[Senate Hearing 114-236]
[From the U.S. Government Publishing Office]




                                                        S. Hrg. 114-236

               CONFRONTING THE CHALLENGE OF CYBERSECURITY

=======================================================================

                             FIELD HEARING

                               before the

                         COMMITTEE ON COMMERCE,
                      SCIENCE, AND TRANSPORTATION
                          UNITED STATES SENATE

                    ONE HUNDRED FOURTEENTH CONGRESS

                             FIRST SESSION

                               __________

                           SEPTEMBER 3, 2015

                               __________

    Printed for the use of the Committee on Commerce, Science, and 
                             Transportation



[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


                         U.S. GOVERNMENT PUBLISHING OFFICE 

99-806 PDF                     WASHINGTON : 2016 
-----------------------------------------------------------------------
  For sale by the Superintendent of Documents, U.S. Government Publishing 
  Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; 
         DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, 
                          Washington, DC 20402-0001
                          
                          
                          
                          
                          
                          
                          
                          
                          
                          
                          
                          
                          




       SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION

                    ONE HUNDRED FOURTEENTH CONGRESS

                             FIRST SESSION

                   JOHN THUNE, South Dakota, Chairman
ROGER F. WICKER, Mississippi         BILL NELSON, Florida, Ranking
ROY BLUNT, Missouri                  MARIA CANTWELL, Washington
MARCO RUBIO, Florida                 CLAIRE McCASKILL, Missouri
KELLY AYOTTE, New Hampshire          AMY KLOBUCHAR, Minnesota
TED CRUZ, Texas                      RICHARD BLUMENTHAL, Connecticut
DEB FISCHER, Nebraska                BRIAN SCHATZ, Hawaii
JERRY MORAN, Kansas                  EDWARD MARKEY, Massachusetts
DAN SULLIVAN, Alaska                 CORY BOOKER, New Jersey
RON JOHNSON, Wisconsin               TOM UDALL, New Mexico
DEAN HELLER, Nevada                  JOE MANCHIN III, West Virginia
CORY GARDNER, Colorado               GARY PETERS, Michigan
STEVE DAINES, Montana
                    David Schwietert, Staff Director
                   Nick Rossi, Deputy Staff Director
                    Rebecca Seidel, General Counsel
                 Jason Van Beek, Deputy General Counsel
                 Kim Lipsky, Democratic Staff Director
              Chris Day, Democratic Deputy Staff Director
       Clint Odom, Democratic General Counsel and Policy Director
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on September 3, 2015................................     1
Statement of Senator Thune.......................................     1

                               Witnesses

Jeremy Epstein, Lead Program Director, Secure and Trustworthy 
  Cyberspace (SaTC), National Science Foundation.................     4
    Prepared statement...........................................     6
Kevin Stine, Leader, Security Outreach and Integration Group, 
  Computer Security Division, Information Technology Laboratory, 
  National Institute of Standards and Technology, U.S. Department 
  of Commerce....................................................    10
    Prepared statement...........................................    12
Mark Shlanta, Chief Executive Officer, SDN Communications........    18
    Prepared statement...........................................    19
Eric A. Pulse, Principal, Eide Bailly, LLC.......................    24
    Prepared statement...........................................    26
Dr. Kevin F. Streff, Dakota State University, Faculty and 
  Department Chair--Cyber Operations and Security; Faculty--
  University of Wisconsin, Graduate School of Banking; Founder 
  and Managing Partner--Secure Banking Solutions, LLC; Founder 
  and Managing Partner--HELIX Security, LLC......................    32
    Prepared statement...........................................    34
Joshua J. Pauli, Ph.D., Professor of Cyber Security, Dakota State 
  University.....................................................    48
    Prepared statement...........................................    50

                                Appendix

Response to written questions submitted to Jeremy Epstein by:
    Hon. John Thune..............................................    71
    Hon. Steve Daines............................................    77
Response to written questions submitted to Kevin Stine by:
    Hon. John Thune..............................................    79
    Hon. Steve Daines............................................    81
Response to written questions submitted to Mark Shlanta by:
    Hon. John Thune..............................................    82
    Hon. Steve Daines............................................    85
Response to written questions submitted to Eric A. Pulse by:
    Hon. John Thune..............................................    87
Response to written questions submitted to Dr. Kevin F. Streff 
  by:
    Hon. John Thune..............................................    88
    Hon. Steve Daines............................................    89
Response to written questions submitted to Josh J. Pauli, Ph.D. 
  by:
    Hon. John Thune..............................................    90
    Hon. Steve Daines............................................    92
 
               CONFRONTING THE CHALLENGE OF CYBERSECURITY

                              ----------                              


                      THURSDAY, SEPTEMBER 3, 2015

                                       U.S. Senate,
        Committee on Commerce, Science, and Transportation,
                                                       Madison, SD.
    The Committee met, pursuant to notice, at 2:30 p.m., in 
room 203, Tunheim Classroom Building, Dakota State University, 
Madison, South Dakota, Hon. John Thune, Chairman of the 
Committee, presiding.
    Present: Senator Thune [presiding].

             OPENING STATEMENT OF HON. JOHN THUNE, 
                 U.S. SENATOR FROM SOUTH DAKOTA

    The Chairman. Good afternoon, everybody. I will call this 
Senate Commerce Committee field hearing to order and welcome 
you all today. We are going to talk about the challenges of 
cyberspace. And I am proud to bring this hearing to Dakota 
State University, which is nationally recognized for its 
cybersecurity programs.
    I am also pleased to see so many DSU students here today as 
we discuss this important issue. Many of you students who are 
in the audience today are the next generation of cyber 
professionals that we will need to protect our private 
businesses and government networks from cyber incidents and 
attacks.
    A number of you participate in the National Science 
Foundation's CyberCorps Scholarship for Service program, which 
helps increase the cybersecurity workforce at government 
agencies.
    Federal agencies need help, especially when it comes to 
improving their own cybersecurity practices. You may have read 
in the news about cyber attacks this year on unclassified e-
mail networks at the Pentagon, the State Department, and even 
the White House.
    If any of you have ever applied for a security clearance, 
which some of you probably do in conjunction with the 
CyberCorps job application process, then you have probably been 
subject to the breach of background investigation information 
at the Office of Personnel Management. Similar compromises of 
sensitive information occurred with the Internal Revenue 
Service this year.
    While these cybersecurity attacks and breaches are a 
problem for Federal agencies in Washington, D.C., cyber threats 
are important to South Dakotans, as well. The same state-
sponsored hackers and criminal groups that are attacking the 
Federal Government to gain access to sensitive or classified 
information are using similar techniques to steal intellectual 
property from our businesses and critical infrastructure, 
disrupt and deny access to our online services, and steal our 
identities and personal information to fraudulently spend money 
in our names.
    Two weeks ago, I spoke to Sioux Falls residents at a Stop, 
Think, Connect event hosted by the National Cyber Security 
Alliance to educate consumers and local businesses about how to 
add security layers to their everyday online activities. Good 
Internet practices like creating strong passwords, recognizing 
phishing e-mails, and two-factor authentication go a long way 
toward helping protect yourself online.
    We likely won't ever find one silver bullet solution or set 
of solutions to cybersecurity vulnerabilities, but we can 
continue to improve our ability to manage and mitigate cyber 
risks.
    Congress has a role in this effort, and the Senate plans to 
consider legislation, the Cybersecurity Information Sharing Act 
of 2015, that would spur greater cyber threat information-
sharing between and among the private sector and the 
government. The addition of liability protections under the 
bill would allow businesses to share information more easily 
across industry sectors or among groups of companies that may 
be experiencing the same cyber threats.
    Another bill that I believe will help address cybersecurity 
challenges is the Cybersecurity Enhancement Act of 2014, which 
I cosponsored and which passed out of the Commerce Committee 
and became law last year.
    This law included important provisions for R&D, workforce 
development, and standards. It authorized the National 
Institute of Standards and Technology's continued efforts to 
develop the voluntary framework for critical infrastructure 
cybersecurity, the National Science Foundation's successful 
CyberCorps scholarship program, and NIST's National Initiative 
for Cybersecurity Education, known as NICE.
    It also directed better cooperation and planning across 
Federal agencies in research and development and updated 
efforts on cloud computing and international standards.
    I believe these legislative efforts are a significant step 
forward, but I hope that we can spend some time today 
discussing future efforts to address the ongoing cybersecurity 
challenge, including the importance of honing our ability to 
conduct offensive cyber operations when appropriate.
    I want to thank all of our witnesses for agreeing to 
testify today, and I am grateful to Dakota State University for 
hosting this hearing.
    I want to express my appreciation to Dr. Josh Pauli, a DSU 
professor and one of our witnesses today, for helping to 
arrange this hearing and being an excellent host to the other 
witnesses. I am always proud to tell my colleagues about DSU's 
prestigious designations in cybersecurity from the National 
Security Agency.
    Also joining us from DSU is Dr. Kevin Streff, who chairs 
the Cybersecurity Operations and Security Department and 
founded his own business based on his research at DSU. His 
company, Secure Banking Solutions, aims to improve security at 
community banks here in South Dakota and across the country.
    Joining us from Sioux Falls are Mark Shlanta and Mr. Eric 
Pulse, who represent local companies that deal with managing 
cyber threats as part of their businesses. Mark Shlanta's 
company, SDN Communications, responds to numerous daily threats 
against its network and customers. And at Eide Bailly, Eric 
Pulse advises healthcare, insurance, and financial services 
companies on IT risks and regulatory compliance and often looks 
to NIST standards as part of this effort.
    I look forward to hearing from both of you and, in 
particular, learning about your experience with the NIST 
framework.
    I would also like to offer a special thanks to Mr. Jeremy 
Epstein from NSF and Mr. Kevin Stine from NIST, who flew all 
the way from Washington, D.C., to testify. NSF and NIST, which 
are agencies under the Commerce Committee's jurisdiction, 
support important work in cybersecurity research, education, 
awareness, and standards that we will hear more about today.
    Mr. Epstein is responsible for NSF's cybersecurity research 
program, which spans many different disciplines. Mr. Stine will 
discuss NIST's extensive cybersecurity work with the private 
sector, with other agencies, and academic institutions.
    NIST has been an important partner in helping protect the 
nation's technology infrastructure through efforts like its 
successful collaboration with industry to develop the 
Cybersecurity Framework and technology solutions at the 
National Cybersecurity Center of Excellence.
    So, gentlemen, I want to thank you all for being here today 
and look forward to hearing your testimony.
    As I mentioned, I am going to provide an order here, and we 
will do this based on who came the farthest to come to the 
hearing today.
    [Laughter.]
    The Chairman. So we will get our two gentlemen from 
Washington, D.C., here to speak first.
    But I want to start with Mr. Epstein, who is the Lead 
Program Director, as I mentioned, of the Secure and Trustworthy 
Cyberspace program at the National Science Foundation; followed 
by Mr. Kevin Stine, Manager, Security Outreach and Integration 
Group, Computer Security Division, Information Technology 
Laboratory at the National Institute of Standards and 
Technology.
    Try and put that on a business card, guys.
    [Laughter.]
    The Chairman. So we will start off with them. And then I am 
going to turn to Mr. Mark Shlanta, the CEO the SDN 
Communications, who I mentioned earlier, followed by Mr. Eric 
Pulse, who is the Principal Director of Risk Advisory Services 
at Eide Bailly.
    And then we will go to Dr. Kevin Streff, Department Chair, 
Cyber Operations and Security, at Dakota State University and 
also, as I mentioned, Founder and Managing Partner of Secure 
Banking Solutions; and then our host today, Dr. Pauli, 
Professor of Cybersecurity and NSF SFS CyberCorps Program 
Director at Dakota State University.
    So there were a lot of acronyms in that, but I am delighted 
to be back here at Dakota State University, and I am very proud 
of the work that is done by our professors here, our 
administration, our students. And it really is a great story. 
And it is a great story to be able to tell to my colleagues in 
the Senate and other places I travel, about the work that is 
going on here.
    And I should say, too, the guy who does our IT work in my 
Senate office is a graduate of Dakota State University. Nic 
Budde is someone who went through this fine program here and 
does a great job of making sure that all the trains are running 
on time in our office, so to speak, because we have on any 
given day lots of IT challenges.
    But I don't think there is a bigger challenge in front of 
us as a country right now, with the inevitable proliferation of 
devices, than the issue of cybersecurity. Because over the 
course of the next 5 years we are going to go from 10 billion 
connected devices to 50 billion connected devices.
    And all of you already today probably have phones or TVs or 
laptops, iPads, whatever, that are connected. That is only 
going to proliferate over the course of the next 5 years when 
literally everything that we do in life in the Internet of 
Things requires a level of connectivity. And, of course, with 
that comes great benefit, also risk. And that is what we are 
going to talk a little bit about today.
    So, again, I am delighted to be able to be here and to 
bring the Commerce Committee to Madison, South Dakota, to the 
campus of Dakota State University, and wish you all the best of 
success in the year ahead as well as in the football game on 
Saturday.
    [Laughter.]
    The Chairman. So we are going to start, kick it off, as I 
said, with Mr. Epstein.
    So please proceed with your remarks.
    Mr. Epstein. Thank you.
    The Chairman. And we will try and confine it as best we 
can, I indicated to our panelists, to 5 minutes, and then we 
will open it up to some questions.

           STATEMENT OF JEREMY EPSTEIN, LEAD PROGRAM

      DIRECTOR, SECURE AND TRUSTWORTHY CYBERSPACE (SaTC),

                  NATIONAL SCIENCE FOUNDATION

    Mr. Epstein. Great. Thank you.
    Good afternoon, Senator Thune and members of the Dakota 
State University community. It is a particular pleasure to be 
here. I went to college in a small town, at a university very 
much like this, New Mexico Tech in Socorro, New Mexico, a town 
of 8,000 people, a student body of 1,100. ``Small colleges need 
love, too'' was our slogan back when I went to school.
    [Laughter.]
    Mr. Epstein. So I am Jeremy Epstein. I am the National 
Science Foundation's lead program officer for the Secure and 
Trustworthy Cyberspace program--and speaking of acronyms--
within the CISE Directorate, or the Directorate of Computer and 
Information Science and Engineering.
    As you know, NSF supports fundamental research in all 
disciplines, advances the progress of science and engineering, 
and educates the next generation of innovative leaders. I 
welcome this opportunity to highlight NSF's investments in 
cybersecurity research and education.
    NSF is uniquely positioned to address both today's cyber 
challenges as well as the threats of the future because NSF 
invests in discoveries as well as the discoverers who enable 
fundamental scientific advances and technologies.
    With the rapid pace of technological advancement, we are 
witnessing the tight integration of financial, business, 
manufacturing, and telecommunications systems into a networked, 
global society. These interdependencies can lead to 
vulnerabilities and threats, as the senator said, that 
challenge the security, reliability, and overall 
trustworthiness of critical infrastructure.
    The result is a dramatic shift in the size, complexity, and 
diversity of cyber attacks. Indeed, today, we are witnessing 
attacks on cars, online merchants, healthcare providers, and, 
of course, the government.
    NSF has long supported fundamental cybersecurity research 
critical to achieving a secure and trustworthy cyberspace. NSF 
continuously brings the problem-solving capabilities of the 
Nation's best minds to bear on these evolving challenges by 
establishing a science of cybersecurity, promoting connections 
between academia and industry, transitioning research into 
practice, and bolstering cybersecurity education and training.
    In Fiscal Year 2014, NSF invested $158 million in 
cybersecurity research and education, including $126 million in 
the cross-cutting Secure and Trustworthy Cyberspace program, 
which I lead, which funds both research and education 
activities.
    Research projects range from security at a foundational 
level, including detecting whether a silicon chip contains a 
malicious circuit or developing new cryptographic solutions, to 
the systems level, including determining strategies for 
securing the electrical power grid and protecting individual 
privacy.
    Cybersecurity projects are increasingly interdisciplinary, 
spanning computer science, mathematics, economics, behavioral 
science, and education. They seek to understand, predict, and 
explain prevention, attack, and defense behaviors and 
contribute to developing strategies for remediation while 
preserving privacy and promoting usability.
    The SaTC program, as we call it, considers these 
perspectives within the multidimensional cybersecurity problem 
space while aiming to address the challenge of moving from 
research to capability. Projects include center-scale 
activities representing far-reaching explorations motivated by 
deep scientific questions and grand-challenge problems in, for 
example, privacy, encryption, cloud, and healthcare systems.
    NSF also invests in the IUCRC program--there is another 
acronym for you--Industry University Cooperative Research 
Centers, that feature high-quality, industrially relevant, 
fundamental research, enabling direct transfer of university-
developed ideas to U.S. industry, improving its competitiveness 
globally. In recent years, we have seen research outcomes lead 
to new products and services and to numerous startups in the IT 
sector, bringing innovative solutions to the marketplace.
    To promote this type of innovation and to ensure a well-
prepared work force, cybersecurity education is critically 
important. The shortage of cybersecurity experts has been 
widely estimated in the tens or hundreds of thousands of people 
over the next decade.
    So you all are going to be employed when you graduate.
    NSF's Directorate for Computer and Information Science and 
Engineering, along with the Directorate for Education and Human 
Resources, seeks to recruit and train the next generation of 
cybersecurity professionals through the CyberCorps: Scholarship 
for Service program, which many of you participate in. This 
program provides tuition to U.S. citizens majoring in 
collegiate cybersecurity programs in exchange for government 
service following graduation.
    To date, the Scholarship for Service program has provided 
scholarships to more than 2,400 students and graduated more 
than 1,700. CyberCorps scholarship recipients have been placed 
in internships and full-time positions in over 140 Federal, 
state, local, and tribal government agencies.
    As you know, Dakota State has won two of these awards for 
Scholarship for Service, and a new cohort of students is 
anticipated, or, actually, is beginning right now.
    To conclude, my testimony today has emphasized that our 
nation must continue to invest in long-term fundamental and 
game-changing research in order to match the pace and scope of 
today's cyber threats. NSF's interdisciplinary research and 
education portfolios are contributing to a next generation 
workforce that is increasingly cyber-aware, armed with the 
knowledge that it needs to protect against cyber attacks.
    With robust, sustained support for foundational and 
multidisciplinary cybersecurity R&D, as well as partnerships 
such as those on display here at Dakota State, NSF contributes 
to the protection of our national security and the enhancement 
of our economic prosperity.
    Thank you for the opportunity to be here, and I will turn 
it over to the Senator. Thank you.
    [The prepared statement of Mr. Epstein follows:]

Prepared Statement of Jeremy Epstein, Lead Program Director, Secure and 
       Trustworthy Cyberspace (SaTC), National Science Foundation
    Good afternoon, Chairman Thune, and members of the Committee. My 
name is Jeremy Epstein and I am the National Science Foundation (NSF) 
Lead Program Director for the Secure and Trustworthy Cyberspace (SaTC) 
program within the Computer and Information Science and Engineering 
(CISE) Directorate.
    NSF's mission is ``to promote the progress of science; to advance 
the national health, prosperity, and welfare; [and] to secure the 
national defense . . .''. NSF's goals--discovery, learning, research 
infrastructure and stewardship--provide an integrated strategy to 
advance the frontiers of knowledge, cultivate a world-class, broadly 
inclusive science and engineering workforce, build the Nation's 
research capability through investments in advanced instrumentation and 
facilities, and support excellence in science and engineering research 
and education. I welcome this opportunity to highlight NSF's 
investments in cybersecurity research and education.
The Cybersecurity Challenge
    While the advances in cybersecurity research and development (R&D) 
are many, the Nation must continue its investments in game-changing 
research if our cyber systems are to be trustworthy now and in the 
future. As you know, every day, we learn about more sophisticated and 
dangerous attacks. Why is the cybersecurity challenge so hard? In 
general, it's hard because attacks and defenses evolve together: a 
system that was secure yesterday might no longer be secure tomorrow.
    NSF is uniquely positioned to address both today's cyber challenges 
as well as the threats of the future, because NSF invests in 
discoveries, as well as the discoverers who enable fundamental 
scientific advances and technologies.
Cyber Security Research Programs
    NSF funds a broad range of activities to advance cybersecurity 
research, develop a well-educated and capable workforce, and to keep 
all citizens informed and aware. A major NSF activity is the SaTC 
program, led by CISE in partnership with the Directorates for Education 
and Human Resources (EHR), Engineering (ENG), Mathematical and Physical 
Sciences (MPS), and Social, Behavioral, and Economic Sciences (SBE), 
and funded at $126 million in FY 2015. Currently, there are over 670 
active Secure and Trustworthy Cyberspace awards.
    NSF's SaTC program builds on predecessor programs begun in 2002 and 
seeks to secure the Nation's cyberspace by addressing four perspectives 
within the multi-dimensional cybersecurity problem space:

   Trustworthy computing systems, with goals to provide the 
        basis for designing, building, and operating a 
        cyberinfrastructure with improved resistance and improved 
        resilience to attack that can be tailored to meet a wide range 
        of technical and policy requirements, including both privacy 
        and accountability.

   Social, behavioral and economic sciences, with goals to 
        understand, predict, and explain prevention, attack and/or 
        defense behaviors and contribute to developing strategies for 
        remediation.

   Cybersecurity education, with goals to promote innovation, 
        development, and assessment of new learning opportunities and 
        to help prepare and sustain an unrivaled cybersecurity 
        workforce capable of developing secure cyberinfrastructure 
        components and systems, as well as to raise the awareness of 
        cybersecurity challenges to a more general population.

   Secure, Trustworthy, Assured and Resilient Semiconductors 
        and Systems (STARSS), with goals to develop strategies, 
        techniques, and tools that avoid and mitigate hardware 
        vulnerabilities and lead to semiconductors and systems that are 
        resistant and resilient to attack or tampering. STARSS is a 
        joint effort of NSF and the Semiconductor Research Corporation 
        (SRC), a consortium of leading technology companies.

    The SaTC program further aims to address the challenge of moving 
from research to capability. The program supports research activities 
whose outcomes are capable of being implemented, applied, 
experimentally used, or deployed in an operational environment. Areas 
of emphasis for these ``transition to practice'' investments have 
included malware detection and prevention, situational understanding, 
data assurance, risk analysis, and software assurance.
    For example, NSF-funded researchers have demonstrated the ability 
to remotely take over automotive control systems.\1\ The researchers 
found that, because many of today's cars contain cellular connections 
and Bluetooth wireless technology, it is possible for a hacker working 
from a remote location to take control of various features--like the 
car locks and brakes--as well as to track the vehicle's location, 
eavesdrop on its passenger cabin, and steal vehicle data. The 
researchers are now working with the automotive industry to develop new 
methods for assuring the safety and security of on-board electronics. 
Both the Society for Automotive Engineers and the United States Council 
for Automotive Research have partnered with the researchers to initiate 
efforts focused on automotive security research.\2\ Automotive 
manufacturers have also started dedicating significant resources to 
security.\3\
---------------------------------------------------------------------------
    \1\ http://www.nytimes.com/2011/03/10/business/10hack.html
    \2\ http://www.autosec.org/faq.html
    \3\ http://www.caranddriver.com/features/can-your-car-be-hacked-
feature
---------------------------------------------------------------------------
    NSF-funded researchers supported by the SaTC program use testbeds 
such as the Cyber Defense Technology Experimental Research (DETER) 
Network, originally developed with NSF funding and now supported by the 
Department of Homeland Security (DHS) and the Remotely Accessible 
Virtualized Environment (RAVE) Lab, which was also developed with NSF 
funding and is specifically focused on cybersecurity education. As 
directed by The Cybersecurity Enhancement Act of 2014, NSF is working 
to identify what other testbeds are needed for cybersecurity research 
in the future. NSF appreciates the Committee's awareness of the 
national need for robust cybersecurity testbeds.
Cybersecurity Education and Training Programs
    The NSF Directorate for Education and Human Resources seeks to 
develop a well-prepared cybersecurity workforce of the future in large 
part through the CyberCorps: Scholarship for Service (SFS) program.
    SFS was created as a result of a May 1998 Presidential Decision 
Directive, which described a strategy for cooperative efforts by the 
government and the private sector to protect physical and cyber-based 
systems. In January 2000, a Presidential Executive Order defined the 
National Plan for Information Systems Protection, which included the 
Federal Cyber Services (FCS) training and education initiative and the 
creation of a SFS program. The Cybersecurity Enhancement Act of 2014 
directs NSF, in coordination with the U.S. Office of Personnel 
Management (OPM) and DHS, to continue the SFS program to recruit and 
train the next generation of information technology professionals, 
industrial control system security professionals, and security managers 
to meet the needs of the cybersecurity mission for federal, state, 
local, and tribal governments. We recognize the Chairman and the 
Committee's work on this legislation and appreciate the strong support 
for the SFS program.
    The SFS program funds institutions of higher education to support 
undergraduate and graduate students in academic programs in 
cybersecurity. The students must be U.S. citizens or lawful permanent 
residents of the U.S., and must be able to meet the eligibility and 
selection criteria for government employment. Students can be supported 
on scholarships for up to three years, and in return, they agree to 
take government cybersecurity positions for the same duration as their 
scholarships. The government agencies eligible for job placement 
include federal, state, local, or tribal governments. To assist both 
the agencies and the students in good matches, NSF partners with OPM to 
run an annual job fair. In addition to OPM, NSF also partners with DHS 
and the National Security Agency (NSA) on the SFS program.
    A second emphasis of the SFS program is expansion of the U.S. 
higher education enterprise to produce cybersecurity professionals 
through a variety of efforts. These include research on the teaching 
and learning of cybersecurity, development of curricula, integrating 
cybersecurity topics into relevant degree programs, developing virtual 
laboratories, strengthening partnerships between government and 
relevant employment sectors to better integrate applied research 
experiences into cybersecurity degree programs, and integrating data 
science into cybersecurity curricula.
    From FY 2011 through FY 2014, the SFS program made 117 awards 
throughout the U.S., totaling over $145 million. As of early August 
2015, the SFS program has provided scholarships to more than 2,400 
students and graduated more than 1,700, including 22 percent with 
bachelor's degrees, 76 percent with master's degrees, and two percent 
with doctoral degrees. Of these graduates, 93 percent have been 
successfully placed in the Federal Government. SFS scholarship 
recipients have been placed in internships and full-time positions in 
more than 140 Federal departments, agencies, and branches, including 
the NSA, DHS, Central Intelligence Agency, and Department of Justice, 
along with state, local, and tribal governments.
    The SFS program has recently embarked on a new activity, Inspiring 
the Next Generation of Cyber Stars (or GenCyber) summer camps, to seed 
the interest of young people in this exciting and exploding new field, 
to help them learn about cybersecurity, and to learn how skills in this 
area could pay off for them in the future. These overnight and day 
camps are available to students and teachers at the K-12 level at no 
expense to them; funding is provided by NSF and NSA. A pilot project 
for cybersecurity summer camps in 2014 stimulated such great interest 
that the GenCyber program expanded in 2015, supporting 43 camps held on 
29 university campuses in 19 states with more than 1,400 participants.
    I would like to highlight the fact that Dakota State University 
(DSU) has successfully competed for an NSF award to develop greater 
capacity for cybersecurity education, and for two scholarship grants to 
support cybersecurity students. Of the students who were awarded 
scholarships in the cybersecurity program at DSU, about half have 
graduated and all have been placed in government cybersecurity jobs; 
half are still in school; and a new cohort of scholarship holders is 
anticipated in the fall of 2015. In addition, DSU ran two GenCyber 
camps in 2015, one for high school students entering grades 10-12, and 
one for girls entering grades 8-12. You have heard additional detail 
about NSF-funded cybersecurity activities at DSU from other witnesses 
here today.
Strategic Planning Across the Federal Government
    Finally, NSF closely coordinates its activities with other Federal 
agencies and collaborates with them in pursuing cybersecurity research 
and education activities. In 2011, the National Science and Technology 
Council (NSTC), with the cooperation of NSF, developed a strategic plan 
titled Trustworthy Cyberspace: Strategic Plan for the Federal 
Cybersecurity Research and Development Program.\4\ This plan has guided 
coordination across the Federal Government. As you know, the 2014 
Cybersecurity Enhancement Act called for an updated R&D strategic plan. 
NSF is playing a key role in developing the revision of the strategic 
plan. Recognizing the changes in the threats to the national economy 
and security posed by cyber attacks, the revised strategy will expand 
on the 2011 report, with increased focus on areas including privacy, 
security of the Internet of Things and Cyber-Physical Systems, and an 
increased breadth of the understanding of human-centric aspects 
(social, behavioral, cultural, and psychological) of cybersecurity. 
Without deep awareness of the latter dimensions, a purely technological 
solution to cybersecurity is likely to fail.
---------------------------------------------------------------------------
    \4\ http://www.whitehouse.gov/sites/default/files/microsites/ostp/
fed_cybersecurity_rd_
strategic_plan_2011.pdf
---------------------------------------------------------------------------
Coordination Across the Federal Government
    NSF coordinates its cybersecurity research and planning activities 
with other Federal agencies, including the Department of Defense (DoD) 
and DHS, and the agencies of the intelligence community, through 
various ``mission-bridging'' activities:

   NSF plays a leadership role in the interagency Networking 
        and Information Technology Research and Development (NITRD) 
        program. The National Science and Technology Council's NITRD 
        Subcommittee, of which NSF is co-chair, has played a prominent 
        role in coordinating the Federal Government's cybersecurity 
        research investments.

   A NITRD Senior Steering Group (SSG) for Cyber Security and 
        Information Assurance R&D (CSIA R&D)\5\ was established to 
        provide a responsive and robust conduit for cybersecurity R&D 
        information across the policy, fiscal, and research levels of 
        the government. The SSG is composed of senior representatives 
        of agencies with national cybersecurity leadership positions, 
        including: NSF, DoD, the Office of the Director of National 
        Intelligence (ODNI), DHS, NSA, the National Institute of 
        Standards and Technology (NIST), the Office of Science and 
        Technology Policy, and the Office of Management and Budget. A 
        principal responsibility of the SSG is to define, coordinate, 
        and recommend strategic Federal R&D objectives in 
        cybersecurity, and to communicate research needs and proposed 
        budget priorities to policy makers and budget officials.
---------------------------------------------------------------------------
    \5\ https://www.nitrd.gov/nitrdgroups/
index.php?title=Cyber_Security_Information_Assu
rance_Research_and_Development_Senior_Steering_Group_%28CSIA_R%26D_SSG%2
9

   To facilitate conversation among classified and unclassified 
        programs in the Federal Government, a coordinating group called 
        Special Cyber Operations Research and Engineering (SCORE) was 
        established. SCORE includes members from the CSIA R&D Senior 
        Steering Group. NSF research, which is non-classified, is 
---------------------------------------------------------------------------
        reported in this forum.

   On the education front, NSF is an active participant and 
        contributor in the NIST-led National Initiative for 
        Cybersecurity Education (NICE). NSF's involvement aims to 
        bolster formal cybersecurity education programs encompassing K-
        12, higher education, and vocational programs, with a focus on 
        the science, technology, engineering, and math disciplines to 
        provide a pipeline of skilled workers for the private sector 
        and government.
Conclusions
    Our Nation must continue to invest in long-term, fundamental, and 
game-changing research if our cyber systems are to remain trustworthy 
in the future. NSF's interdisciplinary research and education 
portfolios are contributing to a next-generation workforce that is 
increasingly cyber-aware, armed with the knowledge that it needs to 
protect against cyber attacks. With robust, sustained support for 
cybersecurity research and education in both the executive and 
legislative branches, as well as partnerships such as those on display 
here at Dakota State University, NSF contributes to the protection of 
our national security and the enhancement of our economic prosperity. 
This concludes my remarks. I would be happy to answer any questions at 
this time.
                                 ______
                                 
                          Biographical Sketch
    Mr. Jeremy Epstein is the Lead Program Director for the National 
Science Foundation's (NSF) Secure and Trustworthy Cyberspace (SaTC) 
program, the Federal Government's flagship fundamental cybersecurity 
research program. In addition to SaTC, he leads the Computer and 
Information Science and Engineering (CISE) Research Initiation 
Initiative (CRII) and co-leads the NSF/Intel Partnership on Cyber-
Physical Systems Security and Privacy (CPS-Security) within NSF's CISE 
Directorate. Jeremy's research areas include software security and 
voting systems security. He is associate editor-in-chief of the IEEE 
Security & Privacy Magazine; founder of the Applied Computer Security 
Associates (ACSA) Scholarships for Women Studying Information Security 
(SWSIS); the IEEE representative to the NIST Technical Guidelines 
Development Committee which writes voting systems standards; and a 
senior member of IEEE and ACM. He holds an M.S. in computer sciences 
from Purdue University and a B.S. from the New Mexico Institute of 
Mining and Technology.

