<html>
<title>BUILDING A MORE SECURE CYBER FUTURE: EXAMINING PRIVATE SECTOR EXPERIENCE WITH THE NIST FRAMEWORK</title>
<body><pre>[Senate Hearing 114-86]
[From the U.S. Government Publishing Office]


                                                        S. Hrg. 114-86

                  BUILDING A MORE SECURE CYBER FUTURE:
               EXAMINING PRIVATE SECTOR EXPERIENCE WITH
                         THE NIST FRAMEWORK

=======================================================================

                                HEARING

                               BEFORE THE

                         COMMITTEE ON COMMERCE,
                      SCIENCE, AND TRANSPORTATION
                          UNITED STATES SENATE

                    ONE HUNDRED FOURTEENTH CONGRESS

                             FIRST SESSION

                               __________

                            FEBRUARY 4, 2015

                               __________

    Printed for the use of the Committee on Commerce, Science, and
                             Transportation


                           U.S. GOVERNMENT PUBLISHING OFFICE
96-958 PDF                     WASHINGTON : 2015
___________________________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Publishing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
E-mail, gpo@custhelp.com.


       SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION

                    ONE HUNDRED FOURTEENTH CONGRESS

                             FIRST SESSION

                   JOHN THUNE, South Dakota, Chairman
ROGER F. WICKER, Mississippi         BILL NELSON, Florida, Ranking
ROY BLUNT, Missouri                  MARIA CANTWELL, Washington
MARCO RUBIO, Florida                 CLAIRE McCASKILL, Missouri
KELLY AYOTTE, New Hampshire          AMY KLOBUCHAR, Minnesota
TED CRUZ, Texas                      RICHARD BLUMENTHAL, Connecticut
DEB FISCHER, Nebraska                BRIAN SCHATZ, Hawaii
JERRY MORAN, Kansas                  EDWARD MARKEY, Massachusetts
DAN SULLIVAN, Alaska                 CORY BOOKER, New Jersey
RON JOHNSON, Wisconsin               TOM UDALL, New Mexico
DEAN HELLER, Nevada                  JOE MANCHIN III, West Virginia
CORY GARDNER, Colorado               GARY PETERS, Michigan
STEVE DAINES, Montana
                    David Schwietert, Staff Director
                   Nick Rossi, Deputy Staff Director
                    Rebecca Seidel, General Counsel
                 Jason Van Beek, Deputy General Counsel
                 Kim Lipsky, Democratic Staff Director
              Chris Day, Democratic Deputy Staff Director
       Clint Odom, Democratic General Counsel and Policy Director

                            C O N T E N T S

                              ----------

Hearing held on February 4, 2015
Statement of Senator Thune
Statement of Senator Nelson
Statement of Senator Moran
Statement of Senator Peters
Statement of Senator Schatz
Statement of Senator Daines
Statement of Senator Klobuchar
Statement of Senator Manchin
Statement of Senator Udall
Statement of Senator Gardner
Statement of Senator Blumenthal

                               Witnesses

Dr. Charles H. Romine, Director, Information Technology
  Laboratory, National Institute of Standards and Technology,
  U.S. Department of Commerce
    Prepared statement
Ann M. Beauchesne, Vice President, National Security and
  Emergency Preparedness, U.S. Chamber of Commerce
    Prepared statement
Paul N. Smocer, President of BITS, Financial Services Roundtable
    Prepared statement
Jefferson H. England, Chief Financial Officer, Silver Star
  Communications
    Prepared statement
Dr. James Lewis, Director and Senior Fellow, Strategic
  Technologies Program, Center for Strategic and International
  Studies
    Prepared statement

                                Appendix

Joshua J. Pauli, Ph.D., Associate Professor of Cyber Security,
  Dakota State University, prepared statement
Letter dated February 18, 2014 to Hon. John Thune and Hon. Bill
  Nelson from Peter M. Cleveland, Vice President, Global Public
  Policy Group, Intel Corporation
Letter dated February 4, 2015 to Hon. John Thune and Hon. Bill
  Nelson from Jennifer M. Safavian, Executive Vice President,
  Government Affairs, Retail Industry Leaders Association (RILA)
Independent Community Bankers of America (ICBA), prepared
  statement
Response to written questions submitted to Dr. Charles H. Romine
  by:
    Hon. John Thune
    Hon. Roy Blunt
Response to written questions submitted to Ann M. Beauchesne by:
    Hon. John Thune
    Hon. Roy Blunt
    Hon. Bill Nelson
Response to written questions submitted to Paul N. Smocer by:
    Hon. John Thune
    Hon. Roy Blunt
    Hon. Bill Nelson
Response to written questions submitted to Jefferson H. England
  by:
    Hon. John Thune
Response to written question submitted to Dr. James A. Lewis by:
    Hon. Roy Blunt
    Hon. Bill Nelson


     BUILDING A MORE SECURE CYBER FUTURE: EXAMINING PRIVATE SECTOR
                   EXPERIENCE WITH THE NIST FRAMEWORK

                              ----------


                      WEDNESDAY, FEBRUARY 4, 2015

                                       U.S. Senate,
        Committee on Commerce, Science, and Transportation,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 9:59 a.m. in room
SR-253, Russell Senate Office Building, Hon. John Thune,
Chairman of the Committee, presiding.
    Present: Senators Thune [presiding], Blunt, Ayotte, Moran,
Gardner, Daines, Nelson, Cantwell, Klobuchar, Blumenthal,
Schatz, Udall, and Peters.

             OPENING STATEMENT OF HON. JOHN THUNE,
                 U.S. SENATOR FROM SOUTH DAKOTA

    The Chairman. This hearing will come to order.
    Good morning and welcome.
    We are here today to examine the private sector's
experience working with the National Institute of Standards and
Technology to develop and utilize the Framework for Improving
Critical Infrastructure Cybersecurity and also to look forward
to additional steps that can be taken to help improve our
Nation's cybersecurity.
    No country, company, or consumer is immune to cybersecurity
threats. The United States faces a growing array of threats
from hackers, from criminals, terrorists, and nation states who
seek to gain access to sensitive or classified information.
This also includes efforts to steal intellectual property or
consumers' personal information, deny the availability of
normally accessible online services, or potentially sabotage
the networks and control systems of critical infrastructure.
    While cyber threats are not new, we saw a number of notable
cyber events last year. In 2014, security flaws such as
Sandworm, Shellshock, POODLE, and Heartbleed compromised
millions of servers and systems. Attacks on point of sale
systems sent ripples through the retail industry, not to
mention the significant cyber hack of Sony Pictures.
    In 2014, after a decade without passage of major
cybersecurity legislation, Congress passed five cybersecurity
bills that were signed into law. I am especially pleased that
our committee's work on the Cybersecurity Enhancement Act of
2014, which I worked on with former Chairman Rockefeller, was
one of those bills the President signed into law.
    Our Committee's bill ensures the continuation of a
voluntary and industry-led process for identifying
cybersecurity standards and best practices for critical
infrastructure, codifying elements of the successful process
that NIST undertook to create its Cybersecurity Framework and
ensuring NIST's continued involvement in this public-private
collaboration.
    The law also included important provisions for research and
development, workforce development, and increased public
awareness. It will help to protect the public and private
sectors against the growing number of cyber threats from around
the world by, among other things, strengthening and directing
better cooperation across Federal agencies in research and
development, improving our test beds and cloud computing
security, and authorizing the National Science Foundation's
successful Cybercorps scholarships.
    I am proud to note that Dakota State University in my home
state is a leading institution of higher education in the area
of cybersecurity. I appreciate that Dr. Josh Pauli, an
Associate Professor of Cyber Security at DSU, has provided
written remarks discussing that work, and I will submit those
as a part of the record.
    I called today's hearing primarily to hear from
stakeholders about their experience with the NIST Framework.
Released almost one year ago today, the Framework provides a
common language regarding security issues to facilitate
discussions within a company between the technical IT security
managers and senior management. While the Framework targets
organizations that own or operate critical infrastructure,
businesses across all sectors may find use of the Framework
beneficial.
    The success of the Framework thus far is due in large part
to NIST's collaborative relationship and engagement with the
private sector. As a non-regulatory agency dedicated to
promoting U.S. innovation and industrial competitiveness in
ways that enhance economic security, NIST has been a genuine
partner and has successfully combined its technical expertise
in standards with the know-how of the private sector to help
advance the Nation's technology infrastructure.
    Congress is now tasked with important questions about what
actions the Federal Government should take next. Included among
those questions is: one, how do we assess the effectiveness of
the Framework going forward? What incentives do businesses and
consumers need to improve their cyber defenses? What type of
cyber threat information sharing legislation is needed to help
industry defend against more sophisticated cyber attacks? What
should we do to better secure our supply chain? And what more
can be done in related areas?
    These questions are relevant to both the private and public
sectors. According to the U.S. Government Accountability
Office, ``Federal agencies have significant weaknesses in
information security controls . . .'' Last year, I along with
Senator Rockefeller sent letters to every agency under our
committee's jurisdiction asking targeted questions about the
measures being taken to protect systems using unsupported
operating systems, as well as compliance with the Federal
Information Security Management Act. As chairman, I will be
continuing to conduct such oversight of agencies' information
security management.
    While I am pleased that Congress took a positive step to
improving our cybersecurity posture by passing a number of
bills in December, I believe an absolutely missing piece for
this Congress is finally passing legislation to spur greater
cyber threat information sharing. It is my hope that the Senate
can find a path forward in this area soon. The hearing being
held today underscores the seriousness of the threat and our
commitment to passing information sharing legislation that did
not get done in the last Congress.
    I now yield to my distinguished Ranking Member, the Senator
from Florida, Senator Nelson.

                STATEMENT OF HON. BILL NELSON,
                   U.S. SENATOR FROM FLORIDA

    Senator Nelson. Thank you, Mr. Chairman. And that is music
to my ears because that is exactly what we need, greater
sharing, because cyber attacks and data breaches have real
consequences on the lives of everyday Americans. They are
painful for the American family that has to juggle their
responsibilities while trying to replace their credit card or
get back the money that was taken from them because of a
compromised bank account, or reclaim his or her identity, which
is a nightmare when it gets stolen.
    And they are costly for businesses that have been hacked.
The estimate for Sony is something like $100 million. Some
studies estimate that cyber attacks are costing American
business as much as $400 billion a year. That is extraordinary.
I see you nodding your head; I want you to testify about that.
    These cyber attacks also threaten the national security.
Now, if a saboteur came and blew up an electric plant here,
that would be an attack upon America. Well, a cyber attack can
do the same thing. And it is coming whether it is in the form
of an electrical plant or a business grid, or a water system--
whatever is going to try to inject economic pain and terror
into the American people. Those attacks are upon us right now,
and sooner or later, they are going to be successful. So it is
not a question of if. It is a question of when is the attack
going to be successful like it was with Sony.
    Now, fortunately, we have got some things on our side.
Everybody's awareness is being heightened. We have got a great
National Institute of Standards and Technology that is
constantly working. You mentioned the stuff in your home state.
NIST just had their Cybersecurity Framework Workshop down in my
state.
    We have really got to figure out how we are going to come
together, whether it be entirely voluntarily or whether there
be some kind of mandate, because the necessity for all of us
coming together, both government and the private sector, is
upon us because of the threat to our way of life and our
standard of living.
    And so, Mr. Chairman, thank you. I take this very
seriously. I had the privilege of serving as the Chairman of
the Subcommittee in Armed Services, where I just came from,
called Emerging Threats, which has as its jurisdiction
cybersecurity and the national security interests. I am,
needless to say, quite interested in this subject, and I
appreciate your attention in calling this hearing.
    The Chairman. Thank you, Senator Nelson. You are right.
This has some tremendous national security implications, not to
mention the enormous economic harm that you alluded to and the
impact that can have on our country's economic interests.
    We have a great panel with us today. We look forward to
hearing from them. First off is going to be Dr. Charles Romine.
He is the Director of the Information Technology Laboratory at
the National Institute of Standards and Technology under the
U.S. Department of Commerce. That is a long thing to put on a
business card right there.
    Ms. Ann Beauchesne. Ms. Beauchesne is the Vice President of
National Security & Emergency Preparedness at the United States
Chamber of Commerce.
    Dr. Paul Smocer. Mr. Smocer is the President of BITS, the
Technology Policy Division of the Financial Services
Roundtable.
    Mr. Jefferson England. Mr. England is the Chief Financial
Officer for Silver Star Communications.
    And Dr. James Lewis. Dr. Lewis is the Director and Senior
Fellow of the Strategic Technologies Program at the Center for
Strategic and International Studies, CSIS.
    So we will look forward to hearing from all of you. We will
start at my left and your right with Dr. Romine.

         STATEMENT OF DR. CHARLES H. ROMINE, DIRECTOR,

          INFORMATION TECHNOLOGY LABORATORY, NATIONAL

             INSTITUTE OF STANDARDS AND TECHNOLOGY,

                  U.S. DEPARTMENT OF COMMERCE

    Dr. Romine. Thank you, Chairman Thune, Ranking Member
Nelson, and members of the Committee. I am Dr. Charles Romine,
the Director of the Information Technology Laboratory at NIST.
Thank you for the opportunity to appear before you today to
discuss our work in cybersecurity.
    NIST has worked in cybersecurity with Federal agencies,
industry, and academia since 1972. Our role to research,
develop, and deploy information security standards and
technology to protect information systems against threats to
the confidentiality, integrity, and availability of information
and services was strengthened through the Computer Security Act
of 1987, broadened through the Federal Information Security
Management Act of 2002, and reaffirmed in the Federal
Information Security Modernization Act of 2014. The
Cybersecurity Enhancement Act of 2014 also authorizes NIST to
facilitate and support the development of voluntary, industry-
led cybersecurity standards and best practices for critical
infrastructure.
    NIST accomplishes its mission in cybersecurity through
collaborative partnerships with our national and international
stakeholders in industry, government, academia, standards
bodies, and consortia.
    A prime example of these collaborations is the Framework
for Improving Critical Infrastructure Cybersecurity, or just
the Framework, in response to Executive Order 13636. The
Framework consists of standards, guidelines, and practices to
promote the protection of critical infrastructure. The
prioritized, flexible, repeatable, and cost-effective approach
of the Framework helps owners and operators of critical
infrastructure align their policies, technologies, and day-to-
day business operations to better protect their data and their
information technology and industrial control systems and
tailor it to individual needs.
    The fact that the Framework is and will remain voluntary
allows us to bring the maximum number of stakeholders to the
table.
    The Framework was always designed to be a living document,
shaped by the experiences of those using it. Based on recent
feedback, I would like to share some thoughts about where we
are now almost a year since the release of the Framework.
    Organizations are using the Framework in a variety of ways,
such as raising awareness within their organization, including
with executive leadership, improving communications of
cybersecurity expectations with business partners, suppliers,
and across and among sectors, and demonstrating alignment with
standards, guidelines, and best practices. We have been
encouraged by seeing expanding networks within and across
sectors of the economy utilizing the Framework, making it more
relevant to their stakeholders.
    For example, technology companies are developing products
and services tied to the Framework. The auditing community is
leveraging the Framework to provide a consistent auditable
standard, and many states are leveraging the Framework to
improve the security of their critical infrastructure.
    As the Framework incorporates globally recognized standards
for cybersecurity, it is also serving as a model for other
countries.
    Current feedback indicates widespread agreement that it is
too early to update the Framework. Waiting will allow for tools
and services to be built and implemented. In the meantime, NIST
will continue the open, transparent, and inclusive process as
it considers producing guidance on the challenging aspects of
implementation. NIST will work on areas singled out by the
Roadmap for Improving Critical Infrastructure Cybersecurity and
will continue exploring options for future governance of the
Framework, understanding the benefits of this being a private
sector-maintained process in the future.
    NIST recognizes our essential role in helping industry,
consumers, and government manage cybersecurity risks. We are
extremely proud of our role in establishing and improving the
comprehensive set of cybersecurity technical solutions,
standards, guidelines, and best practices and the robust
collaborations with our Federal Government partners, private
sector collaborators, and international colleagues.
    But there is still much to do. A sustained dialogue between
government and the private sector is critical to ensuring we
can respond to those growing challenges, and we appreciate the
support of the Committee in this effort.
    Thank you for the opportunity to testify today on NIST's
work in cybersecurity, and I would be happy to answer any
questions you may have.
    [The prepared statement of Dr. Romine follows:]

  Prepared Statement of Dr. Charles H. Romine, Director, Information
      Technology Laboratory, National Institute of Standards and
            Technology, United States Department of Commerce
Introduction
    Chairman Thune, Ranking Member Nelson and Members of the Committee,
I am Dr. Charles Romine, the Director of the Information Technology
Laboratory (ITL) at the Department of Commerce's National Institute of
Standards and Technology (NIST). Thank you for the opportunity to
appear before you today to discuss NIST's work in cybersecurity.
The Role of NIST in Cybersecurity
    With programs focused on national priorities from the Smart Grid
and electronic health records to forensics, atomic clocks, advanced
nanomaterials, and computer chips and more, NIST's overall mission is
to promote U.S. innovation and industrial competitiveness by advancing
measurement science, standards, and technology in ways that enhance
economic security and improve the quality of life.
    In the area of cybersecurity, NIST has worked with Federal
agencies, industry, and academia since 1972, starting with the
development of the Data Encryption Standard, when the potential
commercial benefit of this technology became clear. NIST's role, to
research, develop and deploy information security standards and
technology to protect the Federal Government's information systems
against threats to the confidentiality, integrity and availability of
information and services, was strengthened through the Computer
Security Act of 1987 (Public Law 100-235), broadened through the
Federal Information Security Management Act of 2002 (FISMA; 44 U.S.C.
Sec. 3541 \1\) and recently reaffirmed in the Federal Information
Security Modernization Act of 2014 (Public Law 113-283). Importantly,
the Cybersecurity Enhancement Act of 2014 (Public Law 113-274)
authorizes NIST to facilitate and support the development of voluntary,
industry-led cybersecurity standards and best practices for critical
infrastructure--consistent with NIST's role in implementation of
Executive Order 13636, ``Improving Critical Infrastructure
Cybersecurity''.
---------------------------------------------------------------------------
    \1\ FISMA was enacted as Title III of the E-Government Act of 2002
(Public Law 107-347; 116 Stat. 2899).
---------------------------------------------------------------------------
    NIST accomplishes its mission in cybersecurity through
collaborative partnerships with its customers and stakeholders in
industry, government, academia, standards bodies, consortia and
international partners.
NIST Engagement with Industry
    Beyond NIST's responsibilities under FISMA, under the provisions of
the National Technology Transfer and Advancement Act (PL 104-113) and
related OMB Circular A-119, NIST is tasked with the key role of
encouraging and coordinating Federal agency use of voluntary consensus
standards and participation in the development of relevant standards,
as well as promoting coordination between the public and private
sectors in the development of standards and in conformity assessment
activities. NIST works with other agencies, such as the Department of
State, to coordinate standards issues and priorities with the private
sector through consensus standards organizations such as the American
National Standards Institute (ANSI), the International Organization for
Standardization (ISO), the Institute of Electrical and Electronics
Engineers (IEEE), the Internet Engineering Task Force (IETF), and the
International Telecommunications Union (ITU).
    Partnership with industry to develop, maintain, and implement
voluntary consensus standards related to cybersecurity best ensures the
interoperability, security and resiliency of the global infrastructure
needed to make us all more secure. It also allows this infrastructure
to evolve in a way that embraces both security and innovation--allowing
a market to flourish to create new types of secure products for the
benefit of all Americans.
    NIST believes further development of cybersecurity standards will
be needed to improve the security and resiliency of critical U.S.
information and communication infrastructure. The availability of
cybersecurity standards and associated conformity assessment schemes is
essential in these efforts, which NIST supports to help enhance the
deployment of sound security solutions and build trust among those
creating and those using the solutions throughout the country.
Cybersecurity Framework: Current Status
    Almost one year ago, NIST issued The Framework for Improving
Critical Infrastructure Cybersecurity (Framework) in accordance with
Section 7 of Executive Order 13636, ``Improving Critical Infrastructure
Cybersecurity'' (Executive Order). The Framework, created through
collaboration between industry and government, consists of standards,
guidelines, and practices to promote the protection of critical
infrastructure. The prioritized, flexible, repeatable, and cost-
effective approach of the Framework helps owners and operators of
critical infrastructure to manage cybersecurity-related risk.
    Executive Order 13636 was designed to increase protection across
the full range of Critical Infrastructure--those systems and assets
that the Nation's economic and national security rely upon. Under
Executive Order 13636, Federal Government security agencies were
charged to increase the flow of valuable threat information to
industry, and NIST was charged to play a convener and facilitator role
in supporting the private sector's efforts to develop the Cybersecurity
Framework.
    The goal of the Framework is to help organizations align their
policies, technologies, and day-to-day business operations to better
protect their data and their information technology (IT) and industrial
control systems.
    The Framework also was designed to assess the capacity of the
market to deliver better cybersecurity protection. During the
development process for the Framework, NIST asked industry to
contribute ideas about what standards, guidelines, and best practices
could be used more widely to better manage cybersecurity risks, and
then what steps should be taken to develop the next set of tools in
these public-private partnerships.
    In the course of developing the Framework document published in
February of 2014, NIST estimates that more than 3,000 people from
industry, academia, and government came to participate in workshops and
webinars, while providing hundreds of detailed comments on drafts. The
NIST approach was premised on the understanding that a Framework
designed by industry would gain greater adoption throughout the private
sector, and could support a vibrant market for IT security products and
services.
    The result of this effort is a dynamic tool that has two main
parts.
    First, the Framework is a collection of existing standards and best
practices that proved to be helpful in protecting systems from cyber
threats and ensuring business confidentiality, while protecting
individual privacy and civil liberties.
    Second, the Framework sets out basic guidelines that organizations
can use in adopting those practices, providing them with a coherent
structure to consider the many, varied approaches to cybersecurity that
have proliferated in recent years.
    NIST heard over and over that a key challenge facing information
security professionals, senior business leaders, and company executives
and boards of directors striving to address cybersecurity, was the lack
of a common vocabulary and approach. As a result, the Framework starts
with general guidance, and cascades to the more technical and specific,
to help facilitate that dialogue with and within an organization.
    The fact that the Framework is--and will remain--voluntary has
allowed NIST to continue to bring the maximum number of stakeholders to
the table. And the inherent flexibility of the Framework allows each
organization to tailor it to individual needs.
    Since the release of the Framework, NIST has strengthened its
collaboration with critical infrastructure owners and operators,
industry leaders, government partners, and other stakeholders to raise
awareness about the Framework, encourage use by organizations across
and supporting the critical infrastructure, and develop implementation
guides and resources.
    NIST, along with its partners across government, has focused on
building on that initial awareness and on working arm-in-arm with the
private sector as the Framework begins to be used within organizations,
and as those organizations develop supporting products and services.
    The Framework was designed to be a ``living'' document, shaped by
the experiences of those using it. To learn more about these
experiences, NIST released a Request for Information (RFI) \2\ on
August 26, 2014, and held its 6th Cybersecurity Framework Workshop at
the University of South Florida in Tampa, Florida, on October 29 and
30, 2014. Responses to the RFI came from industry, academia and
government organizations at multiple levels, as well as organizations
representing large constituencies and key stakeholders in critical
infrastructure sectors.
---------------------------------------------------------------------------
    \2\ RFI--Experience with the Framework for Improving Critical
Infrastructure Cybersecurity, August 26, 2014, https://
federalregister.gov/a/2014-20315
---------------------------------------------------------------------------
    Based on that feedback, and NIST's continued work, I'd like to
share some thoughts about where NIST is now--almost a year since the
release of the Framework.
    NIST found that organizations are using the Framework in a variety
of ways. Many users have found the Framework helpful in raising
awareness and communicating with stakeholders within their
organization, including executive leadership. It is also being used to
improve communications across organizations, allowing cybersecurity
expectations to be shared with business partners, suppliers, and among
sectors. The Framework is being used to demonstrate alignment with
standards, guidelines, and best practices. The Framework is also being
used as a strategic planning tool to assess risks and current
practices.
    In addition to those ``users,'' we have been encouraged by seeing
expanding networks--within and across sectors of the economy--beginning
to learn about and take advantage of the Framework, making it more
relevant to their stakeholders.
    This includes:

  <bullet> Technology companies have been developing products and
        services aligned with the Framework.

  <bullet> Communities of interest and associations have been sharing
        practical advice to help organizations to optimize their use of
        the Framework.

  <bullet> The auditing community has begun to leverage the Framework
        to provide a consistent auditable standard.

  <bullet> Major insurance providers have begun to offer policies tied
        to the Framework and are promoting it among their policy-
        holders.

  <bullet> States have begun to leverage the Framework to improve the
        security of their infrastructure, including as a foundation for
        their work in cybersecurity for state emergency management
        agencies.

