS or other terrorist groups.
The United States is, as you heard, involved in many
discussions on cybersecurity in the U.N. and in regional
groups, such as the OSCE, but progress has been slow. The
United States has had more success in revising its mutual
security treaties with our allies in Asia and with NATO to make
cybersecurity a part of collective defense.
Cyberspace is a man-made environment operated by commercial
companies. This complicates the efforts to reach agreement on
security. And, while there is international agreement that the
private sector should play a role in cybersecurity and that
this role should reflect private-sector competencies in
technology and business, many countries would still prefer that
nation-states lead in any negotiation.
This administration issued an international cyber strategy
in 2011. I believe it is time to rethink this strategy, in
light of a very different international situation. This is a
much more difficult negotiating environment than we faced 4
years ago, and we have much more vigorous rivals who have, as
you pointed out with the recent agreement between Russia and
China, come up with an alternate approach that challenges the
United States.
The principal issue for reconsideration in the U.S.
strategy is whether to seek agreement first among like-minded
countries or to continue to wait for some broad global
agreement. The United States has been reluctant to adopt a
like-minded approach, although that is what we used in
proliferation and arms control, fearing that we will lose the
support of important countries like India or Brazil. But, the
difference now is that we face a determined effort by Russia
and China to dismantle American leadership in international
affairs, not just cybersecurity, but across the board, and it
will be difficult to reach agreement with these rivals on any
cybersecurity issue.
The Department of State also needs to rethink how it is
organized for cybersecurity. They were the leaders in creating
a coordinator. The rest of the world has copied them. Now it is
time to think if we need a more formal and permanent
organization within the Department.
In the last decade, cybersecurity has become a central
issue for international security and diplomacy. Given its
importance for our economy, for trade, for national security, I
think the committee is doing exactly the right thing by picking
this up. And cybersecurity should be part of the foreign policy
agenda for this Congress.
Now I am going to do one thing that I had not written in my
remarks, but I am going to give you a simple measure for
success. That measure is that Russia and China, between the two
of them, are probably responsible for more than two-thirds of
the malicious cyber actions we see undertaken against the
United States. They are, by and far, our largest rivals, they
are the most active, they do the most damage. And a good
measure for success is: Is the Russian and Chinese share of
malicious cyberactions decreasing? If the answer is no, what we
are doing is not working. With that, Mr. Chairman, that happy,
positive finish----
[Laughter.]
Mr. Lewis [continuing]. Thank you for the opportunity to
testify, and I will be happy to take any questions.
[The prepared statement of Mr. Lewis follows:]
Prepared Statement of James Andrew Lewis
I would like to thank the committee for this opportunity to testify.
Cybersecurity is a new challenge for foreign policy. The Internet
and other cyber technologies have reshaped economies and accelerated
growth, providing immense benefit, but like any tool it can be used for
purposes good or bad. Digital connections provide countries with new
ways to grow and trade, but they are also a means of coercion,
influence, and attack. Exploiting computer networks has become another
tool for state power and competition. Countries use the Internet and
cyberspace to gain advantage over others. The use of cyber tools and
techniques as an instrument of national power is now the norm. Getting
international agreement on how states should behave in cyberspace is
essential, but it will also be difficult.
The first known examples of what we would now call cyber espionage
occurred in the early 1980s, when the KGB hired German hackers to break
into U.S. military research computer networks. The first use of cyber
attack for military purposes occurred in the mid 1990s, when the U.S.
used primitive cyber attack tools against Serbia. In the late 1990s,
Chinese military writings discussed cyber attack as a means to gain
asymmetric advantage over the United States. Perhaps this flurry of
military activity led Russia in 1998 to introduce in the U.N. a treaty
to limit the development and use of cyber weapons.
The draft treaty drew extensively on Russia's experience with
strategic arms control. One precedent may have been the 1960's Outer
Space Treaty, which established principles of state responsibility and
banned nuclear and other weapons of mass destruction from space. The
analogy between cyberspace and outer space is inexact however, despite
rhetoric about there being no borders in cyberspace. It is difficult to
gain access to space and the technology, particularly in the 1960s,
was expensive and limited to only a handful of nations. In contrast,
the technologies needed for malicious action in cyberspace are
ubiquitous and easily acquired. Clandestine operations are particularly
easy in cyberspace. Nor do cyber attacks pose the risk of horrific
effect similar to nuclear weapons, which created a shared desire for
restraint even among opponents.
The very covertness of cyber action works against international
agreements on security, and until 2010, there was no progress on
international agreement. There was too much distrust among competing
nations for a treaty. The technology was also very new, and there was a
general unfamiliarity in the international community with cybersecurity
as a national security issue. The U.S. only began to consider
diplomatic solutions in the last few years.
Some of this slow start reflects a too-great reliance on the
technical community to manage cybersecurity. The problems we face are
not technical; they are political and require policy and diplomatic
skills to make progress. Some of the slow start reflects the millennial
beliefs of the 1990s about the Internet and the future of international
relations. It seems hard to believe, but in the 1990s people believed
that with the end of the cold war, the world would become one big
market democracy with shared values and no borders. Governments would
play a smaller role in global affairs and could be replaced by a
collection of civil society organizations and multinational
corporations in some multistakeholder process. Those who believed this
dream had a rude awakening in 2001 and while things have not gotten
better since then, many in the Internet community cling to these
shattered beliefs.
opponents
For the U.S., better cybersecurity requires changing the behavior
of four countries. Russia is the principal source of cyber crime and
extremely active in political-military espionage, and is the most
skilled opponent we face. China leads in economic cyber espionage. Iran
has developed significant cyber capabilities and uses them to apply
political pressure on the U.S. It has also done the network
reconnaissance necessary to launch cyber attacks against critical
infrastructures, as have China and Russia. North Korea has invested for
decades in building cyber attack capabilities. There are also jihadist
groups who have rudimentary cyber capabilities. Hezbollah and the
Syrian Electronic Army are connected to Iran and through Iran, perhaps
to Russia. ISIS, with its sophisticated Internet skill, bears watching
carefully as a group that could develop the capability for low-level
attack.
Dealing with these countries also requires a broad diplomatic
strategy to win support from key allies and from emerging new powers,
like Brazil, India, and others. These new powers form a middle ground
between western democracies and authoritarian regimes, and the policies
these countries choose to pursue will determine the future of the
Internet and cybersecurity. Most of the new powers support fundamental
human rights, and in particular freedom of speech and free access to
information. This puts them at odds with the authoritarian view of
cyberspace, but they also believe that national sovereignty and
government must play a larger role in Internet matters, and they were
troubled by the NSA revelations, factors that work against U.S.
influence. To win the global support, the U.S. needs persuasive
arguments on privacy, Internet governance, and the use of force in
cyberspace. We do not now have these persuasive arguments and some of
what we say now about the Internet is seen as duplicitous. The NSA
leaks of the last 2 years, whose selective release is used
intentionally to damage the U.S., have not helped us.
Cybersecurity is a military and intelligence contest with dangerous
opponents. There are significant trade issues. The Internet has immense
political effect that threatens authoritarian regimes and has led them
to mount significant challenges to market and democratic ideals and the
international institutions created to support them. The focal point of
this challenge is to reduce U.S. influence, not just over the Internet
but also in trade, security, and finance. We face a determined effort
to dismantle American leadership in international affairs.
deterrence
There is a hope that the U.S. could use military force to deter
malicious cyber activity, but this has not been effective. Deterrence
was the linchpin of U.S. strategy for decades, but the political and
military context for deterrence has changed significantly. Instead of a
single, near-peer opponent, the U.S. faces an array of possible foes,
each with differing capabilities and tolerances for risk. Deterrence is
of much less utility as a guide for policy in this new environment.
Deterrence requires opponents to compare the benefits of an action
against the potential cost and assess the likelihood that such costs
will actually be imposed. There must be credible threats that if a
threshold or ``redline'' is crossed, it will lead to unacceptable loss.
In the cold war, the threat of nuclear war deterred the Soviets from
invading Western Europe and Japan or launching strategic attacks
against the U.S. While it was often a subject of debate, the nuclear
``umbrella'' set redlines the Soviets could understand and found
credible because they were linked to core American interests. The U.S.
has thresholds or declaratory policies, but they are surrounded by a
mass of caveats. This is sometimes lauded as ``strategic ambiguity,''
but in fact, our adversaries just find it confusing. If opponents do
not know what lines they should not cross, or do not believe that we
will penalize them for crossing those lines, it will be hard to deter
them.
Our most active opponents also seek to circumvent deterrence. They
look for tactics that stay below this ill-defined threshold that allow
them to damage the U.S. without triggering retaliation. They believe
that the U.S. will also build new weapons, including cyber weapons that
will allow it to circumvent their own deterrent forces and strike them
with impunity. While we can be confident that our nuclear and
conventional forces will deter major attacks on the U.S. and it
its allies, it will not deter challenges in Crimea or the South China Sea,
terrorism, or malicious cyber activities. Even nuclear threats in the
cold war did not stop Soviet espionage or regional adventures and we
cannot deter cyber espionage or cyber crime. A different approach is
required to bring security and stability to cyberspace. This is
important because deterrence, if it works, is unilateral and does not
require international agreement. The ineffectiveness of unilateral
deterrence increases the need for international agreement.
u.s. diplomatic strategy
Getting international agreement is what the 2011 International
Strategy for Cyberspace tries to do. This administration is the first
to have a published international strategy for cyberspace, which it
released in 2011. That strategy now needs significant reconsideration
since we are now in a very different political environment, less
peaceful, more challenging, and with overt opposition.