    The Chairman. Thank you, Mr. Epstein.
    We will move on now to--I am sorry, got you guys on 
opposite sides here--to Mr. Stine.
    Please proceed.

      STATEMENT OF KEVIN STINE, LEADER, SECURITY OUTREACH

       AND INTEGRATION GROUP, COMPUTER SECURITY DIVISION,

          INFORMATION TECHNOLOGY LABORATORY, NATIONAL

             INSTITUTE OF STANDARDS AND TECHNOLOGY,

                  U.S. DEPARTMENT OF COMMERCE

    Mr. Stine. Thank you, Chairman Thune and members of Dakota 
State University.
    I will shorten the business card a little bit and just say 
that I am Kevin Stine, leader of the Security Outreach and 
Integration Group at the National Institute of Standards and 
Technology, which is better known as NIST. I will add to the 
business card that we are part of the U.S. Department of 
Commerce, which puts us at an interesting intersection point 
between government and industry and academia, as well, 
especially in the cybersecurity space.
    Thank you for the opportunity to discuss NIST's role in 
confronting the challenge of cybersecurity.
    NIST's role in cybersecurity was authorized in 1972 with 
the Brooks Act and continues today through FISMA, as well as 
the recent authorities under the Cybersecurity Enhancement Act 
of 2014, to develop key cybersecurity guidelines for protecting 
U.S. Government information and information systems.
    On behalf of NIST, I wanted to thank the Chairman for his 
steadfast leadership on this issue.
    It is important to note that the impact of NIST's 
activities extends beyond providing the means to protect 
Federal information and information systems. Many organizations 
outside the Federal Government voluntarily follow NIST 
standards and guidelines, reflecting their wide acceptance 
throughout the world.
    NIST accomplishes its mission in cybersecurity through 
collaborative partnerships with our customers and stakeholders 
in industry, government, academia, standards bodies, consortia, 
and international organizations. These collaborative efforts 
are constantly being expanded by new initiatives, including in 
recent years through four major programs which I will briefly 
describe.
    The first program is the National Strategy for Trusted 
Identities in Cyberspace, or NSTIC, where NIST works to address 
security issues surrounding the inadequacy of passwords. In a 
2013 industry report, it was reported that 76 percent of 
network intrusions exploited weak or stolen credentials. Many 
recent examples of breaches, which you have heard about in the 
news, fall in line with the findings of that report.
    The second program is the National Cybersecurity Center of 
Excellence, of the NCCoE, which is a partnership between NIST, 
the state of Maryland, Montgomery County, Maryland, and the 
private sector to accelerate the adoption of solutions to 
cybersecurity challenges by working directly with businesses 
across various industry sectors on solutions to those 
cybersecurity challenges.
    Current activities are addressing challenges in the 
healthcare, retail, financial services, and energy sectors, as 
well as looking at security issues around cloud security, 
identity management, mobile devices, and secure e-mail.
    The third NIST program is the National Initiative for 
Cybersecurity Education, or NICE, which works to meet the needs 
of the U.S. workforce by promoting an ecosystem of 
cybersecurity education, training, and workforce development to 
secure cyberspace by accelerating learning and skills 
development, nurturing a diverse learning environment, and 
guiding career development and workforce planning.
    The fourth program is the Framework for Improving Critical 
Infrastructure Cybersecurity, called for in Executive Order 13-
636. The framework, issued over one year ago, was created 
through collaboration with industry, government, and academia 
and consists of standards, guidelines, and practices to help 
organizations understand, communicate, and manage cybersecurity 
risks to critical infrastructure.
    NIST is also tasked with the key role of coordinating 
Federal agency use of voluntary consensus standards and 
participation in the development of relevant standards, as well 
as promoting coordination between the public and private 
sectors in the development of standards and in conformity 
assessment activities.
    The U.S. standards system differs significantly from the 
government-led systems common in many other countries. Under 
the U.S. system, hundreds of standards-developing organizations 
provide the infrastructure for standards, with NIST playing a 
key role as facilitator and technical advisor in the process.
    NIST also conducts cybersecurity research and development 
in forward-looking technology areas, such as the security for 
smartcards, the information and communications technology 
supply chain, mobile devices and applications, cyber physical 
systems, and public safety networks, and the usability of 
systems, including electronic health records and voting 
machines.
    We at NIST recognize that we have an essential role to play 
in helping industry, consumers, and government to counter cyber 
threats. We are extremely proud of our role in establishing and 
improving the comprehensive set of cybersecurity technical 
solutions, standards, guidelines, and best practices and the 
robust collaborations with our Federal Government partners, 
private-sector and academic collaborators, and international 
colleagues.
    Again, I thank you for the opportunity to testify today on 
NIST's work in cybersecurity, and I would be happy to answer 
any questions you may have.
    [The prepared statement of Mr. Stine follows:]

   Prepared Statement of Kevin Stine, Leader, Security Outreach and 
 Integration Group, Computer Security Division, Information Technology 
      Laboratory, National Institute of Standards and Technology, 
                      U.S. Department of Commerce
Introduction
    Chairman Thune, members of the Committee, I am Kevin Stine, Leader 
of the Security Outreach and Integration Group in the Computer Security 
Division, Information Technology Laboratory (ITL) at the Department of 
Commerce's National Institute of Standards and Technology (NIST). Thank 
you for the opportunity to appear before you today to discuss NIST's 
role in confronting the challenge of cybersecurity.
The Role of NIST in Cybersecurity
    With programs focused on national priorities from the Smart Grid 
and electronic health records to forensics, atomic clocks, advanced 
nanomaterials, computer chips and more, NIST's overall mission is to 
promote U.S. innovation and industrial competitiveness by advancing 
measurement science, standards, and technology in ways that enhance 
economic security and improve our quality of life.
    In the area of cybersecurity, NIST has worked with Federal 
agencies, industry, and academia since 1972, starting with the 
development of the Data Encryption Standard, when the potential 
commercial benefit of this technology became clear. NIST's role, to 
research, develop and deploy information security standards and 
technology to protect the Federal Government's information systems 
against threats to the confidentiality, integrity and availability of 
information and services, was strengthened through the Computer 
Security Act of 1987 (Public Law 100-235), broadened through the 
Federal Information Security Management Act of 2002 (FISMA; 44 U.S.C. 
Sec. 3541 et seq.) and recently reaffirmed in the Federal Information 
Security Modernization Act of 2014 (Public Law 113-283). In addition, 
the Cybersecurity Enhancement Act of 2014 (Public Law 113-274) 
authorizes NIST to facilitate and support the development of voluntary, 
industry-led cybersecurity standards and best practices for critical 
infrastructure. On behalf of NIST, I want to thank the Chairman for his 
steadfast leadership on this issue. The bill could not have been 
enacted into law without his efforts.
    NIST accomplishes its mission in cybersecurity through 
collaborative partnerships with our customers and stakeholders in 
industry, government, academia, standards bodies, consortia and 
international partners. NIST employs these collaborative partnerships 
to take advantage of the technical and operational insights of our 
partners and to leverage the resources of a global community. These 
collaborative efforts, and our private sector collaborations in 
particular, are constantly being expanded by new initiatives, including 
in recent years through the National Strategy for Trusted Identities in 
Cyberspace (NSTIC), the National Cybersecurity Center of Excellence 
(NCCoE), the National Initiative for Cybersecurity Education (NICE), 
and through the implementation of the Obama Administration's Executive 
Order 13636, ``Improving Critical Infrastructure Cybersecurity.'' These 
programs and others are supported by and implemented through NIST's 
cybersecurity research, standards, and guidelines.
NIST Cybersecurity Research, Standards, and Guidelines
    NIST Special Publications and Interagency Reports provide 
management, operational, and technical security guidelines for Federal 
agency information systems, and cover a broad range of topics such as 
Basic Input/Output System (BIOS) management and measurement, key 
management and derivation, media sanitization, electronic 
authentication, security automation, Bluetooth and wireless protocols, 
incident handling and intrusion detection, malware, cloud computing, 
public key infrastructure, risk assessments, supply chain risk 
management, online identity, authentication, access control, privacy 
risk management, security automation and continuous monitoring.
    Beyond these documents--which are peer-reviewed throughout 
industry, government, and academia--NIST conducts workshops, awareness 
briefings, and outreach to ensure comprehension of standards and 
guidelines, to share ongoing and future activities, and to aid in 
scoping guidelines in a collaborative, open, and transparent manner.
    In addition, NIST maintains the National Vulnerability Database 
(NVD), a repository of standards-based vulnerability management 
reference data. The NVD makes available information on vulnerabilities, 
impact measurements, detection techniques, and remediation assistance. 
It provides reference data that enable government, industry and 
international security automation capabilities. The NVD also assists/
helps/enables the Payment Card Industry (PCI) to identify and mitigate 
vulnerabilities. The PCI uses the NVD vulnerability metrics to discern 
the IT vulnerability in point-of-sale devices and determine what risks 
are unacceptable for that industry.
    Pursuant to the Cybersecurity Research and Development Act of 2002, 
NIST also maintains a library of security setting configurations, also 
known as ``checklists,'' for IT products used throughout the Federal 
Government. This initiative is known as the National Checklist Program. 
Through the program, product vendors, as well as Federal contributors, 
supply checklists to be quality assured by NIST and peer-reviewed by 
the public, with the final benchmarks cataloged by NIST and made 
available as reference data for both government and the private sector. 
One of the more prominent examples of a checklist is the United States 
Government Configuration Baseline, or USGCB. To produce a USGCB, 
Federal checklist contributors work with the Federal CIO Council and 
NIST to determine government-wide security settings. The resulting 
USGCB checklists are made available to all parties through the National 
Checklist Program.
    NIST researchers develop and standardize cryptographic mechanisms 
that are used throughout the world to protect information at rest and 
in transit. These mechanisms provide security services, such as 
confidentiality, integrity, authentication, non-repudiation and digital 
signatures, to protect sensitive information. The NIST algorithms and 
associated cryptographic guidelines are developed in a transparent and 
inclusive process, leveraging cryptographic expertise around the world. 
The results are in standard, interoperable cryptographic mechanisms 
that can be used by all industries. For example, with approval of the 
Secretary of Commerce, NIST recently published Federal Information 
Processing Standard (FIPS) 202, which specifies the SHA-3 family of 
hash functions that provide many important information security 
applications, including the generation and derivation of digital 
signatures.
    NIST has a complementary program, in coordination with the 
Government of Canada, to certify independent commercial calibration 
laboratories to test commercially available IT cryptographic modules, 
to ensure that they have implemented the NIST cryptographic standards 
and guidelines correctly. These testing laboratories exist around the 
globe and test hundreds of individual cryptographic modules yearly.
    Recently, NIST initiated a research program in usability of 
cybersecurity, focused on passwords and password policies; user 
perceptions of cybersecurity risk and privacy concerns; and privacy in 
general. The concept of ``usability'' refers generally to ``the 
effectiveness, efficiency, and satisfaction with which the intended 
users can achieve their tasks in the intended context of product use.'' 
\1\ This usability research will lead to standards and guidelines for 
improving cybersecurity through increased attention to user 
interactions with security technologies.
---------------------------------------------------------------------------
    \1\ ISO 9241-210:2010, Ergonomics of human-system interaction--Part 
210: Human-centered design for interactive systems.
---------------------------------------------------------------------------
NIST Engagement with Government
    In support of FISMA implementation, NIST continues its 
collaboration with the Department of Defense, the intelligence 
community, and the Committee on National Security Systems, through a 
Joint Task Force Initiative, to develop key cybersecurity guidelines 
for protecting U.S. Government information and information systems.
    This collaboration allows the most broad-based and comprehensive 
set of safeguards and countermeasures ever developed for information 
systems. This unified framework of guidelines and recommendations 
provides a standardized method for expressing security at all levels, 
from operational implementation to compliance reporting. It allows for 
an environment of information sharing and interconnections among these 
communities and significantly reduces costs, time, and resources needed 
for finite sets of systems and administrators to report on 
cybersecurity to multiple authorities.
    Our set of standards, guidelines, and recommendations provide a 
standardized and repeatable framework for managing risk, called the 
Risk Management Framework. The Risk Management Framework provides a 
structured, yet flexible, approach for managing the risk resulting from 
using information systems to achieve the mission and business processes 
of an organization. The risk management concepts are intentionally 
broad-based with the specific details of assessing risk and employing 
appropriate risk mitigation strategies provided by supporting NIST 
information security standards and guidelines.
    This approach allows for implementation of cost-effective, risk-
based information security programs. It establishes a level of security 
due diligence for Federal agencies and contractors supporting the 
Federal Government. It creates a consistent and cost-effective 
application of security controls across an information technology 
infrastructure and a consistent, comparable, and repeatable security 
control assessment. When implemented, it gives an organization a better 
understanding of enterprise-wide mission risks resulting from the 
operation of information systems.
NIST Engagement with Industry
    It is important to note that the impact of NIST's activities under 
FISMA extend beyond providing the means to protect Federal IT systems. 
They provide the cybersecurity foundations for the public trust that is 
essential to our realization of the national and global productivity 
and innovation potential of electronic business and its attendant 
economic benefits. Many organizations voluntarily follow NIST standards 
and guidelines, reflecting their wide acceptance throughout the world.
    Beyond NIST's responsibilities under FISMA, under the provisions of 
the National Technology Transfer and Advancement Act (PL 104-113) and 
related OMB Circular A-119, NIST is tasked with the key role of 
coordinating Federal agency use of voluntary consensus standards and 
participation in the development of relevant standards, as well as 
promoting coordination between the public and private sectors in the 
development of standards and in conformity assessment activities. NIST 
works with other agencies, such as the Departments of Defense, State, 
and Homeland Security to coordinate positions on standards issues and 
priorities with the private sector through consensus standards 
organizations such as the American National Standards Institute (ANSI), 
the Joint Technical Committee 1 (JTC 1) of the International 
Organization for Standardization (ISO) and the International 
Electrotechnical Commission (IEC), the Institute of Electrical and 
Electronics Engineers (IEEE), the Internet Engineering Task Force 
(IETF), and the International Telecommunications Union's 
Standardization Sector (ITU-T).
    NIST's partnership with industry to develop, maintain, and 
implement voluntary consensus standards related to cybersecurity best 
ensures the interoperability, security, and resiliency of the global 
infrastructure needed to make us all more secure. It also allows this 
infrastructure to evolve in a way that embraces both security and 
innovation--allowing a market to flourish to create new types of secure 
products for the benefit of all Americans.
    NIST works extensively in smart card standards, guidelines, and 
best practices. NIST developed the standard for the U.S. Government 
Personal Identity Verification (PIV) Card (FIPS 201), and actively 
works with the ANSI and JTC 1 on global cybersecurity standards for use 
in smart cards, smart card cryptography and the standards for the 
international integrated circuit card. [ANSI 504; ISO 7816 and ISO 
24727]
    NIST also conducts cybersecurity research and development in 
forward looking technology areas, such as security for Federal mobile 
environments and techniques for measuring and managing information 
security. These efforts focus on improving the trustworthiness of IT 
components such as claimed identities, data, hardware, and software for 
networks and devices. Additional research areas include developing 
approaches to balancing safety, security, and reliability in the 
Nation's information and communications technology supply chain; 
enabling mobile device and application security; securing the Nation's 
cyber-physical systems and public safety networks; enabling continuous 
information security monitoring; providing advanced information 
security measurements and testing; investigating information security 
analytics and big data; developing standards, modeling, and 
measurements to achieve end-to-end information security over 
heterogeneous, multi-domain networks; and investigating technologies 
for detection of anomalous behavior and quarantines.
    In addition, further development of cybersecurity standards will be 
needed to improve the security and resiliency of critical U.S. 
information and communication infrastructure. The availability of 
cybersecurity standards and associated conformity assessment schemes is 
essential in these efforts, which NIST supports, to help enhance the 
deployment of sound security solutions and build trust among those 
creating and those using the solutions throughout the country.
International Cybersecurity Standardization
    The Cybersecurity Enhancement Act of 2014 directed NIST to work 
with relevant Federal agencies to ensure interagency coordination in 
``the development of international technical standards related to 
information system security'' and ``ensure consultation with 
appropriate private sector stakeholders.'' It also called for NIST to 
submit a plan for ensuring the Federal agency coordination to Congress 
within one year. The International Cybersecurity Standards Working 
Group, which is led by the Department of Commerce/NIST, was set up by 
the National Security Council's Cyber Interagency Policy Committee to 
draft this plan, which will also serve as the basis of the required 
report to Congress.
    The U.S. standards system differs significantly from the 
government-directed and government-led systems common in many other 
countries. Under the U.S. system, hundreds of standards development 
organizations (SDOs) provide the infrastructure for the preparation of 
standards documents. While these organizations are overwhelmingly 
private sector, government personnel participate in standards 
development activities as equal partners along with representatives 
from industry, academia, and other organizations and consumers.
    The new draft Report on Strategic U.S. Government Engagement in 
International Standardization to Achieve U.S. Objectives for 
Cybersecurity (NIST draft Interagency Report 8074)\2\ and supplement 
lay out strategic objectives and recommendations for enhancing the U.S. 
government's coordination and participation in the development and use 
of international standards for cybersecurity. The draft report 
recommends the government make greater effort to coordinate the 
participation of its employees in international cybersecurity standards 
development to promote the cybersecurity and resilience of U.S. 
information and communications systems and supporting infrastructures.
---------------------------------------------------------------------------
    \2\ http://csrc.nist.gov/publications/drafts/nistir-8074/
nistir_8074_vol1_draft_report.pdf
---------------------------------------------------------------------------
    A supplement \3\ to the draft report provides a summary of ongoing 
activities in critical international cybersecurity standardization and 
an inventory of U.S. government and private sector engagement. It also 
provides guidance for agencies to plan and coordinate more effective 
participation in these activities.
---------------------------------------------------------------------------
    \3\ http://csrc.nist.gov/publications/drafts/nistir-8074/
nistir_8074_vol2_draft_supplemen
tal-information.pdf
---------------------------------------------------------------------------
    The draft report supports the 2010 United States Standards 
Strategy,\4\ which was developed through a public-private partnership 
and outlines the contribution of private-sector led standards 
development to overall competition and innovation in the U.S. economy 
and the imperative of public and private sector participation and 
collaboration.
---------------------------------------------------------------------------
    \4\ http://publicaa.ansi.org/sites/apdl/Documents/
Standards%20Activities/NSSC/USSS_
Third_edition/USSS%202010-sm.pdf
---------------------------------------------------------------------------
National Strategy for Trusted Identities in Cyberspace
    NIST also houses the National Program Office established to lead 
implementation of the National Strategy for Trusted Identities in 
Cyberspace (NSTIC). NSTIC is an initiative that works to address one of 
the most commonly exploited vectors of attack in cyberspace: the 
inadequacy of passwords for authentication.
    Weak authentication and identity proofing methods continue to 
represent a disproportionate share of data breaches and other 
successful attacks. The 2013 Data Breach Investigations Report \5\ 
noted that in 2012, 76 percent of network intrusions exploited weak or 
stolen credentials. In line with the results of this report, many 
recent high profile compromises involved weak or compromised 
credentials or weaknesses in identity proofing as the vector of attack.
---------------------------------------------------------------------------
    \5\ http://www.verizonenterprise.com/resources/reports/rp_data-
breach-investigations-report-2013_en_xg.pdf
---------------------------------------------------------------------------
    NSTIC works to address this issue by collaborating with the private 
sector to catalyze a marketplace of better identity and authentication 
solutions--an ``Identity Ecosystem'' that raises the level of trust 
associated with the identities of individuals, organizations, networks, 
services, and devices online. NIST has funded 15 pilot programs to 
jumpstart the marketplace and test new approaches to overcome barriers, 
such as usability, privacy, and interoperability, which have hindered 
market acceptance and wider use of stronger authentication 
technologies.
    NSTIC exemplifies NIST's robust collaboration with industry, in 
large part, because the initiative calls on the private sector to lead 
implementation. NIST has partnered with the privately led Identity 
Ecosystem Steering Group (IDESG) to craft better standards and tools to 
improve authentication online.
National Cybersecurity Center of Excellence
    In 2012, NIST established the National Cybersecurity Center of 
Excellence (NCCoE). The NCCoE brings together experts from industry, 
government, and academia to develop and transfer practical 
cybersecurity standards, technologies, and best practices to the 
Nation's business sectors. By accelerating dissemination and use of 
standards, best practices, and integrated tools and technologies for 
protecting information technology assets and processes, the NCCoE 
fosters trust in U.S. business sectors and improvements to the overall 
security of the economy. The NCCoE supports implementation of existing 
cybersecurity guidelines and frameworks, serves as a technical resource 
for both public and private sectors, and contributes to the development 
of cybersecurity practices and practitioners.
    The NCCoE is a unique partnership among three levels of government: 
NIST at the Federal level, the State of Maryland, and Montgomery 
County, Maryland. In addition the NCCoE established a Federally Funded 
Research and Development Center (FFRDC), the country's first FFRDC 
dedicated to cybersecurity, which helps the center respond to national 
priorities and critical security concerns impacting critical 
infrastructure, e-commerce, and privacy.
    To date, NIST has established partnerships with 22 industry 
partners who have pledged to have a continuous presence at the center 
as National Cybersecurity Excellence Partner (NCEP) companies. In 
addition to these core partners, there are more than 25 other 
technology companies that are working on projects at the NCCoE under 
Cooperative Research and Development Agreements (CRADAs). These 
partners and collaborators support the NCCoE with hardware, software, 
and expertise. They provide the Center equipment to outfit labs as 
real-world environments, and their personnel work at the NCCoE as guest 
researchers.
    Today, the NCCoE has programs working with the health care, energy, 
financial services, and retail sectors. In addition, the Center is 
addressing challenges that cut across sectors, including mobile device 
security, software asset management, cloud security, identity 
management, and secure e-mail. The NCCoE's first practice guide,\6\ 
released this summer for public comment, helps secure electronic health 
records on mobile devices. As both electronic medical records and 
mobile devices are increasingly used by health care practitioners, 
patient information needs to be protected to preserve privacy and 
safeguard identity and patient care. The NCCoE's practice guide, 
Securing Electronic Health Records on Mobile Devices, provides a 
detailed architecture and instructions so that IT professionals can 
recreate the security capabilities of the example solution. The guide 
does not recommend specific products, but provides a blueprint for the 
deployment and use of standards based technologies that address 
critical security concerns. The solution aligns to standards and best 
practices from NIST and to the Health Insurance Portability and 
Accountability Act Security Rule.
---------------------------------------------------------------------------
    \6\ https://nccoe.nist.gov/projects/use_cases/health_it/
ehr_on_mobile_devices
---------------------------------------------------------------------------
National Initiative for Cybersecurity Education
    As the cybersecurity threat and technology environment evolves, the 
cybersecurity workforce must continue to adapt to design, develop, 
implement, maintain and continuously improve cybersecurity, including 
in our Nation's critical infrastructure.
    Established in 2010, the National Initiative for Cybersecurity 
Education (NICE) promotes an ecosystem of cybersecurity education, 
training, and workforce development that effectively secures 
cyberspace. Led by NIST, NICE is a partnership between government, 
academia, and industry that builds upon existing successful programs, 
including the DHS/NSA Centers of Academic Excellence for Cybersecurity, 
and facilitates innovation to increase the supply of qualified 
cybersecurity workers.
    NICE's emerging strategic priorities include accelerating learning 
and skills development, nurturing a diverse learning community, and 
guiding career development and workforce planning. NICE works to 
instill a sense of urgency in both the public and private sectors to 
address the skilled workforce shortage. It is also working to 
strengthen formal education programs, promote different academic 
pathways, and increase the participation of women, minorities, and 
veterans in the cybersecurity profession. Finally, it supports job 
seekers and employers to address market demands and maximize talent 
management.
    NICE is also aligned with the President's Job-Driven Training 
Initiative and the Secretary of Commerce's Skills for Business 
Initiative that is partnering with business to equip workers for 21st 
century careers.
Cybersecurity Framework
    Over one year ago, NIST issued the Framework for Improving Critical 
Infrastructure Cybersecurity (Framework)\7\ in accordance with Section 
7 of Executive Order 13636, ``Improving Critical Infrastructure 
Cybersecurity.'' \8\ The Framework, created through collaboration with 
industry, government, and academia, consists of standards, guidelines, 
and practices to promote the protection of critical infrastructure. The 
prioritized, flexible, repeatable, and cost-effective approach of the 
Framework helps owners and operators of critical infrastructure to 
manage cybersecurity-related risk. Since the release of the Framework, 
NIST has strengthened its collaborations with critical infrastructure 
owners and operators, industry leaders, government partners, and other 
stakeholders to raise awareness about the Framework, encourage use by 
organizations across and supporting the critical infrastructure, and 
develop implementation guides and resources. The Framework continues to 
be voluntarily implemented by industry and adopted by infrastructure 
sectors, which is contributing to reducing cyber risks to our Nation's 
critical infrastructure.
---------------------------------------------------------------------------
    \7\ http://www.nist.gov/cyberframework/upload/cybersecurity-
framework-021214.pdf
    \8\ https://www.whitehouse.gov/the-press-office/2013/02/12/
executive-order-improving-critical-infrastructure-cybersecurity
---------------------------------------------------------------------------
    NIST supports Framework awareness and understanding by addressing a 
variety of sectors and communities through speaking engagements and 
meetings. NIST continues to educate other nations about the value of 
the Framework and the processes by which it was developed. Many of 
those nations are adopting Framework principles into equivalent 
national frameworks, while some are adopting the Framework in its 
entirety. To better support industry understanding and use, NIST is now 
publishing frequently asked questions and industry resources at the 
Framework Website.\9\
---------------------------------------------------------------------------
    \9\ http://www.nist.gov/cyberframework/index.cfm
---------------------------------------------------------------------------
    Pursuant to the Cybersecurity Enhancement Act of 2014, NIST also 
convened meetings with regulators to discuss application of the 
Framework within the cyber ecosystem, and the need for the Framework to 
remain a voluntary methodology, adaptable to the critical 
infrastructure risk and mission objectives. NIST participated in an 
advisory role to the Federal Communications Commission (FCC) 
Communications, Security, Reliability and Interoperability Council's 
(CSRIC) Working Group 4. NIST is also an advisory member of the 
Cybersecurity Forum for Independent and Executive Branch Regulators. 
The forum was chartered to increase the overall effectiveness and 
consistency of regulatory authorities' cybersecurity efforts pertaining 
to U.S. Critical Infrastructure. In all of these interactions, NIST 
continues to communicate the merits of the voluntary Framework as an 
organizational and communication tool to better manage cybersecurity 
risk.
Additional Research Areas
    NIST performs research and development in related technologies, 
such as the usability of systems including electronic health records, 
voting machines, biometrics and software interfaces. NIST is performing 
research on the mathematical foundations needed to determine the 
security of information systems. In the areas of digital forensics, 
NIST is enabling improvements in forensic analysis through the National 
Software Reference Library and computer forensics tool testing. 
Software assurance metrics, tools, and evaluations developed at NIST 
are being implemented by industry to help strengthen software against 
hackers. NIST responds to government and market requirements for 
biometric standards by collaborating with other Federal agencies, 
academia, and industry partners to develop and implement biometrics 
evaluations, enable usability, and develop standards (fingerprint, 
face, iris, voice/speaker, and multimodal biometrics). NIST plays a 
central role in defining and advancing standards, and collaborating 
with customers and stakeholders to identify and reach consensus on 
cloud computing standards.
Conclusion
    We at NIST recognize that we have an essential role to play in 
helping industry, consumers and government to counter cyber threats. 
Our broader work in the areas of information security, trusted 
networks, and software quality is applicable to a wide variety of 
users, from small and medium enterprises to large private and public 
organizations, including Federal Government agencies and companies 
involved with critical infrastructure.
    We are extremely proud of our role in establishing and improving 
the comprehensive set of cybersecurity technical solutions, standards, 
guidelines, and best practices and the robust collaborations with our 
Federal Government partners, private sector collaborators, and 
international colleagues.
    Thank you for the opportunity to testify today on NIST's work in 
cybersecurity. I would be happy to answer any questions you may have.
                                 ______
                                 
                              Kevin Stine
    Mr. Kevin Stine is the Leader of the Security Outreach and 
Integration Group in the Information Technology Laboratory's Computer 
Security Division at the National Institute of Standards and 
Technology. In this capacity, he oversees NIST collaborations with 
industry, academia, and government on the mission-specific application 
of security standards, guidelines, and technologies to help 
organizations understand and manage cybersecurity risk. This group 
develops technical cybersecurity guidelines and tools in diverse areas 
such as public safety communications; health information technology; 
smart grid, cyber physical, and industrial control systems; supply 
chain risk management; and Federal agency cybersecurity programs. The 
group is also home to the National Initiative for Cybersecurity 
Education (NICE) and programs focused on cybersecurity outreach to 
small businesses, security education and training professionals, and 
Federal agencies. Recently, he led NIST's efforts to develop the 
Framework for Reducing Cybersecurity Risk to Critical Infrastructure 
(Cybersecurity Framework) as directed in Executive Order 13636. He is 
past chair of the Federal Computer Security Managers' Forum, which 
promotes sharing of information security practices among Federal 
agencies. He holds undergraduate degrees in Information Systems 
Management and Psychology from the University of Maryland, Baltimore 
County.

    The Chairman. Thank you, Mr. Stine.
    And we will flip it now to Mr. Shlanta.
    Mark, welcome.