    And, in part because the Framework incorporates globally recognized
voluntary standards for cybersecurity, it is serving as a model for
other countries, allowing them to match their business' perspectives
with their governments' needs. In other words, this is not a ``U.S.-
only'' Framework.
Cybersecurity Framework: Next Steps
    NIST is continuing its outreach and awareness program through
discussions with international partners, global companies and other
interested governments, while NIST continues the primary outreach
efforts to U.S. industries and organizations. This includes outreach to
regulatory agencies, to facilitate a consistent understanding of the
Framework across the Federal Government, and to reinforce that the
Framework is not designed or intended to create additional requirements
for owners and operators of critical infrastructure, who are otherwise
subject to regulatory requirements.
    As NIST learns from individual organizations about their
experiences with the Framework--good or otherwise--NIST hopes to share
that knowledge and insight with others so that they may gain confidence
in using the Framework. NIST also hopes to provide specifics, for
example, through appropriate ``case studies,'' for those who are
seeking more information on how to build or improve their own
cybersecurity programs.
    The data that is collected and reflected will be the source
information for any determinations or suggestions for changes that
might be needed to the Framework going forward. The Framework is
envisioned as a ``living document.'' At this point, however, there is
rather widespread agreement among workshop participants that it is too
soon to consider updating the Framework, and that NIST should continue
efforts to promote understanding and use of the current version. This
will allow industry the time to implement, for tools and service to be
built and offered, as well as for the common vocabulary of the
Framework to become established.
In any event, any changes that might \nbe made to the Framework will be made through the same open, \ntransparent and inclusive process that was used in the initial creation \nof the Framework.\n    In the months ahead, NIST will focus on the challenging aspects of \nimplementation and will consider producing guidance that will help \norganizations address these challenges. No modifications or new \nversions of the Framework are anticipated within the next year, \nalthough NIST will continue to work on areas singled out in the Roadmap \nfor Improving Critical Infrastructure Cybersecurity, \\3\\ released the \nsame time as the Framework. NIST also will continue to explore options \nfor future governance of the Framework, based on NIST\'s appreciation of \nthe long-term benefits of the Framework becoming a private-sector \nmaintained process in the future.\n---------------------------------------------------------------------------\n    \\3\\ http://www.nist.gov/cyberframework/upload/roadmap-021214.pdf\n---------------------------------------------------------------------------\n    NIST will continue, and increase, its efforts to raise awareness of \nthe Framework, including through partnerships with other organizations. \nNIST\'s efforts will be carried out in the same open and collaborative \nmanner which was the hallmark of the Framework\'s development. 
One \npriority will be to develop and disseminate information and training \nmaterials that advance use of the Framework, such as actual or \nexemplary illustrations of how organizations of varying sizes, types, \nand cybersecurity capabilities can practically employ the Framework to \nmake themselves more secure.\nNational Initiative for Cybersecurity Education\n    I would like to provide you now with an update on NIST\'s work to \nsupport building a capable cybersecurity workforce--a workforce that is \nagile and can adapt to meet the national need to design, develop, \nimplement, maintain and continuously improve cybersecurity, consistent \nwith the relevant provisions of the Cybersecurity Enhancement Act of \n2014.\n    In 2010, the National Initiative for Cybersecurity Education (NICE) \nwas established to enhance the overall cybersecurity posture of the \nUnited States by accelerating the availability of educational, \ntraining, and workforce development resources designed to improve the \ncybersecurity behavior, skills, and knowledge of every segment of the \npopulation. As the lead agency for this initiative, NIST works with \nmore than 20 Federal departments and agencies, as well as with industry \nand academia, to raise national awareness about risks in cyberspace, \nbroaden the pool of individuals prepared to enter the cybersecurity \nprofession, and cultivate a globally competitive cybersecurity \nworkforce.\n    NICE has also aligned with the President\'s Job-Driven Training \nInitiative to increase the number of individuals who complete high-\nquality cybersecurity training and education programs and attain the \nskills most needed to provide a pipeline of skilled workers for \nindustry and government.\nAdditional Research Areas\n    NIST performs research and development in related technologies, \nsuch as the usability of systems including electronic health records, \nvoting machines, biometrics and software interfaces. 
NIST is performing \nbasic research on the mathematical foundations needed to determine the \nsecurity of information systems. In the areas of digital forensics, \nNIST is enabling improvements in forensic analysis through the National \nSoftware Reference Library and computer forensics tool testing. \nSoftware assurance metrics, tools, and evaluations developed at NIST \nare being implemented by industry to help strengthen software against \nhackers. NIST responds to government and market requirements for \nbiometric standards by collaborating with other Federal agencies, \nacademia, and industry partners to develop and implement biometrics \nevaluations, enable usability, and develop standards (fingerprint, \nface, iris, voice/speaker, and multimodal biometrics). NIST plays a \ncentral role in defining and advancing standards, and collaborating \nwith customers and stakeholders to identify and reach consensus on \ncloud computing standards.\nConclusion\n    NIST recognizes that it has been entrusted with an essential role \nin helping industry, consumers and government to manage cybersecurity \nrisks.\n    NIST is extremely committed to fulfilling that role; it is \ncommitted to improving on existing cybersecurity technical solutions, \nstandards, guidelines, and best practices, through robust \ncollaborations with our Federal Government partners, private sector \ncollaborators, and international colleagues; and NIST is committed to \nhelping to ensure that government needs stay aligned with, and are \ninformed by, the needs of American industry.\n    But let us be clear, and here I am not telling this Committee \nanything it does not know well: even with the body of work that is now \nbehind us, there is still much to do. 
NIST will continue a sustained \ndialogue between government and the private sector to ensure it can be \nresponsive to ever-evolving cybersecurity challenges, and in this NIST \nhas appreciated the support of the Committee.\n    Thank you for the opportunity to testify today on NIST\'s work in \ncybersecurity. I would be happy to answer any questions you may have.\n                               Attachment\n                           Charles H. Romine\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n    Charles Romine is Director of the Information Technology Laboratory \n(ITL). ITL, one of seven research Laboratories within the National \nInstitute of Standards and Technology (NIST), has an annual budget of \n$150 million, more than 350 employees, and about 160 guest researchers \nfrom industry, universities, and foreign laboratories. Dr. Romine \noversees a research program designed to promote U.S. innovation and \nindustrial competitiveness by developing and disseminating standards, \nmeasurements, and testing for interoperability, security, usability, \nand reliability of information systems, including cybersecurity \nstandards and guidelines for Federal agencies and U.S. industry, \nsupporting these and measurement science at NIST through fundamental \nand applied research in computer science, mathematics, and statistics. \nThrough its efforts, ITL supports NIST\'s mission, to promote U.S. \ninnovation and industrial competitiveness by advancing measurement \nscience, standards, and technology in ways that enhance economic \nsecurity and improve our quality of life. Within NIST\'s traditional \nrole as the overseer of the National Measurement System, ITL is \nconducting research addressing measurement challenges in information \ntechnology as well as issues of information and software quality, \nintegrity, and usability. 
ITL is also charged with leading the Nation \nin using existing and emerging IT to help meet national priorities, \nincluding developing cybersecurity standards, guidelines, and \nassociated methods and techniques, cloud computing, electronic voting, \nsmart grid, homeland security applications, and health information \ntechnology.\nEducation\n\nPh.D. in Applied Mathematics from the University of Virginia\n\nB.A. in Mathematics from the University of Virginia\n\n    The Chairman. Thank you, Dr. Romine.\n    Ms. Beauchesne?\n\n        STATEMENT OF ANN M. BEAUCHESNE, VICE PRESIDENT,\n\n         NATIONAL SECURITY AND EMERGENCY PREPAREDNESS,\n\n                    U.S. CHAMBER OF COMMERCE\n\n    Ms. Beauchesne. Thank you. Good morning, Chairman Thune, \nRanking Member Nelson, and members of the Committee. My name is \nAnn Beauchesne. I am the Vice President of the U.S. Chamber\'s \nNational Security and Emergency Preparedness Department. On \nbehalf of the Chamber, I welcome the opportunity to testify \nbefore the Senate Commerce Committee regarding the business \ncommunity\'s experience with NIST\'s Framework for Improving \nCritical Infrastructure Cybersecurity.\n    I want to thank the Committee for holding today\'s hearing. \nRecent cyber incidents underscore the need to keep building \ntoward a more secure and resilient cyber future at home and \nglobally.\n    The good news is that addressing sophisticated cyber \nthreats against American businesses has gone from an IT issue \nto a top priority for company executives and boards of \ndirectors. My statement will focus on the successful rollout of \nthe Framework and the positive collaboration that many \nbusinesses and government entities have developed over the past \nseveral months.\n    The Chamber\'s promotion of the Framework through our \nCybersecurity Campaign, as well as the urgent need for \ncybersecurity information sharing legislation. 
It is \nencouraging to see that the administration has put forward its \nown views on cybersecurity information sharing legislation as \nwell. Legislation is needed to help businesses improve their \nawareness of cyber threats, as well as to enhance their \nprotection and response capabilities.\n    The Chamber believes that the development and rollout of \nthe Framework has been a success. We view the Framework as one \nof the best examples of a public-private partnership in action. \nFrom conception to release, the Chamber, trade associations, \nand companies of all sizes and sectors collaborated closely \nwith the administration, NIST, and the Department of Homeland \nSecurity in developing the Framework. Much of industry\'s \nfavorable reaction is owed in large measure to NIST. They have \ntreated the business community as a genuine partner and tackled \na tough assignment in ways that ought to serve as a model for \nother agencies.\n    Last spring, the administration sent the business community \na powerful message, saying that the Framework should remain \ncollaborative, voluntary, and innovative over the long term, in \na word, ``non-regulatory.\'\' Businesses need flexible solutions \nto respond to the rapidly changing threat environment. As \nthreats continue to evolve, businesses must be able to adapt \naccordingly.\n    I appreciate the comments of Silver Star Communications\' \nJeff England who notes in his written testimony that a \nregulatory approach to cybersecurity distracts policymakers\' \nattention from the root problem, that is, attacks coming from \norganized criminals and state-sponsored groups.\n    Since the Framework\'s release last February, industry has \ndemonstrated its commitment to using it. 
Critical \ninfrastructure are keenly aware and supportive of the \nFramework.\n    In my written testimony, I have outlined how numerous \nassociations and trade groups are creating tools and resources \nfor their members and holding events around the country to \npromote cybersecurity awareness and education of the Framework. \nGoing forward, we urge policymakers to commit even greater \nresources over the next several years to grow awareness of the \nFramework and risk-based tools for cybersecurity.\n    The Chamber has launched its own cybersecurity campaign \nunder the banner of Improving Today, Protecting Tomorrow. Last \nyear, we organized roundtable events with State and local \nchambers in Chicago, Austin, Everett, and Phoenix in the run-up \nto our third annual cybersecurity summit in October. Each \nroundtable featured cybersecurity principles from the White \nHouse, DHS, NIST, as well as local FBI and Secret Service \nofficials. At these roundtables, the Chamber and our Federal \npartners have urged businesses of all sizes and sectors to \nadopt fundamental security practices to reduce network and \nsystem weaknesses. The Chamber is planning to hold more \ncybersecurity roundtables this year with our Federal partners, \nas well as our fourth annual cybersecurity summit on October 6.\n    The Framework is a good start, but more work is needed to \npush back against skilled attackers. No single tool or approach \ncan prevent advanced and persistent threats or state-sponsored \ncyber attacks. Most small and mid-sized businesses tend to lack \nthe money and personnel to beat back highly advanced and \nnefarious actors.\n    Despite the Chamber\'s strong support for the Framework, the \neffort will be incomplete without getting information sharing \nlegislation done. 
While the Chamber recognizes that the \nCommerce Committee does not have jurisdiction over \ncybersecurity information sharing legislation, we continue to \npush Congress to pass a bill that includes robust safeguards \nsuch as liability, regulatory, FOIA, and antitrust protections \nfor businesses that voluntarily exchange threat data with their \npeers and with the Government.\n    Last week, 35 associations, including the Chamber, sent the \nSenate a letter urging lawmakers to quickly pass a cyber \ninformation sharing bill.\n    The Senate Intelligence Committee passed a smart and \nworkable bill last year which earned broad bipartisan support.\n    Cyber attacks aimed at U.S. businesses and government \nentities are being launched from various sources, including \nsophisticated hackers, organized crime, and state-sponsored \ngroups. Congressional action on information sharing cannot come \nquickly enough.\n    Again, I want to thank you for inviting me to be here. The \nChamber looks forward to working with you and your staff, and I \nwould be happy to answer any questions.\n    [The prepared statement of Ms. Beauchesne follows:]\n\n   Prepared Statement of Ann M. Beauchesne, Vice President, National \n     Security and Emergency Preparedness, U.S. Chamber of Commerce\n    Good morning, Chairman Thune, Ranking Member Nelson, and other \ndistinguished members of the Committee. My name is Ann Beauchesne, and \nI serve as vice president of the U.S. Chamber\'s National Security and \nEmergency Preparedness Department. 
On behalf of the Chamber, I welcome \nthe opportunity to testify before the Senate Commerce committee \nregarding the business community\'s experience with the National \nInstitute of Standards and Technology\'s (NIST\'s) Framework for \nImproving Critical Infrastructure Cybersecurity (the framework).\\1\\\n---------------------------------------------------------------------------\n    \\1\\ See www.nist.gov/cyberframework.\n---------------------------------------------------------------------------\n    The National Security and Emergency Preparedness Department was \nestablished in 2003 to develop and implement the Chamber\'s homeland and \nnational security policies. The department works through the National \nSecurity Task Force, a policy committee composed of roughly 200 Chamber \nmembers representing practically every sector of the American economy. \nThe task force\'s Cybersecurity Working Group identifies current and \nemerging issues, crafts policies and positions, and provides analysis \nand direct advocacy to government and business leaders.\n    The need to address increasingly sophisticated threats against U.S. \nand global businesses has gone from an IT issue to a top priority for \nthe C-suite and the boardroom. Chamber President and CEO Thomas J. \nDonohue recently said, ``In an interconnected world, economic security \nand national security are linked. To maintain a strong and resilient \neconomy, we must protect against the threat of cyberattacks.\'\'\n    My statement focuses on the successful rollout of the framework and \nthe positive collaboration that many businesses and government entities \nhave developed over the past several months, including our new \ncybersecurity campaign--Improving Today, Protecting \nTomorrow<SUP>TM</SUP>. I am also going to highlight policy issues--\ninformation-sharing legislation being the top legislative priority--\nthat lawmakers and the administration need to diligently address. 
The \ninformation-sharing discussion puts too little emphasis on improving \ngovernment-to-business sharing. The Chamber wants to expand government-\nto-business information sharing, which is progressing but needs \nimprovement.\\2\\\n---------------------------------------------------------------------------\n    \\2\\ The Chamber submitted in October 2014 similar comments to \nNational Institute of Standards and Technology (NIST) related to \nbusinesses\' awareness and use of the framework. See http://\ncsrc.nist.gov/cyberframework/rfi_comments_10_2014.html.\n---------------------------------------------------------------------------\n    The framework is a good start, but more work is needed to push back \nagainst skilled attackers. Most small and midsize businesses (SMBs) \ntend to lack the money and personnel to beat back highly advanced and \nnefarious actors, such as organized criminal gangs and groups carrying \nout state-sponsored attacks. No single strategy can prevent advanced \nand persistent threats--popularly known as APTs in cybersecurity \njargon--from breaching an organization\'s cyber defenses.\n    Policymakers have not sufficiently acknowledged this expensive, \npractical reality. American companies should not be expected to \nshoulder the substantial costs of cyberattacks emanating from well-\nresourced bad actors such as criminal syndicates or nation-states--\ncosts typically absorbed by national governments. Nation-states or \ntheir proxies and other sophisticated actors are apparently hacking \nbusinesses with impunity--and that has got to stop.\n    In addition to having policymakers acknowledge cost concerns, the \nChamber would welcome working with the administration and Congress on \nestablishing an intelligent and forceful deterrence strategy, which the \nUnited States currently lacks. U.S. 
policymakers need to focus on \npushing back against illicit actors and not on blaming the victims of \ncybersecurity incidents.\\3\\\n---------------------------------------------------------------------------\n    \\3\\ The Chamber submitted comments to the Department of Homeland \nSecurity (DHS) on cybersecurity solutions for small and midsize \nbusinesses (SMBs) in April 2014.\n---------------------------------------------------------------------------\nThe Framework Is an Excellent Example of an Effective Public-Private \n        Partnership; Critical Infrastructure Awareness of the Framework \n        Is Strong, and Sector Activities Are Robust and Maturing\n    The Chamber believes that the framework--which was released last \nFebruary--has been a success. The framework represents one of the best \nexamples of public-private partnerships in action. NIST and \nstakeholders in the public and private sectors should have a great \nsense of accomplishment. The Chamber, sector-based coordinating \ncouncils and associations, companies, and other entities collaborated \nclosely with NIST in developing the framework since the first workshop \nwas held in April 2013.\n    Critical infrastructure sectors are keenly aware of and supportive \nof the framework. 
The Chamber understands that critical infrastructures \nat ``greatest risk\'\' have been identified and engaged by administration \nofficials under the terms of the cyber executive order (EO).\\4\\ \nGovernment officials ought to ensure that all resources, particularly \nthe latest cyber threat indicators, are available to these enterprises \nto counter increasing and advanced threats.\n---------------------------------------------------------------------------\n    \\4\\ Executive Order (EO) 13636, Improving Critical Infrastructure \nCybersecurity, is available at www.gpo.gov/fdsys/pkg/FR-2013-02-19/pdf/\n2013-03915.pdf.\n---------------------------------------------------------------------------\n    Further, important elements of U.S. industry are aware of the \nframework and are using it or similar risk management tools. Indeed, \nthe Chamber welcomed an assessment from Michael Daniel, White House \nspecial assistant to the president and cybersecurity coordinator, who \nremarked on September 23, 2014, at the Chamber\'s third cyber roundtable \nin Everett, Washington, that industry\'s response to the framework has \nbeen ``phenomenal.\'\'\n    A second White House official, Ari Schwartz, senior director for \ncybersecurity, noted on October 1, 2014, that business support for the \nframework has ``exceeded expectations.\'\' Such recognition is \nconstructive and helps keep the private sector engaged in using the \nframework and promoting it with business partners.\\5\\\n---------------------------------------------------------------------------\n    \\5\\ See ``At eight-month mark, industry praises framework and eyes \nnext steps,\'\' Inside Cybersecurity, October 6, 2014, http://\ninsidecybersecurity.com/Cyber-Daily-News/Daily-News/at-eight-month-\nmark-industry-praises-framework-and-eyes-next-steps/menu-id-1075.html.\n---------------------------------------------------------------------------\n    Much of industry\'s favorable reaction is owed in large measure 
to \nNIST, which tackled the framework\'s development in ways that ought to \nserve as a model for other agencies and departments. In May 2014, the \nadministration sent the business community a powerful message, saying \nthat the framework should remain collaborative, voluntary, and \ninnovative over the long term.\\6\\ Interestingly, public focus on the \nframework has created visibility into industry\'s long-standing efforts \nto address cyber risks and threats--constant, dedicated, and (mostly) \nsilent efforts that preceded the creation of the framework.\\7\\\n---------------------------------------------------------------------------\n    \\6\\ The Chamber agrees with Michael Daniel\'s May 22 blog, Assessing \nCybersecurity Regulations, at www.whitehouse.gov/blog/2014/05/22/\nassessing-cybersecurity-regulations. The blog says that business and \ngovernment ``must build equally agile and responsive capabilities not \nbound by outdated and inflexible rules and procedures.\'\' The Chamber \nand industry partners especially urge independent agencies and Congress \nto adhere to the dynamic approach advocated by the administration and \nthat is embodied in the nonregulatory, public-private framework. See \nJune 11, 2014 letter, available at www.uschamber.com/sites/default/\nfiles/documents/files/11June14GroupLetterT-\nYReplytoDanielCyberBlog_Final_0.pdf.\n    \\7\\ The online publication Inside Cybersecurity provides an \nexcellent catalog of industry initiatives to implement data-and \nnetwork-security best practices. See http://insidecyber\nsecurity.com/Sectors/menu-id-1149.html.\n---------------------------------------------------------------------------\n    Most notable, since the framework\'s release, industry has \ndemonstrated its commitment to using it. Many associations are creating \nresources for their members and holding events across the country and \ntaking other initiatives to promote cybersecurity education and \nawareness of the framework. 
Some examples are listed here. Associations \nare planning and exploring additional activities as well.\n\n  <bullet> The Alliance of Automobile Manufacturers and the Association \n        of Global Automakers have initiated a process to establish an \n        automobile industry sector information-sharing and analysis \n        center (Auto-ISAC) to voluntarily collect and share information \n        about existing or potential threats to the cybersecurity of \n        motor vehicle electronics and in-vehicle networks.\n\n  <bullet> The American Chemistry Council (ACC) is developing sector-\n        specific guidance based on the NIST cyber framework to further \n        enhance and implement the council\'s Responsible Care® Security \n        Code. ACC\'s Chemical Information Technology Center (ChemITC) is \n        also piloting an ISAC for the chemical sector.\n\n  <bullet> The American Gas Association (AGA) has hosted a series of \n        webinars on control system cybersecurity, is collaborating with \n        small utilities to develop robust cybersecurity programs, and \n        is working with companies to review and enhance their \n        cybersecurity posture using the Oil and Natural Gas Subsector \n        Cybersecurity Capability Maturity Model (ONG-C2M2) from the \n        Department of Energy (DOE). 
Among other activities, AGA has \n        stood up the Downstream Natural Gas Information and Analysis \n        Center (DNG-ISAC), an ISAC designed to help support the \n        information-sharing interests of downstream natural gas \n        utilities.\n\n  <bullet> The American Hotel & Lodging Association (AH&LA) has \n        conducted a series of widely attended cyber and data security \n        webinars to assist small, medium, and large hotel and lodging \n        businesses with implementing key information security measures \n        and risk assessments.\n\n  <bullet> The American Water Works Association (AWWA) has created \n        cybersecurity guidance and a use-case tool to aid water and \n        wastewater utilities\' implementation of the framework. The \n        guidance is cross-referenced to the framework. This tool is \n        serving as implementation guidance for the framework in the \n        water and wastewater systems sector.\n\n  <bullet> Members of the Communications Sector Coordinating Council \n        (CSCC)--made up of broadcasting, cable, wireline, wireless, and \n        satellite segments--have participated in multiple NIST, \n        Department of Homeland Security (DHS), and industry \n        association-sponsored programs, webinars, and panels. The \n        sector is completing a year-long effort within the Federal \n        Communication Commission\'s (FCC\'s) Communications Security \n        Reliability and Interoperability Council (CSRIC) that involves \n        more than 100 professionals who have worked to adapt the NIST \n        framework to the sector segments and provide guidance to the \n        industry.\n\n  <bullet> The Electricity Subsector Coordinating Council has worked \n        with DOE to develop sector-specific guidance for using the \n        framework. 
The guidance leverages existing subsector-specific \n        approaches to cybersecurity, including DOE\'s Electricity \n        Subsector Cybersecurity Risk Management Process Guideline, the \n        Electricity Subsector Cybersecurity Capability Maturity Model, \n        NIST\'s Guidelines for Smart Grid Cyber Security, and the North \n        American Electric Reliability Corporation\'s (NERC) Critical \n        Infrastructure Protection Cybersecurity Standards.\n\n  <bullet> The mutual fund industry, represented by the Investment \n        Company Institute (ICI), has added to its committee roster a \n        Chief Information Security Officer Advisory Committee. The \n        committee\'s mission is to collaborate on cybersecurity issues \n        and information sharing in the financial services industry and \n        provide a cyber threat protection resource for ICI members.\n\n  <bullet> The Information Technology Industry Council (ITI) visited \n        Korea and Japan in May 2014 and shared with these countries\' \n        governments and business leaders the benefits of a public-\n        private partnership-based approach to developing globally \n        workable cybersecurity policies. ITI highlighted the framework \n        as an example of an effective policy developed in this manner, \n        reflecting global standards and industry-driven practices. ITI \n        principals also spoke at a U.S.-European Union (EU) workshop in \n        Brussels in November 2014, comparing U.S. and EU policy \n        approaches to cybersecurity and highlighting the positive \n        attributes of the framework and its development.\n\n  <bullet> The National Association of Manufacturers (NAM) has \n        spearheaded the D.A.T.A. (Driving the Agenda for Technology \n        Advancement) Policy Center, providing manufacturers with a \n        forum to understand the latest cybersecurity policy trends, \n        threats, and best practices. The D.A.T.A. 
Center focuses on \n        working with small and medium-size manufacturers to help them \n        secure their assets.\n\n  <bullet> Through the American Petroleum Institute (API), the oil and \n        natural gas sector has worked with DOE to complete the Oil and \n        Natural Gas Subsector Cybersecurity Capability Maturity Model \n        (ONG-C2M2). The oil and natural gas sector in 2014 established \n        a new Oil and Natural Gas Information Sharing and Analysis \n        Center (ONG-ISAC) to provide shared intelligence on cyber \n        incidents, threats, vulnerabilities, and responses throughout \n        the industry.\n\n  <bullet> The Retail Industry Leaders Association (RILA), in \n        partnership with the National Retail Federation (NRF), has \n        created the Retail Cyber Intelligence Sharing Center (R-CISC), \n        featuring information sharing, research, and education and \n        training. This ISAC enables retailers to share threat data \n        among themselves and to receive threat information from \n        government and law enforcement partners.\n\n  <bullet> The U.S. Chamber of Commerce has launched its national \n        roundtable series, Improving Today, Protecting Tomorrow \n        <SUP>TM</SUP>, recommending that businesses of all sizes and \n        sectors adopt fundamental Internet security practices.\nThe Chamber\'s New Cybersecurity Campaign Enters Its Second Year; \n        Policymakers Need to Focus on Passing Information-Sharing \n        Legislation and Deterring Foreign Attackers\n    The NIST framework is designed to help s start a cybersecurity \nprogram or improve an existing one. 
The framework puts cybersecurity \ninto a common language for organizations to better understand their \ncybersecurity posture, set goals for cybersecurity improvements, \nmonitor their progress, and foster communications with internal and \nexternal stakeholders.\n    Looking ahead to 2015, the Chamber\'s cybersecurity campaign intends \nto focus on several areas, including the following:\n\n  <bullet> Organizing roundtables with local chambers and growing \n        market solutions. The Chamber is planning more cyber \n        roundtables in 2015. Last year, the Chamber organized \n        roundtable events with state and local chambers in Chicago, \n        Illinois (May 22); Austin, Texas (July 10); Everett, Washington \n        (September 23); and Phoenix, Arizona (October 8) prior to the \n        Chamber\'s Third Annual Cybersecurity Summit on October 28.\n\n    Leading member sponsors of the campaign were American Express, \n        Dell, and Splunk. Other sponsors were the American Gas \n        Association, Boeing, the Edison Electric Institute, Exelon, HID \n        Global, Microsoft, Oracle, and Pepco Holdings, Inc., and The \n        Wall Street Journal.\n\n    Each roundtable featured cybersecurity principals from the White \n        House, DHS, NIST, and local FBI and U.S. Secret Service \n        officials. The Chamber and our partners urged businesses to \n        adopt fundamental Internet security practices to reduce network \n        and system weaknesses and make the price of successful hacking \n        increasingly steep. The Chamber also urged businesses to \n        improve their cyber risk management processes. All businesses \n        should understand common online threats that can lead them to \n        become victims of cybercrime. 
Using the framework and similar \n        risk management tools, such as the Chamber\'s Internet Security \n        Essentials for Business 2.0 guidebook,\\8\\ is ultimately about \n        making your business more secure and resilient. The Chamber \n        encouraged businesses to report cyber incidents. Perfect online \n        security is unattainable, even for large businesses. Innovative \n        solutions are regularly being brought to market because cyber \n        threats are always changing. Businesses should report cyber \n        incidents and online crime to their FBI or U.S. Secret Service \n        field offices.\n---------------------------------------------------------------------------\n    \\8\\ The booklet is available free for downloading at \nwww.uschamber.com/issue-brief/internet-security-essentials-business-20.\n---------------------------------------------------------------------------\n\n  <bullet> Increasing public awareness of the framework. The Chamber \n        urges policymakers to commit greater resources over the next \n        several years to growing awareness of the framework and risk-\n        based solutions through a national education campaign. A broad-\n        based campaign involving federal, state, and local governments \n        and multiple sectors of the U.S. economy would spur greater \n        awareness of cyber threats and aggregate demand for market-\n        driven cyber solutions.\n\n    The Chamber believes that government--particularly independent \n        agencies--should devote their limited time and resources to \n        assisting resource-strapped enterprises, not trying to flex \n        their existing regulatory authority. 
After all, while \n        businesses are working to detect, prevent, and mitigate \n        cyberattacks originating from sophisticated criminal syndicates \n        or foreign powers, they shouldn\'t have to worry about \n        regulatory or legal sanctions.\n\n  <bullet> Improving information-sharing is job No. 1. The framework \n        would be incomplete without enacting information-sharing \n        legislation that removes legal and regulatory penalties to \n        quickly exchange data about threats to U.S. companies.\n\n    <ctr-circle> Passing legislation this year. Last week, 35 \n            associations, including the Chamber, strongly urged the \n            Senate to quickly pass a cybersecurity information-sharing \n            bill.\\9\\ The Senate Intelligence committee passed a smart \n            and workable bill in July 2014, which earned broad \n            bipartisan support. Recent cyber incidents underscore the \n            need for legislation to help businesses improve their \n            awareness of cyber threats and enhance their protection and \n            response capabilities.\n---------------------------------------------------------------------------\n    \\9\\ The coalition letter is available at www.uschamber.com/sites/\ndefault/files/150127_multi-association_cyber_info-\nsharing_legislation_senate.pdf.\n---------------------------------------------------------------------------\n\n      Above all, the Chamber urges Congress to send a bill to the \n            president that gives businesses legal certainty that they \n            have safe harbor against frivolous lawsuits when \n            voluntarily sharing and receiving threat indicators and \n            countermeasures in real time and taking actions to mitigate \n            cyberattacks. 
The legislation also needs to offer \n            protections related to public disclosure, regulatory, and \n            antitrust matters in order to increase the timely exchange \n            of information among public and private entities.\n\n      The Chamber also believes that legislation needs to safeguard \n            privacy and civil liberties and establish appropriate roles \n            for civilian and intelligence agencies. The cybersecurity \n            measure approved in July 2014 by the Senate Intelligence \n            committee reflected practical compromises among many \n            stakeholders on these issues.\n\n      Cyberattacks aimed at U.S. businesses and government entities are \n            being launched from various sources, including \n            sophisticated hackers, organized crime, and state-sponsored \n            groups. These attacks are advancing in scope and \n            complexity. Congressional action cannot come quickly \n            enough.\n\n    <ctr-circle> Helping SMBs mitigate attacks. The cybersecurity EO \n            elevates the importance of bidirectional information \n            sharing and calls for expanding the public-private Enhanced \n            Cybersecurity Services (ECS) program to critical \n            infrastructure. The administration should consider \n            developing an ECS program that is affordable to SMBs. On \n            the one hand, some businesses would be well equipped \n            internally or in partnership with third-party providers to \n            make use of cyber threat information. 
On the other hand, \n            the Chamber believes that, depending on their size and \n            abilities, most SMBs would need significant guidance and \n            perhaps additional assistance with incorporating threat \n            information and risk management strategies into their \n            organizations.\n\n  <bullet> Engaging law enforcement. The Chamber plans to continue its \n        close contact with the FBI and the U.S. Secret Service to build \n        trusted public-private relationships, which are essential to \n        confirming a crime and beginning criminal investigations. We \n        are encouraging businesses to partner with law enforcement \n        before, during, and after a cyber incident. FBI and U.S. Secret \n        Service officials have participated in each of the Chamber\'s \n        roundtables.\n\n  <bullet> Harmonizing cybersecurity regulations. Information-security \n        requirements should not be cumulative. The Chamber believes it \n        is valuable that agencies and departments are urged under the \n        EO to report to the Office of Management and Budget any \n        critical infrastructure subject to ``ineffective, conflicting, \n        or excessively burdensome cybersecurity requirements.\'\' We urge \n        the administration and Congress to prioritize eliminating \n        burdensome regulations on businesses. One solution could entail \n        giving businesses credit for information security regimes that \n        exist in their respective sectors that they have adopted.\\10\\ \n        It is positive that Michael Daniel, the administration\'s lead \n        cyber official, has made harmonizing existing cyber regulations \n        with the framework a priority.\n---------------------------------------------------------------------------\n    \\10\\ The business community already complies with multiple \ninformation security rules. 
Among the regulatory requirements impacting \nbusinesses of all sizes are the Chemical Facilities Anti-Terrorism \nStandards (CFATS), the Federal Energy Regulatory Commission-North \nAmerican Reliability Corporation Critical Information Protection (FERC-\nNERC CIP) standards, the Gramm-Leach-Bliley Act (GLBA), the Health \nInsurance Portability and Accountability Act (HIPAA), and the Sarbanes-\nOxley (SO<INF>X</INF>) Act. The Securities and Exchange Commission \n(SEC) issued guidance in October 2011 outlining how and when companies \nshould report hacking incidents and cybersecurity risks. Corporations \nalso comply with many non-U.S. requirements, which add to the \nregulatory mix.\n---------------------------------------------------------------------------\n\n  <bullet> Raising adversaries\' costs through deterrence. The Chamber \n        is reviewing actions that businesses and government can take to \n        deter nefarious actors that threaten to empty bank accounts, \n        steal trade secrets, or damage vital infrastructures. While we \n        have not formally endorsed the report, the U.S. 
Department of \n        State\'s International Security Advisory Board (ISAB) issued in \n        July draft recommendations regarding cooperation and deterrence \n        in cyberspace.\n\n    The ISAB\'s recommendations--including cooperating on crime as a \n        first step, exploring global consensus on the rules of the \n        road, enhancing governments\' situational awareness through \n        information sharing, combating IP theft, expanding education \n        and capacity building, promoting attribution and prosecution, \n        and leading by example--are sensible and worthy of further \n        review by cybersecurity stakeholders.\\11\\\n---------------------------------------------------------------------------\n    \\11\\ The ISAB report is available at www.state.gov/documents/\norganization/229235.pdf.\n\n    The Chamber believes that the United States needs to coherently \n        shift the costs associated with cyberattacks in ways that are \n        legal, swift, and proportionate relative to the risks and \n        threats. Policymakers need to help the law enforcement \n        community, which is a key asset to the business community but \n        numerically overmatched compared with illicit hackers.\\12\\\n---------------------------------------------------------------------------\n    \\12\\ The Chamber argues for a clear cyber deterrence strategy in \nits December 2013 letter to NIST on the framework. See http://\ncsrc.nist.gov/cyberframework/framework_comments/\n20131213_ann_beauchesne_uschamber.pdf.\n\n  <bullet> Making incentives work. In an April 2013 letter to NIST \n        regarding businesses\' use of the framework and the role of \n        incentives, the Chamber provides its views on extending \n        liability protections related to information-sharing \n        legislation (see p. 
6 of this statement), extending a safe \n        harbor related to using the framework, extending SAFETY Act \n        applicability to the framework, eliminating cybersecurity \n        regulations, leveraging Federal procurement, and making the \n        research and development (R&D) tax credit permanent.\\13\\\n---------------------------------------------------------------------------\n    \\13\\ The letter is available at www.ntia.doc.gov/files/ntia/\n29apr13_chamber_comments.pdf.\n\n    The Chamber appreciates that the administration is assessing a mix \n        of incentives that could induce businesses to use the \n        framework.\\14\\ However, in the Chamber\'s view, it is imperative \n        that the administration, independent agencies, and lawmakers \n        extend to companies the assurance that the cybersecurity \n        framework and any actions taken in relation to it remain \n        collaborative, flexible, and innovative over the long term. The \n        Chamber believes that the presence of these qualities, or the \n        lack thereof, would be a key determinant to use of the \n        framework by U.S. critical infrastructure as well as businesses \n        generally.\n---------------------------------------------------------------------------\n    \\14\\ See www.whitehouse.gov/blog/2013/08/06/incentives-support-\nadoption-cybersecurity-framework.\n---------------------------------------------------------------------------\nRoadmap for the Future of the Cybersecurity Framework\n    In February 2014, NIST released a Roadmap to accompany the \nframework. The Roadmap outlines further areas for possible \n``development, alignment, and collaboration.\'\' \\15\\ The Chamber noted \nin an October 2014 letter to NIST some key areas that we see as needing \nmore attention. 
The Chamber would highlight for the Committee the \nimportance of aligning international cybersecurity regimes with the \nframework.\n---------------------------------------------------------------------------\n    \\15\\ The Roadmap is available at www.nist.gov/cyberframework/\nupload/roadmap-021214.pdf.\n---------------------------------------------------------------------------\n    Many Chamber members operate globally. We appreciate that NIST has \nbeen actively meeting with foreign governments to urge them to embrace \nthe framework. Like NIST, the Chamber believes that efforts to improve \nthe cybersecurity of the public and private sectors should reflect the \nborderless and interconnected nature of our digital environment.\n    Standards, guidance, and best practices relevant to cybersecurity \nare typically industry driven and adopted on a voluntary basis; they \nare most effective when developed and recognized globally. Such an \napproach would avoid burdening multinational enterprises with the \nrequirements of multiple, and often conflicting, jurisdictions.\\16\\ The \nadministration should organize opportunities for stakeholders to \nparticipate in multinational discussions. The Chamber encourages the \nFederal Government to work with international partners and believes \nthat these discussions should be stakeholder driven and occur on a \nroutine basis.\n---------------------------------------------------------------------------\n    \\16\\ The Chamber sent a letter in September 2013 to Dr. Andreas \nSchwab, member of the European Parliament\'s Internal Market and \nConsumer Protection Committee, recommending amendments to the proposed \nEuropean Union (EU) cybersecurity directive. 
The Chamber argues that \ncybersecurity and resilience are best achieved when organizations \nfollow voluntary global standards and industry-driven practices.\n---------------------------------------------------------------------------\nThe Public and Private Sectors Need to Increase the Framework\'s Success \n        by Improving Collaboration and Eliminating Barriers to Smart \n        and \n        Efficient Cybersecurity\n    NIST and multiple stakeholders produced a smart framework that \nparticipants can take pride in. But more work lies ahead. The Chamber \nlooks forward to working with policymakers to ensure that preexisting \nregulations are harmonized with the collaborative and voluntary nature \nof the framework. Businesses also seek the enactment of information-\nsharing legislation to achieve timely and actionable situational \nawareness to improve detection, mitigation, and response capabilities.\n    The Chamber is committed to protecting America\'s business community \nand enhancing the Nation\'s resilience against an array of physical and \ncyber threats. Government and business entities need to continue \nleveraging the framework to strengthen collective resilience and \nsecurity and make ongoing improvements. We look forward to working with \nCongress and the administration to build on the progress that we--\nindustry and government--have made together.\n\n    The Chairman. Thank you, Ms. Beauchesne.\n    Mr. Smocer?\n\n   STATEMENT OF PAUL N. SMOCER, PRESIDENT OF BITS, FINANCIAL \n                      SERVICES ROUNDTABLE\n\n    Mr. Smocer. Thank you, Mr. Chairman. Last year, with this \ncommittee\'s stewardship, Congress passed the Cybersecurity \nEnhancement Act of 2014. The Act\'s focus on an open, voluntary \ncybersecurity framework development process and its emphasis on \ncybersecurity R&D, career development, awareness, and education \nimprove the information security of our country\'s cyber \necosystem. 
The act\'s passage signaled Congress\' commitment to \ncultivate the public-private partnership so essential to our \nNation\'s security.\n    Now we are witnessing a new era of attacks by organized \ncrime syndicates and nation states. These attacks threaten the \navailability of services and threaten individuals\' privacy and \neven the accuracy of their information through data \nmanipulation or destruction. This growing threat endangers all \ninstitutions in our sector and companies in other sectors.\n    The financial sector has historically made huge investments \nin security and in driving collaboration across industries and \nwith government. Our institutions invest because they recognize \ntheir customers trust them, but individual institutions\' \ninvestments can only do so much, as the cyber ecosystem extends \nbeyond any one company. Companies connect with sectors, across \nsectors, and with the government. The reliance on each other \ngives us all a critical role in the cyber landscape and \nrequires coordinated action for the most effective response.\n    Recognizing the necessity for collaboration, our sector has \nfacilitated a series of collaborative activities, as I note in \nmy written testimony, including a significant effort around the \ndevelopment of the NIST Cybersecurity Framework. Let me spend \nsome time on the Framework.\n    As a leader in cybersecurity, our sector wanted to be \nengaged in the Framework\'s development. From the onset, BITS, \nas an organization and as a representative for the Financial \nSector Coordinating Council, participated with NIST. We took \npart in all the workshops, providing our diverse membership\'s \nperspectives. We appreciated the opportunity to be a major \ncontributor. We wanted to ensure the Framework addressed our \nsector\'s attributes, and we wanted to understand how it would \nharmonize with our existing requirements. We applaud that the NIST \ndevelopment engaged so many other sectors. 
NIST\'s inclusive \napproach is reflected in today\'s broad embrace of the \nFramework.\n    Our members use the Framework to communicate ideas and \nachieve buy-in for various cybersecurity initiatives. They use \nit to communicate expectations and requirements to their \nvendors.\n    Given its age, the Framework\'s uses are still evolving. One \nevolution we see is its use as a baseline for cyber insurance \nunderwriting. A critical next step in the Framework\'s evolution \nwill involve ways independent regulators align their \nexpectations with it. We are concerned with a lack of a uniform \napproach across all regulators. Last week, BITS provided input \nto the Cybersecurity Forum for Independent and Executive Branch \nRegulators, urging harmonization of regulatory requirements. \nSome agencies have charted divergent paths not aligning with \nthe Framework or its collaborative process. Consequently, \ncompanies will need to devote time to manage a patchwork of \nincompatible agency requirements and invest funding in \npotentially duplicative efforts. This strains already taxed \nsecurity resources. We ask this committee, as part of its \noversight, to encourage agencies to focus on coordination and \nharmonization.\n    The NIST Cybersecurity Framework is very helpful in \nmitigating cyber risk, but we need to do more to end the cyber \nthreat, and Congress can help. We strongly believe passing \neffective cyber threat information sharing legislation would \nbolster the Framework. Our sector has worked with prior \nCongresses toward the development of a bipartisan bill. 
We hope \nin this Congress we witness the enactment of legislation that \nincentivizes the real-time sharing of cyber threat indicators \namongst companies within and between sectors and with the \nGovernment and provides a targeted level of liability and \ndisclosure protection, offers a good faith defense for sharing, \nand includes appropriate levels of privacy and civil liberties \nprotections.\n    Protecting consumers, companies, and the Nation must remain \nour collaborative focus. The ability to share information is at \nthe core of our Nation\'s response to the current cyber threat. \nWe are encouraged by the recent bipartisan progress and will \ncontinue to advocate for effective legislation.\n    In conclusion, the NIST Cybersecurity Framework benefits \nand strengthens the overall cybersecurity of organizations \nacross the cyber ecosystem. It is important in combating the \ngrowing threat of cyber attacks. With that said, we can do more \nto encourage its voluntary adoption, particularly encouraging \nagencies to coordinate and harmonize their cybersecurity \nguidance to avoid duplicative requirements.\n    Thank you again for inviting me to testify on this critical \nissue. Chairman Thune, Ranking Member Nelson, we look forward \nto working closely with you and the rest of the Committee on \nthis important issue.\n    [The prepared statement of Mr. Smocer follows:]\n\n       Prepared Statement of Paul N. Smocer, President of BITS, \n                     Financial Services Roundtable\n    Chairman Thune, Ranking Member Nelson, Members of the Committee, \nthank you for this opportunity to appear before you today to address \nthe important topic of cybersecurity and the evolution of public and \nprivate efforts to protect critical infrastructure from cyber threats.\n    My name is Paul Smocer, and I am the President of BITS, the \ntechnology policy division of the Financial Services Roundtable (FSR). 
\nFSR is a trade association representing the country\'s leading financial \nservice companies. Our members include banking, insurance, asset \nmanagement, finance, and payment companies. Cybersecurity has been a \nkey focus area for FSR and our companies for decades. Since 1996, BITS \nhas played an important leadership role in cybersecurity, fraud \nreduction, third-party vendor management, payments and emerging \ntechnologies. BITS addresses issues at the intersection of financial \nservices, technology, and public policy.\nCyber Threat Environment\n    Late last year, with this Committee\'s stewardship, Congress passed \nthe Cybersecurity Enhancement Act of 2014 (Public Law No: 113-274). We \nbelieve the Act\'s focus on supporting and facilitating an open and \nvoluntary cybersecurity standards development process is an important \nstep in improving the overall information security of our country\'s \ncyber ecosystem. Moreover, we applaud the Act\'s emphasis on \ncybersecurity research and development, cybersecurity career \ndevelopment, and cyber awareness and education. Indeed, with the \npassage of this Act, Congress has signaled its commitment to cultivate \nthe public-private partnership--a partnership that is essential to our \nNation\'s security.\n    Even with these improvements, more needs to be done. The current \ncyber threat environment is grim. Each day, cyber risk grows as attacks \nincrease in number, pace, and complexity. We are no longer in the days \nwherein the threat was confined to individual hacktivists and \nfraudsters. We are now in an era of attacks by not only organized crime \nsyndicates, but also nation-states. Correspondingly, the attacks have \ngrown beyond webpage vandalism and fraud into large-scale attacks that \nthreaten the availability of services to citizens and threaten the \nprivacy and accuracy of their information. 
Our sector is increasingly \nconcerned with these threats, particularly with the potential for \nattacks that could undermine the integrity of the financial system \nthrough data manipulation or destruction. This growing threat affects \nall institutions in our sector regardless of size or type of financial \ninstitution, including large and small banks, credit unions, insurers \nand investment firms. Increasingly, and as we have recently witnessed, \nother sectors face these same threats.\n    As mentioned, with each day that passes, the cyber threat against \nour Nation\'s critical infrastructure, private sector companies, and \nindividuals\' privacy intensifies. According to Symantec\'s 2014 \n``Internet Security Threat Report,\'\' the number of targeted spear-\nphishing campaigns in 2013 rose by 91 percent over the previous year. \nThese campaigns are a key method used by cyber attackers to infiltrate \nvictims\' systems and gather information. In recent years, we have also \nwitnessed serious and significant attacks from various nation-state \nactors and organized criminals on the Estonian, Georgian, and Ukrainian \ntelecommunications systems;\\1\\ European power plants;\\2\\ a U.S. 
public \nutility;\\3\\ the NASDAQ;\\4\\ Target and other major retailers and their \ncustomers.\\5\\ Moreover, a recent report reveals that of the estimated \n$2-3 trillion generated annually from the ``internet economy,\'\' \ncybercrime alone extracts between 15 percent and 20 percent of that \ntotal value.\\6\\ In response, the private sector has increased its \nspending on cybersecurity, with one financial services firm spending as \nmuch as $250 million a year.\n---------------------------------------------------------------------------\n    \\1\\ Reuters, ``Ukraine: Cyberattack on communications, MPs\' phones \nblocked,\'\' http://www.cnbc.com/id/101465198, (March 4, 2014).\n    \\2\\ Symantec Security Response, ``Dragonfly: Western Energy \nCompanies Under Sabotage Threat,\'\' http://www.symantec.com/connect/\nblogs/dragonfly-western-energy-companies-under-sabotage-threat, (June \n30, 2014).\n    \\3\\ ICS-CERT Monitor, ``Internet Accessible Control Systems At \nRisk,\'\' https://ics-cert.us-cert.gov/sites/default/files/Monitors/ICS-\nCERT_Monitor_%20Jan-April2014.pdf, (January-April 2014).\n    \\4\\ Michael Riley, ``How Russian Hackers Stole the Nasdaq,\'\' \nhttp://www.businessweek.com/articles/2014-07-17/how-russian-hackers-stole-\nthe-nasdaq, (July 17, 2014).\n    \\5\\ Symantec Corporation, ``Internet Security Threat Report \n2014,\'\' http://www.symantec.com/content/en/us/enterprise/\nother_resources/b-istr_main_report_v19_21291018.en-us.pdf, (April \n2014).\n    \\6\\ Center for Strategic and International Studies, ``Net Losses: \nEstimating the Global Cost of Cybercrime (Economic Impact of Cybercrime \nII),\'\' http://www.mcafee.com/us/resources/reports/rp-economic-impact-\ncybercrime2.pdf, (June 2014).\n---------------------------------------------------------------------------\n    The quote often attributed to Willie Sutton that he robbed banks \n``because that\'s where the money is\'\' reminds us as to why financial \ninstitutions are often the 
subject of cyber-attacks. Being a focus of \nthe attacks is certainly one reason why the financial sector has \nhistorically led the way in making huge investments in not only \nsecurity infrastructure and the best-qualified people to maintain the \nsystems, but also in driving collaboration across industries and with \nthe government. The primary reason for these investments though is the \nrecognition that our customers trust us to protect them--to protect \ntheir investments, their records and their information. Individual \nfinancial institutions invest in personnel, infrastructure, services, \nand top of the line security protocols to protect their customers and \nthemselves and to respond to cyber-attacks. These investments protect \nthe individual institutions and their customers, but on its own, an \nindividual institution generally only has the ability to protect what \nis within its ``four walls of the company\'\'. However, as we all know, \ncompanies do not exist only within those walls. We are connected within \nour sector, across sectors, and with the government. This reliance on \neach other gives all of us a unique and critical role in the cyber \nlandscape and requires coordinated action for the most effective \nresponse. 
Recognizing that the cyber threat environment continues to expand \nin complexity and frequency and that individual institution efforts \nalone will not be enough, executives from the financial services sector \nhave stepped up efforts to work together.\nFinancial Sector Collaborations\n    Our sector has facilitated a series of collaborations that resulted \nin a number of achievements, such as:\n\n  <bullet> The development of the Financial Services Information \n        Sharing and Analysis Center (FS-ISAC) in 1999, which has grown \n        in membership and capabilities since then, and significantly \n        helped the sector\'s response to the 2012-2013 distributed denial \n        of service (DDoS) attacks, preventing wide-scale outages;\n\n  <bullet> Creation of Soltra Edge, an initiative that will help \n        standardize and automate the flow of real-time cyber threat \n        information;\n\n  <bullet> Collaborating with the merchant and retail community to \n        share best practices on cybersecurity, information sharing and \n        payments security; and\n\n  <bullet> The significant and coordinated financial services industry \n        effort during the development of the NIST Cybersecurity \n        Framework.\nThe NIST Cybersecurity Framework\n    Almost two years ago, President Obama issued Executive Order 13636, \ncalling for the development of a voluntary cybersecurity framework by \nthe National Institute of Standards and Technology (NIST). The \nexecutive order directed NIST to seek private sector input through a \ncollaborative process. From the outset, BITS/FSR--both as an \norganization and as a sector representative for the Financial Services \nSector Coordinating Council (FSSCC)--participated in the NIST \nCybersecurity Framework\'s development by taking part in all six NIST-\nfacilitated workshops, providing the perspective of our uniquely \ndiverse membership to this important effort. 
We appreciated the \nopportunity to be one of the major contributors to NIST\'s hard work \nthat, almost a year ago today, resulted in NIST\'s release of the \nFramework for Improving Critical Infrastructure Cybersecurity.\n    The financial services sector is often credited, and rightly so, as \nbeing one of the leaders in cybersecurity. That is why we wanted to be a \npart of the Framework\'s development. We wanted to ensure the eventual \nframework addressed our unique sector attributes, and we wanted to \nunderstand how it would harmonize with our existing requirements. We \nrecognized too that in an interconnected world, we as a sector are not \nan island unto ourselves. We need and rely on entities that provide us \nwith information technology, power, telecommunications and other \ncritical services. We applaud that NIST\'s process for developing the \nFramework engaged these other sectors during the Framework\'s drafting. \nNIST\'s successful approach at inclusion of so many essential parties is \nreflected in how broadly embraced the Framework has become across so \nmany sectors.\n    With respect to the Framework, its true value is that it \nsynthesizes a process for cyber risk management that is accessible from \nthe boardroom to the operations floor, across not only individual \nenterprises but also entire sectors. It relies on international \nstandards and is consistent with the regulatory requirements that have \nbeen in place for our sector for more than a decade. 
It is a ``Rosetta \nStone\'\' in that it provides a common lexicon for categorizing and \nmanaging cyber risks across sectors and enterprises for various \nunifying risk management jargons and creates a common understanding \naround various risk management terms, methodologies, ideas and \nlanguage.\n    As a result, we have heard from member financial institutions that \nin terms of internal enterprise usage, Chief Information Security \nOfficers (CISOs) are using the Framework to communicate ideas and \nachieve ``buy-in\'\' for various cybersecurity initiatives. Externally, \nfirms are beginning to use it to communicate expectations and \nrequirements to vendors. That said the Framework has only been in \ncirculation for a relatively short time. This is an important fact for \nthis Committee to keep in mind as it reviews the Framework at its \nanniversary. Because it has been only one year--one budget cycle for \nmost firms--usage from institution to institution varies. \nAppropriately, the number of institutions that are aware and use the \nFramework, and the ways in which the Framework will be used, will \nevolve over time. An example of how the Framework continues to permeate \nnew industries is its progressing role in the insurance space. The \npotential for the Framework to act as a baseline standard for cyber-\ninsurance underwriters shows a new level of possibility and versatility \nfor the voluntary standards.\n    Regarding the Framework development process, it was a success due \nin large part to its transparency and because it sought to harmonize \nvarious views into a cohesive whole. Indeed, BITS/FSR continues to \nparticipate in the evolution and maturation of the Framework through \nNIST\'s ongoing activities. 
For example, later this month we will be \nparticipating as a sector representative at NIST\'s ``Cybersecurity and \nConsumer Protection Summit: Executive Technical Workshop on Improving \nCybersecurity and Consumer Privacy\'\' at Stanford University.\n    Just last week, BITS provided input to the Cybersecurity Forum for \nIndependent and Executive Branch Regulators, which is comprised of all \nthe independent regulators that are looking at ways to align and \nharmonize with the Framework and thus increase overall effectiveness \nand consistency of regulatory authorities\' cybersecurity efforts \npertaining to critical infrastructure. BITS reviewed how financial \ninstitutions manage cybersecurity risks, comply with comprehensive \nregulatory requirements, and collaborate to mitigate cyber risks. We \nurged the regulators to focus on harmonizing regulatory requirements to \nreduce regulatory compliance burdens and to focus resources on \nmitigating cyber risk.\n    However, the process has not been uniform across all stakeholders. \nIn the year since the Framework\'s release, some Federal and state \nagencies have charted similar yet divergent paths to enhancing \ncybersecurity that do not embrace the Framework\'s open and \ncollaborative process, instead favoring agency-unique approaches that \noften do not align with the Framework. As a result, information \nsecurity practitioners have had to devote their time to managing a \npatchwork of conflicting agency efforts and organizations have to \ninvest funding in potentially duplicative efforts, which are \nsignificant drains on available resources. 
While some may say that is \nthe ``cost of doing business\'\', such a statement ignores the current \nreality: There is already a recognized shortage of security \nprofessionals and money needing to be increasingly invested in \ncybersecurity limits investment in new products to serve consumers.\n    Thus, we would urge this Committee, as part of its oversight \nfunction, to encourage agencies to focus more on coordination and \nharmonization.\nFinancial Top Level Domains\n    Like the process behind the NIST Framework, the financial services \nindustry is no stranger to voluntary processes designed to benefit the \ngreater good. I would like to highlight two of our most recent \nsuccesses: .BANK and .INSURANCE, and Soltra Edge.\n    As background, in 2008, the Internet Corporation for Assigned Names \nand Numbers (ICANN) approved its new generic Top-Level Domains Program. \nThis program in 2013 opened the door to a land rush on new top-level \ndomains--the top-level domains we were accustomed to such as .COM and \n.ORG are no longer the only suffixes available. For a time we advocated \nagainst this domain name expansion especially as it related to \nfinancial services oriented domains out of concern for customer \nconfusion, potential for increased malicious activity and ultimately \nincreased costs to brand holders. When it became clear our concerns \nwould not be addressed, the Financial Services Roundtable/BITS and the \nAmerican Bankers Association, along with other financial services \norganizations, partnered to create a new registry operator dedicated \nspecifically to the financial services sector--fTLD Registry Services, \nLLC.\n    This newly created organization submitted community-based \napplications for .BANK and .INSURANCE. 
I say community because unlike \nsome entrepreneurs who have entered this space with little or no \nconcern for protecting financial institutions or their customers, fTLD \nis dedicated to serving and protecting the global financial services \nindustry. This is evidenced by the more than 120 financial services \ndomestic and international entities who directly or through others \nendorsed our applications on behalf of the industry.\n    Besides being a financial services\' owned, operated and governed \nregistry, fTLD\'s domains of BANK and .INSURANCE will go beyond being \nsimply an alternative to the legacy domains of .COM and .ORG. These \ndomains will have robust operational requirements including \neligibility, verification and name selection standards as well as \nenhanced technical requirements including, but not limited to, Domain \nName Security Extensions (DNSSEC), strong encryption standards and e-\nmail authentication requirements to mitigate for example phishing and \nspoofing activities. fTLD is also planning other innovative uses that \nwill be announced at a later date. All of these enhanced requirements \nand capabilities could only happen when individual organizations \nvoluntarily came together to work towards a better and safer Internet.\n    Secondly, I want to highlight Soltra Edge, a threat intelligence-\nsharing platform created by a joint venture between FS-ISAC and the \nDepository Trust and Clearing Corporation and voluntarily funded by \ncontributions from the financial services community. Soltra Edge is a \nsoftware solution that supercharges the current information-sharing \nmodel to make it more automated and collaborative so that trusted, \nactionable intelligence from disparate sources can be uniformly \ndisseminated in near real time to defend more effectively against cyber \nthreats. 
The software for Soltra Edge only takes a few minutes to \ndownload and install with the basic license completely free, making \nthis solution accessible to the largest and smallest financial \ninstitutions.\n    While this effort started in the financial services sector, we \nexpect the technology behind Soltra Edge to be adopted broadly by other \ncritical sectors including healthcare, energy, transportation, retail \nand others.\n    Though Soltra Edge represents significant progress in closing the \ngap between threat intelligence sharing and implementing mitigating \ncontrols, a platform like this is still constrained by legal \nlimitations on what information can be shared. Congress has an \nimportant role to play in filling this gap. The passage of effective \ncyber threat information sharing legislation is a critical step to \nenabling optimal sharing capability.\nThe Public-Private Partnership: How Congress Can Help\n    While the NIST Cybersecurity Framework is a helpful tool, it is not \nthe silver bullet that puts an end to the cyber threat. As such, an \ninstitution could use the NIST Cybersecurity Framework fully and it \ncould still be compromised. Thus, more is needed, and Congress can \nhelp. At a basic level, policymakers can help by recognizing that the \nfirm that experiences the cyber-attack--be it a bank, retailer, or an \nentertainment firm--is a victim. Political leaders and regulators \nshould work to de-stigmatize attacks and encourage companies to come \nforward and share threat information that could help other companies \nprotect themselves, their employees and their customers.\n    Despite the success of the information-sharing model used by the \nfinancial services sector, more can be done. We believe the Framework \nwould be bolstered by the passage of effective cyber threat information \nsharing legislation. 
Our sector has been focused on this effort for 
many years and has continued to work closely with key committees in 
both the House and Senate. The legislation should not be delayed. BITS/
FSR has supported several pieces of information sharing legislation 
developed by both the House and Senate. Most recently BITS/FSR has 
supported the cyber threat information sharing legislation passed by 
the Senate Intelligence Committee last year, the Cybersecurity 
Information Sharing Act of 2014 (CISA). BITS/FSR worked closely with 
former Chair Chambliss, Vice Chair Feinstein and their staff to develop 
the bipartisan bill. In our view, that bill encompassed key components 
to help enhance the volume and scope of threat information sharing. 
Furthermore, the legislation had the support of not only the financial 
services sector but also a wide range of critical infrastructure 
sectors. Congress must enact legislation that incentivizes the sharing 
and receiving of cyber threat indicators amongst companies within 
sectors, between sectors, and with the government. BITS/FSR believes 
that for legislation to be truly effective it must include the 
following provisions:

  <bullet> Facilitate real-time sharing to enable institutions and 
        government to act quickly;

  <bullet> Provide a targeted level of liability and disclosure 
        protections for cyber threat information sharing and receiving 
        between individual institutions, through existing sharing 
        mechanisms such as our FS-ISAC, private to government, and 
        government to private;

  <bullet> Offer a good faith defense for the sharing of threat 
        information and data;

  <bullet> Provide protection from disclosure through the Freedom of 
        Information Act or to prudential regulators;

  <bullet> Facilitate the appropriate declassification of information 
        by the intelligence agencies and expedite the issuance of 
        clearances to appropriate private sector individuals; and

  <bullet> Include appropriate levels of privacy and civil liberties 
        requirements.

    BITS/FSR is encouraged by recent bipartisan progress and will 
continue to advocate for legislation that will allow our members to 
share cyber threat information with each other, various business 
sectors, the government, and law enforcement, to protect their 
customers.
Conclusion
    In conclusion, the NIST Cybersecurity Framework benefits and 
strengthens the overall cybersecurity posture of critical 
infrastructure organizations, including those sectors on which 
financial institutions rely. The Framework will continue to play an 
important role as we continue to combat the growing threat of cyber-
attacks. With that said, more can be done to encourage adoption of this 
voluntary Framework. This Committee should use its oversight 
authorities to encourage agencies to coordinate and harmonize 
cybersecurity requests, examinations, and guidance. Security 
professionals and investment dollars are constrained. When different 
regulators place duplicative burdens on security, that takes away from 
resources that could be devoted to preventing cyber-attacks. That, in 
turn, does not help any company and ultimately weakens our ability to 
protect the Nation's critical infrastructure.
    The risks associated with cyber-attacks and threats are vitally 
important to the private and public sectors. Protecting consumers, 
companies, and the Nation must remain the focus. The ability to share 
information is at the core of our Nation's response to the current 
cyber threat.
    Thank you again for inviting me to testify on this critical issue. 
Chairman Thune and Ranking Member Nelson, we look forward to working 
closely with you and the rest of the Committee on this important issue.

    The Chairman. Thank you, Mr. Smocer.
    Mr. England?

  STATEMENT OF JEFFERSON H. ENGLAND, CHIEF FINANCIAL OFFICER, 
                   SILVER STAR COMMUNICATIONS

    Mr. England. Chairman Thune, Ranking Member Nelson, members 
of the Committee, thank you very much for inviting me to be 
here and share with you some of my experiences as we have used 
the Cybersecurity Framework that NIST developed in our own 
organization.
    In February 2013, when President Obama issued an Executive 
Order calling upon critical infrastructure industries to 
voluntarily take measures to improve their cybersecurity 
posture, I had just accepted this position as the Chief 
Financial Officer at Silver Star Communications. I am new to 
telecom. And as a risk manager in our organization, I knew that 
I had a responsibility to figure out ways to address, among 
other things, cybersecurity risk in our organization.
    Shortly after that, I had an opportunity to visit with some 
of our friends at U.S. Telecom.
    And as NIST had released their initial draft of the 
Framework, they had called upon industry representatives to 
provide some feedback regarding the initial draft copy of that 
Framework. We chose, as an organization, to go through and 
begin using it as best as we felt like we could as a way of 
providing some feedback. One of the items that we had passed 
along was this utilization of a gap analysis, which we know has 
been included in the final version of the Framework that was 
released, as you say, Chairman Thune, almost a year ago.
    We found that the Framework has been extremely beneficial 
in our organization. Not only did it give our IT staff and 
managers a framework whereupon we could exercise disciplined 
cybersecurity improvements in our organization, but it forced 
within us an opportunity to communicate at all levels within 
our organization, at a level that had not previously existed 
before. We found, as we have gone through and used this, that 
voluntary adoption is key to the success within our 
organization. First off, we felt like the ability to adapt the 
Framework to use within our organization--we are a small 
business. We have roughly 9,500 access lines in western 
Wyoming. We found that the ability to adapt and use it as best 
met our need is one of the great strengths of the Framework.
    Ranking Member Nelson, you had mentioned the NIST Framework 
meeting that was taking place in February. I had an opportunity 
to speak at that conference. And in that meeting, I 
demonstrated some ways in which we had taken the Framework, as 
it exists, and used the information to build management tools 
where we could provide visibility within our organization 
regarding our progress and our activities on our cybersecurity 
practices in our organization.
    We believe that due to the voluntary nature of the 
Framework, it allows us to build ourselves as an organization 
upon having a stronger, competitive advantage amongst our 
peers, and we have found, as we have adapted the use of the 
Framework internally, that it has created opportunities for us 
to discuss cybersecurity risk with our customers and with our 
vendors in a way that we had not previously done. We were 
surprised, as we began using this. We called upon some of our 
larger suppliers to get some feedback. We were hoping to 
franchise from them and their policies to implement within our 
organization, and we were surprised, as we did so, that a 
number of our vendors did not have written policies and 
procedures in place regarding cybersecurity practices. And so 
it created a dialogue between us and them, and we found that to 
be very beneficial.
    And then we also found, as we have gone through and 
utilized the framework internally within our organization--just 
anecdotally I can tell you when I visited with our IT staff 
initially, they looked at the complete Framework. And it is 
voluminous. It is a wealth of information. But my IT staff 
immediately said this is going to take an additional one-and-a-
half full-time resources to go through and complete this thing. 
And since we believed it was a voluntary adoption and not a 
checklist, I turned around to my IT staff and I said, look, you 
are looking at this all wrong. We are not adding work upon you. 
This Framework is designed to help shape how you do the work 
you are already doing. When we had that perspective internally 
and we could consider the facts that we were exposing our view 
into a number of areas regarding cybersecurity that we 
previously had not done, it had made some big improvements for 
us in our organization.
    Finally, I would just like to go on record and make a case 
against regulation. We believe that regulation creates a 
minimum standards environment where a checklist approach is 
undesirable in this space. I have concern that whether it be in 
our organization or others, if it were a regulated requirement, 
it would be far easier for me to hand over the checklist to my 
IT staff and say complete this and turn in a report, and it 
would have bypassed all of the meaningful conversations that we 
have had within our organization.
    We also believe that having a minimum set of standards puts 
perpetrators on alert as to where they should be focusing their 
attentions.
    And finally, as was commented earlier by Ms. Beauchesne, we 
believe that going about it on a regulated approach alone is a 
misguided attempt by government. It has the opportunity to 
distract attention from the real perpetrators, which are the 
criminals who are attacking our system. And we believe that 
through information sharing and other practices, we can 
help focus Government attention on bringing justice to the 
perpetrators.
    [The prepared statement of Mr. England follows:]

 Prepared Statement of Jefferson H. England, Chief Financial Officer, 
                       Silver Star Communications
    Silver Star Communications, located in Freedom, WY, has been using 
the NIST Cyber Security Framework since it was originally released in 
draft form. Our initial intent was to review the framework and provide 
comment and feedback to NIST regarding its value to us as a rural 
telephone and Internet service provider. Our initial impressions were 
positive and some of our comments, including the incorporation of a gap 
analysis, were included in the officially released version of the 
framework.
    We have found that the framework has created an environment that 
encourages discussion, both internal and external, regarding its 
application in our organization. But above all, the greatest benefit 
from the framework has been the ability to use and adapt it within our 
organization such that it has become a meaningful management tool for 
improved cybersecurity practices.
    The framework helped provide us with a disciplined approach to 
reviewing cybersecurity practices within our organization. In the 
course of completing a self-assessment, there were many processes and 
procedures identified that we had not previously considered. The focus 
on current state relative to desired state in the context of acceptable 
risk provided meaningful focus and direction to IT staff and 
management. Additionally, since the framework allowed for 
organization-specific adaptation, we developed an internal reporting 
mechanism that provided executive visibility into our progress on 
highest priorities.
    The voluntary nature of the framework has been the key to success 
for use within our organization.
    We believe cybersecurity to be a competitive advantage whereby we 
differentiate ourselves from our competitors and make ourselves more 
attractive to our suppliers and those we serve. Because of this, we are 
self-driven toward improvement and have begun sharing our cybersecurity 
practice with those we serve more openly. Curious as to whether or not 
our suppliers have used the framework, we began asking them to share 
with us their cybersecurity practices. These conversations have been 
extremely valuable in helping us identify customers and suppliers who 
share similar cybersecurity risk tolerances to our own and have become 
an important part of our vendor selection process.
    We also believe that a regulatory mandate requiring the use of the 
framework creates a minimum standard environment. We believe this to be 
problematic because minimum standards are more likely to be treated as 
a checklist that can be delegated without having the necessary 
interdepartmental conversations regarding exposure and acceptable risk 
tolerance. There is also risk that minimum standards would put 
perpetrators on alert as to where they should focus their attentions 
for exploitation, potentially placing organizations at greater 
cybersecurity risk than before.
    Finally, we believe that a regulated approach to cybersecurity may, 
at least in part, misplace government attention away from the root 
problem. Cyber attackers are criminals and state-sponsored cyber 
attacks are acts of war. Government action regarding cybersecurity 
should place primary emphasis on tracking down and bringing cyber 
criminals to justice.