The U.S. diplomatic strategy for cybersecurity is based on
building cooperation among countries and reaching agreement on norms
and confidence-building measures (CBMs). Its starting point is
recognition that a cybersecurity treaty is not possible. The core of
the strategy is agreement on norms for responsible state behavior in
cyberspace. Unlike a treaty, norms are not legally binding. They
reflect instead international expectations about state behavior. The
normative approach builds on the experience of nonproliferation. With the
Missile Technology Control regime, for example, a few like-minded
nations (NATO, Japan, and Australia) agreed that responsible states do
not transfer ballistic missile technology. Eventually the number of
adherent nations grew and there was acceptance of a new global norm of
behavior, including, after several decades, a measure of formal
agreement. A similar process helped to create norms for chemical and
biological weapons.
There are already implicit norms governing cyber conflict that are
derived from existing international law and practice. Making these
norms explicit and expanding their scope would increase stability. The
argument that norms are too weak can be dismissed as there is no
serious alternative. Legally binding commitments have serious
drawbacks. Our most likely adversaries will just ignore treaties.
Treaties face serious implementation problems involving compliance and
verification. Nonstate actors have limited influence over major states,
cannot themselves commit their country to an agreement, and lack legal
standing under international law. The existing ``state of nature'' is
too Hobbesian to be sustained as the Internet and other digital
networks become the most essential of global infrastructures. A norms
based approach offers the greatest chance for progress.
There is now agreement among most countries that existing international
commitments apply in cyberspace as they did in the physical domain.
Gaining this agreement has been a multifaceted effort, with work in the
Organization for Security Cooperation in Europe (OSCE), the ASEAN
Regional Forum (ARF), and the Organization of American States (OAS),
the forum for Asia-Pacific Economic Cooperation (APEC), the ``London
Process,'' and the U.N. to develop confidence-building measures and
norms. Work to win greater acceptance of the Budapest Convention on
cyber crime reinforces the central concept of ``normalizing''
cyberspace by defining state responsibilities toward other states and
their citizens. While there are regional differences (certainly in
pace, if not substance), there is an emerging consensus about
responsible state behavior in cyberspace that is consistent with
existing norms and commitments among states.
The 2010 and 2013 Reports of the U.N. Group of Governmental Experts
(GGE) have been foundational. Russia first proposed GGEs in the early
2000s. The first GGE failed to reach agreement. The second GGE (2010)
produced a short report that called on the international community to
further develop norms and CBMs (as well as to build capacity in
developing countries). While short, this 2010 report laid out the
agenda for international discussion of cybersecurity, identifying the
application of international law, the development of norms and CBMs,
and measures to promote capacity-building, as the core elements of an
international approach to stability and security in cyberspace.
The third GGE produced agreement among countries as diverse as the
major NATO allies, Russia, India, and China (albeit reluctantly) that
the principle of sovereignty applied to cyberspace, that the
commitments to the U.N. Charter, existing international law (including
the laws of armed conflict) and commitments to protect universal human
rights all applied in cyberspace. While the implications of sovereignty
for cyberspace are complex, the physical infrastructure that supports
cyber activities is generally located in sovereign territory and is
subject to the State's territorial jurisdiction. The agreement on the
applicability of sovereignty and international law has fundamentally
changed the political landscape for the discussion of cybersecurity,
but it is only an initial step in defining how States will act in
cyberspace. A fourth GGE is currently underway.
To increase trust, the U.S. has also promoted agreement on a series
of confidence-building measures (CBMs). CBMs are a normal diplomatic
measure to reduce tension and suspicion. CBMs strengthen international
peace and security. They can increase transparency, cooperation, and
stability. Building confidence through greater transparency in
doctrine, either bilaterally or in multilateral exchanges, could reduce
the chance of miscalculation or inadvertent escalation. The lack of
transparency makes it more difficult to reach agreement on norms for
responsible state behavior or to limit cyber conflict.
The development and agreement on CBMs have had the most success in
the OSCE, where cold war precedents and participant experience with
arms control created familiarity with such measures. In other regions
of the world, where there is less experience with security
negotiations, there has been less progress, but there are significant
efforts to develop CBMs underway in the ASEAN Regional Forum and the
Organization of American States.
Work by the OSCE has been foundational in defining CBMs. These CBMs
focus on transparency and coordination. Voluntary measures agreed ad
ref in the OSCE include the provision of national views on cyber
doctrine, strategy, and threats. OSCE members will also share
information on national organizations, programs, or strategies relevant
to cybersecurity, identify a contact point to facilitate communications
and dialogue on ICT-security matters, and establish links between
national CERTs. OSCE members discussed how existing OSCE mechanisms,
such as the OSCE Communications Network, could be used to facilitate
communications on cybersecurity incidents and develop additional
measures to reduce the risk of misunderstanding.
The U.S. has worked in the U.N. and regional forums to promote
agreement on cybersecurity. It also plays a leading role in the London
Process, launched by U.K. Foreign Secretary William Hague, which is a
series of informal international meetings whose aim is to generate a consensus
on responsible behavior in cyberspace. Initially the London process was
seen as the vehicle for gathering like-minded nations to agree on
norms, but its goals have become more diffuse. There have been four
meetings, the last of which (in The Hague), produced a robust
Chairman's Report. The next meeting is scheduled for 2017 in Mexico.
The U.S. also worked closely with its allies to make cybersecurity
part of its defensive alliances. It has modified its collective defense
arrangements with Australia, Korea, and Japan to include cybersecurity.
NATO, in its 2014 summit, agreed on when a cyber incident could trigger
the collective defence provision of article 5 of the North Atlantic
Treaty. The key changes have been to create mechanisms for greater
cooperation with allies and to agree that damaging cyber attacks fall
under collective defense.
the role of the private sector
There is international agreement to involve the private sector in
cybersecurity ``as appropriate.'' These last two words--``as
appropriate''--are the key. The role of the private sector varies by
issue. For some issues, such as security negotiations, there is very
little the private sector can do. Some countries, particularly China
and Russia, do not see private sector actors as equals and believe that
companies are tools of U.S. policy, something that says much about how
they see their own national companies.
For issues like Internet governance, the private sector is vital.
There are three broad sets of actors in Internet governance--states,
companies, and civil society organizations. In the past, states played
a small role by design. This is changing as states assert their
traditional roles. Internet governance is in transition, and what we
will end up with, if this is well managed, is something like
international finance, where private banks, Finance Ministries, and
international institutions make decisions about governance. This means
that the influence of governments over the Internet will increase and
the influence of civil society organizations will shrink.
It can be hard to parse through the rhetoric that surrounds
cybersecurity, but one way to think of this is that the Internet is not
that different from anything else and people should play the roles they
usually play in guiding and securing it. Companies should be
responsible for innovation in technology and providing services.
Governments cannot do as well. Governments should play their
traditional roles, ensuring public safety and law enforcement
(including enforcement of contracts), defending citizens, and
negotiating with other nations on trade, human rights, and all the
other issues. Companies cannot do this, nor should we want them to--
their job is to generate returns for their shareholders.
The idea of formal cooperation among governments on Internet issues
is anathema to the old-school internet community. They fear that rules
will harm the ``free and open Internet'' to which all kinds of
miraculous economic powers are ascribed. It is true that the global
network has brought us immense economic benefits and offers still more.
However, the free and open Internet is long gone. To make cyberspace
safe, we need transnational rules, norms, and institutions to manage
and reduce risk, using international agreement on a collective approach
to reduce risk and increase stability. Some countries will balk at
cybersecurity norms, as they balked at norms against nuclear
proliferation or money-laundering--but the right blend of incentives
and penalties (like indictments in U.S. courts) will help change their
minds.
The conflict in this lies between those countries like Russia and
China that would like to see governments play a dominant role in
cyberspace, in order to control information and minimize the political
risk to undemocratic regimes, and those few governments that continue
to insist that the informal arrangements for security and governance
developed in the 1990s are still adequate. Neither approach is
desirable but we have not yet identified an adequate replacement that
does not diminish the private sector's role in those areas where their
leadership is crucial.
There are several areas for partnership between companies and the
government in international cybersecurity. At a company level,
cybersecurity is a business decision about how much risk a company is
willing to accept and how much they are willing to spend to mitigate
this risk. Such decisions are best left to individual companies. In the
foreign relations context, this largely involves company decisions
about the risk of cyber espionage. Where the government can play an
essential role is in helping companies adequately assess risk by
providing relevant information and by developing penalties and
sanctions for cyber economic espionage.
Similarly, American companies and the government must cooperate in
rebuilding trust in American products and services. American
information technology companies are often caught in the middle of an
awkward debate, as foreign governments fear to trust U.S. products while
at the same time asking U.S. companies to cooperate with them in
providing information. Rebuilding international trust requires a longer
discussion that involves new ideas on data protection, encryption,
localization, and related issues. These issues fall outside the scope
of cybersecurity when it is narrowly defined, but no major decision
about cybersecurity can be made without reference to them. The
touchstone should be that our national interest is best served by
foreign policies that keep American companies strong, competitive, and
secure in cyberspace.
The most difficult question for the role of companies in
cybersecurity involves hacking back or active defense. Companies can do
what they want on their own networks. Companies can do what their
national laws allow on national networks. However, they cannot take
action on networks in another country. This is illegal and poses
serious political risk, even if a U.S. company uses a third party in
countries like Israel.