    STATEMENT OF MARK SHLANTA, CHIEF EXECUTIVE OFFICER, SDN 
                         COMMUNICATIONS

    Mr. Shlanta. Chairman Thune, thank you. Thank you for 
inviting SDN to participate in today's field hearing.
    SDN applauds your support of the voluntary framework 
developed by the National Institute of Standards and 
Technology, or NIST. The NIST Framework provides useful 
guidance to assist service providers, like SDN, in protecting 
their networks.
    In addition, your Cybersecurity Enhancement Act took 
important steps to strengthen our Nation's cyber research, 
workforce development, and public awareness.
    Dakota State University, an institution that has 
distinguished itself as a leader in cybersecurity education, is 
the perfect venue to host this discussion.
    As we sit here in South Dakota, cybersecurity is not a 
problem limited by geography or to high-profile retailers, 
financial institutions, and the Federal Government. Anyone 
using technology is a target. It can be daunting for 
individuals, businesses, and at all levels of government to 
navigate how they can best reduce their risk.
    Last year, SDN investigated 4,500 threats against its 
customers. Each threat ranged from one to several thousand 
separate attacks.
    Let me share one example of an SDN customer. They are a 
small business that manufactures wire twist ties for packaging. 
And who would think of a company like that as a target of a 
cyber attack? Yet, last year, attackers used more than 100 
different attack methods to try breaking into that company's 
network. SDN observed the malicious traffic coming from as far 
away as Brazil. Fortunately, our cybersecurity team halted 
these attacks with our Managed Firewall service.
    In addition to that product, SDN offers a host of services 
that defend against cyber threats. We provide secure data 
storage, remote network monitoring, and managed router 
services.
    SDN is in the process of deploying a new product to protect 
against Distributed Denial of Service attacks, or DDOS. A DDOS 
attack, sometimes also known as ``D-D-O-S,'' is a type of 
attack that disables an online service by flooding it with 
massive amounts of data traffic.
    Sometimes DDOS attackers warn their targets or are even 
boastful. I have an example here. Here is a screenshot of a 
Twitter post from this past July that warns of a pending 
attack.
    The next slide shows the attacker announcing a ``target 
list.'' The next day, the attacker released a long list of 
Federal, state, and local government targets. The domain names 
of our state government and the City of Sioux Falls were 
included on this list. This is a real-life example showing that 
we in South Dakota are not immune to cyber attacks.
    Providers like SDN offer cybersecurity products that can 
reduce risk. The story, however, does not end there. Businesses 
have a responsibility to enforce internal security controls. 
Human error accounts for 95 percent of all security incidents. 
Businesses should therefore improve the cyber literacy of their 
work force, limit access to sensitive information, and take 
necessary steps to properly maintain their equipment, software, 
and websites.
    SDN has reviewed and continues to study the NIST Framework 
and the sector-specific guidance from the FCC's Communications 
Security, Reliability, and Interoperability Council, or CSRIC. 
The CSRIC guidance provides a useful tool to help 
communications providers utilize the NIST Framework. Although 
the Framework has been available since last year, the CSRIC 
guidance was only released in March. It will take time for 
small and regional rural operators to fully digest and put 
these recommendations into practice.
    While I applaud these efforts, it is important to remember 
that SDN, like many small and regional providers, already works 
hard to maintain a secure network. That being said, only one 
thing is certain when it comes to cybersecurity, and that is 
the job is never done. As such, we are continuing to review the 
Framework and the CSRIC guidance and will utilize both tools to 
strengthen our existing cybersecurity programs.
    I encourage you to maintain your support for a voluntary, 
flexible, scalable approach to cybersecurity risk management. 
This approach is more effective than hard-line regulation that 
would struggle to keep pace with new and evolving threats. The 
Federal Government should encourage utilization of the NIST 
framework through outreach and education.
    It is important to note that some small operators may need 
additional assistance, such as one-on-one technical support, to 
help them apply the Framework to their unique operations.
    In closing, I thank you again for inviting SDN to 
participate in today's hearing. Cybersecurity is a 
responsibility that each of us has an obligation to uphold.
    Thank you, Chairman Thune, for your leadership in the U.S. 
Senate and for convening today's hearing.
    With that, I will welcome your questions.
    [The prepared statement of Mr. Shlanta follows:]

     Prepared Statement of Mark Shlanta, Chief Executive Officer, 
                           SDN Communications
    Thank you, Senator Thune, for inviting SDN \1\ to participate in 
today's field hearing. It is an honor to join this esteemed panel of 
experts to discuss the actions that should be taken to address the 
cyber threats facing our state and nation.
---------------------------------------------------------------------------
    \1\ SDN Communications (``SDN'') is the premier business-to-
business broadband service provider in South Dakota and southern 
Minnesota with a fiber optic network connecting eight states with high-
speed broadband Internet and Wide Area Network (WAN) connectivity. In 
2014, SDN became an owner and the managing partner for Southern 
Minnesota Broadband, LLC, which extends SDN's fiber network across 
southern Minnesota. SDN also provides networking equipment, phone 
systems, and managed solutions, including security, routers, firewalls, 
remote network monitoring, and storage.
---------------------------------------------------------------------------
    We applaud Senator Thune for his support of the voluntary framework 
that was developed by industry stakeholders and the National Institute 
of Standards and Technology (NIST). Our national and economic security 
depends upon the reliable functioning of critical infrastructure.\2\ 
The communications industry represents one of the 16 critical 
infrastructure sectors.\3\ The NIST Framework provides useful guidance 
and best practices to assist critical infrastructure operators in 
protecting their networks. In addition to codifying this successful 
process, Senator Thune's ``Cybersecurity Enhancement Act'' took 
important steps to increase our Nation's commitment to cyber research, 
workforce development, and raising public awareness.\4\
---------------------------------------------------------------------------
    \2\ ``Framework for Improving Critical Infrastructure 
Cybersecurity,'' National Institute for Standards and Technology,'' 
page 1, February 12, 2014, http://www.nist.gov/cyberframework/upload/
cybersecurity-framework-021214-final.pdf.
    \3\ ``Critical Infrastructure Sectors,'' Department of Homeland 
Security, June 12, 2014, http://www.dhs.gov/critical-infrastructure-
sectors.
    \4\ ``Rockefeller, Thune Statement on Passage of Commerce 
Cybersecurity Bill,'' Senator Thune Official Website, December 12, 
2014, http://www.thune.senate.gov/public/index.cfm/2014/12/rockefeller-
thune-statement-on-passage-of-commerce-cybersecurity-bill.
---------------------------------------------------------------------------
    The title of today's hearing, ``Confronting the Challenge of 
Cybersecurity,'' gets to the heart of this pervasive and constantly 
evolving threat. Cybersecurity is not a problem limited to high-profile 
retailers, financial institutions, or the Federal Government. It is 
widespread. Any individual or organization using technology is a 
target. It can be daunting for individuals, businesses, and all levels 
of government to navigate how they can best reduce their risk.
    It was appropriate to host this discussion at Dakota State 
University (DSU), an academic institution that has distinguished itself 
as a national leader in cybersecurity education. The National Security 
Agency (NSA) and Department of Homeland Security designated DSU as one 
of the Nation's first National Centers of Academic Excellence.\5\ This 
summer, DSU, with support from the NSA and National Science Foundation, 
hosted a camp to get more young women interested in cybersecurity 
careers. When the 60 available spots quickly filled, SDN sponsored 40 
additional participants. Like other operators of critical 
infrastructure, SDN relies upon a strong pipeline of skilled workers, 
and we are lucky to have many DSU graduates on our team. Prioritizing 
continued workforce development in the field of cybersecurity is an 
important national objective.
---------------------------------------------------------------------------
    \5\ ``Centers of Academic Excellence Institutions,'' National 
Security Agency, July 8, 2015, https://www.nsa.gov/ia/
academic_outreach/nat_cae/institutions.shtml#sd.
---------------------------------------------------------------------------
    It feels like it has become nearly impossible to turn on the news 
without learning of yet another company or Federal department that has 
been compromised. We hear about the high-profile attacks against 
companies like Sony, Target, Anthem, Home Depot, and JPMorgan Chase, 
and many small and regional businesses assume this is a problem 
targeting only large companies. Unfortunately, we here in South Dakota 
are not immune to this threat.
    SDN sees a large number of threats against its own network and 
customers each day. SDN quarantines about half the e-mails directed 
toward its domain. Additionally, our company firewall blocks hundreds 
of unauthorized, malicious traffic attempts each day. We observed 
nearly 4,500 threats against SDN customers within a single year. Each 
of these threats ranged from one to several thousand separate attacks.
    Bedford Industries is a small business, based in Worthington, MN, 
that subscribes to SDN's cybersecurity services. The company 
manufactures wire twist ties and other packaging equipment. Although an 
outside observer might question why Bedford would be a target, SDN's 
cybersecurity threat report tells a different story. In the past year, 
SDN successfully halted more than 100 types of cyberattacks against 
Bedford--ultimately mitigating over 5,300 separate incidents. In 
layman's terms, this means attackers tried to break into Bedford's 
network 5,300 times using 100 different attack methods. Some of the 
threats were launched by attackers in the United States, but others 
originated as far away as Brazil.
    SDN offers a host of security services to counter cyber threats 
targeting businesses in South Dakota and the surrounding region. We 
provide secure data storage at our LaMesa Data Center that protects 
health care, financial, and other sensitive information. We also offer 
around-the-clock remote network monitoring that detects and responds to 
unusual, potentially malicious activity on customer equipment and 
networks. Our managed firewall service blocks harmful malware to 
prevent viruses from entering a customer's network, and SDN's managed 
router service closes security gaps by ensuring devices are properly 
configured. Currently, a limited number of business broadband customers 
subscribe to these managed services, and their networks subsequently 
face a heightened risk of cyberattack. Raising public awareness is key 
to strengthening our Nation's preparedness.
    SDN is in the process of deploying a managed Distributed Denial of 
Service (``DDoS'') protection product. DDoS is a type of attack that 
can disable an online service by overwhelming it with massive data 
traffic. A DDoS attacker controls numerous infected machines--often 
termed ``zombies'' or ``botnets''--to generate the data volumes 
required to perpetrate an attack. In some instances, a DDoS attack is 
designed to disrupt the delivery of services and impede private and 
public business operations. On other occasions, it may be a 
diversionary tactic timed to coincide with a coordinated effort to 
break through network defenses.
    There has been a dramatic rise in the number of DDoS threats 
occurring across the United States, including in South Dakota.\6\ 
During SDN's early deployment of this product, we have detected 
malicious DDoS traffic targeting the networks of South Dakota 
businesses and state government. Just last week during a single 24-hour 
period, SDN's technical team detected 105 possible malicious traffic 
patterns.\7\ A 25-gigabit attack is the largest DDoS threat we have 
seen since launching the product.\8\ To put this in perspective, a 25-
gigabit attack would completely saturate a high-bandwidth business 
customer subscribing to a 10-gigabit Internet connection. A threat of 
this magnitude would take down or severely cripple the networks of most 
business customers in South Dakota.
---------------------------------------------------------------------------
    \6\ ``Q1 2015 State of the Internet--Security Report,'' State of 
the Internet Akamai Report, 2015, https://www.stateoftheinternet.com/
security-cybersecurity-ddos-mitigation.html
    ``Trustwave Global Security Report,'' Trustwave, 2015, https://
www2.trustwave.com/rs/815-RFM-693/images/
2015_TrustwaveGlobalSecurityReport.pdf
    \7\ ``DDoS Cybersecurity Threat Report for August 24, 2015,'' SDN 
Communications.
    \8\ ``DDoS Cybersecurity Threat Report for August 19, 2015,'' SDN 
Communications.
    There has been a dramatic rise in the number of DDoS attacks, with 
the incidents of attacks doubling between Q1 2014 and Q1 2015. While 
hacktivists and other organized cyberattack groups, such as Anonymous 
or the earlier LulzSec, launch politically motivated attacks impacting 
large corporations or governments, individual hackers can now easily 
initiate a cyberattack by subscribing to a DDoS for hire service. 
According to Trustwave's 2015 Global Security Report, DDoS attacks can 
be purchased starting at $5.00 an hour, $40.00 for 24 hours, or $900 
for one month of attacks. A recent Incapsula survey of IT professionals 
from companies with 250 to over 10,000 employees determined that even a 
small DDoS attack can have major financial impacts on the targeted 
organization. The DDoS attack profile is shifting; while the bandwidth 
required to execute an attack has decreased, there has been an alarming 
increase in attack frequency and duration. With low barriers to entry 
and large dollar amounts at stake, DDoS attacks are on the rise. DDoS 
cyberattack protection has become critical for organizations dependent 
upon the Internet for conducting business.
---------------------------------------------------------------------------
    Businesses are not the only organizations facing cybersecurity 
threats. South Dakota state and local governments, as well as our post-
secondary education institutions, are regularly targeted by hacktivists 
and hackers. These attacks may involve DDoS threats. As previously 
described, a DDoS attack may be politically motivated, or it may 
represent a diversionary tactic working in concert with other efforts 
to infiltrate a network. Sometimes there is simply no clue as to why 
these attacks occur. On occasion, attackers warn their targets and are 
even boastful of their efforts. Figure 1 and Figure 2 include 
screenshots of Twitter posts from July 2015 warning of a forthcoming 
attack. Figure 3 contains a ``target list'' of federal, state, and 
local government entities that the attacker has identified as targets. 
The domain names of the South Dakota state government and the City of 
Sioux Falls were included on the target list. These illustrative 
examples are attached as an appendix to this testimony.
    Providers like SDN offer cybersecurity products that can reduce a 
company's cybersecurity risk. The story, however, does not end there. 
Businesses have a responsibility to establish and enforce internal 
security controls.\9\ Employee error can create major vulnerabilities. 
According to IBM's ``2014 Cyber Security Intelligence Index,'' 95 
percent of all security incidents involve human error.\10\ Businesses 
should therefore improve the cyber-literacy of their workforce and 
limit their employees' access and ability to distribute sensitive 
information. Businesses should also take the necessary steps to 
properly configure and maintain their equipment, software, and websites 
to prevent vulnerabilities that can be exploited.
---------------------------------------------------------------------------
    \9\ SDN has cybersecurity internal controls and policies in place 
to mitigate the company's risk of cyberattack. Businesses--both large 
and small--should adopt similar practices. While SDN has in-house 
expertise to operate its internal cybersecurity program, other 
businesses may opt to outsource this responsibility. For purpose of 
example, this footnote includes a general, non-comprehensive 
description of some internal cybersecurity procedures followed by SDN.
    SDN protects its network with an enterprise firewall that enforces 
rules and only accepts traffic from approved external IP addresses. The 
company conducts daily and sometimes hourly antivirus definition 
updates to improve the detection of malicious software and prevent 
harmful downloads. Regular patches to SDN's operating system, PCs, and 
other devises close security gaps that could be exploited by an 
attacker. Any patch deemed critical to protecting our equipment and 
servers is performed immediately. The company enforces access policies 
that require passwords to be regularly changed and pin codes and badges 
in order to enter physical locations. Virtual and physical locations 
are limited to the employees that require access in order to perform 
their job responsibilities. Cameras and door access logs are equipped 
throughout the company premise, and fingerprint entry is required at 
SDN's most secure locations.
    SDN requires employees working remotely to utilize an SSL Virtual 
Private Network (VPN) and perform two-factor authentication to access 
the company's network. This encryption service masks all traffic 
between SDN's network and the end user. The company's local 
administrator policy and account usage monitoring prevents unsanctioned 
software downloads onto company-issued equipment. Limiting an 
employee's ability to download malicious software helps reduce the risk 
of social engineering attacks. SDN also blocks foreign devices from 
accessing its network using a Network Access Control (NAC) appliance to 
prevent unauthorized devices from connecting to the network. Outside 
laptops and mobile devices cannot connect to the company's private wifi 
network and are segregated onto a guest wifi network.
    This represents a limited sample of the security procedures SDN has 
adopted to protect its internal business network.
    \10\ ``IBM Security Services 2014 Cyber Security Intelligence 
Index: Analysis of cyber attack and incident data from IBM's worldwide 
security operations,'' IBM, June 2014, http://www.slideshare.net/
ibmsecurity/2014-cyber-security-intelligence-index.
---------------------------------------------------------------------------
    SDN works to adhere to security standards and best practices to 
protect the integrity of our network. For decades, we have been 
researching and incorporating industry and regulatory cybersecurity 
standards. We completed a Statement on Standards for Attestation 
Engagement No. 16 (SSAE 16) SOC I compliance report and audit and are 
currently working through the SSAE 16 SOC II security module. SDN 
enforces its policies governing how the company operates its network 
and manages access to its facilities. The company also utilizes 
security guidance from the Payment Card Industry (PCI) Data Security 
Standards, Health Insurance Portability and Accountability Act (HIPPA), 
the Federal Trade Administration's Red Flags Rule, and Customer 
Proprietary Network Information (CPNI).
    SDN has reviewed and continues to study the NIST Framework and the 
sector-specific guidance from the Federal Communications Commission's 
Communications Security, Reliability, and Interoperability Council 
(CSRIC).\11\ The NIST Framework helps shift our national focus from a 
``check-the-box'' mentality towards a risk-based approach tailored to 
addressing and mitigating unique organizational risk.\12\ This is a 
preferred, more effective approach than strict and prescriptive 
regulation that would struggle to keep up with emerging and constantly 
evolving threats. The CSRIC guidance provides a useful tool to help 
communications providers evaluate and utilize the Framework, and it 
includes tailored recommendations for small operators. Although the 
Framework has been available since last year, the CSRIC guidance was 
only recently released this past March. It will take time for small and 
regional rural operators to fully digest and put these recommendations 
into practice.
---------------------------------------------------------------------------
    \11\ ``Cybersecurity Risk Management and Best Practices Working 
Group 4: Final Report, Communications Security, Reliability, and 
Interoperability Council, Federal Communications Commission, March 
2015, https://transition.fcc.gov/pshs/advisory/csric4/CSRIC_WG4_Report
_Final_March_18_2015.pdf.
    \12\ ``Cyber Solutions Handbook,'' Booz Allen Hamilton, page 4, 
2014, http://www.booz
allen.com/content/dam/boozallen/documents/Cyber-Solutions-Handbook.pdf.
---------------------------------------------------------------------------
    While I applaud these efforts, it is important to remember that 
SDN--like many small and regional providers in the rural telecom 
industry--already endeavors to maintain a secure communications 
network. SDN's cybersecurity program seeks to protect its core network 
and meet the needs of its customers. That being said, only one thing is 
certain when it comes to cybersecurity: the job is never done. As such, 
my legal and technical teams continue with their review of the NIST 
Framework and the CSRIC ``best practices'' guidance, and SDN plans to 
utilize both of these tools to strengthen its existing cybersecurity 
program.
    As the Senate Commerce Committee continues monitoring the 
utilization of the NIST Framework, I encourage you to maintain your 
support for a voluntary, flexible, and scalable approach to 
cybersecurity risk management. The Federal Government should encourage 
utilization of the Framework through outreach and education to assist 
critical infrastructure operators in understanding, digesting, and 
implementing these practices. It is important to note that some small 
operators may need additional assistance, such as one-on-one technical 
support, to help them apply the Framework to their unique operations.
    In closing, I want to thank you again for inviting SDN to 
participate in today's field hearing. Cybersecurity is a responsibility 
that each of us has an obligation to uphold. As individuals, we should 
take steps to increase our cyber literacy. As businesses--both large 
and small, we have a responsibility to maintain strong safeguards to 
protect our network and the sensitive consumer information we have been 
entrusted. Finally, it is vital that our government and operators of 
critical infrastructure continue bolstering their defenses against 
growing and rapidly evolving cyber threats.
    Thank you, Senator Thune, for your leadership in the United States 
Senate and for convening today's hearing to discuss this important 
topic. With that, I welcome your questions.
                                Appendix
Figure 1.

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


Figure 2.

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

Figure 3.
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


    The Chairman. Thank you, Mr. Shlanta. And we will look 
forward to talking about some of those issues when we get a 
chance to ask some questions.
    And I am going to turn now to Mr. Eric Pulse, who, as I 
mentioned, is with Eide Bailly, but, prior to that, he is from 
Kimball, South Dakota. He was a Kimball Kiote, with a ``K.''
    [Laughter.]
    Mr. Pulse. Which doesn't exist anymore, by the way.
    The Chairman. Which doesn't--yes, which doesn't exist 
anymore. I am a Jones County Coyote, with a ``C.''
    [Laughter.]
    The Chairman. But, anyway, he has a good, small-town 
heritage.
    And we welcome you to our committee this afternoon.

    STATEMENT OF ERIC A. PULSE, PRINCIPAL, EIDE BAILLY, LLC

    Mr. Pulse. Well, thank you, Chairman Thune. And thank you, 
DSU, for hosting this event. And thanks for the opportunity to 
appear here to discuss this topic of confronting the challenge 
of cybersecurity.
    My testimony is based on my nearly 20 years in working with 
organizations and assessing and remediating and implementing 
their information systems and data security, cybersecurity 
controls.
    NIST defines ``cybersecurity'' as the ability to protect or 
defend the use of cyberspace from cyber attacks. And the U.S. 
Department of Defense revealed that at the very top of the U.S. 
intelligence community's 2013 assessment of global threats is 
cyber. That is ahead of terrorism and transnational organized 
crime.
    The severity in impact of cyber threats have changed the 
landscape in which governments and corporations, individuals, 
and organizations of all industries, sizes, and complexities 
operate. The recent cyber-attack breaches on the U.S. Office of 
Personnel Management, Sony, Anthem, Home Depot, Target, J.P. 
Morgan--the list goes on, right?--simply emphasizes the 
importance of cybersecurity.
    The Identity Theft Resource Center identified that, in 
2015, through August 18, there have been a total of 505 
reported data breaches, resulting in an estimated loss of 
nearly 100 million records. And that number is just the records 
known to be compromised.
    Organizations spend millions of dollars on the latest 
security technologies and infrastructure to protect themselves 
from becoming the next organization in the news. However, 
cybersecurity is more than policies, procedures, and 
technologies; it has to be woven into the fabric of how each 
person, whether it is an employee or a customer, thinks about 
data security.
    It begins with a culture. The best security standards, 
frameworks, policies, and procedures aren't able to anticipate 
every instance they are intended to facilitate. Security should 
be part of the fabric of every decision an employee makes in 
the course of everyday business.
    Too often, organizations sacrifice sound security practices 
in the name of customer service or process efficiency. The 
extra step it may take to clearly verify a customer or gain 
that extra piece of information to validate the legitimacy of a 
person on the other end of a phone call, e-mail, or transaction 
is potentially overlooked because they were conditioned to 
provide exceptional customer service or were striving to be 
more efficient.
    Simply put, security has taken a back seat, and that has to 
change. And that starts with an organizational culture. And, to 
be successful, the culture of IT has to be in sync with the 
organizational mission as a whole.
    My written testimony highlights four areas that need 
attention in order to combat cybersecurity challenges: a 
security culture; the lack of skilled resources, which this 
great organization is working to fulfill; a framework, like the 
NIST framework; and threat intelligence.
    After September 11, 2001, and the tragic events of that 
day, the way our society viewed air travel changed 
dramatically. It changed overnight. Restrictions on carry-on 
contents and long airport security lines are just a few 
restrictive and, to many degrees, necessary changes to air 
travel. On a flight in the months following that fateful day, a 
passenger near the rear of an aircraft proceeded to the front 
and nervously informed a flight attendant that he didn't feel 
safe because there was someone in a seat near him using a set 
of nail clippers. In short, our entire culture changed 
overnight, as it relates to air travel.
    Conversely, in light of the many recent data breaches and 
identified hacks of government, civilian, private 
organizational systems, resulting in the loss of millions of 
data records, our society hasn't had the same necessary 
cultural shift. We tend to be nonchalant with sensitive data, 
whether it be credit cards for card-not-present transactions or 
participate in a drawing by filling out an entry form with 
personally identifiable information or disclosing health 
records or information as part of a survey.
    Given the number of breaches that occur every day because 
someone clicked the proverbial phishing link in an e-mail scam, 
data is being compromised and identities are being stolen, 
millions of dollars are being lost. And yet we have yet to 
experience that cultural shift to better security practices.
    In Verizon's 2015 Data Breach Investigations Report, it 
indicated that over 99 percent of all data breaches were 
successful exploits of vulnerabilities where the CVE, or the 
fix, the preventative fix, was over a year old. So nearly all 
breaches occur because a fix to an exploitable vulnerability 
was simply not applied.
    This is particularly true with smaller organizations that 
continue to be targeted as attackers take advantage of 
frequently nonexistent vulnerability and patch-management 
programs, exploiting weaknesses in edge devices, web-based 
apps, payment card or point-of-sale systems.
    A recent survey by the SANS Institute showed that 66 
percent of respondents cited a skills shortage as an impediment 
to effective incident response and overall cybersecurity. Many 
security professionals maintain a good general technical 
security skill set, tasked with implementing reasonable 
practices and procedures driven by compliance; however, the 
rise in advanced threats and malware demonstrate the need for a 
more sophisticated trained professional.
    And, again, I want to thank you for allowing me to testify 
here today in our efforts to confront the challenges of 
cybersecurity. And, again, there are four areas that I think 
need increased attention, and those are: fostering a change in 
the security culture; an emphasis on increasing security 
personnel; encouraging an implementation of a common framework; 
and threat intelligence collaboration.
    And thank you again for the opportunity.
    [The prepared statement of Mr. Pulse follows:]

    Prepared Statement of Eric A. Pulse, Principal, Eide Bailly, LLP
    Chairman Thune, Ranking Member Nelson, and distinguished members of 
the Committee. My name is Eric Pulse and I am a Principal with the 
accounting, tax and consulting firm Eide Bailly LLP and I am the 
director of our Risk Advisory Services practice, specializing in 
assisting clients with information, data, and cybersecurity needs. 
Thank you for the opportunity to appear before you today to discuss the 
topic of ``Confronting the Challenge of Cybersecurity.'' My testimony 
today is based solely on my personal experiences over nearly 20 years 
working with clients assessing, remediating, and implementing their 
information systems, data and cybersecurity controls.
    The National Institute of Standards and Technology (NIST) defines 
cybersecurity as ``the ability to protect or defend the use of 
cyberspace from cyber-attacks.'' The U.S. Department of Defense 
revealed that ``at the top of the U.S. intelligence community's 2013 
assessment of global threats is cyber, followed by terrorism and 
transnational organized crime.'' The severity and impact of cyber 
threats have changed the landscape in which governments, corporations, 
individuals, and, organizations of all industries, size, and 
complexities operate. Breaches of customer data, credit card 
information, employee and customer authentication credentials, etc. are 
becoming more commonplace. This persistent threat is a societal issue 
facing everyone with personally identifiable information, health 
records, banking and/or payment information, intellectual property, 
etc. At one point considered largely an IT issue, the increase in 
frequency and sophistication of cyber attacks requires organizations 
elevate the priority to C-suites and board rooms and an overall 
cultural shift as it relates to cybersecurity.
    The recent cyberattack breaches at U.S. Office of Personnel 
Management (OPM), Sony, Anthem, Home Depot, Target, JP Morgan, and many 
others simply emphasizes the importance of cybersecurity. The Identity 
Theft Resource Center \1\ identified that in 2015, through August 18, 
there have been a total of 505 reported data breaches resulting in an 
estimated loss of nearly 140 million records--and that number is 
records known to be compromised. Organizations spend millions of 
dollars on the latest security technologies and infrastructure to 
protect themselves from becoming the next organization in the news. 
However, cybersecurity is more than policies, procedures and 
technologies. It has to be woven into the fabric of how each person, 
whether employee or customer, thinks about security of data. It begins 
with a culture. The best security standards, frameworks, policies or 
procedures aren't able to anticipate every instance they are intended 
to facilitate. Security should be a part of the fabric of every 
decision an employee makes in the course of everyday business. Too 
often organizations sacrifice sound security practices in the name of 
customer service or process efficiency. The extra step it may take to 
clearly verify a customer or gain that extra piece of information to 
validate the legitimacy of the person on the other end of the phone, e-
mail, or transaction is overlooked because we are conditioned to 
provide exceptional customer service or we strive to be more efficient. 
Simply put, security has taken a back seat and that has to change. That 
change starts with organizational culture, and to be successful, a 
culture of IT security has to be in sync with the organizational 
mission as a whole.
    I'd like to highlight four areas that need attention in order to 
combat cybersecurity challenges: a culture of security, the lack of 
skilled resources, a common framework, and threat intelligence.
Culture Shift
    After September 11, 2001 and the tragic events of that day, the way 
our society viewed air travel changed dramatically. Restrictions on 
carry-on contents and long airport security lines are just a few 
restrictive, and to many degrees, necessary, changes to air travel. On 
a flight in the months following that fateful day, a passenger near the 
rear of an aircraft proceeded to the front and nervously informed the 
flight attendant that he didn't feel safe because there was someone in 
a seat near him using a set of nail clippers. In short, our entire 
culture changed overnight as it relates to air travel. Conversely, in 
light of the many recent data breaches and identified hacks of 
government, civilian, and private organizational computer systems, 
resulting in the loss of millions of data records, our society hasn't 
had the same necessary cultural shift. We are still nonchalant with our 
sensitive data, whether it be credit cards for card-not-present 
transactions, participating in a drawing by filling out an entry form 
with personally identifiable information, or by disclosing health 
records/information as part of a survey. Given the number of breaches 
that occur every day because someone clicked on the proverbial phishing 
link in an e-mail scam, data is being compromised, identities are being 
stolen, millions of dollars are being lost, and still we have yet to 
experience the cultural shock and shift to better security practices.
    The first ``hacker'' to be charged and convicted of his crimes was 
Kevin Mitnick. He was able to effectively contact the companies to 
which he eventually gained access and simply ask for the access and it 
was granted. The crime was considered ``fraudulent intent'' and not the 
act of gaining access itself. This is still one of the leading threats 
to the security of organizations today and gets identified publically 
as an ``insider threat.'' We lose site of the fact that most of the 
``insider'' acts are unknown and unintentional, thus demonstrating the 
need for an enhanced security culture.
    Verizon's 2015 Data Breach Investigations Report \2\ indicates that 
over 99 percent of all data breaches were successful exploits of 
vulnerabilities where the CVE (Common Vulnerability and Exposure)--or 
preventative fix--was over one year old. Nearly all data breaches occur 
because a fix to an exploitable vulnerability was not applied. This is 
particularly true with smaller organizations that continue to be 
targeted as attackers take advantage of frequently non-existent 
vulnerability and patch management programs, exploiting weaknesses in 
edge devices, web-based applications, payment card or point of sale 
systems.
    Smaller organizations face include the lack of technical 
feasibility to immediately apply a software patch that fixes a 
vulnerability because frequently, a security patch will negatively 
impact the functionality of a piece of software running on the device 
being patched. While vulnerability and patch management programs are an 
integral control in cybersecurity, the clients I serve span the 
spectrum, from mature, highly integrated cybersecurity controls to non-
existent controls where management has turned a blind eye in the 
interest of cost containment. The absence of a mature security culture 
and lack of cyber threat awareness emphasizes the need for further 
education at the highest organizational levels. The maturation of a 
security culture in the marketplace should start at the top in the 
boardrooms and continue with executive management driving it throughout 
their organizations.
    Further educating the citizenry is also critical. Efforts like 
STOP.THINK.
CONNECT by the National Cyber Security Alliance and the Department of 
Homeland Security highlight the importance of taking security 
precautions and understanding the consequences of actions and behaviors 
in order to enjoy the benefits of the Internet. I believe more visible 
efforts are necessary in order to educate a vast majority of people who 
simply take for granted the security of their personal and protected 
information.
Skills Gap
    A recent survey by the SANS Institute \3\ showed that 66 percent of 
respondents cited skills shortage as an impediment to effective 
incident response and overall cybersecurity. Many security 
professionals maintain a general technical security skillset tasked 
with implementing reasonable practices and procedures driven by 
compliance, however the rise in advanced threats and malware 
demonstrate the need for a more sophistically trained professional. 
This shortfall is reflected in my own daily experiences, whether it is 
with our clients or our firm, we are continually looking for personnel 
with the proper technical security skillset. The law of supply and 
demand has driven up the cost of these resources and many organizations 
simply cannot afford them, if they are even available. Many of the 
clients with which I work have opted to outsource many of these 
security functions given the limited availability of these skillsets. 
Heretofore, many security professionals contain a general technical 
security skillset tasked with implementing reasonable practices and 
procedures driven by compliance, however the rise in advanced threats 
and malware demonstrate the need for a more sophistically trained 
professional.
    According to a poll conducted by Information Systems Audit and 
Control Association (ISACA) and the RSA Conference, and published in 
the ``State of Cybersecurity: Implications for 2015'' study, more than 
half of the global cybersecurity professionals polled reported that 
fewer than 25 percent of cybersecurity applicants are qualified to 
perform the skills needed for the job.\4\
    I commend institutions like Dakota State University (DSU), and the 
initiation and evolution of their cybersecurity program. I believe we 
should encourage more institutions to deliver programs to train the 
security talent needed to adequately confront the cybersecurity 
challenge. We are only as strong as our weakest link and often the 
human component is that link. I believe there is also a need for more 
offensive security through hands-on penetration testing skillsets, 
requiring those to successfully attack and penetrate various live 
machines in a safe lab environment. In my opinion, we should be 
recruiting, educating, and training an army for this new frontier and 
the program here at DSU is one of many that should be filling that need 
in order to protect against an unseen attacker that can reside almost 
anywhere in the world, as long as there is an Internet connection.
    In the absence of personnel, organizations can invest in a strong 
security infrastructure using often expensive hardware and software 
solutions. The gap, however, resides with the manpower to effectively 
implement, monitor and maintain such an infrastructure. There are a 
myriad of security-specific certifications available in the 
marketplace, many focus on security generalities and others are 
platform-specific. I believe there is also a need for more offensive 
security hands-on penetration testing skillsets, requiring those to 
successfully attack and penetrate various live machines in a safe lab 
environment. In my opinion, we should be recruiting, educating, and 
training an army for this new frontier and the program here at DSU is 
one of many that should be filling that need in order to protect 
against an unseen attacker that can reside almost anywhere in the 
world, as long as there is an Internet connection.
Frameworks = Roadmap
    Industries often create or rely upon a standard for securing data, 
whether it be critical internal data, customer/patient information, 
intellectual property, trade secrets, financial data, and more. When we 
work with healthcare organizations, the Health Insurance Portability 
and Accountability Act (HIPAA) and Health Information Technology for 
Economic and Clinical Health Act (HITECH) are utilized as standards for 
ultimately securing patient health records. Financial institutions rely 
upon Federal Financial Institutions Examination Council (FFIEC) and 
Gramm-Leach-Bliley Act (GLBA) guidelines for securing customer 
information. Federal Government agencies and contractors thereto rely 
to varying degrees on the NIST Special Publication 800-53--Recommended 
Security Controls for Federal Information Systems. Cloud computing 
companies providing services to the Federal Government must comply with 
Federal Risk and Authorization Management Program (FedRAMP), and many 
Federal agencies and contractors must comply with Federal Information 
Systems Management Act (FISMA), both of which are based on NIST SP 800-
53. Retailers and organizations processing, storing or transmitting 
credit/debit card data utilize the Payment Card Industry (PCI) Data 
Security Standard (DSS). Some third party service providers will 
utilize the American Institution of Certified Public Accountants' 
(AICPA) Trust Services Principles for security, availability, 
processing integrity, confidentiality and privacy of data. Still others 
build information risk and security controls on an ISO 27000 or 31000 
framework; or the Council on Cyber Security's 20 Critical Security 
Controls. These frameworks come in many shapes and sizes, ultimately 
with the same goal--protection and security of information. Yet it is 
very common for us to discuss NIST frameworks with IT staff, many with 
over 10 years experience, who are not familiar with those frameworks, 
what they provide, or how to use them.
    There are a number of private and non-profit organizations that 
provide guidance on securing data. One such organization, HITRUST, is a 
collaboration of healthcare, business, technology and information 
security leaders. HITRUST has established the Common Security Framework 
(CSF), which is a framework that can be used by organizations, 
healthcare in particular, to secure personal health and financial 
information. The CSF is an information security framework that 
harmonizes the requirements of existing standards and regulations, 
including Federal (HIPAA, HITECH), third party (PCI, COBIT) and 
government (NIST, FTC).\5\ In the same light, the Cloud Security 
Alliance (CSA) is an organization ``dedicated to defining and raising 
awareness of best practices to help ensure a secure cloud computing 
environment. CSA harnesses the subject matter expertise of industry 
practitioners, associations, governments, and its corporate and 
individual members to offer cloud security-specific research, 
education, certification, events and products.'' \6\ Other 
organizations, like the Multi-State Information Sharing Analysis 
Center,\7\ the U.S. Chamber of Commerce,\8\ and the Federal Trade 
Commission,\9\ offer guides for assisting organizations with 
establishing a security environment designed to secure data. Many 
organizations have limited resources and others struggle with 
understanding their specific requirements and a direction for building 
a secure environment for protecting themselves, and ultimately their 
data, from cyber attacks. Most depend on their particular industry or 
their own customer requirements for guidance.
    For organizations who are absent a regulated framework, the Council 
on Cyber Security's 20 Critical Security Controls are, in my opinion, 
an effective set of items that can be used across industries to build a 
control structure to combat against cyber threats. Consisting of the 
following, they provide organizations a much needed roadmap.