    The Chairman. Thank you, Mr. England.
    Dr. Lewis?

 STATEMENT OF DR. JAMES A. LEWIS, DIRECTOR AND SENIOR FELLOW, 
   STRATEGIC TECHNOLOGIES PROGRAM, CENTER FOR STRATEGIC AND 
                     INTERNATIONAL STUDIES

    Dr. Lewis. Thank you, Mr. Chairman, and I thank the 
Committee for the opportunity to testify.
    Executive Order 13636, Improving Critical Infrastructure 
Cybersecurity, released in 2013, was a major shift in U.S. 
policy on cybersecurity. One of the flaws in the 2012 
comprehensive Senate legislation was it tried to give a single 
agency the authority to regulate cyberspace. The EO, by tasking 
sector-specific agencies to use the Framework for better 
cybersecurity, is a better approach. 
The executive order \ninstructed NIST to develop a Cybersecurity Framework to guide \ncompanies in securing critical infrastructure. The process is \nvoluntary, as you have heard. This executive order is likely to \nbe followed by another on information sharing in early 2015.\n    These executive actions are the building blocks for better \ncybersecurity. But what we want to think about is are they \nadequate. And the primary measurement for adequacy is are we \nstopping opponents from getting in. Adoption is not a good \nmeasure for success. Even if all companies adopt the Framework, \nit does not mean better cybersecurity. The only way to measure \neffectiveness is to ask if the number of successful \npenetrations in the outflow of data has decreased. If hackers \nstill get in and data still flows out, the Framework needs to \nbe further amended.\n    In 2013, the FBI notified 3,000 companies that they had \nbeen hacked and lost data. There may have been more. If this \nnumber declines in 2015, it says the Framework is working.\n    Judging from the news, however, the number of successful \nattacks against U.S. companies has not decreased. We do not \nknow if this is because companies have not adopted the \nFramework or if they have been unable to implement it or if it \nis because the Framework is in itself ineffective.\n    For example, it appears that Sony had not implemented the \nNIST Framework, but even if it had, the North Koreans still \nwould have gotten in. And North Korea is the least skilled of \nour likely opponents.\n    Implementing the NIST Framework is not easy. Many small and \nmedium-sized companies lack the manpower, training, and \nresources to implement the Framework.\n    Cost is an important issue for companies of all sizes. 
\nImproving cybersecurity asks a business to spend money on \nthings it will not generate a return on investment, and we do \nnot have a mechanism for them to recoup costs.\n    This means that cybersecurity involves a business decision \nby companies about how much risk they will take and how much \nthey are willing to spend to lower that risk. Many companies \nstill underestimate risk, and the Framework provides a good way \nfor them to rethink their approach to cybersecurity.\n    The Framework could be seen as part of an emerging national \napproach to cybersecurity, shaped by Government action and \neconomic incentives. These incentives come from regulation, \nmarket risk, and civil liability. The Framework helps \nregulators and companies manage risk in critical \ninfrastructure. Federal Trade Commission actions and consumer \nreaction will incentivize companies to better protect personal \ninformation.\n    The Federal Government needs to do more to discourage cyber \nespionage, but companies need to do better at defense. The \nmarket will penalize companies that have under-prioritized \ncybersecurity, and companies face the risk of civil liability \nbecause a case could be made that a company that has not \nimplemented the NIST Framework has failed to exercise due \ndiligence. And I think this will have a powerful shaping effect \nover the next couple of years.\n    Now, is all of this enough for better cybersecurity? \nProbably not. But it is a good start, and the NIST Framework is \na step forward in what is going to be a long process to make \nthis Nation more secure.\n    With that, I thank you and I am happy to take your \nquestions.\n    [The prepared statement of Dr. Lewis follows:]\n\n Prepared Statement of Dr. James A. 
Lewis, Director and Senior Fellow, \nStrategic Technologies Program, Center for Strategic and International \n                                Studies\n    I thank the Committee for the opportunity to testify on private \nsector experience with the National Institute of Standard\'s (NIST) \nCybersecurity framework. The Framework provides a list of measures \ncompanies can take it improve their cybersecurity. I will discuss three \nissues: what we know about the Framework\'s adoption, how effective it \nis, and where it can be improved.\n    An initial conclusion is we lack sufficient data to say \ndefinitively whether the Framework is working or not to build a more \nsecure cyber future. The Framework itself was released relatively \nrecently, in February 2014. It will take more time for the Framework to \nbe implemented, adjusted and to see if it what effect it has on \ncybersecurity. My comments on the Framework are best seen as \npreliminary until we have gained further experience and data on its \nimplementation. On the larger issue of building a more secure cyber \nfuture, in which the NIST Framework may play a part, there is \nsufficient data and experience to describe the situation and to make \ngeneral recommendations for improvement,\n    Executive Order (EO) 13636, ``Improving Critical Infrastructure \nCybersecurity,\'\' released in February 2013 was a major shift in U.S. \npolicy on cybersecurity. Instead of making a single agency responsible \nfor cybersecurity, it assigned responsibility to existing, sector-\nspecific regulatory agencies. The EO instructed the National Institutes \nof Standards and Technology to develop a ``Cybersecurity Framework\'\' \nreleased in February 2014, that companies could use to guide their \ndefensive efforts and that agencies could use to measure if the \ncritical infrastructure companies they regulated were doing an adequate \njob. The process is voluntary. 
In addition, approximately 200 critical \ninfrastructure companies were notified by the White House that they \nwould be held to a higher level of scrutiny given their strategic \nimportance. This Executive Order is likely to be followed by another \nexecutive action in early 2015 on information sharing. The executive \nactions and the NIST Framework are building blocks for better \ncybersecurity, but while they are good first steps, the U.S. remains \nvulnerable.\n    We should, if the Framework is effective in improving \ncybersecurity, see changes in the attacker population, with the less \nskilled attackers dropping out and the more skilled (or better \nresourced) changing attack techniques. Even if the Framework is \neffective now, if it is not dynamic and evolve along with the threats \nwe face, it might not produce a lasting decrease in the rate of data \nexfiltration, as skilled opponents adjusts to improved defenses. This \noutcome is possible if the attacker seeking to exfiltrate data is an \nintelligence agency or foreign military who have the resources and \ndedication to wage a persistent campaign.\n    For example, and judging from public sources, it appears that Sony \nhad not implemented most of the NIST Framework recommendations, but it \nis not clear that even if it had, North Korea would have been prevented \nfrom gaining access and doing damage. The defenses needed for \ndetermined State opponents like Iran and North Korea lie outside the \nNIST Framework.\n    One way to think about critical infrastructure is from the \nperspective of an enemy ``targeteer,\'\' planning what American targets \nto strike with cyber attacks in order to achieve the desired military \neffect. For these opponents, America is a target rich environment, with \nthousand of potential targets, many of which are poorly defended. If \nthe opponent wishes to make a political statement, it will look for a \nsingle poorly defended target with symbolic or political value. 
If the \ndesired effect is temporary military advantage, it might strike a few \ndozen civilian targets--logistics systems and perhaps critical \ninfrastructure in the areas that would support deployed U.S. forces, in \nHawaii and the West Coast, for example, if the conflict was with forces \nunder PACCOM. If the desired effect was extensive damage to the U.S. \neconomy and military capabilities, a broad campaign with hundreds of \ncivilian targets would need to be attacked. Fortunately, this attack \nscenario is very unlikely and only one or two countries have this \ncapability.\n    The EO 13636 process attempted to identify some of these critical \ncivilian targets, but in general we have no idea whether the Framework \ncomplicates opponent planning for cyber attack. The dilemma for cyber \nsecurity is that, unlike other possible attacks against the U.S., we \nhave not found an effective defensive strategy. Our military forces \ndeter truly damaging attacks--no country willingly seeks war with the \nU.S.--but they did not deter North Korea from damaging Sony or Iran \nfrom attempting to damage banks. We need a blend of adequate defenses \nat the company level and robust Federal efforts to dissuade opponents \nif we are to build a secure cyber future and while the right formula \nhas not been found, the NIST strategy could form a useful part of an \neffective national approach to cybersecurity.\n    A compliance approach to security lists actions taken; a better \napproach is to ask to see the results of those actions. Good data on \nresults is unavailable, and much of the discussion of cybersecurity is \nstrangely disconnected from fact. The primary categories for \nmeasurement are the number of companies adopting of the Framework and \nits effectiveness in thwarting opponents.\n    But adoption is not an adequate measurement for success. 
Even if \nall companies were to voluntarily implement the NIST Framework, it does \nnot necessarily mean that there will be an improvement in \ncybersecurity. The measures listed by NIST are likely to improve \nsecurity if implemented correctly, but to what degree there will be \nimprovement is unknown, nor do we have any idea of how many companies \nhave implemented the Framework recommendations, or how well they have \ndone so. For example, if there was widespread adoption of the framework \nbut little effect on penetration and exfiltration, it would be \npremature to say that the tide has turned in cyberspace. The difficulty \nin linking recommendation and effect strongly affects how we manage \nrisk, and the lack of data hampers a range of initiatives, from \ncreating a cyber insurance market to applying the NIST Framework.\n    The only way to accurately measure effectiveness is to ask if the \nnumber of successful penetrations and the outflow of data have \ndecreased. If hackers still get in and data still flows out, the \nFramework is not working. These are result-based measures, fundamental \nfor determining the return on investment in cybersecurity. Many things \ncan be asserted or even measured, but they are useful only to the \nextent they can be correlated with effects.\n    Judging from the news, the number of successful computer breaches \nagainst U.S. companies and agencies has not decreased. We do not know \nif this is because companies have not adopted the framework, have been \nunable to implement it, or if it is because the Framework is \nineffective. An initial estimate is that all three of these estimates \nare likely true, but to guide policy and legislation we need to \nunderstand which is the most likely cause for the absence of a \nvisible improvement in U.S. 
cybersecurity.\n    The success rate of opponents, determined by their ability to \npenetrate target computer networks and to exfiltrate data from these \nnetworks, is the only true measure of the Framework\'s effectiveness. In \n2013, press reports state that the FBI notified 3000 companies that \nthey had been hacked--and there may have been more that we do not know \nabout. If this number declines in 2015, it indicates that the Framework \nis successful.\n    NIST did put out a Request for Information (RFI) on the private \nsector\'s experience so far with using the agency\'s cybersecurity \nframework and in October it received more than fifty responses from \ncompanies and associations. A majority of respondents were supportive \nof the Framework and acknowledged its increasing adoption in various \nsectors. Other comments included support for the Framework\'s easily \nunderstood guidance, worries that small and medium size enterprises \nwere not capable of meeting the guidelines due to costs, and confusion \nabout the voluntary nature of the Framework. A majority of respondents \ncalled for continued support for the Framework.\n    A Request for Information is not the best approach to assessment, \nbecause companies that report ``self-select,\'\' with only those with \ngood stories to tell providing a response. There will be a desire to \nsay that the Framework is working well, as this would remove the \nimpetus for further cybersecurity measures. These are normal problems \nwith survey data, but they could skew responses to produce an overly \nrosy picture. An alternative approach would be to use Commerce \nDepartment (of which NIST is a part) authorities under the Defense \nProduction Act (DPA) to require companies to respond. Using the DPA \nwould allow Commerce to devise an adequate sample of companies that \nwould allow it to estimate adoption rates by sector and company size. \nOther agencies also can collect information for sector specific groups. 
\nThere may be some resistance to conducting a survey. This resistance in \nitself would be a good indication of intent regarding the Framework.\n    There have been only a few efforts, such as DHS\'s continuous \nmonitoring effort and the Australian Signals Directorate work on its \n``Strategies to Mitigate Targeted Cyber Intrusions,\'\' to show that \nimplementing a measure produces an observable reduction in successful \nattacks. These efforts allow us to say that some measures drastically \nreduce opponent success rate. Many of these measures are included in \nthe Framework, along with a quantity of others.\n    Several issues complicate the implementation of the NIST Framework. \nMany small and medium sized companies lack the manpower, training and \nresources to fully implement the Framework. Straightforward measures, \nsuch as the ASD mitigation strategies, are appropriate for small and \nmedium companies but may not work as well in the complicated networks \nof large companies. Cost is an important issue for companies of all \nsizes--essentially cyber security requires a business to allocate \nresources to purposes that will not generate a return on investment. In \ncybersecurity, we are asking companies to spend money on activities \nthat do not generate a return and we have not offered any mechanisms \nfor them to recoup this cost. Of course, a good way for companies to \nthink about spending on cyber security is that it is like insurance, \nwhere a company spends money to reduce and manage risk.\n    This means that at the level of the firm, cyber security involves \nbusiness decisions where companies should decide how much risk they are \nwilling to take, what mitigation efforts (like insurance) best manage \nrisk, and then spend accordingly on protection. 
Anecdotal evidence \nsuggests that many companies still underestimate cyber security risks, \nbut this is changing and the recent series of events, in particular the \nTarget breach (which led to the resignation of the Chief Executive \nOfficer and a dramatic decline in revenue), have helped to focus \nattention and raise awareness in company management and boards.\n    The Framework provides a useful focal point for company discussions \nof cybersecurity, and a commonly held view is that it is a good first \nstep. Over time, it is likely that as companies implement the \nFramework, they will modify it and identify measures that best fit \ntheir own purposes, as they experiment with different approaches and \nfind what works best. Each critical infrastructure sector may find that \nsome parts of the framework are more important for their business than \nothers and modify implementation in ways that work best for them.\n    The effect of the Framework on reducing cybersecurity risk might be \ndifferent for critical infrastructure than for intellectual property. \nSurvey data on penetration and exfiltration success rates will show \nwhere individual defenses are inadequate and where collective action is \nneeded, through increased international engagement in diplomacy and law \nenforcement cooperation to reduce cyber risks. To continue the \ninsurance analogy, we want to take governmental actions that reduce \nsystemic risk so that companies can spend less on ``insurance,\'\' e.g., \ncybersecurity.\n    One of the most valuable lessons of EO 13636 is that one size does \nnot fit all. In retrospect, one of the most serious flaws of the 2012 \ndraft Senate legislation was its efforts to assign a single agency the \nauthorities to regulate cyberspace. 
The EO, by tasking regulatory \nagencies to ensure that their existing regulations adequately take the \nFramework into account, better reflects the diversity of the economy.\n    What is emerging is a structure for national cybersecurity shaped \nby the different incentives (or lack thereof) that companies face in \nmaking business decisions about cybersecurity. These incentives are \ncreated by regulatory authority, business risk, and civil \nliability.\n\n  <bullet> Critical infrastructure: improved cybersecurity will be the \n        result of partnerships between companies and their sector \n        regulators. This is the area where the Framework and the \n        Executive Order have made the most valuable contributions, \n        since it provides a basic template against which company \n        actions can be measured.\n\n  <bullet> Personally identifiable information: Federal Trade \n        Commission (FTC) actions and market penalties can incentivize \n        companies to better protect personally identifiable \n        information, but the level of cybersecurity at major companies \n        holding PII has been inadequate.\n\n  <bullet> Intellectual property: there is no regulatory mechanism to \n        penalize companies for the loss of IP, nor should there be. \n        When a company is hacked and loses IP, a part of the \n        responsibility is shared by the Federal Government, which needs \n        to do more to discourage economic espionage by foreign actors, \n        but the bulk of the responsibility is held by the company, \n        which has made bad business decisions to under-prioritize \n        cybersecurity. Increasingly, the market will penalize such \n        companies, at least temporarily, and these companies face \n        increased risk of civil liability. 
Shareholders and customers \n        can now ask if a company had implemented the NIST Framework; if \n        it had not, a case could reasonably be made that the management \n        had failed to exercise due diligence.\n\n    From one perspective, cobbling together measures like the \nFramework, FTC rules, and some yet-undefined set of mechanisms for \ninformation sharing might seem like a ramshackle approach to one of the \nprincipal security problems of our time. There is some truth to this, \nbut another perspective is that the complexity of the problem, the \ndeeply ingrained problems with the technology, and the consequences of \nany cyber action for security and economics at both the global and \nnational level, militate against any single solution that can be \neasily and rapidly adopted. Federal action can accelerate progress and \nprovide structures for collective action, and from this perspective, \nthe NIST Framework is a valuable step forward in what will be a long \nand uncertain process to make cyberspace more secure.\n    I again thank the Committee for the opportunity to testify and \nwould be happy to answer any questions.\n\n    The Chairman. Thank you, Dr. Lewis. You all did an \nexceptionally good job of staying within the 5-minute sort of \nnot requirement, but suggestion that we have.\n    We will do 5-minute rounds of questions for members of the \nCommittee who are here.\n    And I will start it off, Mr. England, by pointing out--I \nthink this is your first time testifying before Congress. Is \nthat correct?\n    Mr. England. It is.\n    The Chairman. Welcome.\n    And your company, as I understand it, was formed by a bunch \nof ranchers in Wyoming back in the early 1900s.\n    Mr. England. That is correct. Initially our telephone line \nwas the top wire on a barbed wire fence.\n    The Chairman. I suspect in western Wyoming in the early \n1900s, forming your own communications company was born out of \nnecessity probably.\n    Mr. 
England. Pretty much so.\n    The Chairman. Well, anyway, the point I want to make is \nthat yours is a small rural business, and does not have the \nendless resources, as you mentioned, to address cybersecurity \nrisk. And as the CFO for Silver Star, the question is, how have \nyou been able to use the Framework in a cost effective way to \nguide how you protect your networks? And a follow up would be, \nhas the common language helped you make business decisions and \nbetter communicate with your IT managers and your outside \nsuppliers?\n    Mr. England. Yes. Thank you, Chairman Thune.\n    To answer the first part of your question regarding the \ncost effectiveness, it is true that making improvements \nidentified within the Framework costs money. That is just \nunavoidable. However, using the Framework within our \norganization did not create additional cost for us as a \nbusiness. And so, as an example, when my IT staff came in and \ndiscussed with me the fact that there was a lot of information \nin that Framework and how are they going to dedicate time to \nreviewing that in addition to their regular job functions, I \nexplained to them that they were looking about it all wrong. \nThe Framework was a way of providing some structure to the way \nthat they were already doing their jobs that kept it in the \nframework of cybersecurity improvements. So we found some very \neasy things that we were able to do.\n    As an example, one of the things that the Framework invites \nmembers to do is to consider cybersecurity risk as part of a \nrisk management meeting. And when we looked through our whole \nstrategic planning process internally, we knew that we were \ndoing a risk assessment meeting to talk about any and all other \nrisks. We had not previously considered cybersecurity risk as \npart of that meeting. 
And so in making an improvement \ninternally, based on the suggestions provided in the Framework, \nwe were able to add this discussion item at no cost to us, and \nyet it helped shape the whole way that we did the rest of our \ncapital budgeting and everything else internally. So we found \nsome very good benefits at minimal cost initially.\n    And then the second part of your question about the common \nlanguage of the Framework. I think that our experience was that \nthe Framework has five functional areas. It ranges from the \nbeginning of identifying and responding and recover at the end. \nWe found that on the front end, the identify, the respond and \nrecover at the back end--these were very common understandable \nthings for executive leaders and directors in our organization \nbecause these are things we are already trying to do as it is.\n    The middle sections of detect and protect were more IT \nfocused. And so we did have to rely on our IT staff and sitting \ndown and having conversations with them. But where the real \nvalue was is that I was able to turn to my IT staff and ask \nthem to help me identify where our current tier assignment was, \nand then as an executive leader in our organization, I was able \nto help provide direction where our target tier, our acceptable \nrisk levels would be.\n    And so this dialogue that we had between executive and IT \nmanagers regarding overall cybersecurity risk in the \norganization was an extreme benefit for us. And we felt that \nthe language contained within the Framework was conducive for \nthat type of conversation.\n    The Chairman. The first impulse of Government is often to \nregulate. I think you make a good point, Mr. England, that \ncybersecurity mandates can lead to minimum checklists and \nsignal to hackers potential areas for exploitation.\n    Dr. 
Romine, you stated that NIST has reached out to \nregulatory agencies to reinforce the fact that the Framework is \nnot designed or intended to create additional regulatory \nrequirements for critical infrastructure owners and operators. \nAnd that is a principle we really worked hard to incorporate \ninto the legislation that moved last year.\n    And I just want to ask you the question, why is a voluntary \nFramework the best approach, given the severity of the threat, \nand what kind of feedback have you received from other \nagencies?\n    Dr. Romine. Thank you, Mr. Chairman. And I appreciate the \nsupport of the Committee for all of the work that we are doing.\n    Our approach is to try to make sure that there is an \nunderstanding that a voluntary program does not equate to a \nweak program. In fact, voluntary programs for cybersecurity can \nbe highly effective. The reason the voluntary approach I think \nmakes the most sense is that it maintains the conversation. It \nmaintains the engagement across sectors and provides the \nmechanism, as Mr. England pointed out, to incorporate the \ncybersecurity risk as part of the overall risk management of \nthe enterprise whereas, as he pointed out, anything that would \nrequire adhering to regulation in this particular space--the \ntendency would be to push that to the IT component of the \norganization and just assume that that is being taken care of. \nAnd I think that is going to be far less effective.\n    The Chairman. Thank you.\n    Senator Nelson?\n    Senator Nelson. Mr. Romine, the voluntary program works as \nlong as everybody is volunteering.\n    I look at this through two portals: data security, personal \nprivacy; and national security.\n    Mr. England, I think you are right that the market will \nshape the requirements because if people are having their \npersonal privacy taken away, and they go through all of that \nharassment, they are going to demand of the company. 
Now, \ncompanies naturally have a reluctance to come forward by \ntelling that they have been invaded, and perhaps some of that \nloss can be taken care of by insurance, as you all have \ntestified.\n    But when you get to the question of national security, the \nterrorist is not likely going to attack your operation, Mr. \nEngland. They are going to go for the bigger spectacular thing.\n    So this morning, we had six or seven people killed on the \nNew York railroad system. All signs are that it was just a \ntrain crash into a vehicle. But how about a cyber attack on a \ntransportation system that may shut down the railroad or cause \ntwo trains to run together? What about Target? 70 million \nshoppers\' data taken. How about Yahoo? Passwords and user names \nin a cyber attack. How about EBay changing the passwords \nbecause of a cyber attack? Several banks, including J.P. \nMorgan, 76 million households and 7 million small businesses \naffected. Home Depot, 56 million accounts, $62 million to cover \nthe cost. Sony, we already talked about, $100 million, directly \na cyber attack for its intended purpose to intimidate.\n    So, Ms. Beauchesne, how can you say that everything is \nworking, as you testified?\n    Ms. Beauchesne. Thank you, sir.\n    Well, I would say that we do not want to have mandates on \nthe private sector. The bad guys do not have mandates and \nregulations. The threat is evolving quickly. We need to have \nthe private sector be able to evolve quickly and continue to \nevolve their defenses. I think the strongest incentive for the \nprivate sector is that they want to protect their information. \nThey want to protect their customers. It is in their best \ninterests for them to stay in business to do that. That is the \nincentive.\n    Senator Nelson. Well, as I said in the opening comments, if \na terrorist comes in and with a satchel charge blows up a major \nelectrical grid, sewer plant, water plant, that is obviously a \nterrorist attack. 
But they can do the same thing with a cyber \nattack where the effect even is more extensive.\n    Can you tell us what percent of the companies represented \non your task force have actually implemented this Framework, \nthis voluntary Framework?\n    Ms. Beauchesne. No, sir. We have not surveyed them. I do \nnot have an exact number for you.\n    But I will tell you that through our campaign that we have \ndone around the country, all of the companies are highly \ninterested in adopting the Framework and using the Framework. \nAnd this is not new. The Framework is a new tool but it is made \nup of best practices and standards and guidelines that \ncompanies have been using for several years now.\n    Senator Nelson. Would you submit for the Committee\'s \nconsideration the percentage of that, as well as the percentage \nof your general membership implementing the Framework?\n    And, Mr. Smocer, among the publicly traded companies \nrepresented by the Business Roundtable, have any of your \nmembers identified cyber attacks as the reason for declining \nearnings?\n    Mr. Smocer. Within the Financial Services Roundtable, to \nthe best of my knowledge, no, not at this point.\n    Senator Nelson. Do they consistently report, in their SEC \nfilings, cyber attacks?\n    Mr. Smocer. With regard to the SEC filings, obviously cyber \nrisk is one of the risks they need to consider, and if there \nare indications under SEC rules that that risk has importance, \nthen yes, they are reporting it, sir.\n    Senator Nelson. Mr. Moran?\n\n                STATEMENT OF HON. JERRY MORAN, \n                    U.S. SENATOR FROM KANSAS\n\n    Senator Moran [presiding]. Thank you very much.\n    Senator Thune indicated he was departing for a few minutes \nfor a Finance Committee meeting, and next on the list is Mr. \nPeters after me.\n    Ms. 
Beauchesne, you indicated in your testimony that the \nNIST Framework has been a helpful tool, but then you also \npromoted needing to go further with information sharing. You \nindicated that is not the jurisdiction of this committee. But I \nwant to explore what we can learn from NIST and the partnership \nthat is created there to encourage that information sharing.\n    I probably will ask Mr. England a similar question. But how \ndo we get the smallest businesses? What is the incentive for \nthem to participate today, and what barriers need to be \novercome to see that they do participate potentially on \ninformation sharing?\n    Ms. Beauchesne. Thank you.\n    First of all, I think take a look at the Framework. It is \nonly a year old. Right? So we are still socializing it. We are \nstill getting people to be aware of that, and that is part of \nthe Chamber\'s job, working with NIST. It has been a terrific \npartnership because the private sector was involved in every \nstep of the development of the Framework. So they had a big \nstake in this working.\n    As far as getting smaller companies to adopt the Framework, \nthe more that people are using it, the cost of adoption will go \ndown. Right?\n    Senator Moran. So the cost of participation will be----\n    Ms. Beauchesne. A market influence, yes, sir.\n    Not everyone, especially the small or medium-sized \nbusinesses, can afford to go out and hire a FireEye, a \nMandiant. So we want everyone to use this tool. And again, the \nFramework is one tool in the toolbox. It is a process. It is a \ngreat one. Everyone is talking the same language. Everyone is \nlooking at the same kind of process.\n    But as you said, more needs to be done. And that is the \ninformation sharing piece, and that is the Chamber\'s number one \ncybersecurity priority this year. We really need to get that \nlegislation done. 
If we are going to get to the next level so \nthat the Federal Government shares information with the private \nsector, that we are seeing the threats at the same time, that \nwe are sharing information in real time, not 6 months later \nwhen the FBI comes knocking on your door.\n    Senator Moran. Do you know the description of the \nbusinesses, the kind of demographic or size, revenue, number of \nemployees, kind of the description of the typical business that \nparticipates in the industry information sharing and analysis \ncenters or a number of fusion centers across the country, \nincluding one in Topeka, Kansas that gets great national \nreviews? Is there an indication that small business is able and \ninterested to participate?\n    Ms. Beauchesne. I actually will defer to my colleague here \non the ISAC participation. My understanding, though, is it is \nprobably more mid-sized and large-sized companies. The smaller \nones frankly do not have the staff or time, that is my \nunderstanding.\n    Mr. Smocer. Our experience within the Financial Services \nInformation Sharing and Analysis Center is that it does run the \ngamut from large to small. I would say the smaller \norganizations typically tend to be more consumers of the shared \ninformation. So in terms of protecting themselves, they tend to \nget the information that the larger institutions are witnessing \nin terms of attempted attacks, the nature of those attacks, \nconsume that information, and then prepare to defend themselves \nbetter from that information.\n    I think one thing to recognize too is a lot of smaller \ninstitutions or organizations, be they in financial services or \notherwise, are often supported by outside IT service providers. \nSo I think one thing that is critical too in the information \nsharing debate is to make sure that those kind of service \nproviders are engaged because they will help protect small \ninstitutions that they service.\n    Senator Moran. 
That is a good point. The business that \nconducts business with a smaller business needs to be insistent \nupon the right framework in place for who they are contracting \nwith.\n    Mr. Smocer. And one of the advantages of the Framework for \nsmaller businesses too is that in gauging the effectiveness of \ntheir service providers, they can use the Framework to ask the \nright questions of their service providers in a kind of lexicon \nthat is common. We tend to think of the Framework as almost a \nRosetta Stone in terms of taking a lot of disparate language \naround technology and cybersecurity and placing it in a common \nlexicon that service providers, customers, clients can \nunderstand.\n    Senator Moran. And I would point out that while it may be \nan IT company that you are subcontracting or contracting with, \na business contracts with lots of other businesses unrelated in \na sense to IT, and there is an opportunity for the attack to \noccur there. And I do not know if this is demonstrated by facts \nyet today, but I assume that it may come to the point in which \nit is easier to attack the smaller business that contracts with \na larger business and you arrive at the same point of very \ndamaging occurrences. Does that make sense?\n    Mr. Smocer. It does. And certainly in some of the examples \nthat Senator Nelson was giving, in particular, one large \nretailer that was ostensibly attacked through a small HVAC \nprovider.\n    Senator Moran. Mr. England, just let me ask you why your \ncompany has the incentive to do what you are doing?\n    Mr. England. It is a business imperative. You know, we talk \nabout insurance as a protection against liability, but I like \nto think of the example of life insurance. It really does not \nbenefit me if I am dead. And as a small business, I am \ndependent on the trust of my customers and being able to \ndeliver them services in a secure environment. 
And as a small \nbusiness, we could sustain probably just a small number of \nattacks before we would be--as a business entity, our going \nconcern, would be in jeopardy. So there is a strong incentive \nto do that.\n    And I echo the comments that have been shared already that \nthis is why we view it as a competitive advantage for us. We \nhave had open conversations with larger companies that we are \nconnecting to, and we have had open conversations with people \nwho are providing services to us because it is a great risk.\n    Senator Moran. Thank you very much.\n    Mr. Peters?\n\n                STATEMENT OF HON. GARY PETERS, \n                   U.S. SENATOR FROM MICHIGAN\n\n    Senator Peters. Thank you, Mr. Moran.\n    I really have enjoyed the testimony here and what is going \nto be an increasingly important discussion in the years ahead. \nAnd so I appreciate all of your involvement in this issue.\n    Mr. Lewis, if I can start with a question for you. In your \ntestimony you, I think, very wisely said that the question is \nnot how many folks are adopting the Framework. It is whether or \nnot it is actually effective. And I think the jury is still \nout. It is still new. We are in the process of implementing it \nand companies are adopting it. So we will have more data points \nas we go forward. If you can kind of elaborate how we would \nassess that.\n    And in particular, you mentioned at the very end of your \ntestimony too that you think this is a good start, but you also \nbelieve it is not enough. So where do you think we are going to \nbe? We are going to have data points, obviously, to assess \nthis. But where do we have to go that is even further than this \nFramework? What were you implying in your testimony?\n    Dr. Lewis. Well, and thank you for the question.\n    The administration has chosen a voluntary approach, backed \nup by the implicit threat of regulatory action if companies do \nnot do anything. 
And the jury is still out, as you said.\n    For me, the easiest way would be to just look at the number \nof incidents that we see, the losses that we see, and whether \nit is going up or down. And one of the ways I think about this \nis we have four or five primary opponents in cyberspace: the \nRussians who can pretty much do whatever they want, the Chinese \nwho have a massive amount of resources, Iran and North Korea \nwho have really improved in recent years, and the groups that \nIran supports, some of the terrorist groups that Senator Nelson \nmight be talking about. These are pros. Let us see how they \nreact. Right? If their success rate goes down--and they have \nhad an unbroken string of successes for more than a decade--\nthen we can say we have done enough. But we do not have the \ndata to say that.\n    If it is not enough, then we need to think where is it we \nwant to take action to harden critical infrastructure and where \nis it we want to take action as a Government to work with these \nnation state opponents to get them to change their behavior.\n    So I think those are the two areas.\n    Watch the Framework. People have said they wanted to do \nvoluntary stuff for a long time. Now is their chance. Prove \nthat it works. If it does, great. But even if it works, there \nwill still be a class of opponents who can only respond to \nGovernment action, and that is where we need to think.\n    Senator Peters. Especially with the state actors is where \nwe are going to need to do it.\n    Dr. Lewis. Right.\n    Senator Peters. Mr. Smocer, you mentioned in your testimony \nthat you think that we could see a baseline of activity from \ncompanies based on insurance and insurance standards. And I \nalso heard a number of folks comment that with regulation, you \nbasically have a checklist process that you are going to go \nthrough.\n    How is it fundamentally different if it is an insurance \ncompany? 
Would an insurance company basically give you a \nchecklist, say if you do these things, you will be insured? If \nyou do not--what is the difference between those two approaches \nas you see it?\n    Mr. Smocer. I would say that the way the Framework will be \nused is less about the checklist and more about underwriting \nthe risk that the company faces. So I think as in any \ninsurance, you need to have some level of standard underwriting \nand some lexicon that provides that to be able to get the \nactuary numbers to figure out the risk and figure out the \npremiums therefore that you are going to charge.\n    I think what the Framework does is it provides a really \ngood risk framework that, as many of my colleagues have pointed \nout, is understandable from the board room down to the \noperations floor. And therefore, I think the insurance \ncompanies see this as an opportunity potentially to say this is \nthe tool that we have been looking for to give us some standard \nunderwriting guidance to be able to figure out our premiums and \nrisk scenarios.\n    Senator Peters. Thank you.\n    Mr. Romine, in your testimony you talked about your NICE \ninitiative which deals with education because for us to \neffectively deal with this problem, we need folks who are \nhighly skilled and trained in cybersecurity. Could you \nelaborate a little bit on what you talked about and how the \ninitiative is progressing and what we need to do to make sure \nthat we have the training programs in place to train folks who \ncan deal with some of the threats from China and Russia and the \nothers that are coming at us?\n    Dr. Romine. Certainly. Thank you, sir.\n    The NICE program that NIST is privileged to lead housing \nthe national program office for NICE is actually a broad \ninteragency activity. And it is focused on three things. One is \ncybersecurity awareness. One is fundamental education from K \nthrough postgraduate. 
And then related to that one is the \ndevelopment of a cybersecurity workforce, capable workforce.\n    And so the last one I think is the one that you are \nspecifically interested in. And I would say a lot has been done \nin that space. There is a lot left to do. We have collaborated \nwith the Department of Labor and the Office of Personnel \nManagement, OPM, and others, the Department of Education, the \nNational Science Foundation, and many of our other partners. \nAnd I think we are addressing some of the shortcomings \nassociated with sort of understanding the needs, the \nrequirements of that cybersecurity work force, the STEM \neducation that is required to underpin a professional workforce \nin cybersecurity.\n    And so I think there is more to come. We still have a \nshortfall. This is, I think, well known. We need more capable \ncybersecurity actors. But we are making progress.\n    Senator Moran. Mr. Schatz?\n\n                STATEMENT OF HON. BRIAN SCHATZ, \n                    U.S. SENATOR FROM HAWAII\n\n    Senator Schatz. Thank you.\n    It seems all of the panelists emphasize--or at least most \nof the panelists emphasize that the voluntary nature of the \nFramework was key to its initial success. But I still believe \nthere need to be quantifiable metrics to determine adoption \namong companies.\n    Can each of you briefly suggest more rigorous and precise \nways to measure the adoption of the Framework beyond the \nOctober RFI?\n    Dr. Romine. I can start briefly and say that from NIST\'s \nperspective, it is the ongoing engagement with our industry \npartners. This is something that we did not deliver this to the \nPresident and walk away. We are actually continuing to engage. \nAnd what we are seeing is a shift in the conversation. The \nmomentum is building.\n    Senator Schatz. But you are a data person. So what are \ngoing to be the metrics? I mean, that sounds like me talking. 
\nLet us talk about what are the metrics for success for those \nprograms.\n    Dr. Romine. I represent a measurement institute, and so \nthis is something that we take very, very seriously. Of course, \none of the problems that you have to worry about is you can \nsometimes get what you measure if you are not careful about \ndesigning the measurements.\n    We are still trying to figure out exactly the appropriate \napproach for measuring the rate or the level of use of the \nFramework. But I think----\n    Senator Schatz. So we do not have metrics yet.\n    Dr. Romine. We do not yet. The Framework is still--as we \nhave pointed out, it is kind of in its infancy. It is less than \na year old, and I think the amount of momentum is pretty \nstriking given that fact of its youth. But we are working on \nways that we can try to assess this.\n    Senator Schatz. What is your time-frame for developing \nmetrics and reporting back to the Congress on progress?\n    Dr. Romine. I would be reluctant to give you a very \nspecific time, but I can tell you we are diligently working on \ntrying to determine the best approach for measuring that.\n    Senator Schatz. Ms. Beauchesne?\n    Ms. Beauchesne. Well, I am not from a metrics institute. \nBut I will tell you I would think about it this way. Everyone \nwears seatbelts now. People do not smoke now. I think we need a \ncampaign like that. And when we start to see people around the \ncountry understanding we are talking about the cyber Framework, \nthat it is not just a big news story when they hit a Federal \ndepartment or one of our big retailers, everyone understands \nwhat it means to protect your networks and what good cyber \nhygiene means, then that will be success.\n    Mr. Smocer. And I approach it from a slightly different \nperspective coming from an industry that already has a fair \namount of cybersecurity regulation associated with it. 
I mean, \nour concern is primarily around assuring that our members are \naware of it. And part of the way we are doing that, by the way, \nis through some survey information that we are doing. So \nthrough the FSISAC, the Information Sharing and Analysis \nCenter, through the sector coordinating council that we have, \nwe have done an awareness survey, and we know that the \ninstitutions are very aware of it. We are then probably going \nto move on to kind of what the usage is.\n    Our big concern, though, is reconciling the Framework with \nthe existing regulatory structure that we have.\n    Mr. England. I do not have the same kind of national reach \nthat my colleagues do here to get that kind of visibility. But \nI can just share with you my own personal experience.\n    This year, we have, independent from all this, gone through \na review of our whole vendor management process. And as we have \ngone through that, we realized that this would perhaps be an \nideal opportunity to ask some critical questions about \ncybersecurity. And in particular, we have included a question \nas to whether or not our vendors and suppliers, those we \npartner with, are using the NIST Cybersecurity Framework.\n    I think, as Ms. Beauchesne pointed out, the more \nconversations that we are having about this, the more dialogues \nthat we are having with those that we interface with on our \nsystems--and we are seeing more interest growing in it and more \nconversations surrounding it as a result. And so I think it is \nan organic growth.\n    Senator Schatz. Dr. Lewis?\n    Dr. Lewis. Thank you.\n    I would call everyone\'s attention to section 10 of the \nExecutive Order which says that if the voluntary measures do \nnot work, the White House reserves the right to do more in a \nregulatory fashion. They did an assessment of the effectiveness \nof the Framework a few months after it came out. Amazingly \nenough, they found that it was succeeding. 
I do not know how \nthey figured that out.\n    We have multiple data sources and we need to use them all. \nThe sector-specific agencies that oversee critical \ninfrastructure sectors need to collect data on the status of \nthese companies and how many times they have been hacked.\n    Senator Schatz. And is it NIST\'s job to aggregate all of \nthose data, or is there a lead Government agency? You mentioned \nthe FBI going to a company. But is there a point agency on \naggregating all of these data?\n    Dr. Lewis. There is not, and that might be a useful thing. \nI think NIST is not really the aggregator here. NIST could come \nup with standards for aggregation. FBI statistics are useful. \nJust the number of times they have sent people out to notify \ncompanies, which was in the thousands in the last 2 years.\n    Senator Schatz. But right now there is no lead Federal \nGovernment agency in terms of getting our arms around the \nproblem.\n    Dr. Lewis. No. DHS does not have the authority nor do they \nhave the sources. The intelligence community collects data on \nforeign success rates. That data is classified, but I would \nsuggest that we are not doing so well. DOD collects information \non the defense industrial base. And finally, Commerce has some \nauthorities they have not taken advantage of.\n    Senator Schatz. OK. Thank you. My time is up.\n    The Chairman [presiding]. Senator Daines?\n\n                STATEMENT OF HON. STEVE DAINES, \n                   U.S. SENATOR FROM MONTANA\n\n    Senator Daines. Thank you, Mr. Chairman.\n    Prior to coming up here and starting this new day job, I \nspent 28 years in the private sector. So I am always one that \nhopes to see more private sector-led solutions here. 
In fact, I \nwas 12 years as exec in a cloud computing company, and it was \nalways in our best interest to make sure we had our networks \nhardened and always had the best practices on cybersecurity \nbecause if we failed to do so, we did not have a business any \nlonger.\n    Mr. Romine, a question for you. This Framework was released \nabout a year ago, February 12, 2014, version 1.0. How long did \nit take from kind of the beginnings of the process to put \ntogether V1.0 here before it released?\n    Dr. Romine. It took the full year. We were given a year by \nthe executive order. The first request for information that we \nasked the private sector to react was immediately after the \nrelease of the executive order. We subsequently needed to \nengage all of the stakeholders, private sector, Government \nregulators, industry associations, and international community \nover the course of the next year in five separate workshops \nthat were held geographically distributed around the country. \nOn the basis of that feedback, after an initial release of a \ndraft, we subsequently amended the draft, and the version that \nyou see that was given to the President on schedule, I am proud \nto say, was the culmination of that year\'s effort.\n    Senator Daines. So round numbers, it is about 2 years old I \nguess as we sit here today, from the beginning of the process \nto where we are at today.\n    Dr. Romine. That is correct.\n    Senator Daines. You probably had your beta release, and \nthen you have got your version 1.0 here.\n    Dr. Romine. Yes, sir.\n    Senator Daines. I know as we were building our company--one \nof our strategic advantages--we could run faster than anybody \nelse. That is how we won in the technology space. And we grew a \nlarge company. We capitalized nearly $2 billion from virtually \nstarting up from nowhere. 