Remember that Russia and China believe that U.S. companies are a
tool of the government. They will interpret hacking back as an attack
by the U.S. This poses real risk of retaliation and escalation into
armed conflict. Our opponents include the Russian FSB and the Iranian
Revolutionary Guard. They are unscrupulous, have a taste for violence,
and will not hesitate to use force against an attacker. Cyber attacks
can have unpredictable effects. The U.S. has led the way in seeking to
have countries observe the rule of law in cyberspace. Hacking back not
only undercuts this effort, but could put an American company in an
awkward position. What if China, for example, was to ask the FBI to
cooperate in an investigation of a hack-back or took out Interpol
warrants for U.S. executives? If we say no, it ends any effort to get
China to cooperate when we request investigations (as we did with the
Sony incident). If we say yes, American executives will go to jail. I
understand the frustration with the slow pace of reducing cyber crime, and U.S.
efforts could usefully be accelerated, but we do not want amateur
mistakes to lead to war or retaliation.
cybersecurity at the state department
The U.S. strategy has helped shape the diplomatic strategies of
other Western democracies. The global challenge to Western institutions
and to U.S.-centric Internet governance from authoritarian states--and
the effect of the NSA leaks--mean that we must reconsider this strategy
and strengthen the organizational framework that supports it.
The fundamental point for reconsideration is one that has been
discussed for years. Should the U.S. try to win global agreement on
cybersecurity norms for responsible state behavior, or should it begin
with agreement among like-minded nations and then seek to broaden
this? Of course, it is possible to pursue both strategies
simultaneously, but we now need to recognize that Russia and China are
unlikely to agree with us on political issues in any meaningful way.
The announcement of a cybersecurity agreement between Russia and China
is an example of new and more oppositional policies (as are the recent
maneuvers by their tiny flotilla of ships in the Mediterranean). The
bilateral cyber agreement itself is largely for show, to annoy the
Americans and the West, so we do not want to overstate it, but we also
should not expect them to defer to American policy the way they did in
the 1990s.
The counter argument against a like-minded approach is that we will
lose the ``fence sitters,'' the new powers who are in neither the
Western nor the authoritarian camp. This fear results in paralysis. The
counterexample used against a like-minded approach is the Budapest
Convention on cyber crime, which was negotiated among Western countries
and now faces opposition from new powers like India who say that since
they were not involved in the negotiation, they cannot accept the
agreement. It is also very likely that some of the new powers would
refuse to participate if Russia and China are not involved. However, if
progress in cybersecurity is held hostage to winning the agreement of
authoritarian states, we will not get anywhere anytime soon.
A good way to think about this is to ask what would happen if the
U.S. were to agree to condition any action by NATO on winning agreement
from Russia or China, or from powerful nonaligned nations. This would
be the end of collective security; we would hobble ourselves. While we
need to engage with Russia and China, and perhaps some initial arms-
control style agreements on cyber warfare are possible, and while we
need to engage with, and be respectful of, the view of new powers like
India, Brazil, and others, we should not refrain from action until we
have their consent.
The NSA leaks had little effect on Russia and China, who either
suspected or knew of NSA activities, but they have skillfully exploited
them to try and divide the U.S. and key Western allies. Crimea has
caused far more damage to international negotiations on cybersecurity.
The Russians have suspended the bilateral cybersecurity discussions
that drove diplomatic progress, and their evaluation of the usefulness
of an agreement limiting cyber attack may have changed as they move
into a more militant posture vis-a-vis NATO. Crimea has sharpened
interstate conflict, albeit in a hybrid rather than conventional venue,
and has greatly reduced the chances for international agreement.
Russian strategy has successfully made that country the focal point for
agreement on cybersecurity.
A new strategy will need to be complex in that it would require
differing kinds of engagements with other countries and a broader range
of tools to win progress. It would continue the pursuit of global
agreement but seek immediate agreement among like-minded nations on
responsible behavior in cyberspace. These understandings should be
reinforced by the use of financial sanctions and technological
restraints to encourage better behavior and strengthen the rule of law
in cyberspace. Precedents from the financial sector, where governments
and leading banks work together to develop and follow principles and
practices to increase stability and fight crime, are particularly
useful and suggest a new direction for cyber diplomacy.
A new strategy also requires an institutional underpinning.
Cybersecurity is still an appendage within the Department. It is not
incorporated into the structure of Bureaus and Under Secretaries State
uses for most issues. In an ideal world, cybersecurity would be part of
the politico-military Bureau and part of the portfolio of the Under
Secretary for International Security Affairs. Arguments could be made
that this issue should be placed within the Economics or Global Affairs
portfolios, but having sat in many negotiation sessions on
cybersecurity, I can affirm that this is a politico-military issue and
the negotiators who have done best in negotiations are from an arms
control or international law enforcement background.
The U.S. pioneered the creation of cyber coordinators at the White
House and at the State Department, an organizational approach many
other countries have also copied, and while State has expanded the
office of the cyber coordinator, it needs to further embed
cybersecurity into the fabric of our diplomacy. Any speech by a senior
official on security or trade must mention cybersecurity, and while
these officials may not be comfortable with the issue or fluent in its
details, they cannot afford to avoid it. The best example of a missed
opportunity is the negotiations on Russian entry to the WTO, completed
in 2006, when the U.S. secured agreement on tariffs but signally failed
to even mention cyber crime. This was a lost opportunity. We know from
public examples that the President cares about this issue and has
engaged foreign leaders, but there should be something between the
President and Chris Painter. The Chinese, for example, watch this very
closely and if a Cabinet Secretary appears in Beijing and does not
mention cybersecurity, they judge it to mean that America is not
serious.
You sometimes hear that the issue is too technical or too arcane
for senior leaders to discuss. This is not true. Cybersecurity is now a
central element of the larger international security agenda, the same
way that nonproliferation was a new element 25 years ago, and it is
important to embed cybersecurity into American foreign policy the same
way that nonproliferation moved from being a technical issue to
something of central importance. The Internet is not going to get any
less important for economies and security. This is not a peripheral
issue, particularly as the Internet grows more and more important for
our economic life and for international trade and security.
next steps
This is a much more difficult negotiating environment, but the
biggest obstacle to progress is not recalcitrant authoritarians or
skeptical new powers, but what some have called an era of ``strategic
timidity'' in the West. If we are afraid of offending Russia, China, or
the new powers, we should just accept that while cybersecurity can be
improved through better technology and greater attention by companies,
it will not be secure against our most effective opponents.
There is always a temptation in American foreign policy to explain
the international environment by saying that we are in a ``new cold
war'' or to invoke elderly strategies like deterrence or containment to
deal with the new challenges we face. We are not in a new cold war.
What we face is a more insidious challenge with countries who are our
political and military opponents at the same time that they are our
economic partners. In an interconnected world, they cannot be contained
nor will they be deterred from challenging us. We can no longer
blithely assume that we have the moral high ground--China, Russia, and
others will challenge our leadership. This is a new kind of contest and
we must craft new foreign policies to advance our national interest,
the interests of our allies, and of the world. Cybersecurity is among
the most salient of these new challenges for American foreign policy
and while there has been good progress in the last few years, we need a
a new approach to international agreement on cybersecurity.
In the last decade, cybersecurity has moved from being a peripheral
issue or an issue confined to the classified world to one that is
central for the internal security and diplomatic agenda. Given its
importance for national security, public safety, trade, and
development, it is right for the committee to turn its attention to
cybersecurity as it thinks about the foreign policy agenda for this
Congress.
Thank you for the opportunity to testify and I would be happy to
take any questions.
Senator Gardner. Thank you.
Mr. Greenberger.
STATEMENT OF MICHAEL GREENBERGER, FOUNDER AND DIRECTOR,
UNIVERSITY OF MARYLAND CENTER FOR HEALTH AND HOMELAND SECURITY;
PROFESSOR, UNIVERSITY OF MARYLAND FRANCIS KING CAREY SCHOOL OF
LAW, BALTIMORE, MD
Mr. Greenberger. Thank you, Chairman Gardner, Ranking
Member Cardin. I am delighted to be here today. The first thing
I want to say is, this is a very tough-going area, and it is
easy to second-guess and criticize. And I do have suggestions,
but by no means do I want to be seen as criticizing the efforts
of the State Department or any other Federal agencies. I think
sincere good-faith efforts are being made.
But, I would draw an analogy to the train accident in
Philadelphia. The train went off the tracks, and there could be
a lot of different ways to look at that problem. Was the
engineer negligent? Was the engineer criminally negligent? Do
we need more laws?
The real thing, I think, needs to be focused on an
international basis is, How do we stop the bad things that are
happening? I think we can worry later about whether the bad
things trigger title 5 of NATO or trigger the laws of war, et
cetera, et cetera. What we really have got to do is get a
handle on stopping what is going on, and identifying who the
perpetrators are.
With regard to international organization, as recently as
February 2015, the White House held a summit, and there, there
was an echo that is repeated throughout the literature: We need
better international cooperation. We have cited the Atlantic
Council paper from November 2014 as sort of a model of our
concern, but we have adduced certain key principles from that
paper that we would suggest be advocated for. And when I say
``advocated for,'' I do not think there needs to be
legislation. I do think there needs to be strong congressional
oversight to make it clear to the administration what further
steps need to be taken to improve international coordination.
The Atlantic Council's number-one priority is
collaboration, collaboration on an international basis. My view
is that we should not worry about treaties, we should not worry
about memos of understanding, but we should go forward and
convene the parties who are sympathetic to what we are trying
to do to create what I would refer to in the crisis management
area, an emergency operations center. Who would the candidates
be for cooperation in that? NATO, the European Union, the
Atlantic Council, OSCE, OECD, the Organization of American
States, and the Organizations of the Pacific Nations. They are
all interested in cybersecurity, and I have no doubt the State
Department--and I applaud the State Department for everything
it is doing--but, we need to bring those groups to the table.