   Inventory of Authorized & Unauthorized Devices

   Inventory of Authorized & Unauthorized Software

   Secure Configurations for Hardware and Software on Mobile 
        Devices, Laptops, Workstations, and Servers

   Continuous Vulnerability Assessment & Remediation

   Malware Defenses

   Application Software Security

   Wireless Access Control

   Data Recovery Capability

   Security Skills Assessment & Appropriate Training to Fill 
        Gaps

   Secure Configurations for Network Devices such as Firewalls, 
        Routers, and Switches

   Limitation and Control of Network Ports, Protocols and 
        Services

   Controlled Use of Administration Privileges

   Boundary Defense

   Maintenance, Monitoring & Analysis of Audit Logs

   Controlled Access Based on the Need to Know

   Account Monitoring & Control

   Data Protection

   Incident Response and Management

   Secure Network Engineering

   Penetration Tests and Red Team Exercises

    The key to effective implementation of these controls is the growth 
and development of a set of skilled resources in the marketplace.
    I commend NIST, the Council on Cyber Security, HITRUST, FS-ISAC, 
and many other organizations, for creating security standards and 
guidelines for organizations to follow in order to protect themselves. 
I believe continued dialogue between industry groups and the 
legislative branch will help stress the importance of cybersecurity 
initiatives and further the understanding of security expectations in 
the marketplace.
Threat Intelligence
    With cyber threats on the rise, I believe in the collaboration of 
public and private resources to share information about the attacks 
that are on the horizon. Cybersecurity by its nature is more reactive 
than proactive. Perpetrators are able to advance their tactics more 
rapidly than the defensive infrastructure. The ``Deep Net'' contains a 
number of forums offering free attack tools available to anyone with 
the goal of initiating any number of attack scenarios. An attacker can 
launch an attack at any time toward any target and the use of botnets 
make tracing the attack extremely difficult. The commercialization of 
malware tools also allows the hacking community to remain a step ahead. 
However, the more a specific type of attack occurs, the better the 
chance of recognizing it by collaboratively sharing threat 
intelligence. Network defense and incident response require a strong 
element of intelligence and counterintelligence that security teams 
must understand and leverage to successfully defend their cyber 
infrastructure, once again highlighting the need for an increase in 
technically qualified professionals.
    The Department of Homeland Security is responsible for protecting 
our Nation's critical infrastructure from cyber threats and, according 
to its mission, information sharing is critical to create shared 
awareness of malicious cyber activity. The National Cybersecurity and 
Communications Integration Center (NCCIC) is a 24x7 cyber situational 
awareness, incident response, and management center for the Federal 
Government, intelligence community, and law enforcement. The Center 
shares information among the public and private sectors to provide 
greater understanding of cybersecurity and communications situation 
awareness of vulnerabilities, intrusions, incidents, mitigation, and 
recovery actions.
    The Cyber Threat Intelligence Integration Center provides 
integrated all-source intelligence analysis related to foreign cyber 
threats and cyber incidents affecting U.S. national interests; support 
the U.S. government centers responsible for cybersecurity and network 
defense; and facilitate and support efforts by the government to 
counter foreign cyber threats.
    Public-private partnerships like National Cybersecurity Alliance, 
HITRUST, FS-ISAC and others provide industry-specific resources for 
cyber and physical threat intelligence analysis and sharing. Forums 
like BlackHat and Defcon also provide valuable insight into emerging 
threats and how to combat them. I encourage the continued evolution of 
the sharing of threat intelligence between the public and private 
sectors.
Legislation
    For the record, I do not believe additional regulation is 
necessary. Government has taken notice of the cybersecurity as 
challenges evidenced by the volume of recent legislation impacting 
cybersecurity. Recent legislation includes:

        P.L. 113-274, Cybersecurity Enhancement Act of 2014

        P.L. 113-282, National Cybersecurity Protection Act of 2014,

        P.L. 113-246, Cybersecurity Workforce Assessment Act

        H.R. 104, Cyber Privacy Fortification Act of 2015

        H.R. 234, Cyber Intelligence Sharing and Protection Act

        H.R. 555, Federal Exchange Data Breach Notification Act of 2015

        H.R. 580, Data Accountability and Trust Act

        H.R. 1053, Commercial Privacy Bill of Rights Act of 2015

        H.R. 1560, Protecting Cyber Networks Act

        H.R. 1704, Personal Data Notification and Protection Act of 
        2015

        H.R. 1731, National Cybersecurity Protection Advancement Act of 
        2015

        H.R. 1770, Data Security and Breach Notification Act of 2015

        H.R. 2205, Data Security Act of 2015

        S. 135, Secure Data Act of 2015

        S. 177, Data Security and Breach Notification Act of 2015

        S. 456, Cyberthreat Sharing Act of 2015

        S. 547, Commercial Privacy Bill of Rights Act of 2015

        S. 754, Cybersecurity Information Sharing Act of 2015

        S. 961, Data Security Act of 2015

        S. 1027, Data Breach Notification and Punishing Cyber Criminals 
        Act of 2015

        S. 1158, Consumer Privacy Protection Act of 2015

    Bills like H.R. 1770 cite requirements for information security as 
follows: ``A covered entity shall implement and maintain reasonable 
security measures and practices to protect and secure personal 
information in electronic form against unauthorized access as 
appropriate for the size and complexity of such covered entity and the 
nature and scope of its activities.'' Given the number of security 
frameworks available, as cited previously, it is apparent that guidance 
for ``reasonable security measures'' has been established. I believe 
other economic incentives will generate additional results. Evidence 
suggests that contractual implications are driving adherence to 
standards. Many organizations are being asked to demonstrate the 
effectiveness of their security controls as part of initiating a 
contract with a customer. Other economic incentives for the 
demonstration of ``meaningful use'' of a cybersecurity framework could 
prove valuable.
    In addition to legislation, litigation is also a factor driving the 
necessity for more attention to cybersecurity controls. On August 24, a 
Third Circuit U.S. Court of Appeals panel of judges upheld the FTC's 
authority to play a key role in regulating cybersecurity relative to 
consumer data protection against breaches and allowed the FTC to 
proceed with a lawsuit against a large hotel chain citing ``unfair 
business practice provisions'' when it took inadequate security 
measures to protect consumer data after a breach that exposed over 
600,000 payment cards. Litigation like this and a recent Neiman Marcus 
case, where 7th Circuit Court of Appeals reinstated a lawsuit against 
them over a 2013 data breach in which hackers stole credit card 
information from as many as 350,000 customers, could open a virtual 
Pandora's Box and pave the way for an unending line of class-action 
lawsuits that could change the economic landscape.
Conclusion
    Thank you again for the opportunity to appear before you today to 
discuss our efforts to confront the challenges of cybersecurity. In 
conclusion, I highlight four areas that I believe need increased 
attention in order to combat cybersecurity challenges: a culture of 
security, the lack of skilled resources, a common framework, threat 
intelligence and the education, implementation and collaboration 
thereof.
Foster the Change to a Security Culture
    I believe our society needs to experience a cultural shift in the 
attitude of security consciousness. Organizationally, culture is driven 
from the top of the organization, in boardrooms, C-suites, and 
executive management. Public/private sector collaboration should focus 
on education of businesses and consumers to increase awareness of 
evolving cyber threats and practices necessary to combat them. There 
are numerous examples of this effort, one of which is 
STOP.THINK.CONNECT by the National Cyber Security Alliance and the 
Department of Homeland Security. Regulated industries like healthcare, 
government and financial services have provided consumer education as 
part of mandated efforts.
Emphasis on Increasing Security Personnel
    I believe we should invest further in developing programs for 
educating and training a section of the workforce to adequately address 
the ever-changing cyber threat landscape. We necessarily invest 
hundreds of billions of dollars in a military to protect our country 
and we need to be equipping and training a new ``soldier'' to protect 
both public and private entities in this evolving frontier. Programs 
like those at Dakota State University are leading the way.
Encourage Implementation of a Framework
    I believe in the continued evolution of various frameworks, across 
industries, working to incorporate critical controls that are relevant 
to combat cybersecurity threats and encourage the implementation of the 
relative frameworks with the goal of reaching every organizations that 
handles a consumer's sensitive data.
Threat Intelligence Collaboration
    I believe that collaborated information sharing between government 
agencies and the private sector is essential to confronting the 
challenges of cybersecurity. I encourage expanded private sector access 
to threat and intelligence from Federal intelligence and law 
enforcement agencies. The goal should be to provide organizations, 
including their third party vendors with information on threats, 
vulnerabilities, and exploits. The public sector should continue to 
coordinate information sharing efforts with industry organizations and 
others, like National Cybersecurity Alliance, HITRUST, FS-ISAC, and 
others.
    Thank you again for this opportunity to present this testimony and 
I look forward to your questions.
Notes
    1--``Data Breach Reports.'' Identity Theft Resource Center (n.d.): 
n. pag. 25 Aug. 2015. Web. 28 Aug. 2015. .
    2--``2015 Data Breach Investigations Report (DBIR).'' Verizon 
Enterprise Solutions. Verizon, n.d. Web. 28 Aug. 2015. .
    3--Torres, Alissa. ``Maturing and Specializing: Incident Response 
Capabilities Needed.'' (August 2015): n. pag. Https://www.sans.org/. 
SANS Institute. Web. 28 Aug. 2015. .
    4--Richards, Kathleen. ``Cybersecurity Skills Shortage Demands New 
Workforce Strategies.'' SearchSecurity. N.p., Aug. 2015. Web. 28 Aug. 
2015. .
    5--``About Us--HITRUST.'' Hitrust About Us Comments. N.p., 23 Jan. 
2014. Web. 28 Aug. 2015. .
    6--About: Cloud Security Alliance. N.p., n.d. Web. 28 Aug. 2015. 
.
    7--Cyber Security: Getting Started: A Non Technical Guide. Ely, 
Cambridgeshire, United Kingdom: It Governance, 2013. Multi-State 
Information Sharing & Analysis Center. Web. 28 Aug. 2015. .
    8--``Internet Security Essentials for Business 2.0.'' (2012): n. 
pag. U.S. Chamber of Commerce. Web. 28 Aug. 2015. .
    9--Start with Security: A Guide for Business (June 2015): n. pag. 
Federal Trade Commission. Web. 28 Aug. 2015. .

    The Chairman. Thank you, Mr. Pulse.
    We turn now to Dr. Kevin Streff.

        STATEMENT OF DR. KEVIN F. STREFF, DAKOTA STATE 
UNIVERSITY, FACULTY AND DEPARTMENT CHAIR--CYBER OPERATIONS AND 
SECURITY; FACULTY, UNIVERSITY OF WISCONSIN, GRADUATE SCHOOL OF 
     BANKING; FOUNDER AND MANAGING PARTNER, SECURE BANKING 
 SOLUTIONS, LLC; AND FOUNDER MANAGING PARTNER, HELIX SECURITY, 
                              LLC

    Dr. Streff. Chairman Thune and Ranking Member Nelson, 
members of the Senate Committee on Commerce, Science, and 
Transportation, I am very pleased to be here before you today 
on behalf of Dakota State University to share our views on the 
current state of cybersecurity readiness. DSU thanks you 
personally for your leadership on this issue.
    There are 321 million Americans. It has been reported that 
over 850 million data records have been breached over the last 
10 years. Cyber attacks occur daily on our networks, carrying 
out electronic crimes and disrupting our nation's digital 
infrastructure that Americans depend upon. Technology is simply 
advancing faster than our ability to secure it.
    Further, two trends are making cybersecurity even more 
challenging over the coming decade. You mentioned one, the 
Internet of Things. The Internet of Things is an environment 
where everything is Internet-enabled--objects, animals, people, 
cars, dogs, refrigerators. In the 45 years of the Internet, it 
boasts 10 billion connections, and, as you mentioned, in the 
next 5 years, that is growing to 50 billion connections.
    Couple that with the second trend, digital currency, which 
nobody has talked about here today. Bitcoin and other digital 
currencies are radically changing the face of money exchange. 
It is a new way of exchanging value. Coupled with the Internet 
of Things, this seems like the perfect storm for cyber 
criminals to wreak havoc on our electric systems like we have 
never seen before.
    Some additional areas of concern: America's national 
cybersecurity strategy was last updated in 2003. Small 
businesses and medium businesses often lack the resources and 
knowledge to deal with cyber threats. Mark mentioned a twist-
tie company attacked out of Brazil.
    Data-breach notification is inconsistent in 48 states, and 
I know that Congress is taking that issue up, hopefully.
    Cybersecurity risk management practices are insufficient. 
This leads to a lack of metrics and a lack of measurement in 
the space. And that is what Eric was getting to with his 
testimony.
    The lack of security awareness may be our number-one issue. 
Clicking on things, opening things, sharing things, installing 
things--these are major training issues that have to get 
addressed.
    And, finally, as everybody is talking about, there is a 
national shortage of security experts. Symantec, the world's 
largest software security vendor, recently reported that the 
demand for a cybersecurity workforce is expected to rise by 6 
million professionals globally by 2019, leaving us with a 
projected shortfall of 1.5 million cybersecurity professionals. 
According to CIO Magazine, cybersecurity professionals today 
report an average salary of $116,000.
    SBS people, don't pay any attention to that.
    [Laughter.]
    Dr. Streff. Items for the Committee and yourself to 
consider, Chairman: We would encourage you to pass the 
Cybersecurity Information Sharing Act of 2015 and to take up 
that Federal data-breach notification law.
    Second, we would like to see you work to update and 
maintain the national cybersecurity strategy that has goals, 
objectives, funding sources. And might we suggest that, while 
there are 20 infrastructures that are identified as critical 
infrastructures, might we look at power and telecommunications 
as two infrastructures that are even more critical than others, 
that banking, health care, and everything depends upon.
    Third, improving grant opportunities and funding for 
research in cybersecurity, with an emphasis on risk management 
practices, metrics and measurements, and security awareness 
solutions.
    And, finally, expanding our cybersecurity workforce and 
improving cybersecurity training, building upon the NSA/DHS 
Centers of Excellence program with more scholarships, financial 
support, to make this an even more attractive field so that 
cybersecurity becomes a career choice and we can address that 
million-jobs job shortage.
    In conclusion, the risk to our Nation is clear that a cyber 
terrorist thousands of miles away can hold a citizen, country, 
or organization hostage with binary attacks. We need a 
cybersecurity strategy that focuses our resources, promotes 
awareness, training, and education for business leaders and 
consumers, promotes information-sharing and customer 
notification, and builds that cybersecurity workforce of 
tomorrow.
    To Chairman Thune and the Committee, thank you for the 
opportunity to participate in this important and timely 
hearing. DSU looks forward to working with all stakeholders to 
improve the security of the electronic infrastructure all 
businesses in America use.
    [The prepared statement of Dr. Streff follows:]

  Prepared Statement of Dr. Kevin F. Streff, Dakota State University, 
     Faculty and Department Chair--Cyber Operations and Security; 
 Faculty--University of Wisconsin, Graduate School of Banking; Founder 
   and Managing Partner--Secure Banking Solutions, LLC; Founder and 
                 Managing Partner--HELIX Security, LLC
Witness Statement
    Kevin Streff, Ph.D. is an Associate Professor and Department Chair 
at Dakota State University in Madison, SD and conducts cybersecurity 
education and research in the financial services sector, with a 
particular focus on understanding the security issues of small and 
medium-sized financial institutions. Dr. Streff works with the banking 
associations all across the United States to understand rural banking 
vulnerabilities and solutions to mitigate. Dr. Streff has over 25 years 
of experience working in insurance, banking and credit operations.
    Professor Streff teaches managerial elements of information 
security, including risk management, security policy, information 
security management systems, disaster recovery, business continuity 
planning, auditing, and incident response planning. Dr. Streff has 
numerous publications in peer-reviewed journals such Journal of 
Information Warfare, Journal of Computer Information Systems, Journal 
of Autonomic and Trusted Computing Journal of Computing Sciences in 
Colleges, and Issues in Information Systems. He is the recipient of 
over $7.5 million in grants and contracts over the past ten years. Dr. 
Streff serves on several conference program committees, including 
International Conference on Information Warfare, and Cybersecurity, 
Network, Database and Software Security. Dr. Streff was session chair 
at several prestigious systems science conferences over the past 
several years, including organizing and chairing a mini-track on 
Information on Information Assurance and Computer Security at the 
International Conference on Information Warfare. Dr. Streff was a 
keynote speaker at several national security conferences, presented 
over two hundred times at state, regional and national banking 
conferences, and published in both America's Banker and Community 
Banker. He has been featured on ABC News, Forbes Magazine and National 
Public Radio.
    Dr. Streff is Founder of Dakota State's security program, and 
currently serves as Department Chair for the Cyber Operations and 
Security department, which has been recognized by The Department of 
Homeland Security and The National Security Agency as a Center of 
Excellence in Information Security Education, Research and Cyber 
Operations. He is also Founder and Past-President of InfraGard South 
Dakota, an FBI outreach program to promote the protection of critical 
infrastructure in SD, ND and MN. He is also Founder and Past-President 
of Secure Banking Solutions, an information security consulting firm 
focused on improving information security in community banks and cred 
it unions in the U.S. SBS assists over 900 small and medium-sized 
financial institutions in 48 states with their information security and 
compliance needs. Dr. Streff is on faculty at the Graduate School of 
Banking at the University of Wisconsin where he helped develop the 
recently launched Bank Technology Management School and Bank Security 
School.
Introduction
    Chairman Thune, Ranking Member Nelson and Members of the Senate 
Committee on Commerce, Science, and Transportation, I am pleased to 
appear before you today on behalf of Dakota State University to share 
our views on the current state of data/cybersecurity. These comments 
will be made address our countries readiness to identify and thwart 
attacks on businesses and our Nation's critical electronic 
infrastructure. Particular emphasis will be placed upon small business 
security and the cybersecurity readiness level of the banking sector.
    My name is Dr. Kevin Streff and I am Department Chair of the Cyber 
Operations and Security Program at Dakota State University which has 
been recognized by The Department of Homeland Security and The National 
Security Agency as a Center of Excellence in Information Security 
Education, Research and Cyber Operations. Along with Dr. Pauli, I am 
here today representing one of the top cybersecurity programs in the 
Nation. We appreciate the invitation to appear before the committee on 
this important issue, and thank the committee for their leadership and 
foresight in dealing with these issues before a crisis state.
Background
    Systematic and repeated cyberattacks occur daily against our 
defense, government, academic, and industry networks looking to carry 
out a variety of electronic crime and disruption of our Nation's 
digital infrastructure. In 1998, Presidential Decision Directive 63 
identified 18 critical infrastructures, which America depends upon 
daily. Are we prepared to handle a digital attack against our cyber 
infrastructure? 4.5 million small and medium-sized businesses are also 
under heavy attack and constitute substantial risk of loss to our 
economy. In fact, most small and medium-sized business lack the 
requisite skills and resources to combat these cyber threats.
    In this testimony, we will review the current legal and regulatory 
environment in which financial institutions and small and medium-sized 
businesses must operate (SECTION I), communicate technology trends to 
consider (SECTION II), discuss security and privacy experiences in the 
financial services sector that have impacted small and medium-sized 
financial institutions (SECTION III), and discuss cybersecurity 
concerns and recommendations for the President and Commerce Committee 
to consider (SECTION IV).
Section I. Overview of Current Data Protection Laws, Regulation, and 
        Policy 
        Statements in Financial Services
A. 1970--Bank Secrecy Act

    In 1970, Congress passed the Bank Secrecy Act (BSA). BSA requires 
U.S. financial institutions to assist U.S. government agencies to 
detect and prevent money laundering. The act specifically requires 
financial institutions to keep records of cash purchases of negotiable 
instruments, file reports of cash transactions exceedingly daily 
aggregate amount of $10,000, and to report suspicious activity that 
might signify money laundering, tax evasion, or other criminal 
activities. Several anti-money laundering acts, including provisions in 
title III of the USA PATRIOT Act, have been enacted up to the present 
to amend the BSA. (See 31USC 5311-5330 and 31 CFR Chapter X (formerly 
31CFR Part 103). The documents filed by financial institutions under 
BSA are used by law enforcement agencies, both domestic and 
international to identify, detect and deter money laundering whether it 
is in furtherance of a criminal enterprise, terrorism, tax evasion or 
other unlawful activity.
B. 1999--Financial Industries Modernization Act of 1999 (Gramm-Leach-
        Bliley)

    The Gramm-Leach-Bliley Act (GLBA) 15 U.S.C. Sec. Sec. 6801-6810 
(disclosure of personal financial information), 15 U.S.C. 
Sec. Sec. 6821-6827 (fraudulent access) repealed the GlassSteagall Act 
of 1932, and is part of broader legislation which removes barriers to 
banks engaging in a wider scope of financial services. GLBA applies to 
financial institutions use and disclosure of non-public financial 
information about consumers. Section 501(b) requires administrative, 
technical, and physical safeguards to protect covered non-public 
personal information. Federal banking agencies have published 
Interagency Guidelines Establishing Standards for Information Security 
for financial institutions subject to their jurisdiction. 66 Fed. Reg. 
8616 (February 1, 2001) and 69 Fed. Reg. 77610 (December 28, 2004). The 
Guidelines are published by each agency in the Code of Federal 
Regulations, including:

   Federal Deposit Insurance Corporation, 12 C.F.R., Part 364, 
        App. B;

   Office of the Comptroller of the Currency, 12 C.F.R., Part 
        30, App. B;

   Board of Governors of the Federal Reserve System, 12 C.F.R., 
        Part 208, App. D-2 and Part 225, App. F;

   Office of Thrift Supervision, 12 C.F.R., Part 570, App. B; 
        and

   National Credit Union Administration, 12 C.F.R., Part 748

    The Federal Trade Commission has issued a final rule, Standards for 
Safeguarding Customer Information, 16 C.F.R. Part 314, and the 
Securities and Exchange Commission promulgated Regulation S-P: Privacy 
of Consumer Financial Information, 17 C.F.R. Part 248 for financial 
institutions within their respective jurisdictions. These requirements 
mean that all financial institutions must develop, document and 
operationalize a comprehensive information security program. The 
administrative, technical and physical safeguards are sweeping and 
expansively interpreted by Federal and state regulators to include 
everything from the physical security of buildings, data security at 
service providers, to the types of authentication used during online 
banking sessions. Each bank must report annually to the Board of 
Directors on the status of the information security program. The 
Guidelines require a risk assessment designed to: ``identify reasonably 
foreseeable internal and external threats'' to customer information, 
assess the likelihood and potential damage of these threats, and to 
assess the effectiveness of a wide variety of information security 
controls. GLBA is significant because of the extensive requirements and 
regulatory oversight imposed upon the financial industry and carried 
out by Federal and state regulators.
C. 2001--USA PATRIOT Act

    The USA PATRIOT (Patriot Act), enacted by President George W. Bush 
in 2001, reduced restrictions on law enforcement agencies' ability to 
search telephone, e-mail communications, medical, financial, and other 
records; eased restrictions on foreign intelligence gathering within 
the United States; expanded the Secretary of the Treasury's authority 
to regulate financial transactions. Section 314(b) of the USA PATRIOT 
Act permits financial institutions, upon providing notice to the U.S. 
Department of the Treasury, to share information with one another in 
order to identify and report to the Federal Government activities that 
may involve money laundering or terrorist activity. More specifically, 
the BSA authorizes the Treasury to require financial institutions to 
maintain records of personal financial transactions that ``have a high 
degree of usefulness in criminal, tax and regulatory investigations and 
proceedings'' and to report ``suspicious transaction relevant to a 
possible violation of law or regulation.'' Again, because The Patriot 
Act deals with governmental, rather than private, intrusion into 
customer privacy, it is outside the scope of this discussion.
D. 2002--Sarbanes Oxley Act

    The Sarbanes-Oxley Act of 2002 (SOX) was enacted to restore 
confidence in the integrity of the financial reporting process at 
publicly traded companies, influenced by high profile accounting 
scandals at firms such as Enron and WorldCom. However, each publically-
traded financial institution that is affected by the Sarbanes-Oxley Act 
has some level of reliance on automated information systems to process, 
store and transact the data that is the basis of financial reports, and 
SOX requires financial institutions to consider the IT security 
controls that are in place to promote the confidentiality, integrity, 
and accuracy of this data. SOX states that specific attention should be 
given to the controls that act to secure the corporate network, prevent 
unauthorized access to systems and data, and ensure data integrity and 
availability in the case of a disaster or other disruption of service. 
Also, each system that interfaces with critical financial reporting 
data should have validation controls such as edit and limit checks 
built-into further minimize the likelihood of data inaccuracy.
E. 2006--Payment Card Industry Standard

    The Payment Card Industry Security Standards Council is an Industry 
group formed to manage and maintain the Data Security Standard (DSS), 
which was created by the Council to ensure the security of payment card 
information. Sensitive data is involved in card transactions, including 
account number, cardholder name, expiration date, and PIN. The intent 
of the PCI DSS is to ensure that card transactions occurring across 
multiple private and public networks are subject to end-to-end 
transaction security. The payment card industry consists of Card 
Issuers, Card Holders, Merchants, Acquirers, and Card Associations. 
From the collection of card information at a point of sale, 
transmission through the merchant's systems to the acquiring bank's 
systems, then on to the card issuer, the PCI DSS requirements attempt 
to ensure sufficient security safeguards are in place on the card data 
from beginning to the end of a card transaction. Enforcement of the 
security requirements is done by the card associations and through a 
certification process of each association member. The certification 
process is carried out by Qualified Security Assessors (QSA) who audit 
systems and networks to ensure the mandatory controls are in place. 
Certification does not guarantee that an organization will not suffer a 
data breach, as several PCI certified organizations have suffered data 
breach incidents.
F. 2013--Identify Theft Red Flags Rule

    The Identify Theft Red Flags Rule (Red Flags Rule) requires 
financial institutions to implement a written Identity Theft Prevention 
Program that is designed to detect the warning signs of identity theft 
in their daily operations. By identifying red flags in advance, 
financial institutions will be better able to identify suspicious 
patterns that may arise, and take steps to prevent a red flag from 
escalating into identity theft.
    A financial institution Identity Theft Red Flags Program should 
enable the organization to:

  1.  Identify relevant patterns, practices, and specific forms of 
        activity--the ``red flags''--that signal possible identity 
        theft;

  2.  Incorporate business practices to detect red flags;

  3.  Detail appropriate response to any red flags you detect to 
        prevent and mitigate identity theft; and

  4.  Be updated periodically to reflect changes in risk from identity 
        theft.

    Shortly thereafter, regulatory agencies began issuing examination 
procedures to assist financial institutions in implementing the 
Identity Theft Red Flags, Address Discrepancies, and Change of Address 
Regulations, reflecting the requirements of Sections 114 and 315 of the 
Fair and Accurate Credit Transaction s Act of 2003.
G. 2015 Cyber Security Guidance

    The recent focus of the bank examiners has been cybersecurity 
readiness. In fact, in 2013 and 2014, FFIEC conducted a 500 bank study 
to examine the preparedness level of the U.S. banking system and 
documented their findings which included some major shortcomings, 
especially in the risk management, awareness, information sharing and 
leadership domains. They subsequently documented a cybersecurity risk-
based approach which most banks are examining as we speak to determine 
next steps. The study also focused on the Board and management team 
being able to set ``the tone at the top'' as it relates to 
cybersecurity.
H. Miscellaneous Regulatory Guidance

    The Federal Financial Institutions Examination Council (FFIEC) is a 
formal interagency body empowered to prescribe uniform principles, 
standards, and report forms for the Federal examination of financial 
institutions by the Federal financial regulatory agencies.'' As such, 
the FFIEC publishes the ``Information Technology Examination 
Handbook'', which is used by banking regulators in executing 
examinations of information technology and systems of financial 
institutions. The Hand book includes ten (10) booklets, one of which is 
the ``Information Security Booklet'', which provides a baseline against 
which a financial institution subject to GLBA can be evaluated. The 
``Information Security Booklet'' attempts to provide a high level, 
comprehensive overview of the major types of information security 
controls one would necessarily expect to be operating effectively with 
in a financial institution. The types of controls are not limited in 
applicability to just financial institutions, and are derived from the 
same principles underpinning all major in formation security 
frameworks.
I. Third Party Self-Regulation
    Small and medium-sized financial institutions depend heavily on 
hardware and software vendors for nearly all banking products. In 
addition, many of these vendors become service providers offering to 
host and manage their products for the small and medium-sized financial 
institution (SMFI). The service provider industry has experienced 
several significant data breaches affecting the financial services 
industry in the past several years, including Target (40 million data 
records), JP Morgan Chase (71.5 million data records), Office of 
Personnel Management (21.5 million data records), UCLA Health System 
(4.5 million data records), etc. When companies choose to outsource 
data processing to a third party, they typically perform information 
security due diligence on the third party to understand how the data 
will be protected. A very common standard for third party assurance has 
been the SSAE16 standard. BITS, a non-profit organization, has also 
attempted to standardize the assessment of third-party service 
providers by developing the ``BITS Framework for Managing Technology 
Risk for Service Provider Relationships'', which includes two tools to 
help service providers in control selection and implementation. In 
summary, SMFIs operate in an increasingly complex regulatory 
environment, with community banks regulated aggressively and credit 
unions a little less. This regulation is necessary, but causes 
significant financial, resource, and other issues in SMFIs who must 
leverage technology to compete. Increasing regulation is likely as 
additional technologies are deployed and the cybersecurity stakes grow, 
but all increased regulation must be tempered with a SMFI's ability to 
stay in business and meet the needs of their customers. The majorities 
of SMFI's are in rural locations and may be the only local funding 
source for a community.
Section II. Technology Trends
    Technology is advancing faster than SMFIs' ability to respond with 
appropriate mitigating security controls. For example, the use of cell 
phone cameras to take a picture of a check as the basis for making an 
electronic deposit into an account, or P2P payment transactions by cell 
phones create security exposures for which there are inadequate 
controls to prevent fraud. Fortunately, most SMFIs are not first 
adopters of new technology, but rather prefer to wait until the systems 
become more seasoned before embracing newer technologies. Moreover, the 
timeline between introduction, implementation and adoption of new 
technology by consumers continues to shrink. Just ten years ago, data 
processing was the buzz where computers were essentially back-off 
equipment designed to promote efficiency in the financial institution. 
Today, technology is front-line differentiators for banks and 
businesses, with customers demanding to use mobile technologies and 
social media to conduct commerce. The risk profile ten years ago 
included someone breaking into the bank's computer to get customer 
records, while the risk profile today is someone breaking in to cell 
phones, laptops, mobile devices, social media sites, merchants who 
deposit checks via imaging systems, service providers who host critical 
banking applications, websites which validate flood plains or credit 
bureau information, etc. This list goes on and on regarding the 
technologies typical in a SMFI. The next generation of technologies 
will exponentially increase the risk profile because information and 
Infrastructure will be further distributed, and not partitioned off by 
the walls of the bank. With the increase in outsourcing and the 
mounting risks of offshoring, requiring data centers to be located in 
the U.S. seems consistent with the goal of increasing our cybersecurity 
posture. Banks leverage Brinks trucks to secure the delivery of cash to 
their bank. The financial industry needs to devise ``cyber Brinks 
trucks'' to perform the same role in cyberspace.
    Two major trends will likely drive technology and security over the 
coming decade. First, the Internet of Things (IoT) is an environment in 
which objects, animals or people are provided with unique identifiers 
and the ability to transfer data over a network without requiring 
human-to-human or human-to-computer interaction. IoT has evolved from 
the convergence of wireless technologies, micro-electromechanical 
systems and the Internet. By 2020, there will be a quarter billion 
connected vehicles on the road, enabling new in-vehicle services and 
automated driving capabilities, according to Gartner. All cities will 
(eventually) be smart. With more than one-half of the world's 
population living in cities, innovative new IoT solutions, such as 
smart parking, connected waste, and traffic management, hold great 
promise for combatting the major challenges of rapid urbanization. We 
are unlikely to see many smart cities of the future appearing 
overnight. However, like in the past with the adoption of revolutionary 
technologies such as sewers, electricity, traffic lights, and the 
Internet, mayors will slowly implement IoT solutions to save money, 
shape the future and make their cities better places to live. We will 
be trading mobile dollars for IoT pennies. It is no wonder that the 
mobile operators are salivating at the prospect of a windfall of new 
revenue to be earned from connecting the projected 50 billion devices, 
or things, to the Internet (today there are approximately 10 billion 
things connected to the Internet). However, it is not that straight 
forward. While some of the traffic will flow over mobile networks, the 
majority of the connections will be made over wireline or unlicensed 
wireless networks. And, many of the IOT devices require very low 
bandwidth--simply conveying their status on an occasional basis and 
then remaining dormant until this status changes. Mobile operators will 
need to do more than just sell mobile connectivity to inanimate objects 
to reap the full rewards of IoT. It will be about much more than the 
``things''. The currency of IoT will be ``data''. But, this new 
currency only has value if the masses of data can be translated into 
insights and information which can be converted into concrete actions 
that will transform businesses, change people's lives and effect social 
change.
    The second major trend is digital currency. While no digital 
currency will soon dislodge the dollar, bitcoin (and other digital 
currencies) are much more than a currency. It is a radically new, 
decentralized system for managing the way societies exchange value. It 
is, quite simply, one of the most powerful innovations in finance in 
500 years. It's already proven that bitcoin has contributed a lot to 
the world. For example, PayPal recently urged everyone to use digital 
currencies in their transactions and predicted that these currencies 
will be accepted by the majority of the population and establishments 
in the U.S. within 12 months. However, the shadowy fact remains that 
bitcoins and digital currencies have been risky. Frustrations have 
mounted when the price of the Bitcoin came crashing down. Mt. Gox 
closing down, China banning their use, laws provided by states against 
it and more--these all contributed to the gradual decline of bitcoins 
popularity and price value. The number of attacks involving Bitcoin 
mining malware tripled: from 360,065 attacks in 2013 to 1,204,987 in 
2014. But the reality is these digital currencies are in their infancy 
and the issues of today will get solved for mass acceptance and use in 
our economy. Put together with the Internet of Things where 50 billion 
devices will be connected to the Internet by 2020, it is easy to see 
how digital currencies could be deployed as the backbone currency in 
the digital age.
Section III. Data Security and Privacy Issues in the Financial Sector 
        and Small Businesses
    Over 850 million data records have been breached over the past ten 
years:

        857,702,257 Records in our database from 4584 Breaches made 
        public fitting this criteria
        Source: PrivacyRights.Org

    How many of these data records and breaches involved the financial 
sector?