I mean, I have lived in the world \nhere of data and cloud computing.\n    But I am just wondering how current now, given the speed at \nwhich the bad guys are moving, given the start about 2 years \nago--you know, when is version 2.0 to come out, and how often \ndo you see updating the standard?\n    Dr. Romine. Thank you, sir.\n    I think it is important to note that the Framework is not \ntechnology-specific. That is, we are not trying to institute \nspecific technologies that are going to be out of date almost \nas soon as a document appears. Instead, it describes a process, \na framework that you can use to communicate your cybersecurity \nneeds both internally, as well as with external stakeholders. \nAnd so I do not think that is something that will--even though \nthis is a fast-moving area, I----\n    Senator Daines. I see that. It is clearly a framework and a \nprocess that is laid out here in terms of assessing risk and so \nforth.\n    Dr. Romine. That is right.\n    Senator Daines. One thing I also notice about D.C.--this is \na town that seems to reward activity and not results. How do \nyou help companies try to quantify this process in terms of \neventually the outcome? We have moved this process here, but \nthey have got to put, I think, some kind of quantitative \nassessment whether it is a 0 to 100 scale, whether it is a \nletter scale to say--and I have a question for Mr. England too. \nIf you say are they complying with NIST, what does that mean?\n    Dr. Romine. I can just start by saying as part of the \nFramework, in fact, there is an evaluation of the level of \nassurance that an organization has that they are responding to \nthe various functions that are listed in the Framework, the so-\ncalled tiers that we have developed. And so there is an \ninternal assessment capability already.\n    With regard to helping businesses, particularly small and \nmedium businesses, we have active engagement. 
We have outreach \nthat predates the development of the Framework, and we are now \nusing those outreach mechanisms with trade associations, with \nsmall businesses throughout the country to socialize the \nFramework, to increase awareness.\n    Senator Daines. One thing I think is helpful, I guess, is, \nis there a way to try to grade, assess, quantify what it means \nto have adopted this Framework, I think moving in that \ndirection, so there is a way to have a comparative analysis \nbetween company A or company B?\n    Dr. Romine. I think it depends. It is a little bit \ndangerous to go that route principally because the companies \nface different contexts of use, and so comparing across is \ngoing to be very challenging. I think the internal assessment \nof how effective your cybersecurity enterprise or your risk \nmanagement approach is----\n    Senator Daines. That is probably the better question in \nterms of looking--it is a continuum here in a rapidly very \ndynamic--you know, rapidly changing environment. If we start \nhere, we do this assessment, 6 months later or a year later, we \ncan see if we are making progress or not. I think it probably \nis some value add.\n    And last, what I see too--I will know when these are being \nused when something like this has got its--you can tell it is \nnot just sitting on the shelf and gathering dust. I am just \nalways a little skeptical of this town where they just want to \ncreate some activity. We got a standard and here it is. And the \nreal question will be adoption and focusing whether we want \nmore of this. It is like bread. If it is fresh, they are going \nto want it. If it gets stale, it will just be another binder on \nthe bookshelf.\n    Dr. Romine. I could not agree more. 
We heard universally \nfrom all of our stakeholders that more shelf-ware was not what \nwas needed, and I think we took that into account in engaging \nbroadly across the stakeholder interests and listening to their \nconcerns and developing, in conjunction with the stakeholders, \na document that is actually usable.\n    Senator Daines. All right. Thank you. I am out of time.\n    The Chairman. Thank you, Senator Daines.\n    Senator Klobuchar?\n\n               STATEMENT OF HON. AMY KLOBUCHAR, \n                  U.S. SENATOR FROM MINNESOTA\n\n    Senator Klobuchar. Thank you very much, Mr. Chairman.\n    Thank you everyone. Mr. Smocer, please say hello to \nGovernor Pawlenty, my friend, who I know is, I guess, your \nboss.\n    Mr. Smocer. He is in fact my boss.\n    Senator Klobuchar. Is he doing OK?\n    Mr. Smocer. Yes.\n    [Laughter.]\n    Mr. Smocer. No. He is doing very well.\n    Senator Klobuchar. All right. Very good.\n    And then also I think you mentioned the major retailer who \nwas attacked, and of course, I think everyone knows that was \nTarget out of Minnesota. So we have seen firsthand the \ndevastating effect this can have even though there was not a \nlot of actual damage to consumers, but what happened to Target \nbecause of that, even though they were in fact victims of \ntheft. And we are proud that they have come back from that.\n    But I think we all know the effect that this has on \ncompanies and on consumers. And I just think there is a moment \nhere, maybe because of what happened with Sony and other \nthings, where there might be a space to actually move forward \non some legislation which, as we all know, crosses many \ncommittees. And I happen to be on two of them, Commerce as well \nas Judiciary, where I think we can move forward.\n    I was going to ask you, Mr. 
Romine, just if you could \nanswer briefly, if there are any industries you think are ahead \nof this that are doing better jobs than others in terms of \ntaking this on.\n    Dr. Romine. We have certainly had active engagement from a \nnumber of sectors. The ones who are the most, I think, \ncritically dependent upon information technology have had kind \nof a head start on cybersecurity issues, and so the financial \nservices sector certainly is a leading sector in that area. I \nthink the energy sector--some of the regulated industries, \nindustries that have had to cope with regulation overall, I \nthink have also kind of had a little bit of a head start.\n    Senator Klobuchar. And could you explain how the Framework \nis going to be technology-neutral? I know there have been some \nconcerns raised about overly complex regulations.\n    Dr. Romine. That is right.\n    Senator Klobuchar. Can you explain in a not complex way?\n    Dr. Romine. I will do my best.\n    The Framework itself is completely technology agnostic. It \ndoes not specify any particular technologies. It just talks \nabout standards and best practices. And I should point out that \nthe Framework is actually predicated on use of existing bodies \nof standards, many of them international. And I think it is an \nimportant thing to note that that gives greater opportunity to \nharmonize things, particularly for multinational corporations \nwho have a difficult time responding to different regulatory \nenvironments in different parts of the globe.\n    Senator Klobuchar. Ms. Beauchesne, I know the Chamber has \nbeen working with law enforcement, you know, FBI, Secret \nService, cops on the beat. I used to be a prosecutor for 8 \nyears, and at the beginnings of this, I cannot tell you what \nthis was like. We had line officers that would show up at a \nhouse that had some cyber problem and turn on the computer and \nall the evidence would vanish because someone had set it up \nthat way. 
And I know there has been more training in law \nenforcement, and certainly as you get to the upper levels, \nthere is more training.\n    Is the working relationship good? How do you think this can \nmove forward in terms of making sure we are doing a better job \nin being as sophisticated as the crooks that are taking our \nprivate data?\n    Ms. Beauchesne. That is a very good question. Thank you.\n    I think that, again, keeping this Framework flexible, \nkeeping it non-regulatory so that we can move at the speed of \nthe bad guys is essential.\n    As far as law enforcement, I think the relationship is very \ngood. When we have gone around the country doing the Chamber\'s \nCyber Campaign, we have included the local FBI and the local \nSecret Service person so that our members in Austin, Texas, for \ninstance, get to meet them, get to have face time with them so \nthat when something does happen, they know where to go.\n    And I would also say at the Bureau, we now have a private \nsector office, a private sector lead there. So our members have \none-stop shopping and know where to go. So I think it is a good \nrelationship.\n    Senator Klobuchar. Very good.\n    My last question is actually for anyone that wants to chime \nin. Senator Blunt and I successfully included an amendment to \nmake sure that NIST was accountable in the process in terms of \ngetting us information on what is happening.\n    But my question is the President talked about information \nsharing and liability protection legislation as an important \nincentive to encourage further participation in both the NIST \nFramework and other cybersecurity efforts. I guess I would ask \nthe panel, especially from the private sector side, how \nimportant is this for moving forward.\n    Mr. Smocer. Sure. I think we were certainly very encouraged \nby the comments because I think the liability protection is a \nkey component that we have been looking for. 
I think we would \nlove to see that extended. In the Framework, the \nrecommendation--it was mainly private-to-government that would \nbe covered by the liability protection. We think that needs to \nextend a bit to the private-to-private sharing models as well. \nYou know, a lot of times----\n    Senator Klobuchar. Are there like antitrust concerns? You \nknow, if you start giving data to your competitors saying \nsomething is happening in terms of the liability issues you are \nworried about.\n    Mr. Smocer. Well, I think if I were a GC, that might be one \nof the reasons I would discourage information sharing. But I \nthink in reality the recognition is this--when it comes to \ncybersecurity, this largely has to be a noncompetitive issue \nbecause the reality is that any institution that gets attacked \nis probably witnessing the next victim\'s circumstance. So if we \ncan share that information more freely with the right \nprotections in place, I think that is very important.\n    Senator Klobuchar. Anyone else?\n    Ms. Beauchesne. If I could just add on the information \nsharing piece. Absolutely, the liability protections are \nabsolutely essential for the private sector. Whether it is \nFOIA, whether it is regulatory, the antitrust, businesses need \nthose safeguards in order to share that information. We do not \nwant to be blaming the victim. We want the companies to be able \nto share that information with impunity.\n    Senator Klobuchar. All right. Thank you very much.\n    The Chairman. Thank you, Senator Klobuchar.\n    Senator Manchin has returned.\n\n                STATEMENT OF HON. JOE MANCHIN, \n                U.S. SENATOR FROM WEST VIRGINIA\n\n    Senator Manchin. Thank you so much, Mr. Chairman. I am so \nsorry because we\'ve got two or three meetings going on. I would \nhate to look like it is being rude, but we are not. We are just \ntrying to make all of our meetings.\n    Let me just say this to all of you. 
I want to thank you all \nfor your service and also being here and helping us through \nthese most difficult situations.\n    To Mr. Romine, you first, sir. The West Virginia National \nGuard is partnering with the University of Charleston and the \nBlue Ridge Technical College on a cyber training program that \nwill help address the workforce shortage issues that are \nhighlighted in the roadmap for improving critical \ninfrastructure cybersecurity. The West Virginia National Guard \nand the University of Charleston have also developed \nundergraduate and graduate-level cybersecurity certificate \nprograms based on the national training standards.\n    How is your office and the National Initiative for \nCybersecurity Education coordinating with the West Virginia \nNational Guard on this program and what can we do, all of us \nand yourself, better to support innovative partnerships like \nthis?\n    Dr. Romine. Thank you, Senator. We are certainly always \npleased when there are organizations that are taking this very \nseriously and developing curricula and contributing to solving \nthe workforce issue. I do not have any specifics about that \nparticular case except that I would say we would be delighted \nto engage and have discussion.\n    Senator Manchin. Do you all have the ability to partner up \nwith them to help them take these programs to higher levels, or \nhow does that work?\n    Dr. Romine. We certainly have the ability to contribute and \nshare ideas under our program.\n    Senator Manchin. So I can get them in contact with you to \nmake sure we can hook up?\n    Dr. Romine. I would welcome that.\n    Senator Manchin. Ms. Beauchesne, banks and other financial \ninstitutions are already responsible for following a variety of \nregulations related to cybersecurity. They have requirements to \nprotect against breaches, as well as requirements about how to \nrespond in the event of a breach. 
They could be responsible for \ncyber theft that occurs through a third party even if the \nthreat was not the fault of the bank.\n    If financial institutions continue to bear the financial \nliability for cyber attacks, what incentive will other \nindustries, such as retail, have to invest in voluntary \ncybersecurity protections?\n    And they are starting to move a piece of legislation \nsaying, listen, somebody else has to have skin in the game. If \nit is not my fault and you will not invest, whether it be--I am \nusing Target, and maybe they have done everything possible. But \nit was a tremendous breach. But basically it fell on the \nresponsibility of the banks.\n    I have been called personally. They said your credit card \nhas been jeopardized, and we want you to cut it up. We will \nsend you a new one. I have had that done twice now.\n    So with all that being done, the banks are saying we would \nnot have to have this if they are doing everything possible.\n    So two things. What can they do, and do you think that it \nshould be a dual responsibility? Whoever is at fault may have \nnot done what technology would allow them to do. Should the \ninstitution, whether it be commercial or retail, bear the \nbrunt?\n    Ms. Beauchesne. Yes. I think that the brunt should be \nshared by all involved.\n    Senator Manchin. Do you think legislation would be needed \nto share that rather than the financial sector taking the full \nbrunt?\n    Ms. Beauchesne. I am not completely familiar with the \nlegislation, so I will not commit to that.\n    But what I would say is we are----\n    Senator Manchin. It is pretty simple. Who pays? Who did \nwrong and who pays?\n    Ms. Beauchesne. I think we are going to see a sharing of \nwho pays. I think that you are seeing companies step up, and \nhere is why because it is not just about who pays. They want to \nprotect their customers. 
They want to protect their brand, and \nit is in their interest to do so.\n    Senator Manchin. I know they want to, but when they know \nthat it is not going to cost them anything when it is breached \nand they have not stepped up and bought the latest and greatest \ntechnology to try to develop it and work, what is their \nincentive to do so? And you are going to have to convince all \nof us that we need to step in there and say, OK, you are at \nfault, you pay.\n    Anybody else want to comment on this? I see Mr. Lewis down \nthere shaking his head.\n    Dr. Lewis. So I talked to the head of a major credit card \ncompany, and what he said to me is, you know, it is a problem \nfor us, but if I put a nickel on your credit card bill, are you \ngoing to notice. And that will cover the expenses. So everyone \nin the room who has a credit card, you are paying 5 or 10 cents \na year, and that covers fraud.\n    The debate is over two things. First, the cost is going up, \nand you may start to notice when you are paying more, and that \nis where you are getting companies saying, hey, wait a minute. \nWhy am I holding responsibility for this?\n    Senator Manchin. You are talking about the financial \ncompanies, financial institutions.\n    Dr. Lewis. Yes, because currently they bear the liability, \nand they would like not to.\n    Senator Manchin. I am just saying the innovative and \ncreative ideas will come if you make me responsible and hold \nme liable. I will push the demographics, if you will, if I know \nthat it could fall back on me. If not, I might be a little \ncomplacent, saying you know what, Mr. Eamon here is going to \nhave to pay it, so I am not worried. I have done all I can. I \ndo not need to do any more. I am not going to incur that much \nmore expense.\n    Dr. Lewis. We did a study of major breaches and what we \nfound is the first phase is the bad guys get in. 
The second \nphase is they are discovered, and the third phase is everyone \npoints at everyone else and says they are responsible. So some \nallocation of responsibility would be good.\n    Senator Manchin. Thank you, Mr. Chairman. I am sorry.\n    The Chairman. Thank you, Senator Manchin.\n    Next up as we move west, Senator Udall.\n\n                 STATEMENT OF HON. TOM UDALL, \n                  U.S. SENATOR FROM NEW MEXICO\n\n    Senator Udall. Thank you very much, Chairman Thune, and \ngreat to be back with you on the Commerce Committee. And I am \ngoing to talk a little bit about a couple of things we have \nworked on in the past.\n    Today American citizens, businesses, and government \nagencies face what I think are very serious cyber threats, and \nso I really appreciate this hearing. Everything from personal \ndata, to trade secrets, to national security are at risk from \nintrusion by independent hackers and foreign governments. They \neven tell me our own Senate offices are frequently the subject \nof those kinds of attacks from foreign governments. Cyber \nthreats are real and can cripple our water systems, our oil \npipelines, and hospitals, and I think we need to take these \nthreats very seriously.\n    I have supported cybersecurity legislation in the Senate, \nincluding the Rockefeller and Thune Cybersecurity Enhancement \nAct that became law, I believe in the last Congress. I support \nmeasures to improve our cybersecurity defense, including \nimportant work at two national laboratories in my home state of \nNew Mexico. Los Alamos National Laboratory is a leader in \nquantum cryptography, and Sandia National Laboratory is engaged \nin efforts to secure the national electrical grid from cyber \nattack. Sandia has partnerships with universities and the \nprivate sector. 
They are helping computer science students \nbecome cyber professionals.\n    And when I look at this field, like many Americans, I also \nhave a lot of concerns about what our own Government is doing \nin terms of domestic surveillance. And I think it is absolutely \nclear we need to strike the right balance between security and \nour civil liberties. But I know that is not the main focus \nhere.\n    So, Dr. Romine, I would like to ask you about the subject \nof cloud computing. Your testimony briefly notes that NIST \nplays a role for advancing standards for cloud computing. \nSenator Moran and I worked on a piece of legislation, which was \nsigned into law last year, called the Federal IT Acquisition \nReform Act. And we know from the GAO that smarter Federal IT \npolicies could lead to billions of dollars in taxpayer savings. \nThis includes greater use of cloud computing across the Federal \nGovernment.\n    So I would like to ask what is NIST\'s vision with respect \nto cloud computing. What does NIST see as the primary \nchallenges for cybersecurity when it comes to cloud computing, \nand how is NIST working with other Federal agencies to support \ntheir transition to the cloud?\n    Dr. Romine. Thank you, Senator.\n    NIST has been involved in cloud computing. We have an \nongoing cloud computing research program and standards program \ntoday in my laboratory, the Information Technology Laboratory. \nWe engaged with other Federal stakeholders during the \ndevelopment of the FedRAMP process which is based on standards \nthat we developed in consultation with the private sector \nagain. Our standard MO is to work with the private sector on \nthese issues. 
We establish the basic definitions for cloud \ncomputing.\n    With regard to cybersecurity, one of the challenges, of \ncourse--cloud computing has sort of a multi-tenancy component \nto it, meaning that multiple people are on the same hardware at \nthe same time, and there is the potential for sort of bleeding \nover. So we have to be careful about that.\n    But another issue and one that we have just issued guidance \nabout has to do with cloud forensics. That is, given that you \nare no longer necessarily just local in your IT space but \nrather using a cloud provider, how do you after the fact figure \nout what happened using forensics techniques. And so we have \ngot some recent guidance that we have issued on that.\n    Senator Udall. I do not know if any of the other panelists \nhave any comment on what he was talking about. You all are good \non that?\n    You noticed and you talked about working with the private \nsector. Is NIST getting the level of cooperation it needs from \nindustry stakeholders?\n    Dr. Romine. I think the level of engagement has been \nastonishing. We have been very pleased at the number of people \nwho have engaged with us both in terms of responding to \nrequests for information in the early processes of Framework \ndevelopment, for example, as well as 6 months after or 8 months \nafter the Framework was released, information about how it is \nbeing used and the lessons that we can learn. That response has \nbeen tremendous. The workshop engagement has been fantastic. So \nwe are very excited.\n    Senator Udall. Thank you very much.\n    And thank you, Chairman Thune.\n    The Chairman. Thank you, Senator Udall.\n    Senator Gardner is up next.\n\n                STATEMENT OF HON. CORY GARDNER, \n                   U.S. SENATOR FROM COLORADO\n\n    Senator Gardner. Thank you, Mr. Chairman. 
Thanks for \nholding this hearing as well, and thank you to the witnesses \nfor being here today and your testimony.\n    I had an opportunity about 6 months ago to visit one of the \nlargest tech employers in Colorado, manufacturing. They focus a \nlot on security issues, focus a lot on issues dealing with \nservers around the country, around the world really looking \nfor, I guess, attacks, aberrations in terms of what is \nhappening to their systems. And it was an interesting point \nthat they made. They had said something to me to the effect of \nwe no longer are just assuming that we will be able to prevent \nand keep out these attacks, but we have to assume that the \nattacks have been made, that somebody has made it inside. And \nnow we are just trying to figure out how to keep them out of \neverything else and I guess cordon them off, so to speak, into \nan area where it does no harm.\n    Do you think that is an accurate way to look at the world \nof technology today, Dr. Romine?\n    Dr. Romine. I think in most conversations with \ncybersecurity professionals, you will find that there is no \ndiscussion that we will be 100 percent successful at keeping \npeople out of our systems. And so what I think has to happen is \nan understanding of sort of where the crown jewels are \nregardless of, whether you are the Federal Government or \nwhether private sector, what sector that you are in, and then \nseek additional steps to ensure that the very serious--whether \nit is proprietary information, whether it is personally \nidentifiable information, those kinds of assets have to have \nspecial protection.\n    Senator Gardner. And obviously, you do a lot of work at the \nNIST lab, whether it is NTIA work, telecommunications work, the \natomic clock, things like GPS, and other issues. And this \nFramework which you believe is and will always be voluntary--is \nthat correct?\n    Dr. Romine. Yes, sir.\n    Senator Gardner. 
The other question I have is if you have \nthis Framework, you have set this Framework up, you have \nagreement, how do you define success. What is success 5 years \nout from now with the Framework in place?\n    Dr. Romine. I think one of the perhaps useful analogies \nhere is if you take a look at the evolution of safety programs \nin the private sector, for example, they initiated with let us \ndo the following things. This is a checklist of things in order \nto ensure that we are trying to have a safe environment. And \nthat was sort of all you did.\n    Over the course of decades I think, there has been a move \nfrom that to baking safety into everything that you do \noperationally, and I think the same thing is going to happen \nhere. The culture is going to change. One year into the \nFramework, we are not expecting a complete culture shift, but \nwe are seeing signs that the conversations that need to take \nplace between suppliers and between components of an \norganization and the executives--those conversations are taking \nplace or beginning to take place. So I think the more pervasive \nthat becomes, I think the more we have confidence that people \nare taking seriously the need to secure their networks and \ntheir systems and information.\n    Senator Gardner. Ms. Beauchesne and perhaps Mr. England \nmight be able to address the next question. Ms. Beauchesne, in \nyour testimony you talked about making incentives work. You \ntalked about liability issues. You talked about leveraging \nFederal procurements, making research and development tax \ncredit permanent, those kinds of things. Are there currently \nprivate sector incentives to achieve these cybersecurity needs \nand making sure that we are bolstering and doing everything we \ncan to prevent attacks or vulnerabilities?\n    And I guess what I mean by that is this. Is simply the cost \nof an attack so great that that provides the incentive? 
Are \nbanks that are looking to make loans to companies looking at \ncybersecurity and saying we believe that you present too much \nof a risk for us to make a loan and therefore the interest rate \nis going to be higher or lower because you have done such a \ngood job. Are there ISO ratings that you could look at and say \nthis is a NIST standard of security that we believe is \nnecessary in order for people to carry out their function \nwithout risk?\n    Ms. Beauchesne. I think what you said is right. They want \nto do the right thing--right--because the risks are so high, \nthe costs of doing business. They have to do the right thing.\n    But the other piece of that I think is we need to look at \nespecially the small and medium-sized companies that are being \nattacked by nation states. I mean, that is costly to protect \nagainst. The Framework is not going to do that. If we had every \ncompany in the country adopt the Framework, that still would \nnot prevent the Chinese or the Russians or whomever from \nattacking our companies. So I do think incentives are out \nthere.\n    That is not our biggest push, if you will. I mean, we want \nthe information sharing legislation. Incentives exist. We are \nlooking at the Safety Act. We are looking at insurance. But the \nbottom line is we want the Framework to remain flexible, non-\nregulatory, and let us get that information sharing piece done.\n    Senator Gardner. And are you satisfied, Dr. Romine--in my \nquestion and answer that it will remain voluntary. Are you \nsatisfied with that?\n    Ms. Beauchesne. From everything I hear, yes.\n    Senator Gardner. Mr. England?\n    Mr. England. I mean, in terms of incentives, we do not \nreally look into the equation in terms of what the cost of a \nbreach might be because with the size of our business as a \nsmall business, our costs are far greater. 
If we have breaches \nthat displace the trust of our customers and the people that we \nconnect to, our ability to continue as a going concern for a \nbusiness is what our risk is. So the incentives are there \nbecause there is an inherent business imperative to do it.\n    And it is one of the reasons why I have been a big \nproponent of the Framework and the voluntary nature of it \nbecause when you start throwing into it some of these regulated \npieces--as Ms. Beauchesne mentioned, the threat is ever-\nevolving, and so we have to have a tool and a mechanism that is \never-evolving as well and allow for adaptation as we go because \nthe problem with the regulation side of it--and, of course, it \ndepends on how it is written, but it is not a I go through \nthis, I determine that I have met some minimum standard or \nminimum requirement, and I am done because you will never be \ndone.\n    And so for us, our incentive actually is to be here today \nand to petition against the regulation because, to be quite \nhonest with you, anything that would be regulated as minimum \nstandard requirements is not going to be enough. And so we are \ngoing to have to do our own activities above and beyond that \nanyway in order to maintain our systems the way that we want. \nAnd so what is going to happen is it is actually going to be \nmore costly for us to implement cybersecurity activities in our \norganization because we are following a dual track, what the \nregulating body wants and what the market demands.\n    Senator Gardner. Thank you.\n    Thank you, Mr. Chairman.\n    The Chairman. Thank you, Senator Gardner.\n    Senator Blumenthal?\n\n             STATEMENT OF HON. RICHARD BLUMENTHAL, \n                 U.S. SENATOR FROM CONNECTICUT\n\n    Senator Blumenthal. Thank you, Mr. 
Chairman, and thank you \nfor holding this hearing and making it a priority because, as \nwe know on both sides of the aisle and as one of our military \nleaders has said, and I am sure it has been repeated here, that \nthe next Pearl Harbor may well be a cyber attack. Sony was \ncertainly a sign that we ignore, at our grave peril, that a \ncyberattack may be the method of choice for aggressors who mean \nto do harm to our country.\n    And my view is that we are patently vulnerable at the \nmoment, and I think the testimony this morning has reinforced \nmy view that this Nation must do better. We are susceptible now \nby choice. It is not an accident. It is not something that we \ncannot anticipate. It is by choice that we are, in effect, \nfailing to address this peril before it hits us. And I believe \nthere needs to be greater Government direction and legislative \ninvolvement.\n    For the moment the best and most immediate response is for \nthe private sector to do more with the encouragement and \nincentives that Government can provide. And as you know, as \ndirected by the Government\'s Executive Order on Cybersecurity, \nthe Secretaries of Homeland Security, Commerce, and Treasury \nwere required to provide a report to the White House on how the \nGovernment can best provide those kinds of incentives to \nparticipate in the Framework, especially for smaller \nbusinesses.\n    And I am very concerned about the impact on smaller \nbusinesses because the effect on a Sony eventually becomes an \neffect on smaller businesses; just as the effect on a defense \ncontractor becomes an effect on the suppliers and components \nmakers and so forth that we see in manufacturing submarines or \nthe Joint Strike Fighter or helicopters, which we make in \nConnecticut. So I am interested in what progress has been made \nin developing better incentives.\n    Dr. 
Lewis, as you alluded to in your testimony, it appears \nthere may have been a lack of incentives on the part of many \ncompanies to make the right decisions about cybersecurity. So \nlet me ask you. What were your thoughts on the recommended \nincentives that agencies made to the President following the \nexecutive order? Did any of these ideas particularly impress \nyou as being effective?\n    Dr. Lewis. Thank you for the question.\n    I would note in general that I think this program will \nremain voluntary until there are too many incidents to ignore. \nAnd we are approaching that. We have got a lot of people who do \nnot like us out there in the world, and they are very active in \ncyberspace because it is so easy.\n    The problem with the incentives is really it has to be \nlegislation. It has to be the Congress that creates incentives \nbecause incentives are either regulatory relief, tax relief, or \nsome kind of money. And if you do not have those three things, \nit really is not that much of an incentive. It is not enough.\n    Senator Blumenthal. So, in effect, what I hear you saying \nis that the President\'s executive order will be a nullity \nunless the Congress acts.\n    Dr. Lewis. I think that legislation of some kind is \nnecessary. I think the White House decided in 2012 to move \nahead because of the problems then with legislation, but I know \nthat they would probably welcome adequate legislation that \nwould strengthen authorities and create incentives such as \nliability protection.\n    Senator Blumenthal. So at a time when, rightly or wrongly, \nthere has been criticism of the President for, in effect, \nusurping authority through executive order, here is an area \nwhere clearly legislation is necessary to accomplish the goals \nthat we all believe are absolutely requisite at this point in \nour history.\n    Dr. Lewis. 
Having followed the development of the executive \norder pretty closely, I think that everyone would agree that \nthis is an area where Congress has to take the lead. Congress \nhas to legislate.\n    Senator Blumenthal. Dr. Romine, let me ask you in the time \nI have remaining. One idea that has been discussed is that \nFederal agencies develop a ``certificate of compliance\'\' or \nsome other sort of identifier much like the Energy Star system, \nwhich is in a way a seal of approval to recognize the companies \nthat are proven to be observing guidelines laid out in the NIST \nFramework.\n    How could NIST be helpful in a process like that one? Do \nyou think there is anything that would prevent NIST from \nworking with Federal agencies to provide some certificate of \ncompliance, which would be a strong incentive or encouragement \nfor companies, in effect, to protect themselves more \nadequately?\n    Dr. Romine. Thank you, Senator.\n    I am not sure that having NIST play both the role of \nparticipating in partnership with the private sector and then \ncoming behind and doing some sort of an audit would preserve \nour ability to work collaboratively with those folks.\n    The other thing I will say with regard to incentives, \nalthough some of the discussion has surrounded incentives where \nthere are market failures, I think we also have to recognize \nthe inherent market incentives that are being made evident. One \nis, of course, managing the overall risk, in particular your \nreputational risk, and there have been companies that have been \nsingled out here as victims of hacking, and that is problematic \nfor them. 
When you become known in that way, it is a serious \nreputational risk, and I think there are some incentives to \navoid that.\n    The other incentives involve the burgeoning development of \nthe insurance industry, cybersecurity insurance that is \nbeginning to be underpinned by some of the work that went into \nthe Framework.\n    Senator Blumenthal. Well, I would just say in closing--and \nmy time has expired--they paid a price, a reputational price, \nas well as enormous costs to their business, whether it is \nTarget or Sony, and some of the individuals have paid a \npersonal price, individuals in command of the companies. But \nthat price all too often is one that is shared among innocent \nparties, companies that are linked to that one, consumers who \npay a higher price whether it is through insurance or the \ncharges that are passed on. So eventually failure to protect \nthemselves has a cost that is societal and economic spread \nbroadly throughout the Nation and that is why we are here \ntoday.\n    Thank you, Mr. Chairman.\n    The Chairman. Thank you, Senator Blumenthal.\n    I am going to ask a couple of quick questions here. I think \neverybody else--unless we check with my colleagues here if they \nwant to have a second round.\n    Dr. Romine, NIST also plays a role in certain technical \naspects of information sharing under its existing FISMA \nstatutory authority. The NIST draft guide to cyber threat \ninformation sharing released recently provides guidance for an \norganization\'s coordinated computer security incident handling.\n    So question number one is, what feedback has NIST received \nfrom stakeholders regarding the guide and how will the final \nversion recognize the different approaches for cyber threat \ninformation sharing being used in the public and private \nsectors?\n    Dr. Romine. Thank you, Mr. Chairman.\n    The release of Special Publication 800-150, which you refer \nto, has gotten a lot of feedback. 
The feedback has been robust. \nThe time for feedback I think closed just this past November, \nand we are dispositioning those comments now.\n    I think it is important to note that again the guidance \nthat we have provided is technology agnostic. We talk about \nvarious different approaches. Our role, as you correctly \npointed out, is the sort of standards for the kind of \ninformation exchange that is envisioned, this information \nsharing.\n    And it is important to point out we want to ensure that \nthat information sharing is done in a way that is standard and \ninteroperable principally because we want to have computers be \nable to ingest that information and act on it in sort of \nnetwork speed instead of just sharing information. I think \nsometimes people talk about information sharing currently as \nbeing phone calls from network operators that happen to know \neach other, and I think we want to get well beyond that into a \nmuch more integrated approach.\n    The Chairman. Do you believe NIST ought to have a role in \nproviding additional guidance on cyber threat information \nsharing by non-Federal entities?\n    Dr. Romine. I think we are very comfortable with the role \nthat we have today, the standards and guidelines and best \npractices for information sharing, as well as the work that we \nhave done to underpin security automation, which is what I \nalluded to just now.\n    With regard to the private sector, I think that is much \nmore of a policy issue and something I do not think would be \nnecessarily appropriate for us to engage in.\n    The Chairman. You mentioned in your testimony that tech \ncompanies have been developing products and services aligned \nwith the Framework. Are there any examples of those types of \nproducts and services you can share with us?\n    Dr. Romine. I could do that. 
I am not prepared to do it \ntoday, but I am happy to provide the Committee with some of \nthese products and services that are beginning to be developed.\n    The Chairman. Senator Gardner, anything else? All right.\n    Well, we have got a few things. We will keep the hearing \nrecord open for a couple weeks for members to submit any \nadditional questions for the record, and I will probably have a \nfew of those myself.\n    But I appreciate very much the great job of our panel \ntoday. Thank you not only for your remarks but also for your \nresponses to our questions. It is an issue of great importance \non so many levels to our country, and it is important that we \nget it right. Your expertise and counsel will be very important \nin helping shape the decisions that we make here. So thank you \nfor that.\n    And with that, this hearing is adjourned.\n    [Whereupon, at 11:46 a.m., the hearing was adjourned.]\n\n                            A P P E N D I X\n\n Prepared Statement of Joshua J. Pauli, Ph.D., Associate Professor of \n                Cyber Security, Dakota State University\n\n  On Implementation of S. 1353: Cybersecurity Enhancement Act of 2014\n\n    It is with great honor that I submit this testimony in support of \nthe Cybersecurity Enhancement Act of 2014 and to share my professional \nopinion on how to best implement specific portions of the Act. As one \nof the lead cybersecurity faculty members at Dakota State University \n(DSU) in Madison, SD, I am deeply interested and invested in any \nlegislation that affects the future of cybersecurity education. Dakota \nState University (DSU) is one of the leading institutions of higher \neducation in the Nation in the area of cybersecurity, where we are \ndesignated as one of only 13 institutions in the Nation as a National \nSecurity Agency (NSA) Center of Academic Excellence (CAE) in Cyber \nOperations. 
The NSA and Department of Homeland Security (DHS) have also \ndesignated DSU as a CAE in Information Assurance Education and a CAE in \nInformation Assurance Research. We currently have over 500 students \nstudying cyber security at the bachelor\'s, master\'s, and doctorate level.\n    Assisting Senator Thune\'s office during the last 18 months on this \npiece of legislation has given me an opportunity to see the detailed \ngoals, proposed implementation, and intended outcomes of this Act come \ninto focus. Now that the Act has been signed into law, it is critical \nthat we identify the most appropriate ways to ensure the success of the \nlegislation. The most applicable way to ensure the level of success \nthat we all hope for is to leverage existing mechanisms and models that \nhave a proven track record of success as much as we can. This will \nensure we don\'t ``reinvent the wheel\'\', and instead provide funding and \nsupport to programs that we already trust and are currently reaping the \nbenefits from.\n    One example of this in this Act is the inclusion, by name, of the \nNational Science Foundation\'s Scholarship for Service (NSF-SFS) \nCyberCorps program in Section 302. The positive outcomes from this NSF \nprogram cannot be argued and there is certainly universal support for \nthe continued and expanded support of it. As the Primary Investigator \nfor DSU\'s NSF-SFS CyberCorps program, I can provide firsthand evidence \nof the success of the program as many of my colleagues around the \nNation at other NSF-SFS CyberCorps institutions would as well. It is \none of the driving forces in making DSU a cybersecurity leader in \nhigher education. I applaud you for its inclusion in the Act and \nencourage you to continue to increase its funding level in future \nyears, as it\'s truly a ``best bang for buck\'\'.\n    Along these lines, I would like to call your attention to TITLE III--\nEDUCATION AND WORKFORCE DEVELOPMENT and specifically SEC. 301. 
\nCYBERSECURITY COMPETITIONS AND CHALLENGES. Creating and holding \ncybersecurity competitions and challenges that help identify the next \nwave of cyber professionals are activities that have long been \nconducted by colleges and universities in partnership with NSF, DHS, \nNSA, and others. One current Federal program that fits perfectly with \nthis goal of the Act is NSA\'s Center of Academic Excellence in Cyber \nOperations that started in 2012. This designation program aims to \npartner with institutions of higher education around the Nation that \nhave academic degree programs that match, almost verbatim, to the (d) \nAreas of Skill included in the Act:\n\n  (1)  ethical hacking;\n\n  (2)  penetration testing;\n\n  (3)  vulnerability assessment;\n\n  (4)  continuity of system operations;\n\n  (5)  security in design;\n\n  (6)  cyber forensics;\n\n  (7)  offensive and defensive cyber operations;\n\n    The NSA\'s CAE in Cyber Operations program can help implement \ncurriculum, competitions, workshops, and related assistance in these \nexact seven areas. Without a doubt, any educational efforts dedicated \nto these areas should not only include this NSA program, but I strongly \nencourage you to have the NSA lead any efforts related to these \nspecific areas of skill. By doing so, you\'re not only directly \nleveraging the NSA\'s knowledge and expertise, but more importantly, you \nwould then have a direct pathway to the designated institutions across \nthe Nation that are already working in this exact domain. The NSA and \nthese 13 institutions already have a working structure and model to \ntake on these types of projects and deliver them back out to the greater \ncommunity in a timely and cost-effective manner.\n    Section 301 also includes (b) Participation that includes (1) \nstudents enrolled in grades 9 through 12. This is another perfect match \nfor an already existing program that I would strongly urge you to make \nuse of as you implement this Act. 
The NSA created the GenCyber \n(``Generation Cyber\'\') Summer Camp program in 2013 through a \npartnership with NSF to create a series of summer camps aimed at high \nschool students and high school teachers held on college and university \ncampuses. Summer 2014 was the first year of these camps and there were \nsix very successful camps. DSU held a camp for 172 high school students \nthat were interested in learning more about cybersecurity. 2015 will \ninclude 20-25 camps across the Nation and the NSA has a vision to \nexpand GenCyber to be 200+ camps in the coming years in the same way \nthat the ``Star Talk\'\' Summer Camps for linguistics has grown and \nprospered across the Nation (https://startalk.umd.edu). Providing \nsupport to NSA for GenCyber would be a very wise investment in our \nchildren\'s future as it\'s critical we continue to get this age group \ninterested in cybersecurity and GenCyber is already two years down this \npath. Supporting NSA\'s GenCyber will support not only the NSA\'s goals for \nthis project, but also the GenCyber institutions that are holding \ncamps, and the thousands of high school students that will soon be \ntaking part in these summer experiences. GenCyber has the real \npotential to change how and when high school students are exposed to \ncybersecurity education, which is critical as we try to fill the \npipeline of exceptional cybersecurity talent.\n    While there will certainly be new programs and partners involved \nwith the implementation of the Act, it is critical that we look to our \ntrusted partners, as you have already done with NSF-SFS CyberCorps, that we \nknow will do a tremendous job and deserve additional support to \ncontinue the necessary work in cybersecurity education. 
The NSA\'s \nCenter of Academic Excellence in Cyber Operations and GenCyber Summer \nCamp programs are exactly the type of cybersecurity education partners \nthat deserve direct support as this Act is implemented.\n    I welcome the chance to provide additional guidance and feedback on \nS.1353 as it has the potential to help mature cybersecurity education a \ngreat deal across the Nation.\n                                 ______\n                                 \n                                          Intel Corporation\n                                  Washington, DC, February 18, 2014\n\nHon. John Thune,\nChairman,\nUnited States Senate,\nCommittee on Commerce, Science, and Transportation,\nWashington, DC.\n\nHon. Bill Nelson,\nRanking Member,\nUnited States Senate,\nCommittee on Commerce, Science, and Transportation,\nWashington, DC.\n\nRe: Senate Commerce, Science, and Transportation Committee Hearing, \n            ``Building a More Secure Cyber Future: Examining Private \n            Sector Experience with the NIST Framework\'\'\n\nDear Chairman Thune and Ranking Member Nelson:\n\n    Intel Corporation commends you for holding a full committee hearing \non February 4, 2015, ``Building a More Secure Cyber Future: Examining \nPrivate Sector Experience with the NIST Framework,\'\' and we thank you \nfor the opportunity to submit written testimony for the record.\n    We appreciate the Committee\'s attention to cybersecurity--advancing \ncybersecurity across the global digital infrastructure has long been a \npriority for Intel as well. Indeed, security, along with power-\nefficient performance and connectivity, comprise the three computing \npillars around which Intel concentrates our innovation efforts, and \nIntel has long shared the sentiment that we cannot delay in \ncollectively addressing the evolving cybersecurity threats facing us \nall. 
Our commitment to cybersecurity has extended to the Framework for \nImproving Critical Infrastructure Cybersecurity (the ``Framework\'\'), \nfrom its inception through its early implementation. President Obama \nissued Executive Order 13636--Improving Critical Infrastructure \nCybersecurity, in February 2013, and over the ensuing year Intel \ncollaborated with government and industry stakeholders to develop the \nFramework. The first version of the Framework was delivered on February \n12, 2014, and soon thereafter Intel launched a pilot project to test \nthe Framework\'s use at Intel.\n    Intel\'s pilot project assessed cybersecurity risk for our Office \nand Enterprise infrastructure, and demonstrated that the Framework \nprovided clear benefit to Intel. We focused on developing a use case \nthat would create a common language and encourage the use of the \nFramework as a process and risk management tool, rather than as a set \nof static compliance requirements. Our early experience with the \nFramework helped us harmonize our risk management technologies and \nlanguage, improve our visibility into Intel\'s risk landscape, inform \nrisk tolerance discussions across our company, and enhance our ability \nto set security priorities, develop budgets, and deploy security \nsolutions. The pilot resulted in a set of reusable tools and best \npractices for utilizing the Framework to assess infrastructure risk; we \nplan to use these tools and best practices to expand Intel\'s use of the \nFramework. It is our hope that other organizations follow the path we \nforged in demonstrating the value of the Framework when it is put in \naction, by developing their own Framework use cases and driving \nadoption of the Framework. 
A detailed account of our pilot project and \nthe benefits we derived from using the Framework is contained in the \nattached white paper, The Cybersecurity Framework in Action: An Intel \nUse Case, which we respectfully attach for the record.\n    Thank you again for devoting your Committee\'s resources to \naddressing our cybersecurity challenges, and for providing oversight \nover the Framework. The Framework embodies a longstanding pillar of \nIntel\'s cybersecurity strategy: supporting collaboration between \ngovernment, industry, and non-governmental organization stakeholders to \nimprove cybersecurity in a way that promotes innovation, protects \ncitizens\' privacy and civil liberties, and preserves the promise of the \nInternet as a driver of global economic development and social \ninteraction. We look forward to collaborating with the Committee to \nachieve our mutual goals moving forward. For more information, please \ncontact John Miller.\n            Best regards,\n                                        Peter M. Cleveland,\n                                                    Vice President,\n                                            Global Public Policy Group.\n                               Attachment\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n                                 ______\n                                 \n                        Retail Industry Leaders Association\n                                    Arlington, VA, February 4, 2015\n\nHon. John Thune,\nChairman,\nSenate Committee on Commerce, Science, and Transportation,\nUnited States Senate,\nWashington, DC.\n\nHon. 
Bill Nelson,
Ranking Member,
Senate Committee on Commerce, Science, and Transportation,
United States Senate,
Washington, DC.