It does not need to be an official summit. It just needs to be
a convening, on a regular basis, of those groups to exchange
information. And, as has been said here, you cannot do this
with governmental institutions alone. And there are many active
organizations--I would say, for example, the Internet
Engineering Task Force, which has laid down norms for
preventing cyber attacks--groups of that sort should also be
brought to the table. And, in terms of the private parties, the
President has identified the critical infrastructure sectors--
financial, transportation, health--those parties should be
brought to the table, too, on an international basis.
And then, when you sit at the table, what do you do? Number
one, Senator Cardin talked about NIST, that we are so pleased
to have in Maryland, which has set up a framework for
developing defenses to prevent cyber attacks. Is it going to be
perfect? No. But, it is better than doing nothing. NIST itself
has said that its framework needs to be put into the
international sector and discussed among all nations. It has
received a lot of high praise for its efforts. And we should
make every effort to internationalize it. And that would be the
internationalization of norms that are a defense to cyber
attacks.
Secondly, the technical organizations that I referred to
could be helpful. The biggest problem we have is identifying
who is doing the attacking. Now, we can say, generally, Russia
and China. But, if you cannot pinpoint where the attack is
coming from, it is irrelevant whether we can go after those
people with criminal laws or whether we have treaties. The
biggest problem in this area is authenticating who is doing the
damage. There are other norms that we have suggested.
The final thing I would say is, these are all referred to
as confidence-building measures. Traditional confidence-
building measures are working with your enemy to build a
bonding process so they no longer become your enemy. The
hotline with Russia is the foremost example. The confidence-
building measures we need now are that the international
community--and when I say ``international community,'' let us
forget Russia and China and Iran; it is those that are
sympathetic to what we are doing--join together to develop
norms, methods of identifying perpetrators, identifying
infrastructure--the priority of infrastructure that needs to be
protected.
We deal, on a daily basis, with responses to crisis
management. And I can tell you--look at the Boston Marathon,
for example. In the response to that attack, you had the FBI,
State police, city police working hand in glove together. That
came out of an emphasis by Congress and the various
administrations to create these fusions within the State. We
have it in Maryland.
The process of just bonding, in and of itself, is
therapeutic, because you start discussing things that you can
do together. You start learning--city police and FBI never
worked well together. In that situation, they worked
beautifully together. Why? It is the bonding process of the
collaboration.
Thank you.
[The prepared statement of Mr. Greenberger follows:]
Prepared Statement of Michael Greenberger
introduction
My name is Michael Greenberger. I am the Founder and Director of
the University of Maryland Center for Health and Homeland Security
(CHHS). I have been assisted in the preparation of this statement by
Markus Rauschecker, Senior Law and Policy Analyst at CHHS. I am very
pleased to have the opportunity to provide this statement to the Senate
Foreign Relations Subcommittee on East Asia, the Pacific, and
International Cybersecurity Policy on the very important topic of
``Cybersecurity: Setting the Rules of the Road for Responsible Global
Cyber Behavior.''
CHHS is an academic consulting institution that provides guidance
in planning, training, and exercises relating to the prevention of, and
response to, both man-made and natural catastrophes. CHHS consists of
over 50 professionals working on over 90 contracts worldwide. Among
CHHS' areas of expertise is the law and policy of cybersecurity. We are
involved in academic programs \1\ and provide advisory services on
legal and policy issues relating to cybersecurity.
the problem
Cybersecurity presents a unique policy challenge given the
Internet's interconnected global reach and infrastructure.
Cybersecurity cannot be ensured through measures based on individual
sovereignty or within traditional borders. It is widely recognized that
the worldwide scope of the Internet makes dealing with the threat of
cyber disruption self-evidently international in nature. Solutions to
cyber vulnerability are therefore not only substantive in scope, but
require international organization, cooperation, and response.
Unfortunately, the conventional approaches to the solution of other
international vulnerabilities do not accommodate themselves to
cyberspace. It has been recognized that presently there is not adequate
knowledge or agreement on solutions to respond to cyber
vulnerabilities, which makes negotiation of effective bilateral or
multilateral treaties premature. As our fellow panelist Chris Painter,
Coordinator for Cyber Issues at the Department of State, recently
stated, the international community is still trying to develop the
norms that would be the basis for such treaties.\2\
Disparities in perspectives, as well in the domestic laws of
nations in this area, only further complicate the problem. While the
temptation exists to find a ``silver bullet'' response, a global
solution of this sort is available neither procedurally nor
substantively. For example, the oft discussed recommendation of
implementing ``arms control'' in cyberspace is widely recognized as
unworkable given the uncertainties in the methods of control.\3\
Moreover, it is clear that the problems of cybersecurity not only
involve state actors, but private sector actors as well, because much
of the world's cyber infrastructure is privately owned and/or operated.
Therefore, the solution cannot be limited to either state actors or
private stakeholders alone, but must include a multitude of
stakeholders. As the White House has correctly asserted, ``the world
must collectively recognize the challenges posed by malevolent actors'
entry into cyberspace, and update and strengthen our national and
international policies accordingly.'' \4\
While the need for international cooperation to combat cyber
threats is widely recognized, it is universally acknowledged that much
work needs to be done to promote international solutions. Indeed,
enhancing international engagement is a top priority for the Obama
administration.\5\ Federal officials are calling for greater
international cooperation in cyberspace, with the need being especially
evident in the area of cyber crime. For example, national law
enforcement agencies need to increase information-sharing with
international partners to combat international crimes and countries
must work together to build up crime fighting capacities.\6\
So, in the face of an overwhelming need and inadequate solutions,
the ancient Chinese proverb is apt: a journey of 1,000 miles begins
with a single step. We therefore advocate that the U.S. State
Department lead a cooperative effort working with sympathetic countries
and private stakeholders to begin the development of international
crisis management protocols and otherwise establish effective norms to
combat international cyber vulnerabilities.
the solution
We endorse the suggestion of prominent cyber experts that a step by
step approach should be applied to develop highly recommended
international confidence-building measures (CBMs) to create an
international infrastructure to address cyber vulnerabilities. These
CBMs may be created with the support of existing cooperative
international entities and private international stakeholder
organizations. As a general matter, the United Nations has issued a
report endorsing the CBM approach.\7\ But, the most detailed outline or
plan for the CBM international approach comes from the Atlantic
Council's recent November 2014 report on this subject.\8\
We agree with the Atlantic Council report's suggestions of the
international stakeholders who are likely allies to this U.S.-directed
CBM approach. It may not be possible to engage each of these
stakeholder institutions in the first instance, but we think the U.S.
State Department should turn to these organizations to see if it can
find significant cooperation on all suggested CBM approaches or whether
alliances should be formed to address individually recommended CBMs.
Whatever approach is taken, the organizing effort must begin promptly.
We agree that even if the organizing structure is not ``perfect,''
i.e., getting cooperation of all stakeholders, whatever organizing
structure that can be assembled will generate by its example and
effectiveness greater worldwide support.
As suggested above, the international organizational format must be
developed by engaging both sympathetic governmental as well as
nongovernmental organizations. Examples of international governmental
organizations that could promote the CBM approach, would include NATO,
the Association of Southeast Asian Nations Regional Forum, the Asia
Pacific Economic Cooperation Forum, the Council of Europe, the European
Union, the Organization of American States, and the Organization for
Security and Cooperation in Europe, each of which has expressed at
least a need for international cooperation in this area. Examples of
nongovernmental organizations that should be consulted include the
Internet Society, Internet Engineering Task Force, and World Wide Web
Consortium.
Additionally, as the Atlantic Council report correctly advises, in
cyberspace, important ``private-sector actors like the financial
system, telecommunications, power grids, and energy infrastructure or
critical cybersecurity and information technology companies'' must be
included in the development of international CBMs.\9\ Each of these
sectors ``has a critical role to play in defending against cyber
attacks, so the concept of CBMs must be expanded to include the private
sector.'' \10\
In its November 2014 report, the Atlantic Council has outlined a
series of CBMs in four different areas: (1) Collaboration; (2) Crisis
Management; (3) Restraint; (4) Engagement. We agree with each of the
recommendations made in the report; however, we would give immediate
priority to four measures within the aforementioned areas. These four
measures are given priority based on the limited obstacles they face in
successful implementation and their relative low funding requirements.
We believe that important work has been started in each of these areas
we focus upon, yet the full accomplishment of these measures would
serve as a backbone to international cooperation and responsiveness.
The four measures we see as priorities are as follows:
1. Promulgating and Implementing Cybersecurity Best-Practices
Internationally
As the cyber threat has grown, many security measures have already
been developed to strengthen cybersecurity across sectors. These
measures must be better promoted and more widely implemented. Technical
regimes may be leveraged to agree on and codify best-practices that should
be internationally adopted. It is important to note that the
international community would not need to establish entirely new
practices, but simply adopt and, where necessary modify, existing
practices that are generally accepted. Efforts such as the development
of the National Institute of Standards and Technology (NIST)
Cybersecurity Framework \11\ provide evidence of best-practices that
have been well received internationally across the public and private
cyber sectors.
Technical regimes may also be called on to identify the
international entities that are already implementing existing best-
practices. These findings should be publicized in order to praise
entities meeting objectives, but also to demonstrate a lack of
compliance by others. Essentially, noncomplying entities would be
``named-and-shamed'' and we believe they would thus be motivated to
adopt generally accepted cybersecurity practices.\12\
2. Joint Investigations of Cyber Incidents
The problem of correctly attributing malicious cyber activity is
daunting. Determining who was responsible for a cyber attack is very
difficult for many reasons, often including a lack of technical
identification capacity. Thus, any international mechanism for
collaboration and sharing of identification resources would be highly
advantageous.