        349,188,179 Records in our database from 608 Breaches made 
        public fitting this criteria
        Source: PrivacyRights.Org

    How many of these data records and breaches involved the retail 
sector?

        257,514,157 Records in our database from 547 Breaches made 
        public fitting this criteria
        Source: PrivacyRights.Org

    Note that these numbers are likely dramatically understated as 
universal notification laws are not in place and punishment for not 
disclosing is often not a deterrent. For example, JP Morgan Chase 
breach is not accounted for on this site. The breach numbers are likely 
a fraction of the actual activity that is occurring. It is also 
interesting to note that healthcare and government (which receive much 
security attention) have fewer breaches that small businesses and/or 
retail. Claims that the PCI standard are sufficient seem to be 
overstated as retail accounts for the highest percentage of data 
records breached in 2014.
    U.S. SMFIs and small and medium-sized entities (SMEs) are important 
as millions of consumers depend upon community banks, credit unions, 
accounting firms, tax-preparation firms, investment offices, insurance 
agencies, and the like. When issues in the financial system exist, 
confidence erodes and consumers are left paralyzed wondering what to 
do. The margin for error in SMEs is relatively small, and one such data 
breach can shut the doors on viable businesses.
    Further, if terrorists would target these vulnerable SMFIs or SMEs, 
they would find a soft underbelly of relatively under-protected 
targets. A plethora of nefarious activities are then possible, 
including stealing and selling customer data, extorting ransoms, 
``owning'' the computer, making these systems unavailable, etc. Stated 
directly, these activities could be enough to put a SME or SMFI out of 
business. The reality is that while it is nearly impossible to 
challenge the importance of SMEs and SMFIs in the U.S., it is equally 
difficult to convince security experts that either are prepared to 
protect their critical systems, important customer information and do 
their part to battle against the war on terror.
    The Federal Government identified banking and finance as a critical 
infrastructure that requires protection, yet most of the attention is 
paid to the large financial institutions. SMFIs and SMEs store and 
transmit much non-public data, with limited resources to fend off a 
well-equipped, well-funded enemy. A recent survey of bank executives 
called out this very fact. When asked what their top technology concern 
was over the next two years, risk management and compliance topped the 
list. A black market drives insiders and hackers to steal information 
because of its value. Nine out of ten data breaches could be easily 
avoided with basic preventative controls consistently applied. SMFIs 
and SMEs have a wealth of nonpublic, sensitive data that cyber thieves 
are targeting with increasing regularity.
    Cyber security is a broad and pervasive issue leading to at least 
two national issues: critical information protection and identify 
theft. Critical information protection is guarding our electronic 
infrastructures as an issue of national security. Incidents are 
classified, but it is well established that China and others are 
interested in technology disruptions that affect the United States' 
ability to conduct commerce. President Obama is on record stating that 
the United States is not prepared for critical infrastructure 
protection (CIP) and despite national budget pressures is created in 
2013 a division within the national government (U.S. Cyber Command) to 
begin focusing on this new national issue.
    Identity theft remains a fast growing crime in America and the 
risks of not protecting such information can be catastrophic to SMEs in 
communities. When identities of good U.S. citizens are stolen by cyber 
criminals, the good citizen can be humiliated, lack good credit, and 
spend significant time and money in an attempt to partially restore 
their good name. Information risk management is the first step in 
resolving the broad and pervasive issues of CIP and Identity Theft. 
Public Law 111-24 was signed by the President establishing a Small 
Business Information Security Task Force to look in to the issue.
    The Ponemon Institute, an independent research firm which conducts 
research on privacy, data protection and cybersecurity, calculates in 
2014 businesses paid an average of $230 per compromised record. 
Consequently, for a small company with 500 compromised customer 
records, this would math to $115,000. Companies may keep inactive 
customers in their database as well, magnifying the number of customers 
impacted and the resources to manage thru a breach. Simply said, a data 
breach can be so costly that it can put a company out of business or 
halt expansion plans. This issue is amplified in America where there is 
very limited information security expertise, offering unprotected 
businesses as easy targets for organized cyber criminals with financial 
motivation.
Electronic Crimes in Commercial Banking with Small and Medium-Sized 
        Financial Institutions
    Organized cyber-gangs are increasingly preying on small and medium-
sized companies in the U.S., setting off a multi-million-dollar online 
crime wave and grave concerns that critical infrastructure government 
and business depends upon each day may become compromised. It appears 
there are three contributing reasons they are growing so fast: (1) Low 
threat of arrest in these ``safe havens'', (2) High payout for the 
crime, and (3) Victim sharing data on these attacks has been minimal. 
The attacks are amazingly simple and the amount of money taken, 
information stolen, or infrastructure compromised is concerning.' SMEs 
do not know how to protect themselves. In some cases where credit card 
theft has occurred, they have had to shut down because they lost the 
ability to process credit cards. Small businesses are being affected 
greatly by poor security practices. It is not a risk issue, but rather 
an issue of survival. Cyber criminals view SMEs as easy targets without 
the resources or knowledge to fend them off or prosecute them if 
caught. Consequently, cyber criminals are turning their attention to 
perceived easy targets in America. Identity thieves can cost SMFIs and 
SMEs their basic ability to stay in business (i.e., financial losses, 
bad publicity of a data breach, significant costs of recovering from a 
data breach, inability to process credit cards, etc.). Even if there 
were no measurable damages to customers, the notification costs alone 
can put the SME out of business. One-third of companies said that a 
significant security breach could put their company out of business. 
Many SMEs are having a difficult time in this economy, and even the 
smallest of distractions can be devastating. SMFIs, too, are struggling 
with increased assessment fees, limited deposits, limited fee-based 
products, and overwhelming compliance expenses, which is spurring 
closures and consolidation in the industry.
    While SMFIs have struggled to keep pace with hackers, the SMEs have 
clearly fallen short. In a study I completed of SMEs, 7 out of 10 SMEs 
lack at least one basic security control, such as a firewall, antivirus 
software, strong passwords, or basic security awareness for staff. Many 
SMEs simply lack the basic security most of us expect on our home PCs. 
As evidence, I provide a statistic. I am founder of Secure Banking 
Solutions, LLC, a security/privacy firm focused on information security 
and compliance for SMFIs. As such, SBS is regularly hired to conduct 
penetration tests on SMFIs where SBS security personnel run (after 
authorization) hacking tools to see if they can break into the bank's 
network and systems. SBS is effective in 24 percent of SMFIs (meaning 
that SBS personnel were able to gain access to Information and systems 
they were not authorized for). To contrast, SBS is effective in 100 
percent of SME penetration tests. The question is ``why?'' and the 
answer is simple: SMFIs are regulated to a certain level of security 
that is far superior to a SME. Most anyone can download hacking tools 
from the Internet, point them at a SME, and gain unauthorized access, 
zombie the machine, steal data, or disrupt the environment.
    Traditionally, most SMEs have viewed security as a problem faced 
solely by large organizations, government agencies, or online intensive 
operations as large organizations possess large, prolific information 
targets and are generally more regulated than SMEs. However, cyber 
criminals are finding easy targets in SMEs that have limited security. 
The financial gain for cyber thieves targeting SMEs is obviously less 
than that of large organizations, but they can be hacked in 
significantly less time with little to no effort. Tools to conduct 
these attacks on SMEs are freely downloadable from the Internet.
    The FBI previously issued an alert to all SMFIs and SMEs of this 
issue. These attacks are working because of a lack of security controls 
at the SME whereby fraudulent transactions are directly taken out of 
commercial customer's bank accounts. The current generation of banking 
products work because of technology, including remote deposit capture, 
Internet banking, mobile Banking, item imaging, and on-line account 
origination. However, USA Today quoted Amrit Williams, a chief 
technology officer, ``Any organization that cannot survive a sudden 
five-or six-figure loss should consider shunning Internet banking 
altogether.'' Banking security analyst at Gartner, Avivah Litan, tells 
acquaintances that run small businesses to switch from commercial 
online accounts to an individual consumer account to take advantage of 
consumer-protection laws under Regulation E. Regulation E protection 
does not exist for corporate accounts; consequently, SMEs have no legal 
protection if commercial account fraud occurs. Unlike individual 
accounts that protect individual consumers to a maximum exposure of $50 
if fraud occurs, corporate accounts have no such protection. The SME 
can sue or go to the media, but these approaches likely do not get the 
money back and drains even more resources from SME, which are typically 
resource challenged.
    New fees levied by financial institutions on paper-based banking 
products are likely to push more small businesses in to banking online, 
whether or not they are aware of and prepared for the types of 
sophisticated cyber-attacks that have cost organizations tens of 
millions of dollars in recent months. Gartner analysts say banks should 
not be pushing more businesses into online banking without adequately 
informing them of the risks. The reality is that the perfect small-
business storm is occurring: heaving attacks are already beginning and 
significantly more technology will be deployed by SMFIs over the next 
five years, creating a fertile cyber ground for terrorists to create 
problems.
    The latest Business Banking Trust Study provides insights from the 
SME perspective on the pervasiveness of fraud, the state of security at 
banks and businesses, and the impact fraud has on businesses' 
relationships with their banks. The study found:

   74 percent of businesses surveyed experienced online fraud;

   52 percent of businesses reported experiencing payments 
        fraud or attempted payments fraud in the last 12 months;

   In 72 percent of fraud cases, banks failed to catch fraud 
        involving the illegal transfer of funds or other nefarious 
        practices such as information identity theft; and

   70 percent of SMEs have diminished confidence in their FI or 
        take their banking business elsewhere.

    More than nine out of ten small business owners in the study cited 
cybersecurity as a concern. This is not an unfounded fear: Half of them 
report they've already suffered a cyber-attack, with 61 percent of 
those attacks taking place in the last 12 months. The National Cyber 
Security Alliance conducted the National Small Business Security Study 
with Visa Inc. to analyze small business' cybersecurity practices and 
attitudes. Results include:

   94 percent of small business owners report being very or 
        somewhat concerned about cybersecurity; and

   Nearly half of businesses surveyed report they already have 
        been a victim of a cyber-attack.

    In summary, there is little doubt that the financial services 
sector is under attack for identity theft and infrastructure corruption 
motives. There is also little double that the small and medium-sized 
businesses and financial institutions are coming in the cross-hairs of 
cyber criminals. The number and significance of data breaches and 
attacks is significant, and only a comprehensive approach that looks at 
all infrastructure holistically (from government, academia, and 
industry) can ward off these terrorists.
Section IV. Observations and Recommendations
    This section outlines several observations and summarizes 
recommendations to address cybersecurity as a nation, and in both banks 
and small businesses alike.
Concerns

   1.  Lack of a National Cyber Security Strategy--The lack of a 
        comprehensive, bilaterally supported national security strategy 
        is problematic at best. When the President and Congress is on 
        record time and time again declaring the imminent danger the 
        Internet represents, then shouldn't it follow that resources 
        area aligned to this grave danger? The current administration 
        seems to understand the magnitude of the issue but has been 
        remiss to draft a comprehensive strategy to lead our digital 
        infrastructure into a more secure future.

   2.  Internet of Things and Digital Currencies will Accelerate 
        Internet Traffic and Growth--It is fair to say that we cannot 
        manage the Internet environment of today with 10 billion 
        connections and an architecture that doesn't scale well. It 
        took nearly 45 years to get to these 10 billion connection; 
        yet, by the end of 2020 the Internet will include 50 billion 
        connection. Add to this the use of digital monies (i.e., 
        bitcoin) to settle the transactions and this seems like a 
        perfect storm where cyber criminals will wreak havoc on our 
        electronic systems like we have never seen before. Refer to 
        Appendix A and B for Internet and Internet of Things growth 
        statistics.

   3.  Cyber War (or Cyber in War) is Imminent--The power grid 
        represents tremendous risk to American citizens as aggressive 
        nation states continue to ready to attack our SCADA 
        infrastructures. While it is foreseeable that a multi-variant 
        attack coordinated across sector to simultaneously interfere 
        with power, telecommunications, oil/gas and banking 
        infrastructure is plausible, more likely is a single deep 
        rooted attack on a single infrastructure to ingest cyber terror 
        into our citizens' conscious. It is also plausible that cyber 
        war will lead to kinetic war (or some combination of the two). 
        Specifically, an offensive attack by a nation on our power 
        infrastructure could be met with a kinetic attack on their 
        nation's physical target (or vice versa).

   4.  Banking Continues to be the Most Attacked Sector--Based upon 
        volume (number of data records, number of attacks, etc.), the 
        financial sector continues to be the most attacked of our 
        infrastructures. The interconnected nature of this sector has 
        caused the banking regulators to become very concerned about 
        vendor management and corporate account takeover. With the 
        growth of Internet of Things, it is possible that there could 
        be a shift in attention from the hackers; however, it is fair 
        to say that banking and financial services are under attack 
        today and this will likely continue over the next five to ten 
        years.

   5.  Small Business Security Continue to Lag Behind--Small businesses 
        lack the resources to understand and mitigate these cyber 
        threats. The PCI standards are clearly not working, and for the 
        most part based on voluntary compliance and self-audit. Today, 
        the best mitigation strategy seems to be to educate individuals 
        and SMEs to the risks and controls that are essential to 
        minimize the potential for major cyber loss or disruption. 
        Moreover, we do not think it is appropriate or reasonable to 
        shift the burden of loss from the person or organization that 
        had inadequate controls in place to detect and deter cyber 
        hacking attacks, to the financial institutions that process the 
        withdrawals by the crooks, generally through ACH debits.

   6.  Information Sharing is Lacking but Improving--The ISACs were 
        devised over ten years ago, yet it is really only this year 
        that the FS-ISAC is gaining momentum. With the banking 
        regulators getting behind FS-ISAC, banks and credit unions have 
        increased membership rates. The system really only work if many 
        are participating, and we are finally getting to a scale where 
        there is value.

   7.  Data Breach Notification is Inconsistent--48 states have data 
        breach notification laws; however, every state law is 
        different. This lack of uniformity make it difficult to measure 
        breach rates and makes it difficult for the consumer to 
        understand what is going on.

   8.  Security Awareness (or the lack thereof) is the Number One Issue

      a. Citizens

      b. Business Owners

      c. Investors

      e. Policymakers

      d. Executives

      A recent study in the banking sector determine that the number 
        one cybersecurity issue in banking is the reality that senior 
        management and boards are simply not in position to establish 
        ``the tone from the top'' as it relates to cybersecurity. The 
        lack the requisite skills to set the direction and manage their 
        organizations to achieve cybersecurity objectives.

   9.  The Internet of Today Can Not Be Secured--The Internet was not 
        built for the purpose it carries out today. The Internet was 
        not conceived to become the backbone for commerce. While today 
        countries and companies alike are adopting technologies to grow 
        their interests, the Internet lacks fundamental controls that 
        large-scale networks must have. As the Internet-of-Things 
        explodes over the next ten years and our cyber adversaries grow 
        in both number and strength, the problems of will seem like 
        child's play. Infrastructures like the Internet takes years to 
        change because of its pervasive and invasive nature. The time 
        is now to determine how the infrastructure we know today must 
        be secured and/or fundamentally changed so that cyber resources 
        remain available, accurate and private to those who depend upon 
        them for social and economic well-being.

  10.  Industry Will Continue to Underinvest in Cyber Security 
        Solutions--Digital Infrastructure is Infrastructure. When an 
        ice storm occurs in North Dakota, icing up power lines and 
        taking out power, the region is paralyzed until power is 
        restored. It can sometimes take weeks and months to complete 
        this task, depending upon the tenacity of Mother Nature. What 
        would happen to these financial institutions, our economy, and 
        our consumer confidence level if malicious nation-states 
        disrupted our power instead of an ice storm? How long would it 
        take for power to be restored on power grid infrastructure 
        dating back centuries? Power, water, transportation, and the 
        Internet just to name a few are all required to conduct banking 
        commerce. While SMFIs are required to devise business 
        continuity, incident response, and pandemic prepared ness 
        plans, no SMFI could operate if essential infrastructure we all 
        depend up (such as the power grid) was compromised. The job is 
        much larger than any one SMFI. To the degree major and minor 
        changes are needed at SMFIs or SMEs, we urge the Administration 
        to consider this infrastructure and fund it. There needs to be 
        a mindset shift away from industry paying for everything in 
        this infrastructure (because they created it and are the users 
        of it) to some shared cost model. If this infrastructure is 
        truly a matter of national security then the Federal Government 
        has a funding responsibility. Just as tanks, planes, and 
        weapons are funded to protect our interests, we urge the 
        Administration to consider their financial responsibilities as 
        it relates to this vital electronic infrastructure.

  11.  Securing Our Digital Infrastructure Will Take Cooperation and 
        Resources--Nearly 20 critical infrastructures are identified 
        and would take trillions of dollars to ``secure''. This 
        resource allocation is likely unreasonable so little will be 
        done to remarkably improve our Nation's cybersecurity posture.

  12.  Cyber Security Risk Management Practices are Insufficient--A 
        lack of agreed upon cybersecurity risk management practices, 
        frameworks, tools, methods, etc. is leading to confusion. Cyber 
        security risk management science is in its infancy, but hacker 
        techniques are sophisticated.

  13.  There is a National Shortage of Security Experts. Most 
        organizations do not have an expert who understands the 
        emerging security threats, threat actors, vulnerabilities, and 
        the like as it takes time and expertise and cannot simply be 
        assigned to existing staff. The large companies and government 
        agencies are ``buying'' their experts, leaving most of U.S. 
        companies with insufficient expertise. Government, private and 
        public sectors are all facing an enormous shortage in 
        cybersecurity talent. The subject of cybersecurity is showing 
        up in classrooms all over the Nation to fill a worldwide 
        shortage of 1 million openings. Symantec is the world's largest 
        security software vendor recently reported that the demand for 
        the cybersecurity workforce is expected to rise by 6 million 
        professionals globally by 2019, with a projected shortfall of 
        1.5 million. That will leave companies and information less 
        protected than they should be against hackers. While technology 
        is vital to preventing, detecting and responding to security 
        attacks, equally important are the people who determine 
        security strategy, devise and operationalize security programs, 
        and skillfully deploy the technologies that wall-off our 
        critical infrastructures and information. According to CIO 
        Magazine, cybersecurity professionals report an average salary 
        of $116,000 which is nearly three times the national median 
        income for full-time wage and salary workers, according to the 
        Bureau of Labor Statistics. We need to expand our cybersecurity 
        workforce.
Recommendations

  1.  Think through the Global Nature of the Issue--An international 
        group should study the cybersecurity issues and draft a series 
        of issues and recommendations which could feed our National 
        Strategy. The Internet is not a U.S. thing. It is a global 
        infrastructure with global reach and implications.

  2.  Develop a National Cyber Security Strategy--The Federal 
        Government should work with government, academia, corporate 
        America and the small business community to devise a 
        comprehensive, bilaterally supported national security strategy 
        that includes goals, objectives and funding sources. 
        Establishing a front line of defense against today's immediate 
        threats and to defend again a full spectrum of future threats 
        is so massive that only the Federal Government could take this 
        on. Improved awareness needs to be at the center of this 
        strategy.

  3.  Focus on Power and Telecommunications--while there are many more 
        ``critical infrastructures'' which need protection, all 
        infrastructures depend upon Power and Telecommunications. 
        Melissa Hathaway mentioned at Harvard's 2015 class entitled, 
        Cybersecurity--The Intersection of Policy and Technology that 
        these two infrastructures should be the first order of priority 
        protection in the United States and around the world. Funding 
        the improved security of 20 infrastructures has proven 
        impossible, so a strategy to focus resources on power and 
        telecommunications seems reasonable.

  4.  Pass Cybersecurity Information Sharing Act of 2015 (CISA)--
        Congress should pass a cybersecurity bill that encourages and 
        incentivizes private companies to share data with the Federal 
        Government. While the ISACs are improving information sharing, 
        companies are still reluctant to share. A bill that would 
        incentivize the sharing of cybersecurity threat information 
        between the private sector and the government and among private 
        sector entities and responds to the massive and mounting threat 
        to national and economic security from cyber events. The bill 
        should also look to improve the cybersecurity of both public 
        and private computer networks by increasing awareness of both 
        threats and countermeasures.

  5.  Pass Federal Data Breach Notification Law of 2015--allow for 
        uniform definition and application of data breach policy, while 
        providing exemptions to improve the flexibility to hone the law 
        to meet specific needs. Consistent with the February 5, 2015 
        testimony of American Bankers Association Senior Vice President 
        Doug Johnson, we support 1) pre-empting inconsistent state laws 
        and regulations in favor of strong Federal data protection and 
        notification standards, 2) strong national data protection and 
        consumer notification standards with effective enforcement 
        provisions, and 3) the costs of a data breach should ultimately 
        be borne by the entity that incurs the breach.

  6.  Improve grant opportunities and funding for research in 
        cybersecurity, with an emphasis on risk management practices 
        and security awareness solutions. The National Science 
        Foundation and others could be equipped with the resources to 
        focus on these two very important areas. While cybersecurity 
        technology-based research funding is available, these two 
        important focus areas should be emphasized. SBIR programs can 
        also look to write these two areas into their solicitations. 
        Applied research should be emphasized.

  7.  Consider Requiring Cyber Insurance--Organizations which operate a 
        digital capability might need to carry cyber insurance. Many 
        businesses have been resistant to spend money in this area. 
        Congress may consider either 1) requiring a basic level of 
        cyber insurance for those organizations that meet a certain 
        profile, or 2) requiring a specific set of mitigating controls 
        that all organization should implement. Examples are already 
        documented in the SBA Small Business Security Standard and the 
        NIST Small Business Security Standard.

  8.  Build Upon Existing NSA/DHS CAE Program--This program is a 
        tremendous success story and should be enhanced to include many 
        other audiences (i.e., industry, high schools, veterans, etc.). 
        Scholarships and financial support must be made available to 
        make the cybersecurity field an attractive career choice to 
        close the gap on the million job shortage we are facing. The 
        CAE program is a huge success and the credit goes to the 
        thought leaders in the Federal Government that anticipated the 
        cybersecurity issue and the resource shortage it would create. 
        We advise the President to consider expanding this program with 
        funding, so that more educational, research, and outreach 
        capacity is created to serve the needs of government and 
        industry (companies small and large). We advise the expansion 
        of the Scholarship for Service Program (SFS) at NSA, DoD, and 
        NSF, including expanding the number of scholarships and the 
        places scholarship students can pay back their scholarship. For 
        example, can we make it possible for a SFS student to complete 
        his/her service at a critical infrastructure owned and operated 
        by the private sector such as a power supplier or an Internet 
        Service Provider?

  9.  Devise More Effective (and Affordable) Cyber Security Training 
        and Educational Programs--Citizens and businesses alike must be 
        trained in to run technology securely in this digital age. 
        Making cybersecurity training and education available and 
        affordable is the key. One such example is the Program in Bank 
        Technology Management that Kirby Davidson at the Graduate 
        School of Banking at the University of Wisconsin has developed. 
        This Program launched in April, 2011 and was capped at 50 
        students (which filled in two weeks). The Program is a blend of 
        technology and security honed specifically to the community 
        banking audience. The program includes 12 hours of ``ethical 
        hacking'', where students download and execute common hacking 
        tools so they understand what tools the adversary has in the 
        arsenal. After the training is completed, they have a better 
        understanding of the adversary and more importantly can return 
        to their businesses and help secure our infrastructure.
Conclusion
    Electronic products and delivery systems are the future in banking 
and beyond, and if businesses cannot understand and resource their 
technology and security requirements then they will likely be left 
behind. We agree with the White House's conclusion in their recent 
cybersecurity legislative proposal that, at least with respect to cyber 
terrorists, the vulnerability of the electricity grid poses one of the 
most severe exposures to our country's critical infrastructure. The 
fact that a computer Programmer or hacker in another country could 
cause the partial or complete disruption of this Nation's grid is, to 
say the least, extremely disturbing, but is beyond the scope and 
expertise of businesses to respond. However, small and medium-sized 
financial institutions need representation at the table, and we 
encourage the President to consider including this voice as small and 
medium-sized financial institutions and businesses are the majority, 
not the minority, of America n businesses.
    We conclude with this thought. In 2009, President Obama stated:
    
    
    
    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    The first question is, ``have we made enough progress over the past 
six years''? No doubt we are improved, but so have the capabilities of 
our cyber adversaries. With the explosion of the Internet, digital 
currencies, and the next generation of networked technologies, 
organizations will become more dependent upon technology to grow their 
businesses and reach more customers. The second question is, ``are we 
prepared for the future''? Customers will interact with technology even 
more frequently and intimately than today, and cyber criminals will be 
more savvy and well-funded than ever before. The risk to our Nation is 
clear that a cyber-terrorist thousands of miles away can hold a 
citizen, organization or country hostage with binary attacks. When this 
happens, it is not simply Microsoft or Oracle who must respond. We need 
a strategy that focuses resources, builds capabilities in the areas we 
need, informs consumers and business leaders of their responsibilities, 
promote information sharing and customer notification, and builds the 
cyber workforce of tomorrow.
    Chairman Thune, Ranking Member Nelson and Members of the Senate 
Committee on Commerce, Science, and Transportation, thank you for the 
opportunity to participate in this important and timely hearing. Dakota 
State University looks forward to working with all stakeholders to 
operationalize the President's vision of a safe electronic 
infrastructure for all businesses to use. We applaud the President in 
making cybersecurity an Administration priority, and concur with the 
President's comments that the ``cyber threat is one of the most serious 
economic and national security challenges we face as a nation.'' To 
make an impact, policy must change, resource allocation must change, 
and a more comprehensive approach must be deployed.
    We want to thank you again for your leadership and this opportunity 
to appear before you.
                               Appendix A
Growth of the Internet
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

                               Appendix B
Growth of Internet of Things
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


    The Chairman. Thank you, Dr. Streff.
    We will turn now to our final witness, and that is Dr. Josh 
Pauli.