Dear Chairman Thune and Ranking Member Nelson:

    On behalf of the Retail Industry Leaders Association (RILA), I write to thank you for holding today's hearing entitled, ``Building a More Secure Cyber Future: Examining Private Sector Experience with the NIST Framework.'' Retailers greatly appreciate the Committee's leadership in seeking to find a sensible path to address critical cybersecurity issues.
    RILA is the trade association of the world's largest and most innovative retail companies. RILA members include more than 200 retailers, product manufacturers, and service suppliers, which together are responsible for more than $1.5 trillion in annual sales, millions of American jobs and more than 100,000 stores, manufacturing facilities and distribution centers domestically and abroad.
    Retailers embrace innovative technology to provide American consumers with unparalleled services and products online, through mobile applications, and in our stores. While technology presents great opportunity, nation states, criminal organizations, and other bad actors also are using it to attack businesses, institutions, and governments. As we have seen, no organization is immune from attacks and no security system is invulnerable. Retailers understand that defense against cyber-attacks must be an ongoing effort, evolving to address the changing nature of the threat. RILA is committed to working with Congress to give government and retailers the tools necessary to thwart this unprecedented attack on the United States (U.S.) economy and bring the fight to cybercriminals around the globe.
    As leaders in the retail community, we are taking new and significant steps to enhance cybersecurity throughout the industry. To that end, RILA formed the Retail Cyber Intelligence Sharing Center (R-CISC) in 2014 in partnership with America's most recognized retailers. The Center has opened a steady flow of information sharing between retailers, law enforcement and other relevant stakeholders. These efforts already have helped prevent data breaches, protected millions of American customers and saved retailers millions of dollars. The R-CISC is open to all retailers regardless of their membership in RILA.
    For years, RILA members have been developing and deploying new technologies to achieve pioneering levels of security and service. The cyber-attacks that our industry faces change every day and our members are building layered and resilient systems to meet these threats. Key to this effort is the ability to design systems to meet actual threats rather than potentially outdated cybersecurity standards that may be enshrined in law. That is why development of any technical cybersecurity standards beyond a mandate for reasonable security must be voluntary and industry-led such as the standards embodied in the National Institute of Standards and Technology Cybersecurity Framework. RILA members using the Framework have found it to be a helpful tool in evaluating their cybersecurity posture and support the continued use of voluntary, industry-led processes as a key method of addressing dynamic technology challenges.
    One area of cybersecurity that needs immediate attention is payment card technology. RILA members have long supported the adoption of stronger debit and credit card security protections. The woefully outdated magnetic stripe technology used on cards today is the chief vulnerability in the payments ecosystem. This 1960s-era technology allows cyber criminals to create counterfeit cards and commit fraud with ease. Retailers continue to press banks and card networks to provide U.S. consumers with the same Chip and PIN technology that has proven to dramatically reduce fraud when it has been deployed elsewhere around the world. According to the Federal Reserve, PINs on debit cards make them 700 percent more secure than transactions authorized by signature.\1\
---------------------------------------------------------------------------
    \1\ Federal Reserve, ``2011 Interchange Fee Revenue, Covers Issuer Costs, and Covered Issuer and Merchant Fraud Losses Related to Debit Card Transactions,'' (March 5, 2013).
---------------------------------------------------------------------------
    Increasing cyber threat information sharing is also vital to defeating sophisticated and coordinated cyber actors. RILA strongly supports cybersecurity information sharing legislation that provides liability protections for participating organizations. Legislation also should increase funding for government sponsored research into next generation security controls and enhance law enforcement capabilities to investigate and prosecute criminals internationally. The cyber-attacks faced by every sector of our economy constitute a grave national security threat that should be addressed from all angles.
    RILA thanks the Committee for holding this important hearing to look into the positive private sector experience with the NIST Cybersecurity Framework, cyber information sharing legislation, and cybersecurity more broadly. We look forward to working with you on these vital issues. Should you have any additional questions regarding this matter, please feel free to contact Nicholas Ahrens, Vice President, Privacy and Cybersecurity.
            Sincerely,
                                      Jennifer M. Safavian,
                      Executive Vice President, Government Affairs.
                                 ______

 Prepared Statement of Independent Community Bankers of America (ICBA)

             Cybersecurity: The Community Bank Perspective

    On behalf of the more than 6,500 community banks represented by ICBA, thank you for convening today's hearing on ``Building a More Secure Cyber Future: Examining Private Sector Experience with the NIST Framework.'' The financial services industry and community banks are typically on the front lines of defending against cybersecurity threats and take their role in securing data and personal information very seriously. ICBA is pleased to take this opportunity to submit the following statement for the record which sets forth the community bank perspective on cybersecurity and the National Institute for Standards and Technology (NIST) framework.
    All Critical Infrastructure Sectors Must Be Covered and Existing Mandates Must Be Recognized. ICBA supports the 2013 Executive Order and the NIST framework implementing it because they create a baseline to reduce cyber risk to all critical infrastructure sectors. This is a critical test for any new legislation, frameworks, or standards in the area of data security: It should extend comparable standards to all critical infrastructure sectors, including the commercial facilities sector which incorporates the retail industry and other potentially vulnerable entities. Financial institutions have long been subject to rigorous and effective data security protocols established by the Gramm-Leach-Bliley Act. Any new data security mandates must recognize the existing standards and practices community banks observe to protect the confidentiality and integrity of customer personal data as well as to mitigate cyber threats.
    Threat Information Sharing is Critical.
ICBA supports the sharing of advanced threat and attack data between Federal agencies and the appropriate financial sector participants, including community banks. Community banks rely on this critical information to help them manage their cyber threats and protect their systems. ICBA supports community banks' involvement with services such as the Financial Services Information Sharing and Analysis Center (FS-ISAC). The FS-ISAC is a non-profit, information-sharing forum established by financial services industry participants to facilitate the public and private sectors' sharing of physical and cybersecurity threat and vulnerability information. ICBA also supports FS-ISAC efforts to take complex threat information across communities, people and devices and analyze, prioritize, and route it to users in real-time as long as those efforts incorporate community banks and such advancements are cost effective to community banks.
    Regulators Should Recognize Third Party Risk. Community banks significantly rely on third parties to support their systems and business activities. While community banks are diligent in their management of third parties, mitigating sophisticated cyber threats to these third parties, especially when they have connections to other institutions and servicers, can be challenging. Regulators must be aware of the significant interconnectivity of these third parties and must collaborate with them to mitigate this risk. This can be done by agencies evaluating the concentration risks of service providers to financial institutions, and broadening supervision of technology service providers to include more core, IT service providers by expanding the Multi-Regional Data Processing Servicer Program (MDPS) to include such providers.
    Properly Aligned Incentives Will Enhance Data Security and Cybersecurity. When an entity's systems are breached, it is critical that the party that incurs the breach, whether it be a retailer, financial institution, data processor or other entity, bear responsibility for the related fraud losses and costs of mitigation. Allocating financial responsibility with the party that incurs the breach will provide a strong incentive for all parties to effectively secure data.
    Additionally, aligning incentives to maximize data security and cybersecurity by all parties that process and/or store consumer data will make the payments system stronger over time.
    Thank you again for convening today's hearing. ICBA looks forward to working with the Senate Committee on Commerce, Science, and Transportation to improve cybersecurity.
                                 ______

     Response to Written Questions Submitted by Hon. John Thune to 
                         Dr. Charles H. Romine
    Question 1. Dr. Romine, in follow up to my question at the hearing, please provide for the record examples of products and services that the private sector is developing to support use of the Framework.
    Answer. A variety of products and services have been developed by the private sector, including, but not limited to, implementation guides, mappings to the Framework, case studies, educational materials, example profiles, and other document templates. Recently, NIST added an ``Industry Resources'' link to the Cybersecurity Framework website (www.nist.gov/cyberframework) which is a non-exhaustive list of these resources to share for broader use.
    It is important to note that in doing this certain commercial entities, equipment, or materials may be identified in this Website or linked websites in order to support Framework understanding and use.
Such identification is not intended to imply recommendation or endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.