For this CBM, an international group of technical experts could
conduct and oversee joint multinational investigations to determine
proper attribution for an attack. These joint investigations will not
only foster continued international collaboration on a general level
(beyond the specifics of each investigation), but also serve as a
deterrent to malicious cyber activity. Malicious cyber activity is
often motivated by an attacker's belief that they will remain
anonymous. If, however, these proposed joint investigations lead to
determinations and methods of attribution, the anonymity is diminished
and an attacker may reconsider their intended action.\13\
3. Promoting Collaboration and Communication of Cyber Crisis Response
Teams
Given the international scope of cyberspace and cyber
vulnerabilities, cyber crisis response teams must be able to quickly
and securely communicate with their counterparts in other countries.
Interstate and multinational mechanisms must exist for cyber crisis
response teams to quickly communicate and share situational awareness.
Communication must not only be between state actors, but must also
include private sector entities. Basic contact lists and data sharing
protocols are part of establishing this CBM.\14\
To test these communications capabilities, periodic exercises
should be conducted.\15\ At CHHS, we have conducted hundreds of
emergency exercises for our clients. Not only do exercises provide a
strong foundation to enable effective responses to real crises, but it
is our experience that working through exercises establishes bonding
connections among responders that serve to reinforce cooperative
relationships and responses.
4. Establishment of a Norm to Restrict Certain Targets from Cyber
Attack
International law establishes critical cyber targets to be focused
upon for protection from attack. This proposed CBM would develop an
international norm on which parts of the cyber infrastructure need
heightened protection from attack. As the Atlantic Council states,
``the desired end-state of this CBM would be the acceptance of
restrictions, akin to those contained in [international humanitarian
law] rules, on disruptive attacks on specific assets and entities
during peacetime--including but not limited to Internet backbone, major
IXPs, finance, aviation, and undersea cables--that would aim to prevent
the `breaking' of the Internet.'' \16\ International actors should
collaboratively develop a common understanding of what constitutes
critical cyber infrastructure and how those assets should be granted
heightened protected status from malicious cyber activity.\17\
Starting on this path of CBM development allows for a steady
progression toward greater stability and security. If these CBM steps
are effective and successful, others in the international community
will not only adopt the norms established, but likely join in the
establishment of the norms. As stated earlier, the U.S. should not wait
to establish the perfect international cyber protection organization.
It should quickly do what it can on an international basis and rely on
successes to further develop international solutions.
No legislation needed
Finally, we believe that the recommendations we are making do not
require (indeed may not lend themselves to) legislation; nor do they
require anything other than de minimis appropriations. We see
aggressive congressional oversight of relevant U.S. international
agencies as the best method of starting and effectively implementing
solutions recommended herein. As to the individual recommendations
above, the Atlantic Council emphasizes, and we agree, that funds for
implementation would be de minimis.
----------------
End Notes
\1\ CHHS is responsible for teaching ``The Law and Policy of
Cybersecurity'' and ``Cybercrimes'' at the University of Maryland
Francis King Carey School of Law; and it has developed cyber
specializations for Masters of Science in Law (MSL) and Masters of Law
(LLM) degrees.
\2\ Comments made during a panel discussion at the International
Conference on Cyber Engagement 2015, Georgetown University, April 27,
2015.
\3\ Christopher Bronk and Dan Wallach, ``Cyber Arms Control? Forget
About It,'' March 26, 2013.
\4\ The White House, International Strategy for Cyberspace:
Prosperity, Security, and Openness in a Networked World, May 2011, p.
3.
\5\ See Five Things to Know: The Administration's Priorities on
Cybersecurity.
\6\ ``Federal officials call for more international cooperation in
dealing with cyber crimes,'' Peninsula Press, February 2014.
\7\ See, ``Group of Governmental Experts on Developments in the
Field of Information and Telecommunications in the Context of
International Security,'' June 24, 2013.
\8\ Healey J., Mallery, J., Jordan, K., and Youd N., Confidence-
Building Measures in Cyberspace--A Multistakeholder Approach for
Stability and Security, Atlantic Council, November 2014, [henceforth
Atlantic Council Report].
\9\ Atlantic Council Report, Foreword.
\10\ Atlantic Council Report, Foreword.
\11\ For more information on the NIST Framework, see http://www.nist.gov/cyberframework/index.cfm.
\12\ Atlantic Council Report, pages 4 and 16.
\13\ Atlantic Council Report, p. 4.
\14\ Atlantic Council Report, p. 7.
\15\ Atlantic Council Report, p. 8.
\16\ Atlantic Council Report, p. 13.
\17\ Atlantic Council Report, p. 134.
Senator Gardner. Thank you, Mr. Greenberger.
And I will begin with my questions. In response to Mr.
Painter, and in your written statement, Mr. Lewis, you stated--
and I will quote--it is talking about the International
Strategy for Cyberspace, the 2011 International Strategy--you
said, ``That strategy now needs significant reconsideration,
since we are now in a very different political environment,
less peaceful, more challenging, and with overt opposition.''
You just heard Mr. Painter say that we do not really need to
redo the 2011 strategy. That is our strategy. We have done a
lot of--you know, had a lot of progress underneath that to fill
in the buckets created by the strategy. Do you agree with him?
And how would you differ? And what ought--in your opinion,
ought to be done?
Mr. Lewis. Well, I do think it was a good strategy. And I
still think it lays out the basic direction that we should
take. The issue is--and this gets to Professor Greenberger's
remarks--we have been trying to get everyone to agree. And
having sat in the room for many days with Russian and Chinese
diplomats and military officials, we are not going to get them
to agree anytime soon. So, is it time to take a step back and
say maybe we need to agree on rules among those countries who
are like-minded, among those countries who are democracies, who
share values? Because I just do not think the Russians and the
Chinese are that eager to agree with us on anything at the
moment.
Senator Gardner. And so, is that not--I mean, we hear about
the Budapest Convention, we hear about the different working
groups, and we talk about, you know, this group of people
working on cyber issues here and this dialogue that has been
entered there and the norms that we need to talk about. And Mr.
Painter talked about norms that we have created. Mr.
Greenberger talks about how we have all these groups out here
that are doing these things. I mean, is it as simple as saying,
``All right, get all these groups to one big group''? I mean,
what are we missing out on? Why have these norms not taken
place? Because every time you read something on cybersecurity,
it points to another organization that is working on
cybersecurity or it was created to help deal with that. So,
what are we missing, and why have we not developed, with like-minded--
at least starting there--the norms that we keep talking
about?
Mr. Lewis. Well, everyone and their dog is doing
cybersecurity now. And I guess that is a good thing.
Senator Gardner. Including the Foreign Relations Committee.
Mr. Lewis. Well, no, and I--but, your doing it is a really
good thing, though. It is time for you guys to get into this
business, so I am really happy to see you doing this. It is on
the international security agenda. I think I said that at least
twice. So, it is important that you play a guiding role in
this.
With that pitch, one of the big problems is--the Budapest
Convention is a classic example. This was a convention--it
started out being the Council of Europe Cybercrime Convention,
and the United States, Japan, Australia, a few non-European
countries were also members of it. Right? And we agreed to this
more than a decade ago. It has taken a while to get it endorsed
by these countries. But, what you see is places like India,
China, Brazil stepping back and saying, ``Hey, wait a minute.
This is no longer the 1990s, where you guys can just write
something and then hand it to us and say, `Here, sign on the
dotted line.' Anything we agree to, we have to participate
in.'' So, there is a real fear that, if we move in a like-
minded direction, we will lose the Indias and the Brazils in
this world. And that is a legitimate problem. It is something
that needs to be considered when we do things.
But, it has been a long time that we have been trying to
negotiate these things. And I think it is worth taking a step
back and saying--the proliferation example, where you did get
like-minded countries together, they did agree on norms, and
eventually the rest of the world adopted those norms. You know,
the missile technology control regime. So, we have a
fundamental decision here about, when is it time to move ahead
without letting other countries have sort of a de facto veto on
agreement?
Senator Gardner. Mr. Greenberger, did you want to add to
that?
Mr. Greenberger. Well, I am sympathetic to your concern
that so many things are happening and, what impact are they
having? And my measure of success is: Are we increasing the
ability to stop cyber attacks? And the way you do that is to
prepare both the public sector and private sector to adopt
practices that make cyber attacks more difficult. That is what
NIST has laid out for us. And my view would be, look, it--you
can talk about 9/11 and say, What penalty should the
perpetrators have paid?--et cetera, et cetera. But, what the
American people really wanted is, stop those terrorist attacks.
I am not saying that is the end of everything, or I am not
saying that doing the Budapest Convention is not worthwhile.
They are all worthwhile. But, when you are measuring--when you
are starting with a massive problem, limited resources--and we
have got to start measuring, Are we stopping things? The NIST
protocols will stop things. There are other technical protocols
that are out there that will stop things. If they do not stop
things, they will identify who the perpetrators are. By the
way, the five Chinese that we have indicted are still in China.
We do not have them back here. We need to stop these things,
and a secondary purpose is to name and shame. And, to the
extent we can attribute succinctly and clearly, I believe that
naming and shaming process will work.
And finally, look at NATO. NATO started out with European
countries and the United States. But, the success of it caused
people to want to join it. And I think that the Brazils and
India and what have you, if they see somebody starting, as we
said in our testimony, a single step on a 1,000-mile journey,
and those single steps are effective, worthwhile, stopping
attacks, people will want to come to the table. Trying to start
out with a global thing of getting an agreement with everybody,
I agree, is futile. We have got to start somewhere. And I would
suggest these baby steps toward collaboration, norms are the
way to go.
Senator Gardner. And, Mr. Lewis--thank you, Mr.
Greenberger--Mr. Lewis, just to follow up on that question. I
mean, so you still think, in spite of Mr. Painter--just to get
a clear answer--that a progress review of the 2011 report would
be a good idea.