    STATEMENT OF JOSHUA J. PAULI, Ph.D., PROFESSOR OF CYBER 
               SECURITY, DAKOTA STATE UNIVERSITY

    Dr. Pauli. Thank you. So I live a mile from campus, so I 
get to go last.
    [Laughter.]
    Dr. Pauli. It would be easy for me to say I have nothing 
more to add, but, of course, anybody who knows me knows that is 
not true.
    So we have heard a lot of bad news, we have heard a lot of 
doom and gloom. I have some good news. I have some excellent 
news.
    Everything you have heard up here is true, right? Breaches, 
shortages of people, more complex attacks--100 percent true. 
But what we are dealing with mostly is a people shortage. So 
the good news is we have everything in place to fix this. We 
don't need to reinvent anything; we just need to use what we 
have.
    For those of you that were here this morning and met with 
our students and saw some of the research projects from our 
CyberCorps students, I think you would know that, and you would 
agree with me, right? We have a people problem. We don't have a 
shiny red box thing or a new tool thing, right? We have a 
people shortage.
    So my idea--and I don't have a script, right? I have notes. 
So that is just kind of how I go. You have my written 
testimony. I am more than happy to go line by line with you if 
you would like, but I would like everybody----
    The Chairman. That won't be necessary.
    Dr. Pauli. What?
    The Chairman. That won't be necessary.
    [Laughter.]
    Dr. Pauli. That won't be necessary, yes. You have seen my 
work before.
    [Laughter.]
    The Chairman. No.
    Dr. Pauli. So think of a funnel; everybody think of a 
funnel. And what we need to pop out of the end of the funnel is 
a higher quantity and a higher quality of graduate. We don't 
need anything else, right? We have everything else.
    You heard our students this morning talk about let's get 
back to the basics--strong passwords, segmented networks, some 
of those fundamental things that, if we had this hearing 10 
years ago or 20 year ago we are still talking about.
    So let's consider this funnel that we need to have a higher 
number and a higher quality of person pop out of the end. So 
what we need to do is we need to make this funnel wider. And to 
do that, we need to reach down lower into our middle schools 
and our high schools to excite and retain and recruit students 
into cybersecurity.
    Some of you are familiar with the GenCyber summer camp, 
Generation Cyber, which is a joint project from the National 
Security Agency and the National Science Foundation. Touched 
1,500 students this year.
    The crazy thing is there was no dedicated funding to that 
project, right? There were kind of these leftovers from NSA, 
some leftovers from NSF that they were able to scrape together 
and fund camps for 1,500 students. Right? Fifty percent which 
were females. That is a lot better than the 18 percent of 
females that enter computer-science-related fields. We had two 
slam-dunk camps here on campus, right? One for girls, 100 
girls, 200 co-ed. Right?
    So we need to expand GenCyber. So if it is NSF, great, 
let's do that. If it is NSA, great, let's do that. If it is 
somebody else that wants to help, let's do that. But we don't 
need to reinvent the wheel.
    Second, we need to continue to develop our university 
programs and our faculty. You see this through the Center of 
Academic Excellence designations the senator mentioned. DSU is 
1 of 14 cyber operations schools. We were one of the first four 
in 2012, right? That is a very, very elite club, right?
    So it is great to say DSU is right there with MIT and 
Carnegie Mellon and Northeastern, right? That is fun, and our 
students bear the benefit of that. Those types of programs that 
are upping the ante for our academic programs are needed to 
continue.
    We also need to fund our university students through 
programs like the CyberCorps program. I don't know one 
university, one student who is in a CyberCorps award, or one 
government entity who takes these students on that doesn't 
think this is a fantastic program. Think about that. Government 
loves it, academics love it, and students love it? I don't know 
of another program in existence that has that triad.
    CyberCorps is $45 million a year, which you think, like, 
wow, that is really good. The entire National Science 
Foundation is $7.7 billion. So CyberCorps is barely one-half of 
1 percent of the entire foundation. We need to increase that. 
Everybody knows and everybody agrees that CyberCorps is 
important. We need to increase that.
    For example, DSU has one of the largest CyberCorps 
programs. We give out 10 new scholarships a year. I can look 
anybody in the eye and tell you we could fund 30 per year of 
students who deserve that program, who deserve that 
scholarship. And I think that story is the same across the 
nation.
    So, once we fund them, we need to find them jobs, right? So 
we have some efforts going, which you have heard, right? NIST 
is all over this with their Cybersecurity Framework, which 
businesses of all sizes should be implementing, right? We need 
to continue to figure out ways to get that into the hands of 
everybody.
    We need to continue to look at the NICE framework, the NICE 
job framework that says, if you have these types of skills and 
abilities, these types of jobs would be good for you. We need 
to implement that framework not only through government but 
across everywhere, right? SDN should be able to post a job that 
said, ``Here are your NICE framework details,'' and a student 
could say, ``Wow, that kind of matches my profile. I should 
apply to that.'' That framework is out there; we need to use 
it.
    And I think what we are seeing is more industries becoming 
more aware of cyber, right? So right here in little Madison, 
South Dakota, we have two power entities that are all over 
cyber, right? So some of you may have heard East River here in 
town hired some new CIO, right? Some wacky college professor 
left DSU, right? That is a huge testament to East River's 
forward thinking on cybersecurity. We need more of that. We 
need to help with that.
    And then their friends--I think they are friends. I think 
Heartland and East River get along, right? Heartland, led by 
Russ Olson, not only taking care of his own house but partnered 
with Helix Security, a security firm here in town, to look out 
for their customers, right? So how crazy is that? A power 
company pushing down cyber guidance to their customers. That is 
pretty awesome, and we need to continue to grow some of that 
stuff.
    So, in closing, if you think of my funnel, we need to widen 
the funnel, we need to dump more kids into the top when they 
are 10 and 12 years old so that when they are 23 they pop out 
and they are ready.
    Thank you.
    [The prepared statement of Dr. Pauli follows:]

   Prepared Statement of Joshua J. Pauli, Ph.D., Professor of Cyber 
                   Security, Dakota State University
Recent DSU Successes
    There is much to celebrate at Dakota State University in Madison, 
SD as our cybersecurity programs are experiencing explosive growth in 
both the quantity and quality of student enrollments. Since 2012, our 
three undergraduate degrees most closely aligned with cybersecurity, 
those being Cyber Operations, Network Security, and Computer Science, 
have seen an 83 percent increase in students from 382 in the fall of 
2012 to 698 in the fall of 2015 as introduced in the table below.

----------------------------------------------------------------------------------------------------------------
                                                                                2012     2013     2014     2015
                                                                                Fall     Fall     Fall     Fall
----------------------------------------------------------------------------------------------------------------
Cyber Operations, Network Security, & Computer Science BS Degrees at DSU          382      470      569      698
----------------------------------------------------------------------------------------------------------------

    Approximately 400 of these students are on-campus and account for 
an estimated 1/3 of the entire on-campus student population of DSU, 
while the remaining 300 are online students from around the country. 
Our graduate programs, which include a Masters in Applied Computer 
Science, a Masters in Information Assurance, and a Doctorate in Cyber 
Security are also growing rapidly as Dakota State University's 
reputation for high-quality education in cybersecurity at a reasonable 
price continues to expand across the country.
    Much of this student growth at DSU can be traced back to three main 
milestones. First, DSU was awarded a grant from the National Science 
Foundation (NSF) in 2011 to join the CyberCorps SFS program to award 
full ride scholarships and stipends to high-achieving students that are 
interested in working for the government in a cybersecurity position 
after graduation. 44 DSU students have been awarded this scholarship 
and we've placed 100 percent of our interns and graduates in government 
positions around the country.
    Second, DSU's Cyber Operations undergraduate degree program was 
designated as a Center of Academic Excellence in Cyber Operations (CAE-
CO) by the National Security Agency (NSA) as one of the first four such 
Centers in 2012. This is a very exclusive honor for DSU as there are 
currently only 14 designated programs in the Nation. Less than 25 
percent of university applying to the CAE-CO program meet the stringent 
requirements for this designation and DSU is widely viewed as one of 
top Cyber Operations programs in the Nation by the government and 
academic communities alike for our deeply technical focus and hands-on 
approach.
    Third, DSU entered an academic articulation agreement with the NSA 
in 2015 to award DSU academic credit towards our Cyber Operations 
undergraduate program for education and training that NSA employees, 
primarily military personnel, complete as part of their work at the 
Agency. This articulation agreement is the first such agreement in the 
history of the NSA and will enable these employees to be retained by 
the NSA or Department of Defense (DoD) after graduating from DSU. This 
is also likely the first such agreement by any Federal Government 
agency dedicated to cybersecurity education, which has huge potential 
for all agencies to help attract and retain top cybersecurity 
graduates.
Current Threat
    Despite the good news at DSU and the focus of many academic, 
government, and professional organizations on cybersecurity threats 
today, I believe the United States would lose a cyber conflict between 
nation states if it took place today. My worries go beyond the data 
breaches that have dominated the headlines in recent months, but 
instead extend into the military, intelligence, and business 
competitiveness arenas of our country. We have an extreme shortage of 
qualified professionals in the cybersecurity domain across both public 
and private sectors. We must greatly expand the quantity and quality of 
the cyber workforce to ensure the necessary knowledge, skills, and 
abilities are in place to help protect the Nation and conduct cyber 
operations. We can help solve this capacity problem with existing 
programs that have already proven to be highly effective and successful 
as partially discussed in my testimony of S. 1353: Cybersecurity 
Enhancement Act of 2014.
The Way Ahead
    To meet the cybersecurity personnel needs in public and private 
sectors, we must increase the numbers in every stage of the process in 
order to end up with a tangible increase in the number of qualified 
professional. The funnel introduced below is an accurate representation 
of the processes that must occur when trying to grow the cyber 
workforce.


[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

1. Excite Middle and High School Students (Age 10-18)
    We must increase the funding to the GenCyber Summer Camp program 
that has been offering cybersecurity summer camps to middle school 
students, high school students, and K-12 teachers since 2014 on 
university campuses around the Nation. GenCyber is a joint effort by 
NSF and NSA that administered 43 camps at 29 universities in 18 
different states during the summer of 2015 that supported approximately 
1,500 students and 300 teachers. The student population was 50 percent 
female, which is a dramatic increase from the 18 percent of females 
that enter computer science programs at the university level. GenCyber 
has been a tremendous success despite never having dedicated funding 
from the NSA or NSF in the last two years. It has only been funded by 
``left over'' funding. In order to expand GenCyber, and other similar 
programs with the goal of increasing student interest at a young age, 
dedicated funding and programs need to be established. Expansion of 
this program should also include year-round programming for interested 
students by the way of after-school programs, college-level courses, 
and other engagements integrated into the academic year of middle 
school and high school students. This education of young minds is 
critical in order to increase the quantity of students that at least 
consider going into a cybersecurity field of study at the university 
level. Programs like GenCyber are the entry point to the funnel, thus 
it needs to pull from a very wide audience of students and teachers.
2. Recruit Students (Age 16-18)
    Direct recruitment of high school students to university programs 
is not a formal aspect of GenCyber as the camps are 100 percent about 
cybersecurity education and to excite students to pursue cybersecurity 
educational and professional pathways. Any recruitment is secondary to 
the goal of the camps and only happens organically. We need to develop 
a formal recruitment plan for students that is overt in its mission and 
can be scaled nationwide. I believe this is an excellent project for 
NIST's Security Outreach and Integration (SOI) Group and the National 
Initiative for Cybersecurity Education (NICE) to work alongside 
universities and government agencies to develop a ``full court press'' 
approach to recruiting students directly into cybersecurity academic 
programs and career pathways. With the support of NIST, NSF, GenCyber, 
and universities around the nation, a recruitment plan to target this 
population would further widen the audience of upcoming cybersecurity 
professionals.
3. Develop University Programs and Faculty
    Our university programs must continue to grow and evolve in order 
to keep up with the demands of the professional workplace and the 
incoming students. While there are capacity building funds attached to 
various grant programs, the current level of support must be increased 
to support more academic programs in additional ways. NIST's National 
Initiative for Cybersecurity Education (NICE) is an ideal mechanism to 
provide additional resources into the ongoing development of our 
programs and faculty around the Nation. The NICE Workforce Framework is 
a tremendous effort to identify and classify the necessary knowledge, 
skills, and abilities (KSAs) that are required in today's cybersecurity 
workforce. Now is the time to take this same framework and provide 
assistance to educational institutions to ensure our programs and 
faculty are positioned to implement the framework.
    An existing mechanism within the Department of Defense (DoD) that 
needs to be mimicked across the Nation is University affiliated 
Research Centers (UARCs) that enable a closer working relationship 
among government agencies, university faculty members, and university 
students. UARCs are very similar to Federally Funded Research and 
Development Centers (FFRDCs) in that an external entity, such as a 
university or non-profit corporation, conducts research and development 
for the U.S. Government. It's now time to have such Centers dedicated 
to solving the problem of attracting and educating the next generation 
of cybersecurity professionals. These Centers would be the hub of 
activity for government agencies, universities, and high schools across 
the Nation to support the mission of increasing the quantity and 
quality of cybersecurity professionals.
    Currently the only Department of Commerce FFRDC is the National 
Cybersecurity Center of Excellence (NCCoE) that is dedicated to 
cybersecurity best practices across critical infrastructures, but 
multiple Departments of the U.S. Government can sponsor an FFRDC, so 
the Center can conduct research for both Departments. There are many 
moving parts to such an endeavor, but we must better identify and 
coordinate our efforts to cybersecurity recruitment and education and 
UARCs and FFRDCs are a great approach to this coordination.
4. Fund University Students (Age 18-23)
    NSF is the source for 89 percent of all Federal funding to computer 
science and cybersecurity at our universities, so we look to the NSF as 
almost the sole source of Federal funding to our programs. The NSF's 
CyberCorps SFS program is widely viewed by government and academia 
alike as the most effective way to place top students in cybersecurity 
careers within the government. The program has achieved the rare feat 
of gaining positive endorsements from government agencies, university 
faculty members, and scholarship students alike. CyberCorps SFS has 
supported 1,750 students since the programs inception in 2002 and 
approximately 200 new students per year, which is a drop in the bucket 
compared to the need we face. The NSF's Graduate Research Fellow (GRF) 
program, which spans all academic disciplines and is the NSF program 
CyberCorps is most commonly referenced with, supports 2,000 students 
per year. The CyberCorps budget for 2015 is $45M, which is 0.62 percent 
of the NSF's $7.7B 2015 appropriation and just 13.5 percent of GRF's 
2015 appropriation. An increase to the CyberCorps program is a wise 
investment for the future of cybersecurity professionals within 
government agencies.
5. Place Students in Internships and Graduates in Careers
    Any efforts to continue to streamline the hiring process of student 
into internships and graduates into careers is greatly appreciated by 
everyone involved. Continued work on raising salaries for the most 
critical cybersecurity positions in all government agencies is also a 
positive step forward and should continue. It's unrealistic to expect 
government jobs to keep pace with private sector pay, but it must at 
least be close enough for the student to consider accepting the 
government position. Often times the application and hiring process is 
by far the worst experience for students and graduates. These delays 
also result in government agencies missing out on students and 
graduates that actually want to work for them, but get hung up during 
the hiring process. This is a topic that has received discussion for 
several years between academia and government, but should continue to 
be researched for a way to make the process better on an on-going 
basis.
    We must also find better ways to get students who are not 
CyberCorps scholars placed at government agencies. As an example, DSU 
has 10 new CyberCorps students per year, but realistically has 20-25 
students that deserve the scholarship and another 20-25 students per 
year that would make perfectly capable hires into government 
cybersecurity positions. But because the process is so convoluted and 
slow, these 50 non-CyberCorps students can not get noticed by 
government agencies and are forced to take jobs, often times lesser 
jobs, outside of government. There are countless students around the 
Nation who would gladly work for the government, but they are so turned 
off by the hiring process that they don't even consider public service.
Conclusion
    The demand for cybersecurity professional is only going to increase 
in both public and private sectors. We need to act now to help fill 
this demand with the types of graduates that are well prepared for the 
workplace of the coming years. Although there is much work to be done 
to generate the quantity and quality of the cyber workforce, there is a 
proven plan to achieve noticeable progress towards this goal. Now we 
need to execute this plan.