    Question 2. In response to my question, you testified briefly regarding the feedback NIST has received in its draft Guide to Cyber Threat Information Sharing. NIST also has identified automated indicator sharing as one of the areas for development, alignment, and collaboration in its Roadmap for Improving Critical Infrastructure Cybersecurity released on February 12, 2014. Would you please elaborate on NIST's work to develop technical standards for information sharing, including machine-to-machine sharing, for use in both the public and private sectors?
    Answer. While the NIST draft Special Publication 800-150, Guide to Cyber Threat Information Sharing, provides high-level guidance on how to form, join, and effectively participate in information sharing communities, NIST has also participated in, and led significant initiatives to develop technical standards for information sharing. NIST's Security Content Automation Protocol (SCAP) specifications provide low-level technical guidance in support of automated information exchange. SCAP is a suite of interoperable open technical specifications, developed through ongoing public-private collaboration, that enable automated, machine-to-machine exchange of information. SCAP-validated tools can be used to evaluate the security posture of an IT system. SCAP is used to describe known security vulnerabilities, identify configuration issues, and to collect system artifacts that can attest to the system's current security state and to develop and publish indicators.
    In addition to our role in the development of the SCAP specifications, NIST operates the National Vulnerability Database (NVD), the U.S. government repository of SCAP content. The NVD repository includes information regarding over 68,000 known software flaws, 281 security checklists that provide security configuration guidance for operating systems and applications, and over 101,000 product names and identifiers. The NVD-hosted SCAP content and resources are widely used by both public and private sector organizations, including many commercial anti-virus software developers.
    NIST continues to engage with both the private sector and Federal departments and agencies to help develop and refine technical specifications that enable the near-real-time exchange of cyber threat indicators. Through its participation in consensus-driven standards development efforts, such as the International Organization for Standardization's (ISO) Joint Technical Committee 1 (JTC1), NIST is able to help advance the development of technical specifications that enable the creation, use, and automated exchange of indicator data.

    Question 3. In addition to automated indicator sharing, NIST identified a number of additional areas for development, alignment, and collaboration in its Roadmap for Improving Critical Infrastructure Cybersecurity, released on February 12, 2014. Subsequently, on December 5, 2014, NIST released an update reflecting the responses and feedback received in response to its August 26, 2014, Request for Information. Please provide an update on NIST's role, current status, and path forward to address each of the following areas: authentication, conformity assessment, cybersecurity workforce, data analytics, Federal agency cybersecurity alignment, supply chain risk management, and technical privacy standards.
    Answer. NIST's role in cybersecurity is to develop information security standards, guidelines, tests, and metrics to protect non-national security Federal information, systems, and services against threats impacting their confidentiality, integrity and availability, by conducting research that generates the data needed to support these tools. As part of this mission, NIST facilitates and plays an active role in the development of voluntary, industry-led cybersecurity standards and best practices. NIST accomplishes its mission in cybersecurity through collaborative partnerships with our customers and stakeholders in industry, government, academia, standards organizations and international partners.
    The Roadmap for Improving Critical Infrastructure Cybersecurity highlighted several areas identified by stakeholders that require continued focus; they are important but evolving areas that have yet to be developed or need further research and understanding. While tools, methodologies, and standards exist for some of the areas, they need to become more mature, available, and widely adopted. NIST continues to work with stakeholders in each of these areas to identify primary challenges, solicit input to address those identified needs, and collaboratively develop and execute action plans for addressing them. NIST is actively engaging with diverse stakeholders through existing programs, including the National Strategy for Trusted Identities in Cyberspace (NSTIC) and the National Initiative for Cybersecurity Education (NICE), to identify primary challenges, solicit input, and develop and execute plans to address those identified needs in each of the areas identified in the roadmap.

    Question 4. The U.S. Chamber of Commerce has noted that standards are most effective when developed and recognized globally, which can help to prevent the burden of multiple, conflicting jurisdictional requirements.
The Cybersecurity Enhancement Act (Public Law 113-274) recognized NIST's convening role in international standards development and required NIST to consult with foreign governments and international organizations to support the Framework development process. Please elaborate on the importance of global alignment in cybersecurity and how NIST has worked with international organizations to promote the Framework and the public-private partnership model overseas.
    Answer. Pursuant to U.S. law and Administration policy, Federal agencies are required to use voluntary consensus standards in their procurement and regulatory activities, except where inconsistent with law or otherwise impractical. The U.S. consensus standardization community is comprised mostly of non-governmental standards developers. These groups are primarily shaped by extensive industry participation and are market driven. U.S. government participation is motivated by the need to achieve cost-efficient, timely and effective solutions to regulatory, procurement and policy objectives. These diverse motivations are mutually beneficial.
    Meanwhile, many governments are proposing and enacting strategies, policies, laws, and regulations covering information technology for critical infrastructure. Because many organizations and most sectors operate globally or rely on the global digital infrastructure, these requirements are affecting, or may affect, how organizations operate, conduct business, and develop new products and services. Diverse or specialized requirements that vary by country or region can impede interoperability, result in duplication, harm cybersecurity, and hinder innovation. In turn, this can significantly reduce the availability and use of innovative technologies to critical infrastructures in all industries and hamper the ability of organizations to operate globally and to effectively manage new and evolving risks.
    Because the Framework references globally accepted standards, guidelines and practice, organizations domiciled inside and outside of the United States can use the Framework to efficiently operate globally and manage new and evolving risks.
    During the development of the Framework and since its completion, NIST has engaged with foreign governments and private sector entities to explain the Framework and seek alignment of approaches when possible; worked with industry stakeholders to support their international engagement; and exchanged information with standards developing organizations, and the public and private sectors to ensure the Cybersecurity Framework remains aligned and compatible with existing and developing standards and practices.

    Question 5. How has NIST worked with insurance companies in particular in developing the Framework? How do insurance policies provide an incentive for companies to increase their cybersecurity?
    Answer. During the development of the Framework, NIST sought the participation of insurance companies, given their extensive knowledge of the effectiveness of specific cybersecurity practices and their ability to help evaluate specific proposed elements from this perspective. This collaboration included a panel at the 4th Cybersecurity Framework Workshop in Dallas, Texas, where panelists from AIG, ACE USA, Willis, and Lockton answered questions from the audience, and discussed the current state of the cybersecurity insurance market, how the Cybersecurity Framework could help insurance carriers grow the first-party market and be incorporated into underwriting/brokering processes, and anticipated challenges that may arise. According to the Department of Homeland Security--with which NIST has partnered on projects relating to the cybersecurity insurance industry: ``A robust cybersecurity insurance market could help reduce the number of successful cyber attacks by: (1) promoting the adoption of preventative measures in return for more coverage; and (2) encouraging the implementation of best practices by basing premiums on an insured's level of self-protection.'' \1\
---------------------------------------------------------------------------
    \1\ http://www.dhs.gov/publication/cybersecurity-insurance
---------------------------------------------------------------------------
    As industry continues to use the Framework, and insurance companies leverage the Framework to provide policies and services, NIST will continue to work with them to understand their specific implementations and how it could inform future work.
                                 ______

      Response to Written Question Submitted by Hon. Roy Blunt to 
                         Dr. Charles H. Romine
    Question. The Framework itself is voluntary and based upon a risk management model, as opposed to compliance with rote standards. Wouldn't the concept of a mandatory survey be counter to the voluntary approach adopted by NIST, and could it impact the use of the Framework if private sector owners and operators of critical infrastructure view using the Framework as being linked to new reporting requirements? Please provide your perspective on the mandatory survey proposal.
    Answer. NIST believes that a mandatory survey would be premature and will not provide meaningful results to help determine the adoption of the Framework. Adding a mandatory reporting requirement on top of a voluntary Framework could create confusion about the intent of the Executive Order and lead to less participation and use of the Framework, as well as reduce trust in NIST's consensus development process, adversely affecting future participation.
    After some time has passed, measurement of use and effectiveness of the Framework is an element of NIST's plans. Costs (including burden on companies) and benefits of doing that as well as alternative options would be considered at that time. Measurement should also include how products and services--and the overall market forces--are supporting use of the Framework, and where legislative changes may assist with use.
    Based on feedback from the private sector, the immediate focus of the Administration is on raising awareness about the value of the voluntary Framework in addressing and reducing risk, and encouraging its use. NIST continues to hear from the private sector--including our most recent discussions with leaders across many sectors--that raising awareness and stimulating use are the essential first steps on the path to achieving effectiveness.
    NIST believes that this is the pathway to effectiveness. Concerns about cybersecurity and risk need to be integrated into each organization's approach for doing business. There is no single, definitive and universal end point for improving quality or cybersecurity. NIST is asking organizations to do a serious evaluation of their current cybersecurity practices and develop plans to improve their capabilities through use of the Framework--a process that will take time.
    NIST is also seeing a range of products and services being developed or modified to assist organizations to use the Cybersecurity Framework.
The Administration is also working to ensure that this approach can scale globally--as NIST sees that alignment it's likely to also see increased use of the Framework for companies with international business.
    The voluntary nature of the framework in enabling a larger number of stakeholders to use the underlying practices--choosing a subset for a mandatory survey might create an impression that only this subset should use the Framework. The private sector voluntarily participated in the Framework development process and NIST has found that organizations are willing to discuss how they are using or intend to use the Framework. NIST will work with DHS on their sector-wide assessments, monitor surveys that private sector organizations conduct, and will continue to receive information through workshops, meetings, and potentially future Requests for Information. Much of this will be geared to gathering information on how to improve future versions of the Framework.
                                 ______

     Response to Written Questions Submitted by Hon. John Thune to 
                           Ann M. Beauchesne
    Question 1. In August 2013, the Department of Commerce Internet Policy Taskforce released a series of recommendations incorporating stakeholder input for ways the government could incentivize use of the framework. The U.S. Chamber of Commerce has also suggested a number of incentives. What incentives do you think would have the biggest impact on business behavior?
    Answer. The U.S. Chamber generally separates the cybersecurity incentives discussion into two categories--(1) incentives related to information sharing and (2) incentives related to using risk management tools like the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (the framework).
    First, incentives spurring bidirectional information about cyber threats among multiple government and private entities are most important to Chamber members. The Chamber needs Congress to send a bill to the president that gives businesses legal certainty that they are protected from liability when voluntarily sharing and receiving threat indicators and countermeasures in real time and taking actions to mitigate cyberattacks.
    The legislation also needs to offer protections related to public disclosure, regulatory, and antitrust matters in order to increase the timely exchange of information among public and private entities. The Chamber believes that legislation needs to safeguard privacy and civil liberties and establish appropriate roles for civilian and intelligence agencies. At the time of this writing, the draft Cybersecurity Information Sharing Act of 2015 (CISA) goes the furthest compared with other proposals in addressing the legal and policy priorities that the Chamber has been pushing for several years.
    Second, the Chamber appreciates that the administration is considering a limited number of incentives for the private sector to voluntarily use the framework.\1\ However, the most important incentive that the administration and lawmakers could extend to companies is the assurance that the cybersecurity framework would remain collaborative, flexible, and innovative over the long term. The Chamber believes that the presence of these qualities, or the lack thereof, would be a key determinant to participation by businesses, including critical infrastructure, in using the framework.
---------------------------------------------------------------------------
    \1\ www.whitehouse.gov/blog/2015/02/02/strengthening-cyber-risk-management
---------------------------------------------------------------------------
    Ultimately, policymakers need to meet with each critical infrastructure sector to discuss what businesses need to potentially encourage greater use of the cybersecurity framework. The right incentives may be available or they may need to be created. In April 2013, the Chamber sent NIST a letter regarding businesses' use of the framework and the role of incentives.
    Here are some incentives that are frequently discussed by public and private sector stakeholders, which the Chamber is willing to consider:

  <bullet> Extending liability protections (information sharing). Businesses seek to participate in the online equivalent of a Neighborhood Watch program for cybersecurity. Companies' security professionals want to exchange cyber threat information and vulnerabilities with their peers and government--but they fear being sanctioned for doing the right thing. The Chamber strongly urges Congress to pass an information-sharing bill this year with strong protections related to liability, public disclosure, regulatory, and antitrust concerns.

  <bullet> Extending liability protections (framework). Congress may consider extending liability protections to companies that voluntarily adopt the cybersecurity framework. This is a welcome option. However, our experience with S. 3414, the Cybersecurity Act of 2012, demonstrates that the level of protection authorized in the bill (i.e., against punitive damages sought in a lawsuit) was relatively weak. The bill provided insufficient protection to sway businesses' decision making in favor of the legislation. In other words, the stick was considerably bigger than the carrot.

  <bullet> Extending liability protections (SAFETY Act). The administration and Congress are expected to assess how the Support Anti-terrorism by Fostering Effective Technologies Act of 2002 (SAFETY Act) could allow for legal liability protections for providers of qualified cybersecurity technologies. The act is intended to expand the development and commercialization of innovative products and services to mitigate significant cybersecurity incidents. This may require a review and possibly a modification of the events that would trigger SAFETY Act coverage and the types of technologies and services that would be covered. House cybersecurity legislation in the 113th Congress (H.R. 3696) contained such a provision.

  <bullet> Harmonizing cybersecurity regulations. Information-security requirements should not be cumulative. The Chamber believes it is valuable that agencies and departments are urged under the 2013 cybersecurity executive order (EO) to report to the Office of Management and Budget any critical infrastructure subject to ``ineffective, conflicting, or excessively burdensome cybersecurity requirements.'' The Chamber urges the administration and Congress to prioritize eliminating burdensome regulations on businesses. One solution could entail giving businesses credit for information security regimes that exist in their respective sectors.
It is positive that Michael Daniel, the administration's lead cyber official, has made harmonizing existing cyber regulations with the framework a priority in a February 2, 2015, blog.

  <bullet> Leveraging Federal procurement. The Chamber generally supports a government procurement process that rewards vendors that follow industry-recognized cybersecurity guidance. However, we are concerned about the unintended consequences of procurement incentives, such as a program that leads to one-size-fits-all outcomes or to artificially chosen technology winners and losers. The Chamber urges the administration to be mindful of how procurement incentives, however beneficial in the American context, could prompt foreign governments to emulate this policy as a way of restricting U.S. companies' access to overseas markets.

        The Chamber cautions against expanding the scope of section 8 of the 2013 cybersecurity EO.\2\ The administration recognizes that it should not determine how companies design, develop, and manufacture their technology and products. There are well-established laws and policies on the books to ensure that government procurement processes leverage--rather than duplicate and weaken--industry-led, international technology standards and best practices.
---------------------------------------------------------------------------
    \2\ www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity
---------------------------------------------------------------------------

  <bullet> Making the research and development (R&D) tax credit permanent. Congress should make the R&D tax credit permanent to help businesses adopt a multilayered cybersecurity program that matures over time in relation to risks. This is particularly important for small and midsize company owners and operators who typically lack the money and human talent to deploy a sophisticated program.

    Question 2. The U.S. Chamber has noted that standards are most effective when developed and recognized globally, which can help prevent the burden of multiple, conflicting jurisdictional requirements.
    The Cybersecurity Enhancement Act (Public Law 113-274) recognized NIST's convening role in international standards development and required NIST to consult with foreign governments and international organizations to support the framework development process. How can the U.S. Chamber leverage its members' global operations to facilitate this international alignment?
    Answer. The Chamber is urging U.S. and foreign government officials to align international cybersecurity regimes with the framework. Many Chamber members operate globally. We applaud NIST for actively meeting with foreign officials urging them to embrace the framework. Like NIST, the Chamber believes that efforts to improve the cybersecurity of the public and private sectors should reflect the borderless and interconnected nature of our digital environment.
    Standards, guidance, and best practices relevant to cybersecurity are typically industry driven and adopted on a voluntary basis. They are most effective when developed and recognized globally. Such an approach would avoid burdening multinational enterprises with the requirements of multiple, and often conflicting, jurisdictions.
    The Chamber is planning to hold meetings in May in Berlin and Brussels with U.S. and European public officials and industry representatives to discuss issues of mutual interest including the cybersecurity framework, digital innovation, international data flows, and data privacy. Our organization intends to engage additional countries and regions globally.
    Meanwhile, the Chamber urges the administration to organize opportunities for stakeholders to participate in multinational discussions. We encourage the Federal Government to work with international partners and believe that these discussions should be stakeholder driven and occur on a routine basis.
                                 ______

     Response to Written Questions Submitted by Hon. Roy Blunt to 
                           Ann M. Beauchesne
    Question 1. You state in your testimony that the NIST framework is incomplete without Congress enacting information-sharing legislation. Can you elaborate on this? Is it fair to say that, in the same sense the NIST framework is voluntary, that the sharing of cyber threat indicators must be voluntary as well?
    Answer. I would like to begin with part two of this question by saying that cybersecurity information sharing must be voluntary. The U.S. Chamber would oppose any program mandating that companies report cyber threat data to the government, save for what companies agree to via contract.
    Improving information sharing should be job No. 1 for policymakers. The National Institute of Standards and Technology's (NIST's) Framework for Improving Critical Infrastructure Cybersecurity (the framework) would be incomplete without enacting information-sharing legislation that removes legal and regulatory barriers to rapidly exchanging data about threats to U.S. companies. On January 27, 35 associations, including the Chamber, urged the Senate to quickly pass a cybersecurity information-sharing bill. The Senate Intelligence Committee passed in July the Cybersecurity Information Sharing Act (CISA) of 2014, a smart and workable bill, which earned broad bipartisan support.
    Recent cyber incidents underscore the need for legislation to help businesses improve their awareness of cyber threats and enhance their protection and response capabilities. The Chamber urges Congress to send a bill to the president that gives businesses legal certainty that they have safe harbor against frivolous lawsuits when voluntarily sharing and receiving threat indicators and countermeasures in real time with multiple private and public entities, as well as when monitoring information systems to mitigate cyberattacks. The legislation also needs to offer protections related to public disclosure, regulatory, and antitrust matters in order to increase the timely exchange of technical cyber threat indicators (CTIs) and countermeasures among public and private entities.
    The Chamber further believes that legislation needs to safeguard privacy and civil liberties and establish appropriate roles for civilian and intelligence agencies. For example, businesses must remove personal information from CTIs before sharing indicators. Private entities must share ``electronic mail or media, an interactive form on an Internet website, or a real time, automated process between information systems'' with DHS--a civilian entity--if they are to be offered protection from liability.
    CISA, which is sponsored by Sens. Richard Burr and Dianne Feinstein, reflects practical compromises among many stakeholders on these issues. At the time of this writing, the measure was marked up on March 12 and reported to the full Senate on a strong bipartisan vote of 14-1. The Chamber urges the Senate to pass CISA soon.

    Question 2. In your testimony, you cited the need for the U.S. government to raise the costs on malicious cyber-attackers through an intelligent and forceful deterrence strategy. Can you elaborate what a cyber-deterrence strategy should look like?
    Answer. The Chamber is reviewing actions that businesses and government can take to deter nefarious actors that threaten to empty bank accounts, steal trade secrets, or damage vital infrastructures. While our organization has not formally endorsed the report, the U.S. Department of State's International Security Advisory Board (ISAB) issued in July draft recommendations regarding cooperation and deterrence in cyberspace.
    The ISAB's recommendations--including cooperating on crime as a first step, exploring global consensus on the rules of the road, enhancing governments' situational awareness through information sharing, combating IP theft, expanding education and capacity building, promoting attribution and prosecution, and leading by example--are sensible and worthy of further review by cybersecurity stakeholders.\1\
---------------------------------------------------------------------------
    \1\ The ISAB report is available at www.state.gov/documents/organization/229235.pdf.
---------------------------------------------------------------------------
    The Chamber believes that the United States needs to coherently shift the costs associated with cyberattacks in ways that are legal, swift, and proportionate relative to the risks and threats. Policymakers need to help the law enforcement community, which is a key asset to the business community but numerically overmatched compared with illicit hackers.\2\
---------------------------------------------------------------------------
    \2\ The Chamber argued for a clear cyber deterrence strategy in its December 2013 letter to NIST on the framework.
See http://\ncsrc.nist.gov/cyberframework/framework_comments/2013\n1213_ann_beauchesne_uschamber.pdf.\n---------------------------------------------------------------------------\n    The Chamber would welcome working with you, other lawmakers, and \nthe administration on establishing an effective cyber deterrence \nstrategy, using an array of policy tools that the United States lacks.\n\n    Question 3. The framework itself is voluntary and based upon a risk \nmanagement model, as opposed to compliance with rote standards. \nWouldn\'t the concept of a mandatory survey be counter to the voluntary \napproach adopted by NIST, and could it impact the use of the framework \nif private sector owners and operators of critical infrastructure view \nusing the framework as being linked to new reporting requirements? \nPlease provide your perspective on the mandatory survey proposal.\n    Answer. The framework is a remarkable public-private achievement. \nNIST worked closely with the Chamber\'s Cybersecurity Working Group and \nother private sector organizations to develop the framework. NIST \ntreated the business community as a genuine partner as it tackled a \ntough assignment in ways that should serve as a model for other \nagencies and departments.\n    Generally, the Chamber does not survey its members, which we have \nalso communicated to Sen. Nelson. However, the Chamber is committing \nsubstantial resources to promoting the framework to its membership and \nthe wider business community. 
As highlighted in my testimony, the \nChamber has organized an extensive, ongoing cybersecurity education and \nadvocacy campaign--Improving Today, Protecting Tomorrow <SUP>TM</SUP>--\npartnering with state and local chambers to host events in Chicago, \nAustin, Seattle, and Phoenix.\n    The Chamber also hosted a number of events in Washington, D.C., \nincluding America\'s Small Business Summit 2014 and the Third Annual \nCybersecurity Summit, where discussion of the framework was prominently \nfeatured. Further, we are planning events this year to build on the \nsuccess of the 2014 campaign.\n    Use of the framework is voluntary--not mandatory--which is why many \nbusinesses and public-sector organizations, such as county IT \ndepartments, have embraced it. Industry\'s interest in cybersecurity and \nthe framework is robust and expanding. Michael Daniel, White House \nspecial assistant to the president and cybersecurity coordinator, said \nin September 2014 at the Chamber\'s third cyber roundtable in Seattle \nthat industry\'s response to the framework has been ``phenomenal.\'\'\n    The Chamber supported the Cybersecurity Enhancement Act of 2014 (S. \n1353, P.L. 113-274), sponsored by Sens. Rockefeller and Thune and \nsigned into law on December 18, 2014. The act directs the comptroller \ngeneral to conduct a study assessing the extent to which ``sectors of \ncritical infrastructure have adopted a voluntary, industry-led set of \nstandards,\'\' and ``the reasons behind the decisions\'\' of critical \ninfrastructure to do so. The Chamber believes that this study would \noffer much more insight about framework use than a mandatory survey of \nindividual firms.\n    It is worth adding that critical infrastructure sectors are keenly \naware of and supportive of the framework and similar risk management \ntools. 
The Chamber understands that critical infrastructures at \n``greatest risk\'\' (CIGR) have been identified and engaged by \nadministration officials under the terms of the 2013 cybersecurity \nexecutive order (EO).\\3\\ If the United States is to build a more secure \ncyber future, the Chamber urges you and other government officials to \nensure that all resources, particularly the latest cyber threat \ninformation, are available to CIGR to counter increasing and advanced \nthreats.\n---------------------------------------------------------------------------\n    \\3\\ www.whitehouse.gov/the-press-office/2013/02/12/executive-order-\nimproving-critical-infrastructure-cybersecurity\n---------------------------------------------------------------------------\n    At the time of this writing, it is not clear that Federal entities \nsuch as the Department of Homeland Security (DHS) have utilized all \nresources at their disposal to help CIGR mitigate expensive \ncyberattacks emanating from highly advanced and nefarious actors. \nPolicymakers have not sufficiently acknowledged this expensive, \npractical reality. Nation-states or their proxies and other \nsophisticated criminal actors are apparently hacking businesses with \nimpunity. This needs to stop.\n\n    Question 4. Ms. Beauchesne, in your testimony you cite the need to \nharmonize preexisting regulations on cybersecurity. Please submit for \nrecord specific details regarding which agencies and what regulations \nare duplicative, burdensome, inconsistent, or otherwise in conflict \nwith the NIST framework and our goal of better cybersecurity.\n    Answer. Information-security requirements should not be cumulative. 
\nThe Chamber believes it is valuable that agencies and departments are \nurged under the 2013 cybersecurity EO to report to the Office of \nManagement and Budget any critical infrastructure subject to \n``ineffective, conflicting, or excessively burdensome cybersecurity \nrequirements.\'\' We urge the administration and Congress to prioritize \neliminating burdensome regulations on businesses.\\4\\ Thus, it is \npositive that Michael Daniel, the administration\'s lead cyber official, \nhas made harmonizing preexisting cyber regulations with the framework a \npriority.\\5\\\n---------------------------------------------------------------------------\n    \\4\\ The business community already complies with multiple \ninformation security rules. Among the regulatory requirements impacting \nbusinesses of all sizes are the Chemical Facilities Anti-Terrorism \nStandards (CFATS), the Federal Energy Regulatory Commission-North \nAmerican Reliability Corporation Critical Information Protection (FERC-\nNERC CIP) standards, the Gramm-Leach-Bliley Act (GLBA), the Health \nInsurance Portability and Accountability Act (HIPAA), and the Sarbanes-\nOxley (SO<INF>X</INF>) Act. The Securities and Exchange Commission \n(SEC) issued guidance in October 2011 outlining how and when companies \nshould report hacking incidents and cybersecurity risks. Corporations \nalso comply with many non-U.S. requirements, which add to the \nregulatory mix.\n    \\5\\ www.whitehouse.gov/blog/2015/02/02/strengthening-cyber-risk-\nmanagement\n---------------------------------------------------------------------------\n    The Chamber would defer to leading sector associations and \ncompanies to determine what works best for them vis-a-vis government \nregulators. 
The examples that follow partially illustrate the \nchallenges involved in streamlining regulations.\n    First, some businesses in the communications sector--made up of \nbroadcasting, cable, wireline, wireless, and satellite segments--\nbelieve that agency duplication is a growing concern. Multiple \nagencies--including DHS, the Federal Communications Commission (FCC), \nand the National Telecommunications and Information Administration \n(NTIA)\\6\\--address cybersecurity in the communications sector. Whether \nit is the communications sector or another one, quality cybersecurity \nexpertise is hard to attract and retain. Cyber personnel and their \nbusiness colleagues (e.g., with legal and risk management duties) \nshould not be unduly stressed battling both advanced hackers and \nFederal regulators. Regulatory overlap could easily lead to conflicting \nrules and the splintering of industry resources, which would be \ndetrimental to cybersecurity. Such a problem is not unique to the \ncommunications sector.\n---------------------------------------------------------------------------\n    \\6\\ www.ntia.doc.gov/press-release/2015/iptf-seeks-comment-key-\ncybersecurity-issues\n---------------------------------------------------------------------------\n    Second, financial institutions offer numerous products and services \nthat subject them to multiple cybersecurity and information privacy \nprograms, including the Gramm-Leach-Bliley Act (GLBA) and various rules \nand guidance issued by Federal and state regulators. Federal financial \nsector regulators work toward harmonizing their mandates across \nagencies through bodies like the Federal Financial Institutions \nExamination Council (FFIEC)\\7\\ and the Financial and Banking \nInformation Infrastructure Committee (FBIIC). 
Nevertheless, agencies \ncommonly leave the interpretation of rules and guidance documents to \nindividual agency officials who may interpret them differently, often \nleading to confusing or conflicting recommendations.\n---------------------------------------------------------------------------\n    \\7\\ http://ithandbook.ffiec.gov/it-booklets/business-continuity-\nplanning.aspx\n---------------------------------------------------------------------------\n    Further, beyond the Federal level, there are several state-based \nfinancial regulatory entities that create their own guidance and have \noversight responsibilities, adding to the regulatory mix. The financial \nservices industry needs improved consistency and clarity among its \nvarious regulators to minimize costs while maximizing business safety \nand soundness.\n    Third, the natural gas sector is impacted by a long list of \nrecommended practices, standards, and guidelines--including the DHS \nTransportation Security Administration (TSA) Pipeline Security \nGuidelines (2011),\\8\\ the Department of Energy\'s (DOE\'s) Cybersecurity \nCapability Maturity Model (C2M2),\\9\\ and DHS\' Cyber Security Evaluation \nTool (CSET)--which are employed by industry operators to bolster their \ncybersecurity posture and resilience in an all-hazards context. Natural \ngas companies have worked diligently to use one or more of these \nstandards and recommended practices. 
However, as companies are \nincreasingly pressured by government agencies to use multiple tools, \ncybersecurity can become more of a record-keeping and compliance \nexercise rather than an exercise in advancing legitimate security.\n---------------------------------------------------------------------------\n    \\8\\ www.tsa.gov/assets/pdf/guidelines_final_apr2011.pdf\n    \\9\\ http://energy.gov/oe/services/cybersecurity/cybersecurity-\ncapability-maturity-model-c2m2-program/cybersecurity\n---------------------------------------------------------------------------\n    The Chamber hopes that the new Cybersecurity Forum for Independent \nand Executive Branch Regulators can help, according to its fall 2014 \ncharter, ``identify and explore opportunities to align, leverage, and \ndeconflict cross-sector regulatory authorities\' approaches and promote \ncybersecurity protection.\'\' \\10\\ We would like to maintain a dialogue \nwith your office and the Commerce committee as the administration and \nthe interagency forum tackle the regulatory streamlining initiative \ntied to the framework.\n---------------------------------------------------------------------------\n    \\10\\ http://pbadupws.nrc.gov/docs/ML1428/ML14288A568.pdf; http://\npbadupws.nrc.gov/docs\n/ML1501/ML15014A296.pdf\n---------------------------------------------------------------------------\n                                 ______\n                                 \n    Response to Written Questions Submitted by Hon. Bill Nelson to \n                           Ann M. Beauchesne\n    Question 1. I want to follow up on the request I made to you at the \nhearing. Of the 200 or so members that make up the National Security \nTask Force, how many of them have implemented the framework? How many \nmembers in your general membership have implemented the framework?\n    Answer. The U.S. 
Chamber of Commerce believes that the Framework \nfor Improving Critical Infrastructure Cybersecurity (the framework) is \na remarkable public-private achievement. The National Institute of \nStandards and Technology (NIST) worked closely with the Chamber\'s \nCybersecurity Working Group and other private sector organizations to \ndevelop the framework. NIST treated the business community as a genuine \npartner as it tackled a tough assignment in ways that should serve as a \nmodel for other agencies and departments.\n    Generally, the Chamber does not survey its members. Yet, the \nChamber is committing substantial resources to promoting the framework \nto its membership and the wider business community. As highlighted in \nmy testimony, the Chamber has organized an extensive, ongoing \ncybersecurity education and advocacy campaign--Improving Today, \nProtecting Tomorrow <SUP>TM</SUP>--partnering with state and local \nchambers to host events in Chicago, Austin, Seattle, and Phoenix.\n    The Chamber also hosted a number of events in Washington, D.C., \nincluding America\'s Small Business Summit 2014 and the Third Annual \nCybersecurity Summit, where discussion of the framework was prominently \nfeatured. Further, we are planning events this year to build on the \nsuccess of the 2014 campaign.\n    Use of the framework is voluntary, not mandatory, which is why many \nbusinesses and public-sector organizations, such as county IT \ndepartments, have embraced it. Industry\'s interest in cybersecurity and \nthe framework is robust and expanding. Michael Daniel, White House \nspecial assistant to the president and cybersecurity coordinator, said \nin September 2014 at the Chamber\'s third cyber roundtable in Seattle \nthat industry\'s response to the framework has been ``phenomenal.\'\'\n    The Chamber supported the Cybersecurity Enhancement Act of 2014 (S. \n1353, P.L. 113-274), sponsored by Sens. Rockefeller and Thune and \nsigned into law on December 18, 2014. 
The act directs the comptroller \ngeneral to conduct a study assessing the extent to which ``sectors of \ncritical infrastructure have adopted a voluntary, industry-led set of \nstandards,\'\' and ``the reasons behind the decisions\'\' of critical \ninfrastructure to do so. The Chamber believes that this study would \noffer much more insight about framework use.\n    It is worth adding that critical infrastructure sectors are keenly \naware of and supportive of the framework and similar risk management \ntools. The Chamber understands that critical infrastructures at \n``greatest risk\'\' (CIGR) have been identified and engaged by \nadministration officials under the terms of the 2013 cybersecurity \nexecutive order (EO).\\1\\ If the United States is to build a more secure \ncyber future, the Chamber urges you and other government officials to \nensure that all resources, particularly the latest cyber threat \ninformation, are available to CIGR to counter increasing and advanced \nthreats.\n---------------------------------------------------------------------------\n    \\1\\ www.whitehouse.gov/the-press-office/2013/02/12/executive-order-\nimproving-critical-infrastructure-cybersecurity\n---------------------------------------------------------------------------\n    At the time of this writing, it is not clear that Federal entities \nsuch as the Department of Homeland Security (DHS) have utilized all \nresources at their disposal to help CIGR mitigate expensive \ncyberattacks emanating from highly advanced and nefarious actors. \nPolicymakers have not sufficiently acknowledged this expensive, \npractical reality. Nation-states or their proxies and other \nsophisticated criminal actors are apparently hacking businesses with \nimpunity. 
This needs to stop.\n    In addition to having policymakers acknowledge cost concerns, the \nChamber would welcome working with you, other lawmakers, and the \nadministration on establishing an intelligent and forceful deterrence \nstrategy, using an array of policy tools that the United States lacks.\n\n    Question 2. What is the prevalence of cyber insurance policies \namong members of the U.S. Chamber of Commerce? And what is the amount \nof annual payouts under those policies?\n    Answer. The prevalence of cyber insurance among Chamber members is \nunknown. Typically, the Chamber does not ask its members about such \nmatters because this information is relatively sensitive.\n    We note, however, that more than 50 major insurance providers now \noffer cyber insurance coverage. According to a Marsh Risk Management \nResearch report, demand for cyber insurance grew by 21 percent across \nall industries in 2013, compared with 2012, and the pace is increasing. \nFinancial institutions accounted for the largest percentage--nearly 30 \npercent--of that increase. Other data-intensive sectors, including \nretail/wholesale and professional services, saw increases of 19 percent \nand 13 percent, respectively. It appears that demand for cyber \ninsurance is booming as a result of a number of high-profile hacks and \ndata breaches, spurring explosive growth in what is approximately a $2 \nbillion industry.\n    The Chamber applauds the insurance industry for developing market-\ndriven policies to help businesses mitigate losses from a variety of \ncyber incidents, including data breaches, business interruption, and \nnetwork damage. Business purchases of cybersecurity insurance should go \nhand in hand with investments in cybersecurity.\n    Cyber insurance risk is challenging to measure, model, and price. 
\nNevertheless, growing awareness of the cybersecurity framework and \nalmost daily headlines about cyber incidents have stimulated industry\'s \ninterest in cyber insurance. A healthy cyber insurance market should \nplay a role in businesses\' reducing the number of successful \ncyberattacks by implementing risk management tools in return for more \ncoverage.\n    The Chamber supports a growing cyber insurance market, which is \nnascent compared with more established lines such as auto, life, and \nhealth. But, the Chamber would not support public policies either \ncompelling insurers to offer cyber insurance or mandating that firms \nbuy cyber insurance.\n    The Chamber plans to promote cyber risk management tools, including \ncyber insurance, as part of its national roundtable cybersecurity \nseries. The campaign emphasizes growing awareness of the framework--\nparticularly recommending that businesses of all sizes and sectors \nadopt fundamental Internet security practices--and teaming up with law \nenforcement and entities like DHS.\n    If the campaign comes to a Florida city, the Chamber would welcome \nhaving you as a keynote speaker.\n                                 ______\n                                 \n     Response to Written Questions Submitted by Hon. John Thune to \n                             Paul N. Smocer\n    Question 1. The financial services sector is a leader in cyber \nthreat information-sharing innovation, as evidenced by the successful \ncollaboration via the FS-ISAC and the creation of Soltra Edge, a new \nthreat intelligence-sharing software platform. What are the key \nprinciples that cyber threat information sharing legislation must \ninclude to eliminate existing constraints on the activities of the FS-\nISAC and Soltra Edge?\n    Answer. 
The financial services sector realizes that in order to \nappropriately defend itself, threat information sharing is key.\n    The FS-ISAC coordinates information sharing today among its member \ninstitutions, with industry associations, and between financial \ninstitutions and the Federal Government, law enforcement and other \ncritical infrastructure sectors. Information is shared through the \ntraffic light protocol (TLP), which allows recipients of the threat \ndata to know the sensitivity of the information they receive and their \nability to share. This allows data to be distributed to the right \naudiences in a more secure and trusted format. Soltra Edge expands on \nthe FS-ISAC\'s trust model for cyber threat information sharing in that \nSoltra Edge is an automation platform that collects, distills, and \ntransfers threat intelligence from and to a variety of other sources, \nincluding, but not limited to, the FS-ISAC.\n    Because of the level of current sharing that occurs, the financial \nservices sector is often and rightly credited as being one of the \nleaders in cybersecurity and, particularly, cyber threat information \nsharing. Even at that level though, not everyone participates in \nsharing and even those that do at times become reticent to share. In \nthe latter case, this is particularly true when there is some success \nto an attack versus just an attempt to attack. In these cases, issues \nof liability often influence the decisions to share freely.\n    One must also recognize that our sector exists in an interconnected \nworld. As a sector, we are not an island unto ourselves. We need and \nrely on the sectors that provide us with power, water, \ntelecommunications, computing, etc. 
A key reason for the immaturity in \nthose sectors is concern over the potential liabilities associated with \nsharing such information.\n    To encourage better information sharing within our sector, in other \nsectors, between the sectors, and to the government, sensible ``Good \nSamaritan\'\' protections are needed. Without such legislation, cyber \nthreat information sharing will not expand beyond those companies that \nalready do so to those companies that should do so, but fear litigation \nand potential reputational damage for sharing. In particular, we \nbelieve that in order to protect current initiatives, such as the FS-\nISAC and Soltra Edge, and to expand cyber threat sharing beyond those \nthat already do so, legislation is needed that includes the following \nprovisions:\n\n  <bullet> Facilitates real-time sharing to enable institutions and \n        government to act quickly;\n\n  <bullet> Provides a targeted level of liability and disclosure \n        protections for cyber threat information sharing and receiving \n        between individual institutions, through existing sharing \n        mechanisms such as our FS-ISAC, private to government, and \n        government to private;\n\n  <bullet> Offers a good faith defense for the sharing of threat \n        information and data;\n\n  <bullet> Provides protection from disclosure through the Freedom of \n        Information Act or to prudential regulators;\n\n  <bullet> Facilitates the appropriate declassification of information \n        by the intelligence agencies and expedites the issuance of \n        clearances to appropriate private sector individuals; and\n\n  <bullet> Includes appropriate levels of privacy and civil liberties \n        requirements.\n\n    The threat of cyber-attacks is a real and constant danger to our \nindustry and to other critical infrastructure sectors upon which we, \nand the Nation as a whole, rely. 
The financial services industry is \ndedicated to improving our capacity to protect customers and their \nsensitive information. Effective cyber threat information sharing \nmitigates cyber risks to our customers, clients, partners and networks \nfrom malicious cyber activity.\n\n    Question 2. Mr. Smocer, you mentioned in your testimony that the \nCybersecurity Forum for Independent and Executive Branch Regulators is \nlooking at ways to align and harmonize with the Framework and thus \nstreamline regulatory agencies\' cybersecurity efforts regarding \ncritical infrastructure. Can you tell me how the financial services \nsector will benefit from harmonizing regulatory authorities and \nrequirements and how this Forum is facilitating such benefits?\n    Answer. According to the Charter for the Independent and Executive \nBranch Regulators, ``[t]he purpose of the voluntary Cybersecurity Forum \nfor Independent and Executive Branch Regulators (The Forum) is to \nincrease the overall effectiveness and consistency of regulatory \nauthorities\' cybersecurity efforts pertaining to U.S. Critical \nInfrastructure, much of which is operated by industry and overseen by a \nnumber of Federal regulatory authorities. The Forum will enhance \ncommunication among regulatory agencies and regulated entities through \nthe sharing of best practices and exploring ways to align, leverage, \nand deconflict approaches to enhance cybersecurity protections, and \nwill establish processes to encourage coordination and consistency \nwhere multiple Agencies have regulatory authority over a common \nindustry.\'\' We laud such an approach and hope that it bears fruit. \nHowever, as described in our response to Sen. 
Blunt\'s question, there \nis some cause for concern.\n    Simply, financial institutions are subject to various cyber \nsecurity and information privacy requirements under the Gramm-Leach-\nBliley Act and to regulatory standards and guidance issued by numerous \nfinancial regulators. In today\'s world, financial institutions often \nare multi-faceted, offering products and services that subject them to \nthe regulatory authority of multiple agencies.\n    To their credit, the Federal financial sector regulators do attempt \nto bring some consistency to their guidance and regulatory expectations \nacross agencies through organizations such as the Federal Financial \nInstitutions Examination Council (FFIEC) and the Financial and Banking \nInformation Infrastructure Committee (FBIIC). To a limited extent, this \nhelps avoid a single organization facing multiple expectations about \nthe same operations. Even then, agencies often leave the interpretation \nof that guidance to agency-specific reviewers who may interpret it \ndifferently. Moreover, beyond the Federal level, there is a plethora \nof state level financial regulators who create their own guidance and \nby law have oversight responsibilities. For financial institutions, \nconsistency among their various regulators helps keep down costs and \noverhead while still assuring safety and soundness.\n    Beyond our industry though, the financial services sector would \nbenefit from harmonizing regulatory standards across critical \ninfrastructure sectors, such as telecommunications and electrical \npower. This would help all the sectors that rely upon each other to be \nable to better assess the level of cyber risk between sectors. It would \nbetter allow agencies responsible for assuring the Nation\'s cyber \nprotection to assure themselves of the consistency of cybersecurity \nefforts across sectors. 
\nPractically, as the number of regulators with disparate requirements \nincreases, the ability to train and place cybersecurity experts--\nalready an expertise with a recognized shortage--also becomes more \ntaxed.\n                                 ______\n                                 \n      Response to Written Question Submitted by Hon. Roy Blunt to \n                             Paul N. Smocer\n    Question. Mr. Smocer, in your testimony you mention your concerns \nthat some Federal and state agencies have their own approaches to \nregulation that do not align with the Framework.\n    Please submit for record specific details regarding which agencies \nand what regulations are duplicative, burdensome, inconsistent, or \notherwise in conflict with the NIST framework and our goal of better \ncybersecurity.\n    Answer. As mentioned in my prior testimony, FSR/BITS is a trade \nassociation representing the country\'s leading financial service \ncompanies. Under current regulatory regimes, some of our individual \nmember institutions face regulation from the following regulatory \nbodies:\n\n  <bullet> The Securities and Exchange Commission (SEC);\n\n  <bullet> FINRA;\n\n  <bullet> The Federal Reserve System;\n\n  <bullet> The Office of the Comptroller of the Currency (OCC);\n\n  <bullet> The Federal Deposit Insurance Corporation (FDIC);\n\n  <bullet> The Consumer Financial Protection Bureau (CFPB);\n\n  <bullet> The U.S. Commodity Futures Trading Commission (CFTC);\n\n  <bullet> State banking agencies; and\n\n  <bullet> State insurance agencies.\n\n    None of the above regulators, however, are Executive Branch \nagencies. Thus, these agencies are not subject to the President\'s \nExecutive Orders and they do not have to adhere to the Administration\'s \ndirectives to harmonize cybersecurity regulations. 
Perhaps because of
this, we have seen examples of agencies each asking their own set of
cybersecurity examination questions that may loosely "track" to the
NIST Cybersecurity Framework, but in substance deviate from agency to
agency.
    For example:

  <bullet> In April 2014, the SEC's Office of Compliance Inspections
        and Examinations (OCIE) issued a risk alert in which it
        announced that it would be conducting cybersecurity-focused
        examinations of approximately 50+ registered broker-dealers and
        investment advisors. In this same risk alert
        (http://www.sec.gov/ocie/announcement/Cybersecurity+Risk+Alert++%2526+Appendix+-+4.15.14.pdf),
        OCIE stated that "some" of its questions would "track
        information outlined in the 'Framework for Improving Critical
        Infrastructure Cybersecurity.'" Of the 28 example questions
        with subparts, not all did.

  <bullet> On November 3, 2014, the FFIEC issued its "FFIEC
        Cybersecurity Assessment General Observations." This document
        detailed the FFIEC's cybersecurity examinations of 500+
        community institutions and provided cybersecurity areas to
        focus on and certain questions to consider when considering
        cybersecurity risk.
It did not, however, tie these focus areas
        or questions to the NIST Cybersecurity Framework.\1\
---------------------------------------------------------------------------
    \1\ https://www.ffiec.gov/press/PDF/FFIEC_Cybersecurity_Assessment_Observations.pdf

  <bullet> Without a reference to the NIST Cybersecurity Framework, the
        New York State Department of Financial Services issued an
        "examination guidance" to all New York State chartered or
        licensed banking institutions on December 10, 2014, stating
        that it would be conducting "new targeted cybersecurity
        preparedness assessments" of these entities.\2\ In this
        announcement, the Department also announced that as part of
        that assessment it would be asking 12 specific questions.\3\
---------------------------------------------------------------------------
    \2\ http://www.dfs.ny.gov/about/press2014/pr1412101.htm
    \3\ http://www.dfs.ny.gov/banking/bil-2014-10-10_cyber_security.pdf

  <bullet> On February 3, 2015, FINRA issued its "Report on
        Cybersecurity Practices." \4\ Like the SEC, it referenced the
        NIST Cybersecurity Framework. However, in detailing
        cybersecurity best practices that firms should implement, it
        did not "map" such practices back to the NIST Cybersecurity
        Framework categories or subcategories. Such an exercise would
        be left to an individual firm that wished to compare the
        Framework against this new set of cybersecurity best practices.
---------------------------------------------------------------------------
    \4\ http://www.finra.org/web/groups/industry/@ip/@reg/@guide/documents/industry/p602363.pdf

    We certainly are glad to see an increasing focus on cybersecurity
by agencies that play an important role in protecting the financial
services industry.
However, lack of harmonization between agencies and
with the Cybersecurity Framework means that regulated organizations
must continually reinvest their resources not in defending themselves
against cyber assaults, but in assessing and reassessing themselves
against multiple agency expectations. That is simply not an effective
approach.
                                 ______

    Response to Written Questions Submitted by Hon. Bill Nelson to
                             Paul N. Smocer
    Question 1. Some members of the Financial Services Roundtable sell
insurance products that cover financial losses associated with
cyberattacks. Do you have any data on how much is being paid out to
insureds as a result of losses from cyberattacks?
    Answer. FSR does not have, nor do we collect, data on what our
member companies pay out under various cyber insurance policies.

    Question 2. Last week, the press reported on a massive hacking ring
that is alleged to have stolen up to $1 billion from banks in numerous
countries, including the United States. The news, which emerged from a
report written by Kaspersky Lab, is just the latest in a string of
massive hacks and breaches in recent years, including last year's
breach at JPMorgan Chase. At what point does consumer dissatisfaction
with cyberattacks affect a company's decisions to devote more resources
to cybersecurity?
    Answer. Specific to the report from Kaspersky Lab, FSR has been
aware of the analysis that underlies this report since early
January. Our BITS division has distributed such information to security
experts within our member companies. In addition, the FS-ISAC has
distributed information to the entire financial sector. At this point
in time, we are unaware of incidences where this malware has harmed our
member companies or their customers.
As with all cyber-attacks, FSR will
continue to monitor these threats and work with our member companies
and the FS-ISAC to share threat information and assist our members in
responding to them and in protecting customers.
    More broadly, the Kaspersky report and other recent security trends
point to the fact that the threats are rapidly growing. However, it is
important to recognize that financial institutions' investment in cyber
is a long-established practice. While recent events help feed the
continual reassessment of cyber risk within institutions that, in turn,
helps drive investments in cyber protections, it would be improper to
suggest that recent events have somehow been a stimulus that awoke the
sector to this risk. The sector has focused on this risk for decades.
    As I noted in my testimony, the current cyber threat environment is
grim. Each day, cyber risk grows as attacks increase in number, pace,
and complexity. We are no longer in the days wherein the threat was
confined to individual hacktivists and fraudsters. We are now in an era
of attacks by not only organized crime syndicates, but also nation-
states. Correspondingly, the attacks have grown beyond webpage
vandalism and fraud into large-scale attacks that threaten the
availability of services to citizens and threaten the privacy and
accuracy of their information. Our sector is increasingly concerned
with these threats, particularly with the potential for attacks that
could undermine the integrity of the financial system through data
manipulation or destruction. This growing threat affects all
institutions in our sector regardless of size or type of financial
institution, including large and small banks, credit unions, insurers
and investment firms.
Increasingly, and as we have recently witnessed,
other sectors face these same threats.
    Being a focus of attacks is certainly one reason why the financial
sector has historically led the way in making huge investments in not
only security infrastructure and the best-qualified people to maintain
the systems, but also in driving collaboration across industries and
with the government. The primary reason for these investments though is
the recognition that our customers trust us to protect them--to protect
their investments, their records and their information. Individual
financial institutions invest in personnel, infrastructure, services,
and top of the line security protocols to protect their customers and
themselves and to respond to cyber-attacks. These investments protect
the individual institutions and their customers. The level and nature
of cybersecurity investments are subjects of discussions within both
the C-suite of institutions and with their boards. Institution
executives know they are responsible for managing risk in their
companies, and recognize that cyber-risk in particular bears special
attention. Directors understand their oversight role in assuring
management is fulfilling those responsibilities. Both management's and
directors' ability to assess and respond to cyber risk is also the
subject of review by financial regulators.

    Question 3. What is the prevalence of cyber insurance policies
among members of the Financial Services Roundtable? And what is the
amount of annual payouts under those policies?
    Answer. While we do not have data specific to our members, our
research has revealed that 2014 marked an important milestone in the
growth of cyber insurance, with a significant jump in both the number
of companies offering cyber insurance and the number of firms buying
cyber insurance. Currently, over fifty major insurance providers
offer cyber liability insurance coverage.
Demand for that insurance
rose by 21 percent across all industries in 2013 compared to 2012, with
financial institutions representing the biggest increase of 29 percent
in coverage buying. In 2014 that pace doubled, in some areas tripled,
in what suddenly has become a $2 billion industry.
    Several developments contribute to the growth in cyber insurance.

  1.  The recent increase in cyber incidents, both in number and
        severity, including a string of high-profile hacks and data
        breaches.

  2.  A growing realization that although steps can be taken to
        minimize the likelihood of experiencing a successful cyber-
        attack and the severity of the loss if the attack succeeds, its
        occurrence cannot be entirely eliminated, especially if the
        enterprise becomes the target of a sophisticated, persistent
        adversary. It is becoming accepted that cybersecurity is
        similar to healthcare in the sense that one can take
        precautions, but not prevent entirely.

  3.  Increased appreciation and understanding of best practices, such
        as those found in the NIST Cybersecurity Framework, has
        improved underwriting ability, which has bolstered supply.

    Regarding payouts by member company insurers, as noted in my
response to question #1 above, we do not have, nor do we collect, data
on FSR member company payouts on cyber insurance policies.
                                 ______

     Response to Written Questions Submitted by Hon. John Thune to
                          Jefferson H. England
    Question 1. In August of 2013, the Department of Commerce Internet
Policy Taskforce released a series of recommendations incorporating
stakeholder input for ways the government could incentivize use of the
Framework.
Some of the potential incentives mentioned include engaging
cyber insurance companies, studying tort liability, identifying
opportunities for regulatory streamlining, further research and
development initiatives, government procurement, and technical
assistance. What incentives do you think would have the biggest impact
on business behavior?
    Answer. As a small business, we recognize that the greatest
incentive is the ability to attract and retain customers by
demonstrating capability in our cybersecurity practices and the ability
to enter into contracts with our vendors to deliver secure services to
our customers. The market already provides strong cybersecurity
incentives.
    However, tort liability review would have a powerful impact on
business behavior. Individuals who attack our networks are criminals.
State sponsored attacks on our networks are acts of war. As businesses,
we need to know that if we employ reasonable cybersecurity practices
that our government has our back when it comes to bringing the
perpetrators to justice. Not only will evildoers be more discouraged
from committing cybercrime, but business and consumers will by
extension have greater protection. Businesses know that they need to
accept responsibility. and providing protections from liability.
    There are already many creative ideas designed to protect an
individual's identity. Examples include multi-factor authentication
when accessing personal information, cyber "keys" that are required
to unlock certain personal information, and virtual information that is
a proxy for real information so that the need for safeguarding the
virtual information is less relevant. Government sponsorship of
research and development initiatives and government procurement are
also ways that can incentivize business to reach beyond what they may
already be doing.
In the rural telephone industry, recovery on certain
cybersecurity expenditures is not allowed via the universal service
fund and yet we are required to provide defined levels of Internet
service. There is a disconnect in our industry that needs to be
addressed.
    Cyber insurance companies already have a business imperative to
"incentivize" the market because of the risk they themselves are
assuming by insuring companies conducting business over the internet,
so I do not believe there is a need for government to engage them in
this space unless it is to be a lessons learned exercise.
    It is my experience that business tends to reach out to peers and
suppliers for recommendations and assistance so I cannot speak to the
value of Federal technical assistance.
    I would also caution against grants for cybersecurity improvements
as I believe this model to be a disincentive. Grants are typically
awarded on a needs basis potentially causing businesses that are
currently engaged in improvement (on their own dime) to cease all
improvement until they receive grant dollars. The result is a race to
the bottom in terms of cyber security quality because improvements may
be limited to the availability of grant dollars as distributed.

    Question 2. What role, if any, do you think your industry
regulator, the Federal Communications Commission, should have with
respect to the Framework and cybersecurity regulations or guidelines in
general?
    Answer. I believe there is a significant role that the FCC can play
with respect to the framework and cybersecurity regulations or
guidelines in general.
    First and foremost, there needs to be continued education within
our industry regarding the availability of the framework and its
benefits to telecommunications providers. Staff availability and
encouragement is critical for more widespread adoption.
Creating an
atmosphere of fear and regulation is counterproductive.
    Second, the FCC can and should recognize that the framework itself
(let alone organizational adoption) is still in its infancy and needs
the proper time to grow and evolve into a meaningful tool. I (and other
employees of Silver Star Communications) participate as members of the
Communications Security, Reliability and Interoperability Council
(CSRIC) Working Group IV, which was created with the primary purpose of
developing voluntary mechanisms that provide macro-level assurance to
the Federal Communications Commission (FCC) and the public that
communication providers are taking the necessary corporate and
operational measures to manage cybersecurity risks across the
enterprise. The outcomes from this organization have been impressive,
including widespread industry participation and meaningful industry
suggestions and practical solutions, including a set of specific
guidance to small and medium sized businesses that face very different
challenges than the much larger communications companies. The FCC has
played an important role in contributing to the outcomes of this
working group and has been able to gain important visibility regarding
industry progress from this group.
    Third, the FCC can be a government advocate for communications
providers with respect to tracking down and bringing criminals and
state sponsored attackers to justice. The easy solution is to play the
hard hand and penalize business through regulation and liability but
this approach only treats the symptoms without addressing the cause of
the problem.
    Finally, I believe that the FCC has a responsibility to uphold the
original scope of Executive Order 13636 and stand firm in the position
that cybersecurity improvements should be voluntary in nature.
Regulation implies that at some point (typically a reporting period)
there is a static state in regard to cybersecurity, that somehow an
organization is complete or done when the requirements are met. Cyber
security activities are far too dynamic and businesses need to respond
and even fail in their attempts to improve. The market rewards
businesses who make decisions to make commerce a safer cyber
experience. The FCC should recognize that things will go wrong. There
will be more cybersecurity breaches. With each one, there are cries for
improved regulation or to hold someone (excepting the criminals who
carried out the attack) responsible without drawing attention to the
fact that at the same time there are amazing advancements made in
protecting information by organizations who are voluntarily adopting
practices to be more competitive. I would add that because of the
existing business imperative, these advancements will always outpace
regulation. The consequence is that there is extreme waste of resources
both on the part of businesses performing outdated activities to be
compliant with regulation and by the regulating body enforcing outdated
measures.
                                 ______

      Response to Written Question Submitted by Hon. Roy Blunt to
                           Dr. James A. Lewis
    Question. The Framework itself is voluntary and based upon a risk
management model, as opposed to compliance with rote standards.
    Wouldn't the concept of a mandatory survey be counter to the
voluntary approach adopted by NIST, and could it impact the use of the
Framework if private sector owners and operators of critical
infrastructure view using the Framework as being linked to new
reporting requirements?
    Answer.
The NIST Framework is part of a larger approach to
cybersecurity created by the February 2013 Executive Order (EO) 13636
(http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity).
It is a standards-based approach reinforced by information
sharing and partnerships between critical infrastructure companies and
sector-specific agencies. The Framework must be put in the larger EO
context to be understood. The EO instructed that:

  <bullet> NIST develop a voluntary cybersecurity framework (Section
        7);

  <bullet> The Secretaries of Treasury and Commerce identify possible
        incentives for better cybersecurity (Section 8);

  <bullet> The Departments of Homeland Security and Justice, and the
        Director of National Intelligence take steps to improve
        information sharing (the subject of a February 2105 Executive
        Order) (Section 4);

  <bullet> That all agencies integrate strong privacy and civil
        liberties protections into cybersecurity initiatives to secure
        critical infrastructure (Section 7), and

  <bullet> The White House, DHS, and agencies responsible for
        regulating the security of critical infrastructure review and
        report on the adequacy of the Framework and of existing
        regulation for cybersecurity (Section 10).

    The EO already has a two-part reporting requirement. The first
requirement was for agencies to determine whether and how existing
regulation could be streamlined and aligned with the NIST Framework.
Executive Branch departments and agencies with responsibility for
regulating private-sector critical infrastructure were tasked to assess
whether existing regulatory authority was sufficient to meet the
objectives of the Framework and identify what changes, if any, were
needed.
At the conclusion of the review, the White House determined
last May that existing regulatory requirements, combined with strong,
voluntary partnerships, could mitigate risks to critical infrastructure
(http://www.whitehouse.gov/blog/2014/05/22/assessing-cybersecurity-regulations).
    The EO also calls for agencies, in consultation with critical
infrastructure owners and operators, to determine by September 2016 if
cybersecurity requirements are ineffective, conflicting, or excessively
burdensome. This 2016 reporting will provide data to assess whether
the Framework is useful or not. The areas for further consideration
include deciding if any action is needed before 2016, and ensuring that
any review imposes only a minimal burden. There is an unfortunate
precedent in a 2011 Commerce Department survey of telecom companies on
cybersecurity-related issues, where the survey was both complicated and
expensive. Congress can help ensure that this experience is not
repeated and that requirements are not excessively burdensome.
    Congress can also help ensure that in meeting the EO requirement,
the Executive Branch collects only the data that will allow it to
assess if the Framework is effective in improving cybersecurity and where
it needs to be amended or strengthened. This essentially revolves
around two questions: have companies adopted the framework and is it
improving their cybersecurity. Without knowing the answer to these
questions, we cannot say if the Framework has improved our defenses
against the kinds of actions that affected Anthem, Sony, and many other
companies. A simple attestation runs the risk of suffering from what is
called in survey research "respondent error." The best way to reduce
the likelihood of this error is to find quantitative metrics that will
indicate Framework performance.
A quantitative approach is a standard
practice in business and should be duplicated in the reports required
by the EO.
    Over time, it is likely that as companies implement the Framework,
their experience will narrow it to a shorter and more focused list of
actions relevant to their particular industry sector, as they
experiment with different approaches to implementing it. Each
industrial sector may find that some parts of the framework are more
important for their business than others. An assessment of adoption and
effectiveness would speed this evolution and answer important questions
about the contributions of the Executive Order and the Framework to
better cybersecurity and to national defense.
                                 ______

     Response to Written Question Submitted by Hon. Bill Nelson to
                           Dr. James A. Lewis
    Question. NIST is considering the future governance of the
Framework so that it is maintained by the private sector instead of by
NIST. We have seen with Target, Home Depot, and the numerous other
breaches that have occurred in recent years that voluntary industry-
maintained standards often do not work. Instead, such industry self-
regulation just becomes a minimum standard. And when companies suffer
cyberattacks, harming consumers and themselves, they will often just
say that they were fully compliant with their respective industry's
standards to avoid responsibility for their weak cybersecurity. Do you
think there is any danger in that becoming the case for the Framework
if it becomes wholly maintained and operated by the private sector?
    Answer. The NIST Framework is part of a new approach to
cybersecurity created by the February 2013 Executive Order (EO) 13636.
It is a voluntary, standards-based approach, reinforced by information
sharing, and the involvement of sector specific regulatory agencies.
The administration also hopes to identify incentives but any real
incentive will probably require legislation.
    The involvement of sector specific agencies means that the future
development of the Framework will most likely take two separate paths.
Sector-specific agencies, in consultation with their critical
infrastructure owners and operator partners, will adjust and customize
the Framework to better meet the needs of their sectors. At the same
time, it is possible that a private entity, such as a non-profit
organization, will undertake to maintain and update the Framework
Document. My understanding is that NIST intends to pass responsibility
for updating the Framework to such an entity if it can find a neutral
non-profit with sufficient technical expertise.
    The EO tasks the sector-specific agencies to work with critical
infrastructure owners and operators to maintain and adapt the Framework
to their sector's circumstances. This means that future work on the
Framework, as part of the larger cybersecurity structure created by EO
13636, will be undertaken as part of public-private partnerships
between critical infrastructure companies and agencies. Since work on
the Executive Order began in August 2012, many high-profile incidents
have highlighted the need for improved cyber security. Cybersecurity
has become an issue of concern for many corporate boards. More
incidents can be expected to occur in the future. This heightened
attention and increasing risk, along with the government-private sector
partnerships, suggests that the impetus will be for these partnerships
to improve and extend the Framework and avoid the pitfalls of self-
regulation. Congress will have an opportunity to review the status of
the Framework and its implementation in September of 2016, since the EO
requires agencies to report on implementation, burdensomeness, and
effectiveness.
This will provide us with data to determine whether the
framework is actually contributing to better cybersecurity in critical
infrastructure or needs to be amended or replaced.

                                  [all]

</pre></body></html>