Mr. Lewis. That a----
Senator Gardner. That a progress report of the 2011
strategy would be a good start.
Mr. Lewis. Oh, I think that would be very valuable. We have
done some good things, but there are many issues that are
unfinished.
Senator Gardner. Okay. And, in my conversation with Mr.
Painter, I talked about elevating the importance of cyber
issues amongst our diplomatic corps. He responded with the
efforts that they are undertaking. We talked about his
coordination with other departments--Department of Defense,
Homeland Security, and others--in their cybersecurity
conversations, in their cyber conversations. Going to the
structure of the cyber agencies, are we adequately
communicating? How could we restructure to make sure that
that--number one, the importance of the issue is elevated, but,
number two, coordinating to a sufficient level and creating the
kind of framework we need to respond to these kind of efforts
from a diplomatic point of view?
Mr. Lewis. Well, one of the successes of this
administration has been developing a more coordinated
interagency process. And so, I think Chris Painter mentioned
that. I have seen that, too. If you--this is a new problem, and
so the--this is only the third administration that has had to
confront it, honestly. And the White House Coordinator, the
White House coordination process through the NSC has been very
effective.
At the Department level, there is still room for
improvement. And the most obvious example of that might be DHS.
DOD is making a stupendous effort to organize appropriately for
cybersecurity. State did lead the way in creating a Cyber
Coordinator position. It is attached to the Secretary's office.
The question now is: Do you want to embed it in the normal
operations of the Department, where you have a responsible
Under Secretary, a Bureau led by an Assistant Secretary, you
know, an office structure below that? We have done it as kind
of an ad hoc thing appended to the Secretary. Now it might be
time to make that a more formal structure.
Senator Gardner. Senator Cardin.
Senator Cardin. Well, let me thank both of you. I find your
testimony to be very, very helpful. And it does underscore the
point that it is complicated. There are no simple answers.
So, Professor Greenberger, you have said our objective
should be judged by preventing the bad actors from doing what
they are doing. Of course, we have to define ``bad actors and
what they are doing'' as being bad. But, some of this stuff is
pretty obvious to us. It may not be obvious to the other side.
Just pointing that out. I will get to that in one moment.
And then you said you need international collaboration. I
heard you mention a couple of specifics: authenticating who is
doing the business. You also mentioned developing international
protocols and cooperation. But, I am not exactly sure what
international collaboration would mean in stopping the bad
actors. So, can you connect the dots for me a little bit better
on that?
Mr. Greenberger. Yes. Yes. First of all, I do not think it
is important to define who a bad actor is. I am reminded of
Potter Stewart's famous statement----
Senator Cardin. Yes.
Mr. Greenberger [continuing]. ``I cannot define
pornography, but I know it when I see it.'' And when we have
these attacks, we know--we do not have to have a definition of
``bad actor.'' We know we are in trouble, and we are angry.
In terms of collaboration--for example, in crisis
management scenarios, you always have emergency operations
centers communicating with each other when you have got multi-
State Superstorm-Sandy kind of events. One of the
recommendations of the Atlantic Council is to ensure that we
have identified who the responders to the cyber crisis are in
each of the countries who are like-minded with us, and that we
develop a continuing working relationship with them. Another
thing is to identify a priority of what infrastructures should
be protected. Now, it is true, that may vary from country to
country. But, there is some consensus that we can make a
meaningful start in that.
Thirdly is just taking NIST and, as NIST itself has asked,
internationalize their framework, or at least try to see if it
can be internationalized. It has been very widely praised. There
are virtually no critics of it. But, it has not been adopted
elsewhere in the international sphere.
And again, I turn back to--we have hit--there is no silver
bullet for this. We cannot wake up tomorrow and have the
problem solved. We have got to take the first step. And the
first step, to me, is gathering the like-minded together, not
only nation-states, but there are very important technical
institutions that are highly recognized in the United States,
like the Internet Engineering Task Force, and key members,
internationally, of the critical infrastructure sectors. And I
believe having communications with those people, you can
develop norms on how to prevent cyber attacks. You can have
collaboration between countries to respond to cyber attacks.
You can identify what the priorities of protection are. And, by
the way, as we see in crisis management scenarios, you do not
wait for a real attack; you have training, you have exercises.
I would just emphasize, Senator Cardin, as you know well,
the Baltimore unfortunate situation with Freddie Gray in the
last few weeks. The University of Maryland in Baltimore adopted
a whole panoply of responses to ensure the safety of faculty
and students. The week before the Freddie Gray event, we had an
on-campus field exercise that emphasized things like shelter in
place, that, a week later, were adopted in the real world. And
we need to have those kinds of experiences.
The Clinton administration started with the famous ``TOPOFF
exercise,'' which I think--there were four of them. I think
they hardened our domestic response to catastrophic events. We
need to start thinking that way, in terms of responses to
crisis events. And some of those responses are not dependent on
knowing who did it. What they are responsive to is, how do we
minimize the effect of an attack?
Senator Cardin. I think that those are good suggestions. I
agree that the technology at NIST needs to be better
understood. Some of our frustrations in dealing--in the United
States, in the private sector--is trying to get uniform
technology so that we can help each other from cyber thefts. We
are having difficulty in doing that. I agree with you on having
protocols on how to respond--it makes a great deal of sense.
Mr. Lewis, let me just ask--one of the challenges is that
like-minded countries may differ on some strategies dealing
with cybersecurity. The United States may take a pretty strong
view of the need to be aggressive in stopping proliferation.
Some of our like-minded countries may disagree with that type
of use of the Internet and cyber in order to advance our goals.
How do you reconcile homeland security issues within an
aggressive use of all the tools at our disposal and still able
to get like-minded protocols in place?
Mr. Lewis. Well, one of the things that has helped us, of
course--and we owe them a deep vote of thanks--is Vladimir
Putin, because he has helped persuade the Europeans that maybe
we are not so bad after all. So----
Senator Cardin. I was looking for some reason to----
[Laughter.]
Mr. Lewis. The silver lining. It is here.
It is worth noting that we cannot stop determined state
actors. Right? And that is why we need international agreement,
particularly the Russians, who are among the best in the world.
If they want to get into your network, they are going to get
into your network. And the fact that we have seen them in DOD,
State, and the White House, at least at the unclassified level,
is indicative of their skills. Our allies know this. And so,
there are a couple levels at which we can build cooperation.
The first one, as you know, is what is sometimes referred
to in the press as the ``Five Eyes''--the five countries that
have a very deep intelligence relationship. They are
cooperating on cybersecurity. They are thinking about how to
better defend themselves. The second level is NATO and our
other allies, particularly Japan, Australia, Korea. These
countries have begun to work closely with the United States on
better cybersecurity. The European Union is an opportunity with
their work in DHS. These people all share values, and they all
share agreement on norms. So, while individual practices may
differ--you know, France, of course, has a much more regulatory
system; the Germans give a lot more attention to the privacy--
but, within that, in the norm space about what responsible
state behavior is, there is strong agreement among these
countries, and perhaps with others. I do not mean to exclude
countries like Kenya, which has been very active in this field;
Brazil, which has done some good work. We have incipient
partnerships that could be further strengthened, and we have
existing partnerships that provide a basis for moving ahead.
Senator Cardin. Well, let me thank both of our witnesses,
Mr. Chairman. I am going to apologize, because I am being
called to another committee that will be adjourning shortly,
and I want to make sure I get my point in there. But, I really
want to thank both of the witnesses here. I have Professor
Greenberger's advice, whenever I need it, in Baltimore. And I
appreciate what he does in our State. And, Mr. Lewis, I very
much appreciate your contribution to this first hearing of our
committee and the subject that we have.
Cybersecurity crosses many committees' jurisdictions here,
and crosses many agencies in the Federal Government. And we
discovered--prior to the attack on our country on September the
11th--that we were not sharing information. And we try to take
steps to correct that. I think we have come a long way, but we
are not where we need to be. So, in the Congress, we need to
get our act together, from the point of view of the Armed
Services Committee, the Intelligence Committee, the Judiciary
Committee, and the Foreign Relations Committee. I am sure there
are others. And I do think that this committee can play a major
role in trying to make sure that we are all coordinated in our
efforts. And I thought your testimonies were particularly
helpful. So, thank you both very much.
Senator Gardner. And, Senator Cardin, thanks again for
making this happen. I know you are busy, so thank you very much
for participating today.
I want to continue just a few more questions as we discuss
these points today. Continuing the line of thinking and the
line of questioning on international norms and bringing people
to the table about those norms. In your testimony, Mr. Lewis,
you talked a little bit about that some people are going to
fight to enter into any kind of norms, just like they did
proliferation, as we have discussed. You talk about providing a
mix of incentives and penalties. And so, we know the President
has tools. We know the executive branch has tools now to impose
certain penalties. Do you think we have gone far enough
imposing, or not imposing, or should we take more of an
economic sanctions kind of approach to help create the penalty
phase of bringing people to the table on norms?
Mr. Lewis. That is a great question. And I think a way to
think about this--and this is very much built on the experience
that began, really, in the Reagan administration and the Bush
administration, on, how do you move countries like China to
behave more responsibly when it comes to proliferation? And it
has to be--you know, sometimes it is a push, and sometimes it
is a pull. So, having done the indictments, which were very
effective in China--it upset them a great deal, and that cannot
always--that is
probably a good thing. It certainly got their attention. Having
put in place the President's ability now to sanction, with the
April 1 Executive order, we need to see how our rivals react to
this.