    The Chairman. Well, thank you, Dr. Pauli.
    And thank all of you for terrific testimony and great 
insights, all of which I think will be very useful as we 
continue to examine these issues and look for solutions, at 
least to the degree that solutions are going to be found in 
Washington, D.C., and Congress. And there are some things that 
we do need to do, we realize, and some things that we really 
need to stay out of the way.
    But I want to come back to this workforce issue since we 
are here on the campus of Dakota State University. And, Dr. 
Pauli, I will start with you, since you kind of wrapped up with 
that.
    You mentioned in your written remarks that there are 10 new 
CyberCorps students per year but, realistically, that DSU has 
20 to 25 students that deserve the scholarship, another 25 
students per year that would make perfectly capable hires into 
government cybersecurity positions.
    And then you also indicated that there are many students 
who are turned off by the Government hiring process. So I am 
wondering maybe if you could elaborate on the current hiring 
issues that your students encounter.
    And then I would like to, after you conclude, just for 
those of you on the panel who employ people--and we have a 
couple of folks in government, some private sector--as you are 
looking for people to hire in your operations, what you are 
looking for, and how might DSU best prepare students for those 
types of opportunities.
    Dr. Pauli. Yes. So you are absolutely right. I am happy you 
read my written testimony. So you are right. We give out 10 of 
these scholarships per year. We do have 20 to 25 who absolutely 
deserve it.
    And then we have this other group that, even without the 
CyberCorps scholarship, are ready, willing, and able to work 
for the government. And part of it is because of our 
geographical location, right? We don't have Google in our 
backyard saying, ``Give me all of your best students.'' We have 
some in the region, but we have 700 cybersecurity students at 
DSU.
    So, yes, we have capacity. We have better students now than 
we ever have, and that is going to keep getting better.
    In terms of hiring, getting hired into the government, it 
is a very disheartening thing when the first thing a student 
hears, right, they go out to a website--NSA, CIA, NIST, doesn't 
matter--and the first thing that they are told is, ``Go out to 
USAJOBS.gov and apply.'' So, being studious, they go out and do 
that. And they wait, and they wait, and they wait. There is no 
acknowledgment that their application was received. There is 
no, ``Here is the timeline of your application and where it is 
in the process.'' And then, months later, they may or may not 
get notified, right?
    So I think too many of our students--the CyberCorps 
students are locked in. I make those students go through that 
process. They have to do it. But we are losing a big chunk of 
students who could and want to go do that work during that slow 
process. And it is easy to bash HR. I am not bashing HR. I am 
bashing the hiring process.
    So a student who is not on CyberCorps wants to go work at 
NSA, they apply, they don't hear anything for 6 months. Well, 
in the meantime, it is really easy for them to say, I'm 23 
years old, I have the world by the tail, I want to go out and 
do great things, but I haven't heard anything, and I need a 
job, so I will take a job that is a rung or two down.
    And we are missing the boat there with that population.
    The Chairman. Yes.
    Anybody else want to talk about, in terms of hiring, when 
you are looking for people to work in this particular space, 
notwithstanding the Federal hiring issues? And I don't know if 
you can speak to that, you know, either NIST or NSF.
    And then, any of the guys that are working in the private 
world, any observations that you might have about how best to 
get our young people ready and expedite that hiring process so 
we can address the deficit, which Dr. Streff pointed out, which 
is a million positions relative to the number of people that 
are available to fill them.
    Mr. Pulse. I will jump in here, if you don't mind.
    Great stuff, Josh.
    One thing I will say is I think that private industry needs 
to get over one thing, and that is, if you are out looking for, 
you know, a new hire and they don't happen to particularly have 
an industry-level skill set, whether it is in the financial 
sector, healthcare sector, insurance, or whatever it is, 
organizations tend to shy away from them. This person doesn't 
know banking,'' ``This person doesn't know health care,'' or 
whatever. But, from my perspective, and hopefully some agree 
here, this security thing is agnostic, it is industry-agnostic.
    I mean, we talked about, you know, binary obfuscation this 
morning. Bits and bytes are bits and bytes, right, whether you 
are in a bank or a hospital or the Federal Government. And 
securing against, you know, APTs and everything that is out 
there, I think, culturally, now, a lot of--and, again, I am big 
on this culture thing--a lot of it has to do with that. And I 
think we just need to get over the hump of, you know, the old 
industry thing.
    The Chairman. Being industry-specific.
    Mr. Pulse. Exactly.
    The Chairman. OK. All right. Thank you.
    Mr. Stine. Yes, I think that is a very important point.
    I think one of the other realizations here is that the 
technical skills are very important, the traditional computer 
science and the engineering courses are absolutely critical, 
but cybersecurity is a very multidisciplinary area. So there is 
a need for not only those kind of bits-and-bytes technical 
skills but also looking beyond to some of the psychologies and 
the sociologies, some of the softer sciences, the finances.
    Because there is very much a human-centric element to all 
of cybersecurity, as well, not only in terms of working with 
kind of the end user, so to speak, but also developing 
solutions that are going to be understandable and usable and 
effective for those end users and those organizations that have 
missions and business objectives to accomplish.
    The Chairman. Anybody else?
    Mark, go ahead.
    Mr. Shlanta. I just wanted to add I am probably someone who 
benefits from the slow process of the Federal Government 
hiring, you know, in that----
    [Laughter.]
    Dr. Pauli. I wasn't going to say that, Mark. I wasn't going 
to say it.
    [Laughter.]
    Mr. Shlanta.--that, you know, just right up the road, less 
than an hour from where SDN is located, we have this school. 
And we have a number of graduates of Dakota State on our staff.
    But I think other things that businesses can do to help 
develop staff--we have a long history of internships, and I 
would encourage all in the private sector to work with the 
educational facilities, put the students to work over the 
summer. No matter where they go and where they come from, they 
will bring skills to you, and they will probably learn 
something, I know they will learn something from you and take 
it other places. But all of that, just think of that at a level 
of information-sharing, as well, in terms of just developing 
the talent.
    But I think one of the things we have to do as businesses, 
as well, is, in addition to the internships that I talked 
about, like, we worked with Josh and Dr. Streff in DSU with 
that cyber camp this summer. When it filled so quickly, they 
ran out of budget; we helped them with expanding that platform. 
And it really is South Dakota's workforce that I was most 
interested in at that point, in terms of developing it, and 
businesses can step in and assist.
    And then, really, the last thing that I would add is really 
just that, you know, the continued prioritization, kind of what 
Eric was talking about, you know, that cyber professionals can 
add, really, to just about any business. They don't have to be 
a technology business like ours. And businesses across the 
country need to recognize that. And that will grow the 
workforce.
    The Chairman. Good.
    Anything else?
    Go ahead.
    Mr. Epstein. Just a brief comment, that we agree at NSF 
that we need to widen the funnel, as you say, and bring in more 
students. SFS can't do it all, of course, but we agree.
    There has been an average of about 170 students a year for 
the past few years nationwide graduating from SFS. And Dakota 
State is the 15th biggest in terms of number of students 
nationwide, which is a pretty good number for a small school. 
As a percentage basis, I would guess that you are probably the 
highest in the country, and that is great. And we do need to 
expand it as funding allows.
    Dr. Streff. And if I could make a couple comments.
    The first is there is a huge multiplying effect with these 
scholarship programs. It is not about 10 kids, right? Josh can 
talk about the numbers. We had 100 kids before the program, and 
then we get the program and it is 700. There is a huge 
multiplying factor here that happens.
    The second thing that I would ask for NSF and others on the 
Committee to think about is the scholarship needs to be paid 
back at a government agency. I would ask that we look at that. 
How about a power company, or how about at a telco? I mean, if 
we are prioritizing infrastructures high, like power and 
telecommunications, and they need help, isn't that the point, 
getting our best and brightest there? Can they pay back their 
service there?
    And I know that that is not a part of the deal right now, 
but I would ask for us to look at those critical 
infrastructures and say, how do we help?
    The Chairman. OK.
    If there are any students who want to ask any of these guys 
a question about any of these workforce issues, think about 
that for a minute, and we will come back to this before we kind 
of exhaust this subject. Because I think this is an important 
one and very relevant to the broader discussion about 
cybersecurity.
    I want to shift gears for just a minute and go back to 
something that, Mark, you talked about in your remarks, and 
that is, you know, you pointed out that these cyber attacks 
don't confine themselves to populated areas or big businesses. 
This hits rural areas, South Dakota, and the examples you put 
up about the state of South Dakota and Sioux Falls governments.
    And then you mentioned in your testimony that 95 percent of 
these cyber incidents, security incidents, involve human error 
and that ``businesses should therefore''--and I am quoting from 
your written testimony--``improve the cyber literacy of their 
workforce and limit their employees' access and ability to 
distribute sensitive information.''
    So you have touched on this in your testimony. I wondered 
if you could elaborate on what SDN is doing to promote 
increased cyber literacy. And maybe if anybody else wants to 
jump in on that, too. What are we doing to educate better the 
people that we are involved with--employees, clients, et 
cetera--when it comes to just literacy about cyber issues and 
the threats?
    Mr. Shlanta. I will address a few of the items that we are 
doing at SDN. And, when you start to think about them, they are 
really basic things, but apparently not enough companies are 
doing it.
    A variety of testimony today talked about the levels of 
attacks with vulnerabilities where patches existed for over a 
year, as an example. So, frankly, patches, the security 
patches, applying them on a timely basis. We have a daily 
update into our patch program, and, frankly, if there is a 
zero-day threat that is identified, there could be multiple 
updates during the day. And that is just one way to handle 
those types of things.
    Password control. Strong passwords, meaningful passwords, 
passwords that have to be changed, passwords that can't be 
repeated. Those are as simple as locking the front door. If you 
think of your network as your house and your password is the 
way into the house, change the locks from time to time, you 
know? It is the way to keep the bad guys out.
    Solid network administration. We have 180 employees at SDN, 
and 180 employees don't need to touch every file on the 
network, as an example. So making sure you are limiting access 
to your staff. That way, if there is a compromise and someone's 
credentials are compromised and a bad guy gets in, they can 
only go as far as that person is authorized to get into the 
network.
    And, even remote access--you talked about Office of 
Personnel Management, two-step authentication. That is really 
one of the easiest things, in addition to solid password 
control and network administration.
    So those are a couple of things that we do and really every 
business could do, but they take education, they take 
discipline. They are just good, solid business practices.
    The Chairman. OK.
    Anybody else?
    Mr. Epstein. I think you hit on a really important point, 
which is that cybersecurity isn't just a technical issue; it is 
a human issue, as well, as Kevin mentioned a few minutes ago.
    We set up a new activity within the SaTC program at NSF 
that I lead to bring together social scientists and computer 
scientists to explore some of these questions. For example, why 
don't users install patches when they get warnings, when they 
get messages?
    How many of you have gotten that message, would you like to 
install an upgrade, and you say, no, no, no, I am busy, I am 
busy, I am too busy on Facebook, I don't want to install the 
update now? We all do this. I did it on my phone yesterday, or 
today. We have to understand this better.
    We have to understand why users pick poor passwords and how 
we can encourage them to do a better job, other than beating 
them up all the time, because we know beating them up doesn't 
really work very effectively. It has negative side effects. 
They may choose a good password today and then use it on 10 
different websites because they can't remember 10 good 
passwords.
    Are there differences between different groups? We have a 
project we are funding to talk to teenagers and college 
students in different ethnic groups. Do Hispanic kids, African-
American kids, white kids, Native American kids, do they have 
different attitudes toward privacy that lead them to make 
different decisions about how they treat data online and how 
they behave online? Do teenagers behave differently from senior 
citizens? What motivates senior citizens to behave differently?
    We have to understand the people aspect, not just the 
technology aspect, because as we understand the people aspect, 
then we will be able to come up with better solutions that will 
work for the Nation as a whole and not just for a subset.
    The Chairman. Good.
    Anybody else on this?
    Mr. Pulse. If I can add, again, for me, it kind of comes 
back to this security culture thing. And, you know, obviously, 
Mark is at the top of his organization, and they take security 
very seriously there.
    You know, organizations are spending millions and millions 
of dollars, or they can spend millions of dollars on a 
hardware/software secure infrastructure, but if there is not a 
secure culture, right, if, you know, an employee is going to 
click on that, you know, phishing link or whatever it is, I 
mean, they effectively become the prettiest horse in the glue 
factory, right? They spent all that money for what? And, to me, 
it starts at the top.
    I mean, I commend Dakota State University. I just learned 
this today at lunch. Every student at this university has to 
take a computer course, has to understand computing and, as an 
extension, security. I mean, I think, you know, all STEM 
education should really add a security component to it, 
because, again, culturally, you know, as we go down the road, 
it is going to become more important, more and more important.
    The Chairman. We had a meeting a few weeks ago in Sioux 
Falls, very well attended, and it was a STOP.THINK.CONNECT. 
event that was sponsored by the National Cybersecurity 
Alliance. And it was, you know, designed to recognize how 
important it is to increase our cyber awareness. And one of the 
things that came out of that in the discussion was that the two 
most commonly used passwords are ``123456'' and ``password.''
    [Laughter.]
    The Chairman. So, strong passwords. They talked a lot about 
two-step authentication, not opening up the phishing links, 
thing like that that we can do that are fairly straightforward, 
simple fixes that are precautions that every individual ought 
to be taking when it comes to our own cybersecurity.
    Just out of curiosity, and this is more of kind of a 
general question, but you all work in this field, so what is 
the thing, the biggest threat, the biggest vulnerability that 
you see as you sort of look out on the horizon, the thing that 
might, as people who are concerned about cybersecurity, keep 
you up at night as we look down the road?
    And a couple of you commented, which I thought this was a 
good observation--and maybe, Eric, you mentioned this--that 
oftentimes you come up with a prescription or a remedy and it 
fixes something for a time, but too often, you know, then the 
bad guys figure out a way around it and come up with a 
different solution. And you have to constantly be upgrading and 
looking for new safeguards and new firewalls and new ways to 
protect not only critical infrastructure but even people's 
personal information.
    So, you know, given the fact that there is a constant 
evolving threat matrix out there, as you kind of look at this 
issue in the bigger 30,000 foot context, what is it that 
worries you the most?
    Yes, sir. Mr. Epstein.
    Mr. Epstein. Senator, what worries me the most is the 
lifetime of our systems. As we go to Internet of Things 
systems, the average lifetime is going to go from 2 years with 
a phone or 3 years with a laptop to 10, 15, 20 years. I don't 
know how to design a computer system today that is still going 
to be secure 20 years from now.
    And as an example of this, my research is in voting system 
security. And I have talked to some of you about this over 
lunch. Systems that we approve for voting today are still going 
to be in use 10 or 20 years from now. How do I design a system 
that protects our democracy that is going to be secure against 
a threat that I can't even conceive of?
    So that is what keeps me up, is worrying about how I can 
come up with anything today that is going to be able to evolve 
and continue to be protected.
    In the Katrina disaster, the water system in New Orleans 
shut down and they had to restart it. It was the first time in 
over 100 years that they had restarted the water system in New 
Orleans, and they had to figure--there was obviously no one 
around who was there when they started it the last time.
    Do we have people who will know how to fix the problems 
with our Internet of Things technologies when they start 
breaking down 10 or 20 years from now, which is several 
lifetimes in terms of technology?
    The Chairman. Should the threats that come from a nation-
state or just, you know, a criminal hacker or a hacktivist be 
treated or judged any differently? I mean, obviously, some that 
are coming from a nation-state are threats to our critical 
infrastructure and should be taken very, very seriously. But 
how do you discriminate between those types of threats?
    And when we are trying to stop something, we are trying to 
stop everything, and does the same level of commitment have to 
be there for the criminal hacker as there is for some of the 
more, I guess, serious threats to our--as you described, I 
think, threats to our democracy?
    Mr. Epstein. I think we have to address it for all of the 
attackers, because what today's nation-state can do tomorrow's 
teenage hacker in their basement can do. The sort of attacks we 
see today that some of these other witnesses have talked about, 
when I went to college, were unimaginable. We had things we 
did, but they were a whole lot simpler.
    The things that we are seeing now, what we are seeing as 
today's nation-states' attacks, in 10 years, in 20 years, will 
be everywhere. And so we have to come up with the defenses and 
learn to deal with every class of attacker, because it is going 
to be everybody. Everybody is going to be the same.
    The Chairman. Anybody else, what keeps you up at night?
    Yes, go ahead.
    Mr. Stine. I was going to add on to Mr. Epstein's point. 
There are many threat actors, threat adversaries out there. I 
think the one constant that we see is really focusing on the 
impact. So, regardless of whether it is a nation-state or a 
recreational hacker, for example, what is the impact to my 
organization or to me as an individual, and then being able to 
make informed decisions based on the potential worst-case 
impact of a potential attack or hack on my systems.
    The Chairman. Anybody else?
    Dr. Streff. Senator, you know, I think we all talk about 
power-grid attacks and things like that. Those are things we 
have talked about already. But I am really concerned about 
small-business security. I am concerned that a lot of small 
businesses are at their tipping point anyway, and now here 
comes more technology and more security, and here comes a hack, 
and now it causes a huge disruption.
    We have already seen it in the banking sector--forced 
consolidation, where we have gone from 12,000 banks to 7,000 
banks, now we are at 6,000 charters; and health care following 
suit, with consolidation there, with technology and security 
being a part of that.
    So, yes, that worries me. I mean, is Madison going to have 
the same number of banks or healthcare institutions, you know, 
10 years from now that it does now? Things like that worry me.
    The Chairman. Go ahead.
    Dr. Pauli. I think across any spectrum, any industry--you 
know, a minute ago, we said, how can we create a system today 
that is going to be secure 20 years from now? We can do that. 
We can do that. It is not fun. It is not easy. It is not cheap. 
But the Department of Defense set out the Orange Book 40 years 
ago that talked about, these are the eight ways in which you 
create trustworthy software. And when they are followed, they 
work.
    They are extremely difficult to follow, because the 
security of a system naturally fights against usability, 
performance, all these things, right? So, if you are trying to 
get a product to market, do you want it to be secure or do you 
want it to be user-friendly and fast? 99.9 percent of the time, 
that company is going to say, I want it to be usable, friendly, 
and fast. Very few systems do we get to say, no, security is 
the number one thing.
    That is why we have breaches. That is why our software is 
terrible. That is why we have to keep piling on, you know, get 
back to the basics with all these network security measures. If 
we actually implemented the eight first security principles, we 
would be well down the road to creating robust software.
    The Chairman. All right. Just--go ahead. Did you want to 
say something, Mark?
    Mr. Shlanta. Well, I was going to say there are two things 
that keep me up at night, Senator. One is my son, wondering 
when he is going to come home.
    [Laughter.]
    Mr. Shlanta. The second is making sure that we are taking 
care of our customers and the data that they have entrusted to 
us.
    One of the things that we do as a service provider--and, 
again, the NIST guidelines are relatively new. The CSRIC 
guidelines are even newer. But as we have reviewed those, they 
follow closely to really some of the business continuity 
guidelines we have followed for years.
    And I think just annually or semi-annually reviewing your 
highest risks, your priority risks, making sure they are still 
current. And you just have to ask yourself the tough questions. 
But you don't do that as an individual. You need to bring 
together the operation and ask the operation what are those 
biggest risks and are the risks that we identified three years 
ago still the biggest risks or are there new ones.
    So, once in a while, I ask myself that question: When was 
the last time we went through that process, and are we really 
getting to the roots of those issues?
    The Chairman. Yes.
    Just kind of on that, a follow-on question. But at our 
February hearing, when we talked about the NIST framework--and 
we talked a little bit about the NIST framework today--that 
measurement can be difficult. And even the companies that 
practice the best cybersecurity can fall victim to cyber 
incidents.
    So, with that in mind, how do we measure an entity's 
cybersecurity posture? How do we measure success in an entity's 
investment in cybersecurity?
    And maybe, for those of you that have had experience with 
it, if you could speak briefly, too, to how the NIST framework 
is working.
    Some of the things that we worked with in the bill that we 
passed through the Commerce Committee and passed through the 
Congress and got signed into law by the president last year was 
maintaining a voluntary, industry-driven set of best practices 
that people could use. And I am just wondering, one, how that 
is working and, two, how do you measure the success of it. Is 
there a good metric? How do you quantify that?
    Mr. Pulse. I will jump in here, Senator.
    I mean, how do you measure if it is working? Well, 
ultimately, fewer breaches, right? Less lost data.
    I mean, I think, from a framework perspective--and there 
are a lot of frameworks out there, you know, from a security 
perspective. You know, SANS 20 Critical Controls; the CSA has 
a, you know, framework, and NIST has a framework. And, I mean, 
I would love to see a mutual adoption of a framework that 
organizations can look to. And I am a fan of NIST, and I 
recommend NIST frameworks. I work in NIST frameworks all day 
every day.
    And, you know, we have various organizations--Dr. Streff 
and I were talking earlier today, you know, that the financial 
institution sector came up with their own cybersecurity 
framework. It wasn't built on NIST's framework; it was mapped 
to it, but it wasn't built on it.
    And, you know, why industries and that sort of thing are 
not adopting, you know, a similar framework is--I mean, I----
    Dr. Streff. Senator, that is a big point that Eric is 
bringing up there. The banking sector had a chance, as they 
were publishing their cybersecurity framework, to get on board 
with the NIST framework, which is what we were encouraging. 
And, instead, they came up with their own. And then they said, 
``Oh, here is Appendix B. It is mapped to the NIST 
Cybersecurity Framework.''
    We believe that that is a mistake, and we have been on 
record with them about that, the regulators. There was a 
comment period. We have taken advantage of that comment period, 
and I know Eric's organization has, as well.
    The point with frameworks is everybody has to get close to 
on the same framework if we are going to measure readiness. I 
mean, how are we doing in an industry, how are we doing as a 
country, how are we doing when everybody is doing security 
their own way.
    So, at some point in time, we have to have some common 
elements of framework, with some flexibility for 
individualization, customization.
    Mr. Stine. So I would add a few points.
    I think there are certainly things that you can count, as 
has been referenced--reduced breaches, less data loss, those 
types of things.
    I think the important point to remember in the 
cybersecurity framework specifically and in many risk-based 
approaches is that cybersecurity is a very dynamic space, and 
the approaches to implement cybersecurity capabilities within 
each organization could vary significantly from one 
organization to the next.
    It is going to be influenced by your mission and business 
objectives. It is going to be influenced by your operating 
environment, your resourcing, your threat landscape, and 
ultimately the risk tolerance of your organization. Not only 
looking at cybersecurity but also viewing cybersecurity in the 
context of your mission and other dimensions of risk--financial 
risk, safety risk, reputational risk, for example.
    I think when you look at the Cybersecurity Framework and 
many of the resources that NIST has produced and our standards 
and guidelines, they do take very much that risk management 
approach that you were referencing earlier, leaving the 
specific measurement to each individual organization because 
they have the context of their mission by which to view 
cybersecurity and understand those things that are important to 
their mission but also kind of be able to track the 
improvement.
    If I could add just one more thing, in response to part of 
your question, the framework has been out for 18 months, 
roughly 18 months, version 1.0. We are very pleased with the 
use of the framework to date across many different industry 
sectors and individual companies and organizations of all 
shapes and sizes not only within the critical infrastructure, 
like the telecommunications sector, the financial sector, 
health care, for example, but also in non-critical 
infrastructure, as well.
    We are seeing organizations, not only sectors as a whole 
for their entire membership, if you will, but also individual 
organizations, taking the framework, customizing it or 
tailoring it in a way that puts it in the context of the 
mission and business objectives of the organizations and the 
sectors.
    And part of our approach at NIST is to collect those types 
of use cases, those experiences, those resources, and reflect 
those back out to the community so that others can take those, 
learn from those, implement them, adapt them in a meaningful 
way for them, and hopefully innovate on top of those for the 
betterment of all.
    The Chairman. Thank you.
    Dr. Pauli. Yes, I think it is quite simple to start, 
actually. If you are interested in measuring the success of the 
NIST framework, then let's find out who is using it.
    And let's start with a captive audience. So let's start 
with everybody within the Department of Commerce. It came out 
of the Department of Commerce. How many entities within the 
Department of Commerce are using it? Right? Understanding that 
everyone will tweak it, everyone will customize it. Until we 
standardize things, we can't compare across and against each 
other.
    But what we can measure and what we can measure success on 
is: Who is using it? Who has used it since the Enhancement Act 
went into effect? If you are not using it, why not? If you are 
using it, what do you like about it, and what stories can we 
share with the nonbelievers? We need to get that in order 
before we start comparing banks to hospitals to government 
agencies.
    So I think we need to start with a captive audience, and I 
think we should start with the groups within the department.
    The Chairman. Who are using it. Good.
    Well, if there is anybody out here that wants to take a few 
minutes here, and if anybody has a question from the audience. 
And, again, I would open it up to students who might have 
questions of any of these guys on the panel here. So we will 
get you a microphone there. Or if you want to holler it out, 
holler it out.
    Audience Member. My name is Tanner. I am a [inaudible] 
student. I work at Secure Banking Solutions.
    And I listened to you guys say that [inaudible]. However, I 
have [inaudible] things. Some of you have talked about, you 
know, what are we doing to make sure that access [inaudible], 
what are we doing to make sure that we are not going to be 
hacked.
    As Mr. Stine said, cybersecurity is very dynamic. So what 
are we doing to make sure that our employees and our customers 
know, OK, these aren't the things that I am supposed to be 
doing? What are we doing to make sure that we are not being 
socially engineered?
    Basically, the question is, what are each of your 
businesses or what are you doing in your roles to provide to 
your customers and to your employees saying, OK, while we are 
preaching cybersecurity, what are we doing ourselves to make 
sure that we are not hosting personal information and company 
information out on the Internet? What are we doing to make sure 
that our Facebook accounts aren't being seen by everybody? What 
are you guys doing in order to make sure that you yourselves 
aren't being socially engineered?
    The Chairman. All right. Anybody want to----
    Dr. Pauli. I will jump in there.
    The Chairman. Sure.
    Dr. Pauli. I know the university is developing a user-
awareness training, which will go out, like every other 
training, to every faculty, staff, and students.
    I am working with organizations. I mentioned Heartland 
earlier, with Helix Security. That is exactly what they are 
doing, right? Buzz and everybody at Helix Security is saying, 
you know, we can develop these models. Russ and his crew at 
Heartland are pushing those out to their customers.
    And user-awareness training and moving along that maturity 
model is job one, you know. So I think, you know, the 
university as a whole plays the education role, right? We are 
educating you and all of your classmates and your colleagues to 
go out into spots like SBS and Heartland and SDN and everywhere 
across so that you carry that message forward.
    So I hope that the business owners and the business 
executives back me up on that one.
    The Chairman. Anybody else?
    Mr. Shlanta. You know, from a practice perspective, we have 
annual training. It is mandatory. At the end of the year, if 
you are not on the list, we are tracking you down to sit you 
through training. We will do those trainings on Saturday 
mornings. We will do those training on Friday evenings for our 
staff who works weekends and evenings.
    In those trainings, we go over, say, network literacy, in 
terms of just protecting the network, but then also customer 
information, making sure people understand you can't share 
customer information. It is just part of the business that we 
are in. And, if there was a breach, how do you report it, who 
do you report it to.
    So we do that annually. That is one thing we are doing, and 
I would encourage all businesses to do those things to help 
educate their employees.
    Mr. Pulse. I will jump in. Good question, Tanner. And we 
use some things similar, as well, from a social engineering 
perspective. We get phishing e-mails and those sorts of things 
that are learning tools.
    I will tell you, from a social engineering perspective, I 
had an interesting personal experience where I had just posted 
a job posting, and I think it might have been 3 days later I 
got an e-mail to my business e-mail with a resume. It was 
quarantined because it was infected. I didn't get an 
opportunity to be dumb enough to open it up, but guess what? I 
might have. Because I was in that market, right? We had just 
placed a posting.
    So the ingenuity of these people, these attackers, these 
social engineers, you know, it is crazy. So just being diligent 
and understanding and knowing that--you know, fortunately, we 
had some pretty good detective software in place.
    Dr. Streff. Just to add on to that, I mean, I don't think 
it is enough to----
    The Chairman. Boss?
    [Laughter.]
    Dr. Streff. No, I mean, for our customer, I don't think it 
is enough to just educate them; you have to test them on what 
they know.
    You know, so if you are concerned about phishing in your 
risk management program, then you have to test to see--you have 
to train people in phishing, but then you have to test it, 
right? And 10 times a year, you have to give it to employees 
and see who is clicking on stuff and see who is not. If you are 
worried that they are going to hook a USB stick up into your 
network, then if you are worried about it, then you have to 
test it.
    So, I mean, I think it is one thing to say, you know, have 
an acceptable use policy, ``I will not do that,'' and it is 
another thing to train them in that they won't do it, but I 
think you have to test it. So I think that is the next 
generation of these services, is to test things out.
    The Chairman. OK. Well, that is a really good question, 
Tanner, and I appreciate you asking it and getting some of the 
responses to it.
    And, you know, we have--and I have seen him in the 
audience. Nic Budde, who is a DSU grad and does our IT stuff, 
is constantly harassing people in our office to have strong 
passwords, among other ways of protecting our information, in 
addition to some of the things that the Senate already does.
    But it is something that I think everybody has to look at a 
lot more seriously. And we all take a lot of this for granted, 
but there are lot of bad people out there who want to do bad 
things. And we just want to make sure that all of you guys out 
here play for the good side, because we know you are smart 
enough, probably, to hack into all our computer systems.
    Any other questions out there from--yes, sir?
    Audience Member. [inaudible] progress. So how would you go 
about trying to adjust to that? Because [inaudible]. So my 
question is, how would you go about that?
    The Chairman. Good question.
    Mr. Pulse. I think there is an economic answer to that 
question, and that is putting pressure on the software vendor. 
Because, I mean, what else can you do?
    You see it every day, where, you know, you have a device 
that is not patched, but I can't patch that device because I 
have this piece of software running over here that will break 
if we do. And the software vendor tells me, ``Don't apply that 
patch.''
    I think it is an economic thing that we just, 
collectively--the marketplace needs to correct itself there.
    Mr. Epstein. There is a broader question. Those of us who 
carry Android phones are aware of what is called fragmentation, 
market fragmentation and update fragmentation.
    I happen to--and this is my personal phone, not a 
government phone--I use Verizon. And this is a Samsung phone. 
Every time there is a patch released by Google for Android, it 
has to go from Google to Samsung to Verizon to me. And, 
historically, each of the intermediary steps have not done a 
very good job of passing along those patches.
    So the vast majority of Android phones out there are 
unpatched and effectively unpatchable because of the economic 
incentives, that vendors don't want to risk breaking phones, 
especially given that phones are replaced very frequently.
    So there are economic issues. There are also the social 
issues of people not wanting to install the patches, either 
because it is going to break their applications or just because 
they don't want to take time or they don't want to use data 
minutes or data megabytes to do the download.
    So we have to look at this from a cyber economic 
perspective, not just a technical perspective. And this is 
again why we have to look at problems not just as technical 
problems but as cyber human problems.
    The Chairman. Anyone else?
    Yes, sir?
    Audience Member. Yes. So the question was asked earlier, 
what keeps you up at night and, you know, what scares you in 
the cyber realm?
    I want to tell you, from the perspective of somebody who 
grew up doing this as a hobby, what scares me is that I, as a 
security researcher finding problems and then wanting to go and 
report them, am putting myself in danger. I am walking a thin 
line between what may be legal and what is not, even if my 
intentions are good and everything that I am doing is helping.
    The Computer Fraud and Abuse Act came in place under the 
Reagan administration, like, in the 1980s. It is severely 
outdated. The consensus in the security community is that the 
law has not kept up with what is going on and that people are 
afraid to do research and more afraid to tell people about that 
research once it is done.
    So what can we do as a country, as companies, as senators, 
Congressmen, anything, to let security researchers know that we 
are behind them and the work that they do is appreciated and 
helpful?
    Mr. Stine. So, when I opened up, I mentioned that NIST is a 
part of the Department of Commerce. And we have a sister 
agency, NTIA, that actually has just initiated a multi-
stakeholder process looking at things such as vulnerability 
disclosure in the research community specifically.
    So there is a very new opportunity, within the last couple 
of months, and certainly an ongoing one, to engage in that 
process as a researcher and then, I think, an interesting 
perspective as a student, as well, to contribute to that 
discussion to help us, as Commerce, understand what are the 
positive research uses for vulnerabilities that are identified, 
responsible disclosure, those types of things, in the process. 
And I am happy to share some more information with you out of 
band.
    Dr. Pauli. Andrew, I think what we are going to see is the 
proliferation of bug bounty programs, right? Some of the 
companies that are now involved in bug bounties we would have 
never dreamed were part of bug bounties, right? Bug bounties 
are the new black, kind of, right now.
    So I think we are going to see some spreading of that. I 
know that doesn't give you the carte blanche that maybe you 
want, right? It only gives you certain targets. But I think we 
are going to see a spreading of bug bounties.
    The computer abuse and fraud, you are not the first student 
to bring it up; you won't be the last. I hope we can get some 
movement on it, as well. But maybe the bug bounties will be a 
little bit of a pacifier until we get that figured out.
    Dr. Streff. So, Chairman, the story here, then, goes, if 
somebody finds a flaw, if they report it, they are in trouble, 
maybe even in jail. And if they give it to a bad guy, they will 
make money off of that. They can sell it. So it is a double 
whammy.
    The Chairman. Yep.
    Mr. Epstein. So the CFAA, as you say, is one of the areas 
that researchers point to. The other that is related is the 
DMCA, the Digital Millennium Copyright Act.
    And I do hear this a lot from researchers. Some of the 
researchers won't tell me what areas they won't research 
because they are--it is not so much me, but, in general, they 
don't want to talk about what areas they don't want to research 
because they are afraid that that might indicate to potential 
vendors who might want to sue them what areas they think are 
risky, and so they don't want to tip them off.
    So there is no doubt that it is having an impact on the 
research community because people are afraid to do research. 
Whether, from a policy perspective, that should be changed or 
not is a political question, and that is for the senator to 
decide. But there is no question that it is having an impact on 
research.
    The Chairman. And I thought I needed a bug bounty in my 
house.
    [Laughter.]
    The Chairman. That is a really good question and, 
obviously, one that needs to be--it sounds like one that we 
need to be thinking about, too, in terms of how we support the 
people who are doing good things out there.
    Anything else for the good of the order? Anybody else got 
a--OK.
    Audience Member. My name is [inaudible]. I am a Cyber 
Operations Major at Dakota State.
    You said earlier what keeps you up at night. What keeps me 
up at night is [inaudible], not from my wallet, not from a 
credit card statement [inaudible]. I believe it is a lot easier 
now to get access to your credit card information through them. 
And I was just curious to know what is, like, being done about 
that.
    The Chairman. Does anybody want to take a stab at that?
    Dr. Pauli. Anybody from Apple----
    [Laughter.]
    Dr. Pauli.--on the panel that would care to go on the 
record?
    I think what we are going to have to do is watch and see. 
There has been no huge, you know, oh, my gosh, you know, Apple 
Pay is vulnerable to this type of attack. When we see that, and 
we probably will see that, then we will see some movement from 
Apple, right? It is the economic ebb and flow of exploitation 
versus patching.
    Should it keep you up at night? I don't know. It might be a 
worthy reason to keep you up at night. But we haven't seen 
anything yet; thus, we are not going to see anything from Apple 
yet. And I know that is very reactionary, but that is the 
economic reality.
    The Chairman. All right.
    Mr. Epstein. I think the bigger risk is not, frankly, to a 
student who probably doesn't have enough money in your checking 
account to be worth stealing, if you are anything like I was 
when I was a student. If I got my account up to $100, I was 
feeling pretty good.
    I think the bigger risk is actually to small businesses. If 
you as an individual, if there is a theft from your bank 
account, from your credit card, by and large, banks are either 
required, if it is a credit card, or voluntarily if it is a 
debit card, to make you whole again. When it happens to small 
businesses, when it happens to local governments, it is a lot 
harder to deal with.
    And we know that this happens, and there are, perhaps, 
regulatory changes but certainly technical changes that we 
could be doing to encourage small businesses to be using 
dedicated computers whenever they are processing money instead 
of using the same computer that they use for other purposes, to 
be using two-factor authentication with their banks, to prevent 
malware on their computer from transferring the funds offshore, 
et cetera.
    So there are technical measures that we could be using. 
There is research to be done, as well. We recently funded a 
project to look at mobile payment systems that are largely in 
use in the Third World, where you don't have a credit card and 
you don't have a bank; you just process the money directly from 
one phone to another. What are the security risks associated 
with those? They are in widespread use, especially in Africa 
and Asia, and nobody knows how bad the security risks are.
    So we need to continue research in those areas. And the 
State Department is cooperating with NSF in that research, with 
funding the research.
    The Chairman. OK. One more.
    Audience Member. My question is [inaudible]. I want to know 
what the U.S. knows [inaudible] and what is going to be done.
    The Chairman. Well, that is a good question. I will tell 
you, what keeps a lot of our military and intelligence 
community up a lot at night is, you know, what are the rules of 
engagement in the new world of cyber warfare? And, you know, 
nation-states, we get hacked, we get attacked; what is a 
proportionate response?
    And so I can tell you that the military and intelligence 
community are grappling with those types of issues, and I don't 
know that they have come to any hard and fast conclusions yet.
    With regard to law enforcement, on just criminal attacks, I 
mean, does anybody want to talk about what is being done on 
that front?
    I think it is kind of a whole new world, honestly. But 
there is going to have to be some consequence and a reckoning 
for people who steal people's personal information, steal their 
money by somehow, you know, hacking into their, if it is a 
phone system or their--I worry about financial services. And 
everybody does everything online these days, you know. I think 
there are just all kinds of threats out there and all kinds of 
risks, and a lot of bad people are trying to exploit it.
    I think right now, it seems to me, at least, that most of 
the prosecution has been case by case and, you know, trying to 
bring people to justice, but I don't know that there has been a 
lot of thought given--and I know there is a lot of thought 
given on the military side to nation-states and, you know, 
rogue states and terrorist organizations that are trying to 
hack in and, you know, disrupt some of our critical 
infrastructure. But on the prosecutorial side, law enforcement 
side, I am not sure that there is a lot of movement on that 
front.
    And maybe I am--I would look to Nick Rossi, who is a former 
FBI guy and does a lot of our cybersecurity stuff on the 
Committee, if you have any thoughts on that.
    Mr. Rossi. Typically, it is a challenge because you have to 
try to lure folks into a jurisdiction where the U.S. can take 
custody of them or work out an arrangement with a foreign 
government in order to follow through on it. And it is a big 
challenge.
    Dr. Pauli. I think on the nation-state side, the writing is 
on the wall, and it is pretty obviously what we are doing, 
right?
    A couple years ago, we had no Centers of Academic 
Excellence in cyber operations; now the U.S. has 14. A couple 
years ago, there was no such thing as U.S. Cyber Command; now 
we have the U.S. Cyber Command. Six thousand employees in the 
U.S. Cyber Command, which is the military branch of cyber. The 
Cyber Command started as this blob of people; now there are 14 
very specific job roles within the U.S. Cyber Command.
    So, while the Department of Defense probably isn't going to 
come out and have a press conference and tell us exactly what 
we are going to do and how we are going to do it and what the 
thresholds are, I think the writing on the wall is pretty 
obvious what the Department of Defense is thinking.
    Dr. Streff. I think that is true with offensive 
capabilities, as well. Businesses can't fight back, right? If 
we get hacked, if a business gets hacked, you can't just hack 
back, right? But Cyber Command can.
    So that is part of the capability that is being developed 
there, right? I mean, if you can get somebody to hack them 
back, then you can get them to maybe stop, and maybe they won't 
be successful with their attack and you can thwart their 
attack.
    I think there is a lot being done here, but just--you know, 
law enforcement is understaffed, too, Arnold, right? I mean, 
you know, FBI has only got so many agents; they can only handle 
so many cases of certain value in certain jurisdictions. You 
know, it is an expensive fight.
    Dr. Pauli. Yes. And to put a bow on it, maybe it comes full 
circle. If we are going to do that, right, if we are going to 
engage U.S. Cyber Command on behalf of Madison Community 
Hospital, that is going to take information-sharing, which is 
going to be a heck of a battle coming up, right?
    Madison Community Hospital would love that when something 
happens. ``Go get them, go get them, Cyber Command.'' But that 
is going to take information-sharing in the good times and in 
the bad, right? It is a true marriage --good times, bad, 
health, you know, sickness, all that good stuff.
    [Laughter.]
    The Chairman. But if you do visit with our military 
leadership in the country--and standing up Cyber Command was a 
really important acknowledgment and recognition, but I think 
there is still a lot of grappling going on about the, again, 
proportionate response, rules of engagement.
    And, frankly, I am glad, I think we have the most 
sophisticated operations in the world. And I have visited the 
NSA facilities up in Maryland and looked at the things that 
they can do and what the capabilities are, and, you know, we 
have tremendous capability.
    But what are going to be, in this new world--and I think it 
is a very serious national security consideration and one that 
is not going away. We are going to be dealing with it well into 
the future, which is, again, the focus of this hearing and why 
I appreciate so much our panelists for joining us and all of 
you for your really good questions.
    It is clear that students here at Dakota State University 
have done their homework. They are asking questions, tough 
questions, that are hard to answer. But we want to do our best 
to make sure that we have, as best we can, the answers to those 
questions for the future.
    Because, as I mentioned earlier, by 2020, the estimate is 
we are going to have 50 billion connected devices in the world. 
And that creates a tremendous benefit, convenience, 
opportunity, but also great risk.
    And the people who are going to be principally in charge of 
addressing those risks and trying to prevent those attacks and 
deal with those are a lot of the folks, hopefully, that are 
seated in this room. We hope that there are going to be a 
number of students here at Dakota State University that are 
going to be leading the way when it comes to helping us deal 
with these issues in the future.
    So I want to thank everybody for attending.
    I will say, the hearing record will remain open for 2 
weeks, during which time, if there are additional questions 
that would be submitted for the record, those can be. And, upon 
receipt, the witnesses are requested to submit their written 
answers to the Committee for inclusion in the record.
    And, with that, we are adjourned. Thank you very much.
    [Whereupon, at 4:10 p.m., the hearing was adjourned.]

                            A P P E N D I X

     Response to Written Questions Submitted by Hon. John Thune to 
                             Jeremy Epstein
    Question 1. As attacks and breaches continue to rise, shortages in 
our cyber workforce need to be addressed. The Cisco Annual Security 
Report recently stated that the global shortage of cyber professionals 
is at 1 million openings. Are existing Federal programs like the NIST 
National Initiative for Cybersecurity Education, the National 
Cybersecurity Workforce Framework, and NSF's CyberCorps Scholarships 
steps in the right direction to increase our workforce? What other 
initiatives do you think would be helpful to build the required 
workforce--either government initiatives or those by industry or 
academia?
    Answer. The National Science Foundation's (NSF) investments in 
cybersecurity research are accompanied by investments in cybersecurity 
education and workforce development. Research undertaken in academia 
not only engages some of our Nation's best and brightest researchers, 
but because these researchers are also teachers, new generations of 
students are exposed to the latest thinking from the people who 
understand it best. And when these students graduate and move into the 
workplace, they will bring this knowledge and understanding with them. 
Moreover, faculty members in this dual role of researchers and teachers 
have incentives to write textbooks and prepare other teaching materials 
that allow dissemination of their work to a wide audience, including 
teachers and students nationwide.
    In recent years, the NSF Directorate for Education and Human 
Resources (EHR) has focused on increasing the number of professionals 
with degrees in cybersecurity. An overwhelming majority of these EHR-
developed professionals were supported by the CyberCorps: Scholarship 
for Service (SFS) program.
    Through the end of FY 2014, the SFS program has provided 
scholarships to more than 2,300 students and graduated more than 1,700, 
including 22 percent with bachelor's degrees, 76 percent with master's 
degrees, and two percent with doctoral degrees. Of these graduates, 93 
percent have been successfully placed in the Federal Government. SFS 
scholarship recipients have been placed in internships and full-time 
positions in more than 140 Federal departments, agencies, and branches, 
and state, local, and tribal governments, including the National 
Security Agency, Department of Homeland Security, Central Intelligence 
Agency, and Department of Justice.
    NSF believes that basic research in cybersecurity together with 
research on learning can also address the challenge of expanding 
existing educational opportunities and resources in cybersecurity. In 
FY 2014, the Secure and Trustworthy Cyberspace program released a Dear 
Colleague Letter \1\ to encourage new collaborations between the 
cybersecurity research and computing education research communities. As 
a result of the Dear Colleague letter, NSF has made 12 cybersecurity 
education Early Concept Grants for Exploratory Research (EAGER) awards 
in FY 2015.
---------------------------------------------------------------------------
    \1\ http://www.nsf.gov/pubs/2014/nsf14075/nsf14075.jsp
---------------------------------------------------------------------------
    NSF is an active participant and contributor in the National 
Initiative for Cybersecurity Education (NICE) led by the National 
Institute of Standards and Technology (NIST). The goal of NICE is to 
establish an operational, sustainable and continually improving 
cybersecurity education program for the Nation to use sound cyber 
practices that will enhance the Nation's security. NSF's involvement 
aims to bolster formal cybersecurity education programs encompassing K-
12, higher education, and vocational programs, with a focus on the 
science, technology, engineering, and mathematics disciplines to 
provide a pipeline of skilled workers for the private sector and 
government.
    Through NSF's Research Experiences for Undergraduates (REU) 
program, NSF has supported several REU Sites based on independent 
proposals that seek to initiate and conduct projects that engage a 
number of undergraduate students in research. REU Sites must have a 
well-defined common focus, based in a single discipline or spanning 
interdisciplinary or multi-disciplinary research opportunities with a 
coherent intellectual theme, which enables a cohort experience for 
students. Each REU Site typically supports 8 to 12 undergraduate 
students each summer, including housing and stipend support, with each 
student involved in a specific project guided by a faculty mentor. REU 
Sites are an important means for extending high-quality research 
environments and mentoring to diverse groups of students. NSF's 
investments in REU Sites focused on cybersecurity and information 
assurance include:

   Trustable Computing Systems Security Research and Education 
        at the University of Connecticut;

   Information Assurance and Security at Dakota State 
        University;

   Undergraduates Engaged in Cyber Security Research at the 
        University of Maryland;

   Site for Extensive and Collaborative Undergraduate Research 
        Experience (SECURE) at the University of Nebraska at Omaha;

   Multidisciplinary Information Assurance and Security at 
        Purdue University; and

   Digital Forensics Research in Rhode Island at the University 
        of Rhode Island.

    With an emphasis on two-year colleges, the Advanced Technological 
Education (ATE) program focuses on the education of technicians for the 
high-technology fields that drive our Nation's economy, including 
cybersecurity. The program involves partnerships between academic 
institutions and industry to promote improvement in the education of 
science and engineering technicians at the undergraduate and secondary 
school levels. The ATE program supports curriculum development; 
professional development of college faculty and secondary school 
teachers; career pathways to two-year colleges from secondary schools 
and from two-year colleges to four-year institutions; and other 
activities. Another goal is articulation between two-year and four-year 
programs for K-12 prospective science, technology, engineering, and 
mathematics (STEM) teachers who focus on technological education.
    The ATE program supports projects, centers, and targeted research 
on technician education. Activities may have either a national or a 
regional focus. A project or center is expected to communicate a 
realistic vision for sustainability and a plan for achievement. It is 
expected that at least some aspects of both centers and projects will 
be sustained or institutionalized past the period of award funding. 
Being sustainable means that a project or center has developed a 
product or service that the host institution, its partners, and its 
target audiences want continued.
    Of 17 active ATE awards, four are focused on cybersecurity, 
including a national center, a resource center, and two regional 
centers:

   National CyberWatch Center (Maryland)--This center, 
        originally established in 2005 at Prince George's Community 
        College and re-funded as a national center in 2012, leads 
        collaborative efforts to increase the quantity and quality of 
        the cybersecurity workforce by advancing cybersecurity 
        education. The center comprises over 50 two-year schools, over 
        50 four-year institutions in 33 states, over 30 industry 
        partners, three government partners, six public school systems, 
        and two non-profit organizations. It pursues curriculum 
        development, faculty professional development, and K-12 
        initiatives. It is estimated that over 11,000 students have 
        been impacted by the National CyberWatch Center's faculty 
        development.

   National Resource Center for Systems Security and 
        Information Assurance (CSSIA) (Illinois)--Originally 
        established in 2003, this center, based at Moraine Valley 
        Community College, seeks to support: innovative faculty 
        development; expansion of comprehensive cyber competitions at 
        the higher education and minority levels; development and 
        expansive distribution of high-quality cybersecurity lab 
        content; and remote virtualization content delivery and 
        innovative virtualization lab environments. CSSIA has mentored, 
        established, and expanded cybersecurity degree and 
        certification programs at hundreds of institutions in over 30 
        states. In 2013 alone, 1,191 students participated in CSSIA-
        sponsored cybersecurity competitions.

   Cyber Security Education Consortium (CSEC) (Oklahoma)--Based 
        at the University of Tulsa, this center is a partnership of 
        community colleges and career and technology centers in eight 
        states in the central U.S. CSEC has established cybersecurity 
        certificate and degree programs at 49 two-year program sites in 
        eight states, and signed over 120 articulation agreements that 
        provide students with advanced placement, dual enrollment, or 
        cybersecurity course credit at two- and four-year institutions. 
        Since 2004, over 1,300 CSEC students have completed certificate 
        programs in cybersecurity; over 800 others have received 
        associate degrees; and over 200 others have attained bachelor's 
        degrees in cybersecurity. In the 2013-14 academic year, CSEC 
        had 2,337 security-related student enrollments.

   CyberWatch West (Washington)--The overarching goal of 
        CyberWatch West is to strengthen the cybersecurity workforce in 
        California and the Pacific Northwest. To accomplish this goal, 
        CyberWatch West is concentrating on the following four major 
        areas: (1) student activities, including meaningful internships 
        and a cyber-defense league with weekly virtual exercises; (2) 
        assistance in curriculum development based on recognized 
        standards and creation of cybersecurity pathways from community 
        colleges to four-year institutions; (3) a faculty development 
        and mentor program to help infuse cybersecurity concepts into 
        coursework; (4) outreach and partnership with regional 
        community colleges, universities, high schools, and industry to 
        determine and assist with regional needs in cybersecurity 
        education. CyberWatch West consists of 44 academic partners, 
        plus three high-schools and 19 industry and government 
        partners, and has an active enrollment of nearly 1,000 
        students, including a large minority student population.