In this case, I think there is room, probably, for some
negotiation with the Chinese. The Russians will be much more
difficult. So, one of our--unlike the cold war, where we had
there was one side, and there was the other--we have multiple
potential opponents, and we may need to be different in how we
react to them. It might be time for more aggressive measures,
but we need to wait and see what the reaction is. Again, my
measurement is really simple. Are the number of incidents going
up, or down? And the answer is, they are certainly not going
down.
Senator Gardner. Mr. Greenberger, you talk about
internationalizing the NIST framework and other ideas. You do
not seem to talk much about punitive measures. Is that
something that you could see a use for, or----
Mr. Greenberger. Oh, I absolutely can see a use for it.
But, what I am trying to do is figure out what first steps do
we need to take and get organized? You can have all the
punitive measures in the world, but if you cannot identify the
perpetrator, it does not help. Also, if we indict and--my
colleague says that had an effect, but we cannot bring them to
the United States. We have got all sorts of extradition
problems. I think we should move forward on all these fronts.
Frankly, I think our sanctions, as we sit here now, are enough.
What we need to be able to do is: (a), protect ourselves, from
the attacks. And, as has been pointed out, it is not the United
States protecting itself as the United States, but protecting
our private infrastructure, as well. So, these are difficult
things. But, my view is, the first step is, everything you
read, everything you look at as a proposal, how does it give
immediate relief to the problems we are seeking right now? And
I think punitive damages assumes we know who the perpetrators
are. And I think there is a consensus within the cybersecurity
community that we may be able to say Russia or China, but we
cannot say who. And if it is true that Russia and China are
two-thirds, what about the other one-third who are often
private citizens, hacksters who are causing all this damage? To
the extent we have confidence in our ability to give
attribution, many have said, and I agree, that that, in and of
itself, could be a deterrence, that you cannot hide behind
botnets and everything else, that you will be brought to the
fore.
So, in summary, my view is that we need to look more
carefully at the fundamentals. How do we prevent the attacks?
How do we stop this stuff? How do we coordinate our response to
attacks with other countries? How do we bring the technical
expertise of the private sector to the table? That is what I
think we can build on. And, as we develop that, we can identify
perpetrators better, we may want to refine punitive sanctions.
And also, as to amending the 2011 Obama administration
report, which we all agree was an excellent start, but if you
go back and read that report, ask yourself, What steps are
recommended there to prevent cyber attacks, to respond to cyber
attacks, and to, as a practical matter, internationalize our
response? I think, in that respect, it is 4 years ago--as you
said, four centuries have gone by, in effect--but, just
updating that and having more generalizations without specifics
is not going to be helpful.
Senator Gardner. Mr. Lewis.
Mr. Lewis. Just if I could add on one point, Mr. Chairman,
and thank you.
One of the significant changes in the last few years has
been the ability of the United States to specifically identify
the perpetrators of cyber activity. This is an effort that
began probably in 2006 at the Department of Defense. And you
might have seen a line in the State of the Union Address this
year that hinted at how the United States does this, because
the President said we would build on our experience in the
counterterrorism realm of blending different sources of
intelligence. So, beginning in 2006, DOD and NSA and other
intelligence agencies have put a significant effort into
identifying the tools that foreign opponents would use, so they
could be recognized, identifying the centers that foreign
opponents use, and, since Mr. Snowden has said it, I will say
it, too, in penetrating foreign networks so that we can observe
their activities. And putting those things together, along with
human intelligence, the use of human agents, traditional
signals intelligence, listening in to communications, along
with cyber intelligence, has greatly improved the capabilities
of the United States to specifically attribute. How this will
change, I agree with Professor Greenberger, we do not know what
the effect will be. But, the first time I talked to DOD about
this, 8 years ago, they told me they could identify one out of
three. Now I think it is well over two out of three, and maybe
three out of four.
The indictments should have been a good hint to people. We
have these people's pictures. I have even told some of my
Chinese colleagues they have to get their hackers to dress
better. We have this ability now that is not shared by other
countries. One of the problems is: How do we provide that
information? But, it may be worth the committee--and I know
this falls a little outside of your jurisdiction, but the
intelligence community has made a major effort to improve our
ability to attribute attacks.
Senator Gardner. As I learned from the House Energy and
Commerce Committee, nothing is outside of our jurisdiction.
[Laughter.]
The norms that we have talked about, the redlines that we
have--I talked about with Mr. Painter--Mr. Painter said that
there are clearly certain redlines--if somebody were to go onto
a network and do some damage to a U.S. Government network or
business. Do these norms need to include other redlines that--
and, if so, what are they and how do we push that process?
Mr. Lewis. In 2012, Iran began major denial-of-service
attacks against leading U.S. banks. Iran, China, and Russia
have probed our critical infrastructure to find vulnerabilities
that could be used for a truly damaging attack, one that
disrupted services or caused physical destruction; at least in
the case of the Russians, they have that capability. And so, in
response, then-Secretary of Defense Panetta gave a speech in
New York, where he said that the United States would take
action against cyber attacks that threatened to cost American
lives or do significant economic harm. So, those are the two
thresholds we have set. And they have been more or less
reinforced since then in several statements by then-Chairman
Dempsey, by Secretary Carter, by the President. There is an
implicit understanding that, if people are hurt or if you do
something truly significant to the economy, you face the
potential for a very damaging response.
The dilemma is that everything that falls below that
apparently is okay. And one of the problems we have had in this
year is, we have seen both Iran and North Korea push the
envelope a little bit. They did do destructive attacks against
U.S. companies, against Sony and against a casino in Las Vegas.
Those did destroy data, those did damage computer networks. It
is a gray area, but they came a lot closer to the line. And so,
one of the problems we have now is, How do we remind people,
``There are lines. Do not try and push the envelope. You need
to take a step back''?
Senator Gardner. Thank you.
And I just--to wrap this up--I do not want to keep you any
longer than necessary--the final question I have is--and I know
you have talked a little bit about--Mr. Greenberger, just
before--Professor Greenberger--just before the last question,
about what your updates to the 2011 strategic framework would
look like.
Mr. Lewis, give me two or three things that we ought to
start with on a progress review. And, obviously, Professor
Greenberger, I do not want to cut you off, so if you have
something else that you would like to add, too, and then we
will conclude.
Mr. Lewis. We need to--as we have done in other security
areas, like proliferation--assemble a group of countries that
think like us, and begin to identify the norms that we think
should apply, and reach agreement on them. We need to engage
with the fence-sitters--India, Brazil, Turkey, the big new
powers, South Africa--and keep them comfortable on this, but we
do not want to give them a veto. So, I would say the most
important thing we can do now is say--and as Professor
Greenberger has said--get the like-minded together, get them to
agree, and then get the rest of the world to go along.
Senator Gardner. Professor Greenberger.
Mr. Greenberger. Yes. I agree with that. Basically, I do
want to say that I am not as sanguine about our ability to
identify who the perpetrators are. I think that needs to be
explored. And a further point is, we do not know all the acts
that have been conducted, because, as Senator Cardin said, many
of the private sector do not want to identify that they have
been attacked, for fear of losing the good will. So, I think
that is still something to be--I think the literature, if you
read it, still suggests that authentication is a serious
problem.
Senator Gardner. Yes.
Well, thank you. That concludes today's committee hearing.
I want to thank the witnesses for your testimony, time, and
answers today.
And, for the information of members, the record will remain
open until the close of business next Tuesday, including for
members to submit questions for the record. Here is the fun
part. We ask the witnesses to respond as promptly as possible.
Your responses will also be made a part of the record.
So, with that, thank you. Thanks, to Senator Cardin.
And this committee is adjourned.
[Whereupon, at 11:37 a.m., the hearing was adjourned.]
----------
Additional Material Submitted for the Record
Responses of Christopher Painter to Questions
Submitted by Senator Benjamin L. Cardin
Question. International Standards.--As discussed at the hearing,
the National Institute of Standards and Technology (NIST) has conducted
cybersecurity research for decades, and leads the government in
standards development and protocols for cybersecurity operations,
testing, and certification. NIST's 2014 Framework for Improving
Critical Infrastructure Cybersecurity references globally accepted
standards and protocols, which can be used both in the U.S. and abroad
to operate more efficiently and manage risks. NIST is continuing to
work with foreign governments, federal agency partners, and industry
stakeholders to promote the Framework and encourage alignment of
compatible cybersecurity standards and practices.
To what extent have these NIST standards and protocols been
adopted by foreign governments? In your view, what are the
major impediments for adoption of these standards? In terms of
both preventing cyber attacks and identifying the source of
cyber attacks, which standards should the international
community adopt most quickly?
Answer. Foreign governments are well aware of the National
Institute of Standards and Technology (NIST) Framework, as both U.S.
officials from across the government and industry are sharing lessons
learned about the Framework's development and its use throughout
industry.
We believe broad use of the Framework serves as a model approach to
strengthening critical infrastructure cybersecurity and that it should
be adopted quickly by the international community. The aim is to
promote a universally accepted and applicable approach to cybersecurity
that fosters interoperability and innovation, and enables the efficient
and effective use of resources.
Public-private partnerships, such as the ones being leveraged to
promote the Framework, are essential to improving cybersecurity not
only because the private sector owns the majority of critical
infrastructure, but also because industry is most familiar with the
cybersecurity products and services they develop, manufacture, deploy,
and operate. As a consequence, industry is in a unique position to
offer the technical and monetary resources to manage the cybersecurity
risks associated with their products and services.
We have increased awareness and use of the Framework throughout the
world since its launch in 2014. As two recent examples, in January,
President Obama committed with the U.K. Government to ``work with
industry to promote and align our cybersecurity best practices and
standards, to include the U.S. Cybersecurity Framework and the United
Kingdom's Cyber Essentials scheme,'' and in April, the United States
and Japan committed to ``seek to enhance global resilience of critical
infrastructure through the promotion of principles like those in the
National Institute of Standards and Technology Framework for Improving
Critical Infrastructure Cybersecurity.''
I would refer any further questions regarding the NIST Framework
directly to NIST.
Question. International Competitiveness for American Companies.--In
the wake of the WikiLeaks disclosures, some American companies now
argue they are at a competitive disadvantage when selling their
cybersecurity and information technology products and services to other
countries. Foreign nations have argued that U.S. companies may have to
violate the privacy laws of foreign nations in order to comply with
U.S. law enforcement efforts.
What steps can U.S. Government agencies take in order to
assuage the concerns of foreign governments that may be
reluctant to purchase American cybersecurity and information
technology products and services?
Answer. In a competitive ICT market, firms and service providers
have an interest in providing and procuring secure, trustworthy
products and services that allow customers to build resilient networks.
U.S. technology companies are at the forefront of global innovation,
and provide new and exciting technologies to customers around the
world. Their domestic and international customers recognize and
appreciate these companies' dedication to information security. In
recent years, the U.S. Government, including the President, has engaged
in a series of conversations and initiatives with industry to reinforce
the long-standing reputation of U.S. companies as good stewards of
electronic information. One example is the extensive outreach and
discussions spearheaded in 2014 by then-Counselor to the President John
Podesta that resulted in a detailed and comprehensive assessment and
report that addressed the opportunities and challenges presented by Big
Data. We also engaged industry in developing greater transparency by
companies regarding government information requests. In addition,
during the President's Cybersecurity Summit at Stanford University, on
February 13, 2015, companies discussed key aspects of consumer
protection and cybersecurity and pledged to enhance their efforts in
various areas. We will continue to work with industry on these efforts.
Through our diplomatic efforts, the Department of State has worked
to build trust with specific partners that have raised particular
concerns, as well as with the public more broadly. For example, we
addressed head-on concerns within the international Internet community
in the aftermath of the initial disclosures at several high profile
events, including the Stockholm Internet Forum, the Internet Governance
Forum, and the Munich Security Conference. To help address concerns in
Germany, in June 2014, our governments jointly organized an open,
multistakeholder Cyber Dialogue hosted by German Foreign Minister
Steinmeier, in which John Podesta participated, and where a high level
panel of both German and U.S. experts discussed big data, privacy,
security, economic innovation, and international cyber cooperation. The
United States is also using every available opportunity to impress upon
China our concerns regarding new draft laws and regulations that would
impose restrictions on a wide range of U.S. and other foreign ICT
products and services.
Do these foreign governments' concerns present an
additional hurdle for U.S. Government agencies attempting to
promote and harmonize international cybersecurity standards? If
so, what steps should U.S. Government agencies take to address
and overcome these concerns?
Answer. The U.S. Government believes that using widely accepted
standards helps create competitive markets around cybersecurity needs
through combinations of price, quality, performance, and value to
consumers. This competition then promotes faster diffusion of these
technologies throughout global industry. The U.S. Government promotes
policies built off those cybersecurity standards, as illustrated in the
Framework for Improving Critical Infrastructure Cybersecurity developed
by the National Institute of Standards and Technology (NIST). As such,
we encourage foreign governments as well as partners in the private
sector to evaluate these standards for themselves. We believe that this
transparency serves to address many of the possible concerns foreign
governments might have.
Also, as NIST continues to support and improve the Framework, it is
soliciting input on options for long-term governance of the Framework
including transitioning responsibility for it to a nongovernmental
organization. Any transition must minimize or prevent potential
disruption for organizations that are using the Framework. The ideal
transition partner (or partners) would have the capacity to work
closely and effectively with international organizations, in light of
the importance of aligning cybersecurity standards, guidelines, and
practices within the United States and globally. Transitioning to such
a partner--along with NIST's continued support--would help to ensure
that cybersecurity-related standards and approaches taken by the
Framework avoid creating additional burdens on multinational
organizations wanting to implement them.
Question. USG Interagency Coordination.--The Cyber Threat
Intelligence Integration Center (CTIIC) will be a national intelligence
center focused on ``connecting the dots'' regarding malicious foreign
cyber threats to the nation and cyber incidents affecting U.S. national
interests, and on providing all-source analysis of threats to U.S.
policymakers. The CTIIC will also assist relevant departments and
agencies in their efforts to identify, investigate, and mitigate those
threats.
In terms of government coordination, what do you see as the
most important steps that the newly created Cyber Threat
Intelligence Integration Center must take?
Answer. As noted in the background to the question, a key role for
the Cyber Threat Intelligence Integration Center (CTIIC) will be to
``connect the dots'' regarding malicious foreign cyber threats to the
United States so that relevant departments and agencies are aware of
these threats in as close to real time as possible. As such, the CTIIC
will provide integrated all-source analysis of foreign cyber threats
and cyber incidents affecting U.S. national interests; help ensure that
the U.S. Government centers responsible for cybersecurity and network
defense have access to the intelligence needed to perform their
missions; and facilitate and support efforts by the government to
counter foreign cyber threats.
As part of these efforts, one key role that the CTIIC will take on
will be to integrate and leverage the insight and information already
held by the Federal Government in order to produce a more timely and
holistic understanding of foreign cyber threats. In practice, relevant
information from other areas of government responsibility (e.g.,
investigation and incident response) will be integrated with threat
intelligence at CTIIC. The result should be a unified perspective that
helps decisionmakers more readily understand the magnitude of a
particular threat or incident and helps them ensure that appropriate
actions are taken by the government. Such integration can also give
federal agencies information to enhance their cybersecurity posture and
can provide those federal agencies charged with supporting
cybersecurity more broadly--especially incident prevention, response,
and mitigation--with more timely and actionable threat information to
share with their private sector partners.
I would refer you to the Office for the Director of National
Intelligence for further information on the CTIIC.
______
Responses of James A. Lewis to Questions
Submitted by Senator Benjamin L. Cardin
Question. To what extent have these NIST standards and protocols
been adopted by foreign governments? In your view, what are the major
impediments for adoption of these standards? In terms of both
preventing cyber attacks and identifying the source of cyber attacks,
which standards should the international community adopt most quickly?
Answer. NIST has promoted its standards globally and there is
interest in many countries. Some have taken the Framework as a model or
as the basis for their own work. The chief obstacle to adoption is the
lack of an organizational structure and authorities to implement
standards. In addition to the Framework, you have ISO standards and the
20 Critical Controls as alternatives, but there is a degree of
commonality among all three. The future evolution of the Framework
provides an opportunity for greater engagement with foreign partners.
Question. International Competitiveness for American Companies.--In
the wake of the WikiLeaks disclosures, some American companies now
argue they are at a competitive disadvantage when selling their
cybersecurity and information technology products and services to other
countries. Foreign nations have argued that U.S. companies may have to
violate the privacy laws of foreign nations in order to comply with
U.S. law enforcement efforts.
What steps can U.S. Government agencies take in order to
assuage the concerns of foreign governments that may be
reluctant to purchase American cybersecurity and information
technology products and services?
Answer. Greater transparency on U.S. policy regarding IT and the
relation with companies for key issues like FBI and NSA access to
products and to records held by U.S. companies would help. Foreign
citizens do not understand the constraints the U.S. agencies operate
under, but even if they did, they might not feel more secure. The U.S.
needs to accompany this with high-level political commitments not to
interfere with U.S. information technology products; this would help, but it
will take a long time to restore confidence and success will not be
easy or guaranteed. Since the effort to undermine U.S. companies is
being exploited by foreign governments, the U.S. needs to take more
assertive steps to counter this propaganda and expose the dishonesty of
critics like Snowden and his entourage as part of a larger strategy to
rebuild trust.
Question. Do these foreign governments' concerns present an
additional hurdle for U.S. Government agencies attempting to promote
and harmonize international cybersecurity standards? If so, what steps
should U.S. Government agencies take to address and overcome these
concerns?
Answer. U.S. calls for a ``free and open Internet'' are no longer
well received by many countries in light of the NSA leaks. The entire
international cyber strategy needs to take this into account and to
address the concerns of key allies like Germany over data protection.
The pursuit of norms and CBMs is still useful, but not enough. It's
worth noting that these concerns are less those of the governments,
most of whom also engage in espionage and many of whom knew of NSA
activities, and more the concerns of their citizens, who will vote
against politicians not seen as sufficiently assertive against the
United States. The issue for NIST and other agencies is now to restore
credibility and this requires more transparent and inclusive processes.
Question. USG Interagency Coordination.--The Cyber Threat
Intelligence Integration Center (CTIIC) will be a national intelligence
center focused on ``connecting the dots'' regarding malicious foreign
cyber threats to the nation and cyber incidents affecting U.S. national
interests, and on providing all-source analysis of threats to U.S.
policymakers. The CTIIC will also assist relevant departments and
agencies in their efforts to identify, investigate, and mitigate those
threats.
In terms of government coordination, what do you see as the
most important steps that the newly created Cyber Threat
Intelligence Integration Center must take?
Answer. CTIIC's job is to coordinate intelligence on cyber threats,
similar to what NCTC does for terrorism. Coordination among government
agencies is the responsibility of the NSC. CTIIC will need to develop
the capability to acquire more than just ``cyber threat'' intelligence.
To use Sony as an example, the first warning came from the DPRK letter
to the U.N. Secretary General in the summer of 2014. This was not
technical or cyber intelligence. The Center will, in addition to
cyber intelligence, need to track risk in a manner similar to how large
corporations track political risk. This is a significant task and to be
effective, the CTIIC will need to be able to draw on the resources of
the entire intelligence community.