    Question 2. The certification organization for cyber professionals, 
(ISC),\2\ recently noted that a poll of 14,000 information security 
professionals found that only 10 percent were women. In addition to the 
overall labor shortage in the cyber industry, what can be done to 
increase representation of women in this particular STEM discipline?
    Answer. NSF includes broadening participation in its core values, 
as it seeks and accommodates ``contributions from all sources while 
reaching out especially to groups that have been underrepresented.'' 
This is especially the case within the Computer and Information Science 
and Engineering (CISE) community, where the longstanding 
underrepresentation of many demographic groups coincides with the 
increasingly pervasive role of computing in our society, the importance 
of IT innovation in driving our economy, and the growing demand for IT 
specialists at all levels of the workforce. To this end, NSF is working 
to broaden participation in cybersecurity in a number of ways.
    For many kids, the connection between careers and computing is 
blocked at the high-school level: few of our high-schools teach any 
computer science (CS). In fact, we teach less computer science in high-
school now than we did two decades ago. Only 19 percent of U.S. 
students take a single CS course. This lack of CS in high-schools 
disproportionately affects women and minorities: women because they 
don't see any counters to the popular misconceptions about computing 
and minorities because they are more likely to attend low-resourced 
schools that don't offer any CS course.
    NSF has funded the development of two new high-school courses: an 
introductory course called Exploring Computer Science, and a new AP 
course called CS Principles. Both courses were designed to be engaging 
and inspiring for all students. Both teach programming but are not 
programming-centric; rather, they focus on computational concepts, 
covering the design of algorithms and software, computational problem-
solving, the wide range of potentially transformative applications of 
computing, and ethics and social impacts. These courses are being 
piloted and adopted in hundreds of schools across the country and many 
of the pilots are already seeing representative numbers of women and 
minorities. In addition to a comprehensive CS curriculum, NSF has 
funded 20 large projects around the country to develop scalable models 
of teacher professional development.
    NSF has also funded the National Center for Women and Information 
Technology (NCWIT), a non-profit community of more than 600 
universities, companies, non-profits, and government organizations 
nationwide working to increase women's participation in computing and 
technology. NCWIT equips change leaders with resources for taking 
action in recruiting, retaining, and advancing women from K-12 and 
higher education through industry and entrepreneurial careers. NCWIT 
works to correct the imbalance of gender diversity in technology and 
computing because gender diversity positively correlates with a larger 
workforce, better innovation, and increased business performance.
    Finally, through the SFS program, NSF has developed and funded the 
Inspiring the Next Generation of Cyber Stars (or GenCyber) summer 
camps, to seed the interest of young people, to help them learn about 
cybersecurity, and to learn how skills in this area could pay off for 
them in the future. These overnight and day camps are available to 
students and teachers at the K-12 levels at no expense to them; funding 
is provided by NSF and the National Security Agency (NSA). A pilot 
project for cybersecurity summer camps in 2014 stimulated such great 
interest that the GenCyber program expanded in 2015, supporting 43 
camps held on 29 university campuses in 19 states with more than 1,400 
participants (including one GenCyber camp at Dakota State University 
for girls entering grades 8-12).

    Question 3. The Cybersecurity Enhancement Act directed increased 
coordination on research and development activities across the Federal 
Government. It also directed activities for research centers, test 
beds, secure coding, and cloud computing. In your views, what research 
activities should the private sector, academia, and Federal agencies 
prioritize? In other words, what do you see as the future of 
cybersecurity research?
    Answer. NSF closely coordinates and collaborates with other Federal 
agencies and the private sector in pursuing cybersecurity research and 
development activities. In 2011, the National Science and Technology 
Council (NSTC), with the cooperation of NSF, put forward a strategic 
plan titled Trustworthy Cyberspace: Strategic Plan for the Federal 
Cybersecurity Research and Development Program.\2\ The Plan specifies 
four strategic thrusts to organize activities and drive progress in 
cybersecurity R&D across the Federal Government:
---------------------------------------------------------------------------
    \2\ http://www.whitehouse.gov/sites/default/files/microsites/ostp/
fed_cybersecurity_rd_stra
tegic_plan_2011.pdf

   Inducing Change--Utilizing game-changing themes to direct 
        efforts towards understanding the underlying root causes of 
        known current threats with the goal of disrupting the status 
        quo with radically different approaches to improve the security 
        of the critical cyber systems and infrastructure that serve 
---------------------------------------------------------------------------
        society.

   Developing Scientific Foundations--Developing an organized, 
        cohesive scientific foundation to the body of knowledge that 
        informs the field of cybersecurity through adoption of a 
        systematic, rigorous, and disciplined scientific approach. 
        Promotes the discovery of laws, hypothesis testing, repeatable 
        experimental designs, standardized data-gathering methods, 
        metrics, common terminology, and critical analysis that 
        engenders reproducible results and rationally based 
        conclusions.

   Maximizing Research Impact--Catalyzing integration across 
        the game-changing R&D themes, cooperation between governmental 
        and private-sector communities, collaboration across 
        international borders, and strengthened linkages to other 
        national priorities, such as health IT and Smart Grid.

   Accelerating Transition to Practice--Focusing efforts to 
        ensure adoption and implementation of the powerful new 
        technologies and strategies that emerge from the research 
        themes, and the activities to build a scientific foundation so 
        as to create measurable improvements in the cybersecurity 
        landscape.

    In response to the Cybersecurity Enhancement Act, the Networking 
and Information Technology Research and Development (NITRD) Cyber 
Security and Information Assurance Research and Development Senior 
Steering Group is developing an updated Federal cybersecurity research 
and development strategic plan. The strategic plan will be used to 
guide and coordinate federally-funded cybersecurity research.
    In August 2015, the President's Council of Advisors on Science and 
Technology (PCAST) released its review of the NITRD program,\3\ which 
since its establishment in 1991 has coordinated the government's 
investments in networking and information technology R&D. PCAST noted 
eight specific areas that are critical to the future of IT, including 
cybersecurity, and emphasized their relevance to national priorities.
---------------------------------------------------------------------------
    \3\ https://www.whitehouse.gov/sites/default/files/microsites/ostp/
PCAST/nitrd_report_
aug_2015.pdf
---------------------------------------------------------------------------
    The PCAST report identified Federal investments in at least five 
key R&D areas that have the potential to improve the foundations of 
cybersecurity:

   Cybersecurity by Design--An understanding of how to 
        construct secure and trustworthy systems.

   Defense Against Attack--Ongoing mechanisms for 
        authentication, authorization, data provenance, and integrity 
        checks, as well as powerful tools to detect potential 
        vulnerabilities automatically, for systems in use.

   Systems Resilience--Improved methods to mitigate the effects 
        of an attack.

   Implementation Support--Methods to express cybersecurity 
        policies formally in ways that are understandable both to 
        people and to computers and tools to use them for policy 
        implementation and compliance checking.

   Better and faster methods for attribution, enabling both 
        technical and non-technical mitigations.

    Question 4. We briefly discussed at the hearing the possible 
cybersecurity concerns with the proliferation of connected devices and 
the Internet of Things. Given the wide-ranging applications of cyber-
physical systems, many agencies, including the NSF, identify and fund 
research on such systems. How does NSF work to coordinate that research 
with other agencies and private sector companies, and what research is 
NSF currently supporting related to the security of cyber-physical 
systems?
    Answer. NSF coordinates its cybersecurity research and planning 
activities with other Federal agencies, including the Departments of 
Defense (DoD) and Homeland Security (DHS) and the agencies of the 
Intelligence Community, through various ``mission-bridging'' 
activities:

   NSF plays a leadership role in the interagency NITRD 
        Program. The National Science and Technology Council's NITRD 
        Subcommittee, which NSF co-chairs, has played a prominent role 
        in the coordination of the Federal Government's cybersecurity 
        research investments.

   In January 2008, President Bush initiated the Comprehensive 
        National Cyber Security Initiative (CNCI).\4\ The current 
        Administration supports and has continued efforts on this 
        initiative. One of the goals of the CNCI is to develop ``leap-
        ahead'' technologies that would achieve orders-of-magnitude 
        improvements in cybersecurity.
---------------------------------------------------------------------------
    \4\ http://www.nitrd.gov/subcommittee/csiacyberlink.html

   Based on this directive, a NITRD Senior Steering Group (SSG) 
        for Cyber Security and Information Assurance R&D (CSIA R&D)\5\ 
        was established to provide a responsive and robust conduit for 
        cybersecurity R&D information across the policy, fiscal, and 
        research levels of the government. The SSG is composed of 
        senior representatives of agencies with national cybersecurity 
        leadership positions, including: DoD, Office of the Director of 
        National Intelligence (ODNI), DHS, NSA, NSF, NIST, Office of 
        Science and Technology Policy, and Office of Management and 
        Budget. A principal responsibility of the SSG is to define, 
        coordinate, and recommend strategic Federal R&D objectives in 
        cybersecurity, and to communicate research needs and proposed 
        budget priorities to policy makers and budget officials. One of 
        CISE's Division Directors is the co-chair of this group.
---------------------------------------------------------------------------
    \5\ https://www.nitrd.gov/nitrdgroups/
index.php?title=Cyber_Security_Information_Assuran
ce_Research_and_Development_Senior_Steering_Group_%28CSIA_R%26D_SSG%29

   The NITRD Cyber Security and Information Assurance 
        Interagency Working Group (CSIA IWG)\6\ coordinates 
        cybersecurity and information assurance research and 
        development across the member agencies, including DoD, the 
        Department of Energy and the National Security Agency, which 
        focus on research and development to prevent, resist, detect, 
        respond to, and/or recover from actions that compromise or 
        threaten to compromise the availability, integrity, 
        orconfidentiality of computer-and network-based systems.
---------------------------------------------------------------------------
    \6\ https://www.nitrd.gov/nitrdgroups/
index.php?title=Cyber_Security_and_Information_
Assurance_Interagency_Working_Group_(CSIA_IWG)

    Beyond its coordination with other Federal agencies, NSF also 
promotes partnerships between academia and industry. These partnerships 
are critical to a healthy trustworthy computing ecosystem. They enable 
discoveries to transition out of the lab and into the field as threats 
and solutions co-evolve over time. And they ensure U.S. leadership, 
economic growth, and a skilled workforce.
    Let's take cyber-physical systems (CPS) as one example. Cyber-
physical systems are subject to threats stemming from increasing 
reliance on computer and communication technologies. Cyber security 
threats exploit the increased complexity and connectivity of critical 
infrastructure systems, placing the Nation's security, economy, public 
safety, and health at risk. NSF is working with its Federal partners 
(such as DHS, NIST, the Department of Energy, and the Department of 
Transportation) in many areas of CPS--such as strategic planning of 
R&D, research collaboration, joint program solicitations, multi-agency 
proposal review and processing, and co-funding of research proposals.
    NSF is also partnering with Intel Corporation in the security and 
privacy of CPS. The national and economic security of the U.S. depends 
on the reliable function of critical infrastructure. This 
infrastructure is rapidly being advanced through the integration of 
information and communication technologies, leading to cyber-physical 
systems. Advances in CPS will enable capability, adaptability, 
scalability, and usability that will far exceed the simple embedded 
systems of today. CPS technologies will transform the way people 
interact with engineered systems--just as the Internet has transformed 
the way people interact with information. New smart CPS will drive 
innovation and competition in sectors such as food and agriculture, 
energy, different modes of transportation including air and 
automobiles, building design and automation, healthcare and medical 
implants, and advanced manufacturing.
    The goal of NSF's partnership with Intel is to foster novel, 
transformative, multidisciplinary approaches that ensure the security 
of current and emerging cyber-physical systems, taking into 
consideration the unique challenges present in this environment 
relative to other domains with cybersecurity concerns. These challenges 
arise from the non-reversible nature of the interactions of CPS with 
the physical world; the scale of deployment; the federated nature of 
numerous infrastructures; the deep embedding and long projected 
lifetimes of CPS components; the interaction of CPS with users at 
different scales, degrees of control, and expertise levels; the 
economic and policy constraints under which such systems must often 
operate; and the sensing and collection of information related to a 
large spectrum of everyday human activities. A set of joint NSF/Intel 
awards was awarded in FY 2015.
    A number of NSF-funded researchers, particularly those working in 
larger, inter-or multidisciplinary teams, also collaborate closely with 
industry to deepen and extend the outcomes of their research 
activities. For example, building on NSF-funded research dating back to 
FY 2010, researchers at the University of California at San Diego \7\ 
and University of Washington \8\ have demonstrated the ability to 
remotely take over automotive control systems.\9\ The researchers found 
that, because many of today's cars contain cellular connections and 
Bluetooth wireless technology, it is possible for a hacker working from 
a remote location to take control of various features--like the car 
locks and brakes--as well as to track the vehicle's location, eavesdrop 
on its passenger cabin, and steal vehicle data. The researchers are now 
working with the automotive industry to develop new methods for 
assuring the safety and security of on-board electronics. Both the 
Society for Automotive Engineers (SAE) and the United States Council 
for Automotive Research (USCAR) have partnered with the researchers to 
stand up efforts focused on automotive security research.\10\ 
Automotive manufacturers have also started dedicating significant 
resources to security.\11\
---------------------------------------------------------------------------
    \7\ http://www.nsf.gov/awardsearch/
showAward?AWD_ID=0963702&HistoricalAwards=false
    \8\ http://nsf.gov/awardsearch/
showAward?AWD_ID=0963695&HistoricalAwards=false
    \9\ http://www.nytimes.com/2011/03/10/business/10hack.html
    \10\ http://www.autosec.org/faq.html
    \11\ http://www.caranddriver.com/features/can-your-car-be-hacked-
feature
---------------------------------------------------------------------------
    Similarly, NSF-funded researchers at the University of Michigan, 
University of Massachusetts Amherst, and University of Washington were 
able to gain wireless access to a combination heart defibrillator and 
pacemaker, reprogramming it to shut it down and to deliver jolts of 
electricity that could have potentially been fatal if the device had 
been implanted in a person. This research team is now collaborating 
with industry, including the Medical Device Innovation, Safety, and 
Security (MDISS) Consortium, Association for the Advancement of Medical 
Instrumentation (AAMI), and specific biomedical device companies, 
including Medtronic, Philips Healthcare, Siemens Healthcare, and Welch 
Allyn, to prevent illegal or unauthorized hacking of devices that have 
wireless capabilities. For each of the last two years, this NSF-funded 
research team has also held a Medical Device Security Workshop \12\ 
\13\ to bring together solution-oriented experts in medical device 
manufacturing and computer security to meet and discuss effective ways 
to improve information security and inform Food and Drug Administration 
(FDA) guidelines on cybersecurity. Additionally, the research team has 
created a traveling classroom for medical device manufacturers, and has 
provided private on-site security engineering education and training to 
over 500 employees from a half-dozen major medical device 
manufacturers. We expect such academic/industry collaborations to 
continue to grow as new cybersecurity challenges and results emerge.
---------------------------------------------------------------------------
    \12\ http://secure-medicine.org/workshop/2014
    \13\ http://secure-medicine.org/workshop/2013
---------------------------------------------------------------------------
                                 ______
                                 
    Response to Written Questions Submitted by Hon. Steve Daines to 
                             Jeremy Epstein
    Question 1. Mr. Epstein, you mentioned $158 million was dedicated 
to cybersecurity research and education in FY 2014, and a portion of 
this went to prevention and prediction research. Can you elaborate on 
these preventative measures and how these can help us act proactively 
instead of reactively?
    Answer. The National Science Foundation (NSF) invests in 
unclassified, fundamental, long-term research in the science of 
trustworthiness and related trustworthy systems and technologies. The 
Secure and Trustworthy Cyberspace (SaTC) Program funds research that 
investigates the motivations and incentives of individuals and 
institutions, both as attackers and defenders, in order to design and 
produce software systems that are resistant to attacks by designing-in 
security, to dramatically reduce the number of exploitable flaws.
    Today, NSF's cybersecurity research portfolio includes projects 
addressing security from the microscopic level, detecting whether a 
silicon chip is a counterfeit or may contain a malicious circuit, to 
the macroscopic level, determining strategies for securing the next-
generation electrical power grid and transportation network, as well as 
at the human level, studying online privacy and security behaviors of 
both adolescents and senior citizens, methods for leveraging 
personality differences to improve security behaviors, and motivations 
for keeping systems patched.
    Examples of research to design-in security includes NSF-funded 
research dating back to FY 2010, when researchers at the University of 
California at San Diego \1\ and University of Washington \2\ 
demonstrated the ability to remotely take over automotive control 
systems.\3\ The researchers found that, because many of today's cars 
contain cellular connections and Bluetooth wireless technology, it is 
possible for a hacker working from a remote location to take control of 
various features--like the car locks and brakes--as well as to track 
the vehicle's location, eavesdrop on its passenger cabin, and steal 
vehicle data. The researchers are now working with the automotive 
industry to develop new methods for assuring the safety and security of 
on-board electronics. Both the Society for Automotive Engineers (SAE) 
and the United States Council for Automotive Research (USCAR) have 
partnered with the researchers to stand up efforts focused on 
automotive security research.\4\ Automotive manufacturers have also 
started dedicating significant resources to security.\5\
---------------------------------------------------------------------------
    \1\ http://www.nsf.gov/awardsearch/
showAward?AWD_ID=0963702&HistoricalAwards=false
    \2\ http://nsf.gov/awardsearch/
showAward?AWD_ID=0963695&HistoricalAwards=false
    \3\ http://www.nytimes.com/2011/03/10/business/10hack.html
    \4\ http://www.autosec.org/faq.html
    \5\ http://www.caranddriver.com/features/can-your-car-be-hacked-
feature
---------------------------------------------------------------------------
    Similarly, NSF-funded researchers at the University of Michigan, 
University of Massachusetts Amherst, and University of Washington were 
able to gain wireless access to a combination heart defibrillator and 
pacemaker, reprogramming it to shut it down and to deliver jolts of 
electricity that could have potentially been fatal if the device had 
been implanted in a person. This research team is now collaborating 
with industry, including the Medical Device Innovation, Safety, and 
Security (MDISS) Consortium, Association for the Advancement of Medical 
Instrumentation (AAMI), and specific biomedical device companies, 
including Medtronic, Philips Healthcare, Siemens Healthcare, and Welch 
Allyn, to prevent illegal or unauthorized hacking of devices that have 
wireless capabilities. For each of the last two years, this NSF-funded 
research team has also held a Medical Device Security Workshop \6\ \7\ 
to bring together solution-oriented experts in medical device 
manufacturing and computer security to meet and discuss effective ways 
to improve information security and inform Food and Drug Administration 
(FDA) guidelines on cybersecurity. Additionally, the research team has 
created a traveling classroom for medical device manufacturers, and has 
provided private on-site security engineering education and training to 
over 500 employees from a half-dozen major medical device 
manufacturers. We expect such academic/industry collaborations to 
continue to grow as new cybersecurity challenges and results emerge.
---------------------------------------------------------------------------
    \6\ http://secure-medicine.org/workshop/2014
    \7\ http://secure-medicine.org/workshop/2013

    Question 2. Mr. Epstein, in your testimony, you talked about a 
cybersecurity expert shortage. Can you explain how cybersecurity 
presents an opportunity for high tech jobs in all areas of the U.S.?
    Answer. With the rapid pace of technological advancement, daily 
life is now intimately connected to the Internet. Key aspects of 
business operations, our financial systems, manufacturing supply 
chains, and military communications are tightly networked, integrating 
the economic, political, and social fabric of our global society. These 
interdependencies can lead to vulnerabilities and a wide range of 
threats that challenge the security, reliability, availability, and 
overall trustworthiness of all systems and resources rooted in 
information technology. Due to the fast growth of the cybersecurity 
field, the Nation is facing a scarce talent pool, with thousands of 
positions to fill as demand for a well-trained cybersecurity workforce 
continues to rise. The U.S. Bureau of Labor Statistics expects 
employment of information security analysts to grow by 37 percent by 
2022, a rate far greater than the average growth rate for all other 
jobs.\8\
---------------------------------------------------------------------------
    \8\ http://www.bls.gov/ooh/computer-and-information-technology/
information-security-analysts.htm
---------------------------------------------------------------------------
    To address the important issues in the preparation of tomorrow's 
cybersecurity workforce, NSF's investments in cybersecurity research 
are accompanied by investments in cybersecurity education and workforce 
development in order to inform and grow a prepared U.S. workforce with 
the competencies essential to success in an increasingly competitive 
global market.
    In recent years, NSF has focused on increasing the number of 
professionals with degrees in cybersecurity. An overwhelming majority 
of these professionals were supported by the CyberCorps: Scholarship 
for Service (SFS) program. The SFS program provides scholarships to 
students who in turn work for the federal, state, local, or tribal 
government or related organizations after graduating. The program is 
offered at 55 college and universities, with additional participating 
institutions added every year. Through the end of FY 2014, the SFS 
program has provided scholarships to more than 2,300 students and 
graduated more than 1,700, including 22 percent with bachelor's 
degrees, 76 percent with master's degrees, and two percent with 
doctoral degrees. Of these graduates, 93 percent have been successfully 
placed in the Federal Government. SFS scholarship recipients have been 
placed in internships and full-time positions in more than 140 Federal 
departments, agencies, and branches, and state, local, and tribal 
governments, including the National Security Agency, Department of 
Homeland Security, Central Intelligence Agency, and Department of 
Justice.
    NSF is also an active participant and contributor in the National 
Initiative for Cybersecurity Education (NICE) led by the National 
Institute of Standards and Technology. The goal of NICE is to establish 
an operational, sustainable and continually improving cybersecurity 
education program for the Nation to use sound cyber practices that will 
enhance the Nation's security. NSF's involvement aims to bolster formal 
cybersecurity education programs encompassing K-12, higher education, 
and vocational programs, with a focus on the science, technology, 
engineering, and mathematics disciplines to provide a pipeline of 
skilled workers for the private sector and government.
    The Advanced Technological Education (ATE) program focuses on the 
education of technicians, for the high-technology fields that drive our 
Nation's economy, including cybersecurity. The program involves 
partnerships between academic institutions and industry to promote 
improvement in the education of science and engineering technicians at 
the undergraduate and secondary school levels. The ATE program supports 
curriculum development with an emphasis on two-year colleges; 
professional development of college faculty and secondary school 
teachers; career pathways to two-year colleges from secondary schools 
and from two-year colleges to four-year institutions; and other 
activities. Another goal is articulation between two-year and four-year 
programs for K-12 prospective science, technology, engineering, and 
mathematics (STEM) teachers who focus on technological education.

    Question 3. Mr. Epstein, in the research that the NSF has completed 
on cybersecurity, have you seen any trends in the source of attacks? 
Are most threats domestic or international? Are the international 
threats concentrated in certain regions or countries?
    Answer. NSF does not directly research or assess the source of 
cyberattacks on the United States. However, NSF closely collaborates 
with other Federal mission-agencies on cybersecurity. For example, NSF 
co-chairs the Networking and Information Technology Research and 
Development Program (NITRD) Cyber Security and Information Assurance 
(CSIA) Senior Steering Group (SSG), which provides leadership across 
the government in cybersecurity research and development by serving as 
a forum for information sharing and cross-agency agency setting. The 
SSG is composed of senior representatives of agencies with national 
cybersecurity leadership positions, including: the Department of 
Defense, the Office of the Director of National Intelligence, the 
Department of Homeland Security, the National Security Agency, the 
National Institute of Standards and Technology, the Office of Science 
and Technology Policy, and the Office of Management and Budget. A 
principal responsibility of the SSG is to define, coordinate, and 
recommend strategic Federal R&D objectives in cybersecurity, and to 
communicate research needs and proposed budget priorities to policy 
makers and budget officials.
                                 ______
                                 
     Response to Written Questions Submitted by Hon. John Thune to 
                              Kevin Stine
    Question 1. As attacks and breaches continue to rise, shortages in 
our cyber workforce need to be addressed. The Cisco Annual Security 
Report recently stated that the global shortage of cyber professionals 
is at 1 million openings. Are existing Federal programs like the NIST 
National Initiative for Cybersecurity Education, the National 
Cybersecurity Workforce Framework, and NSF's CyberCorps Scholarships 
steps in the right direction to increase our workforce? What other 
initiatives do you think would be helpful to build the required 
workforce--either government initiatives or those by industry or 
academia?
    Answer. The National Initiative for Cybersecurity Education (NICE), 
led by NIST, with support from other Federal agencies including the 
Office of Personnel Management (OPM), the Department of Defense (DoD), 
and the Department of Homeland Security (DHS), is working with 
government, academia, and industry to establish a new strategic plan as 
called for in the Cybersecurity Enhancement Act. Under NIST leadership, 
the strategic plan anticipates building on existing successful 
programs, instituting new creative approaches, and instilling a spirit 
of continuous improvement designed to increase impact as measured by 
appropriate metrics of effectiveness. The new strategic plan also calls 
for the acceleration of learning and skills development to create a 
sense of urgency for closing the talent gap. NICE has increased its 
investment and emphasis on industry engagement to discover and 
highlight effective practices and solutions that are being deployed to 
train, or retrain the existing workforce.
    As part of their support for the NICE program, DHS led development 
of the National Cybersecurity Workforce Framework (Workforce 
Framework). The Federal Government, educational institutions, and 
several industry sectors are implementing the Workforce Framework, and 
we believe that greater use of the Workforce Framework will lead to 
improved talent management. We believe that NICE is building momentum 
that will enable its partners--both in government and industry--to 
increase the availability of a qualified cybersecurity workforce.

    Question 2. The certification organization for cyber professionals, 
(ISC)\2\, recently noted that a poll of 14,000 information security 
professionals found that only 10 percent were women. In addition to the 
overall labor shortage in the cyber industry, what can be done to 
increase representation of women in this particular STEM discipline?
    Answer. NIST is currently leading development of a new strategic 
plan for the NICE program. This new strategic plan will include an 
objective to encourage creative and effective efforts to increase the 
number of underrepresented populations, including women, minorities, 
and veterans. NICE is also committed to creating a culture of evidence 
that uses data to analyze current workforce data and project future 
trends.
    There are numerous initiatives in place across the country to 
increase the number of women in cybersecurity that NICE intends to 
support. For example, several of the GenCyber Camps (http://www.gen-
cyber.com/) funded by NSA and NSF are focused on increasing girls' 
interest in cybersecurity careers. There is also a growing network of 
women who serve as mentors, including the annual Women in Cybersecurity 
Conference (https://www.csc.tntech.edu/wicys/) funded by the National 
Science Foundation. Additionally, DHS is a sponsor of the Air Force 
Association's CyberPatriot program. CyberPatriot's goals include 
promoting STEM and cyber education among young women. Through 
partnerships such as these, the NIST NICE program office and NICE 
partner agencies are working to mentor girls and young women with the 
goal of inspiring them to pursue STEM and cybersecurity professions.
    NICE anticipates the facilitation of a workshop in 2016 that will 
inventory and analyze existing programs, and develop a Call for Action 
that identifies a strategy and path forward for increasing the 
representation of women in cybersecurity.

    Question 3. The Cybersecurity Enhancement Act directed increased 
coordination on research and development activities across the Federal 
Government. It also directed activities for research centers, test 
beds, secure coding, and cloud computing. In your views, what research 
activities should the private sector, academia, and Federal agencies 
prioritize? In other words, what do you see as the future of 
cybersecurity research?
    Answer. NIST is committed to the value of communicating its 
cybersecurity research and development (R&D) efforts to industry, 
academic, and government colleagues and identifying opportunities to 
collaborate and support R&D efforts across these communities. NIST is 
one of several Federal agencies working together through the Networking 
and Information Technology Research and Development (NITRD) Program to 
provide a framework in which many Federal agencies come together to 
coordinate their networking, IT, and cybersecurity R&D efforts.
    Under this program, agencies are collaborating to develop the 
Cybersecurity Research and Development Strategic Plan called for in the 
Cybersecurity Enhancement Act. The new plan aims to identify research 
opportunities intended to thwart adversaries, expand trust, and sustain 
innovation, focusing on desired cybersecurity capabilities that deter 
attackers, protect assets, detect attacks, and respond using effective 
mitigation, forensics, and adaptive defense techniques. Cross cutting 
issues will also be explored such as the human centric nature of 
cybersecurity, risk management, scientific foundations, infrastructure/
data development/access, transition to practice, and workforce 
development. Additionally, it will consider emerging technologies and 
expanding threats in relation to mobile, cloud, IoT/CPS, additive 
manufacturing, and pervasive use of cryptography.

    Question 4. We've heard very positive feedback about the NIST 
Framework for Improving Critical Infrastructure Cybersecurity. Some of 
the cited benefits of the Framework include the creation of a common 
language and greater involvement of company executives in cybersecurity 
decision making. What steps has NIST taken to ensure industry is aware 
of the Framework and is using it to the fullest extent? What does NIST 
plan to do to keep it up to date?
    Answer. Since the release of the Framework, NIST has strengthened 
its collaborations with critical infrastructure owners and operators, 
industry leaders, government partners, and other stakeholders to raise 
awareness about the Framework, encourage use by organizations across 
and supporting the critical infrastructure, and develop implementation 
guides and resources.
    NIST supports Framework awareness and understanding by addressing a 
variety of sectors and communities through speaking engagements and 
meetings. NIST develops and disseminates information and training 
materials that advance use of the Framework, including actual or 
exemplary illustrations of how organizations of varying sizes, types, 
and cybersecurity capabilities can practically employ the Framework to 
make their enterprises more secure.
    NIST provides an Industry Resources page on its Cybersecurity 
Framework website (http://www.nist.gov/cyberframework/cybersecurity-
framework-industry-resources.cfm). This page provides publicly 
available Framework resources produced by critical infrastructure 
owners and operators, industry associations, technology manufacturers 
and service providers, government agencies, and others. These resources 
include, but are not limited to approaches, methodologies, 
implementation guides, mappings to the Framework, case studies, foreign 
language translations and other materials intended to help 
organizations understand, use, and innovate on the Cybersecurity 
Framework to identify, assess, and manage cybersecurity risk.
    The Framework is a living document and will continue to be updated 
and improved as industry provides feedback on implementation. Lessons 
learned will be integrated into future versions of the Framework. NIST 
plans to issue a Request for Information in the fall of 2015 to obtain 
additional input from industry on the variety of ways in which the 
Framework is being used to improve cybersecurity risk management, how 
best practices for using the Framework are being shared, the relative 
value of different parts of the Framework, the possible need for an 
update of the Framework, and options for the long-term governance of 
Framework.

    Question 5. A number of Federal agencies have issued guidance that 
incorporates or implements the NIST Cybersecurity Framework for 
different critical infrastructure sectors. Which agencies has NIST been 
working with most closely? How do those agencies ensure the Framework 
does not conflict with existing standards in those sectors?
    Answer. NIST has worked with numerous Federal agencies to assist 
with the implementation of the NIST Cybersecurity Framework across 
industry. This includes regular participation in workshops and events 
hosted by other agencies, including those run by the Department of 
Homeland Security. NIST has also assisted in guidance done 
collaboratively with industry, such as the Energy Sector Cybersecurity 
Framework Implementation Guidance and the Federal Communications 
Commission (FCC) Communications, Security, Reliability and 
Interoperability Council's (CSRIC) Cybersecurity Risk Management and 
Best Practices Working Group 4: Final Report. During the development of 
the Cybersecurity Framework, considerable attention was spent ensuring 
alignment with existing standards. Since the issuance of the Framework, 
NIST continues to provide advice to agencies, sectors, associations, 
and other groups to ensure proper alignment.

    Question 6. Federal agencies have suffered numerous cyber attacks 
this past year, including high-profile incidents at OPM, IRS, the 
Pentagon, and the White House. While some Federal agencies have made 
improvements to their cybersecurity practices, weaknesses still remain. 
Are there lessons from the private sector or academia that can be 
applied to the government? What steps has NIST taken recently to 
address identified vulnerabilities at Federal agencies as part of its 
work under the Federal Information Security Management Act (FISMA)?
    Answer. NIST routinely collaborates with nonfederal organizations 
in the development of its security standards and guidelines. In 
addition to direct interactions with industry and academic 
institutions, nonfederal organizations frequently provide important 
feedback to NIST during the public comment period of the standards and 
guidelines development process. This helps to ensure that leading-edge 
cybersecurity concepts, principles, and solutions are incorporated into 
NIST's publications (for example, NIST Special Publication 800-53 Rev 
4, Security and Privacy Controls for Federal Information Systems and 
Organizations). As part of its significant outreach program, NIST 
visits Federal agencies on a regular basis to discuss ongoing 
cybersecurity issues and problems. This includes examining specific 
vulnerabilities that may have been exploited during a cyberattack or 
other events that lead to a cyber breach or compromise of Federal 
information. NIST uses this information to assess the completeness and 
efficacy of the current security safeguards and countermeasures that 
are included in the suite of Federal standards and guidelines and to 
ensure the appropriate defensive measures are available to Federal 
agencies. These collaborative outreach activities have been increased 
due to the recent cyberattacks and the severity of the breaches.

    Question 7. The National Security Agency Information Assurance 
Directorate recently announced it will ``initiate a transition to 
quantum resistant algorithms in the not too distant future.'' Since 
NIST specified the Suite B cryptographic algorithms, how is NIST 
engaging academia, industry, standards setting bodies, and its Federal 
partners in order to research and identify quantum resistant algorithms 
in a transparent and open manner?
    Answer. NIST initiated its Quantum Resistant Algorithms program on 
April 1-2, 2015 with an open and transparent public Workshop on 
Cybersecurity in a Post-Quantum World. At this workshop, NIST engaged 
industry, academia, Federal partners and other stakeholders to 
understand and discuss requirements, threat models, and priorities in 
quantum resistant algorithm research, development and standardization.
    In FY16, NIST intends to finalize its initial requirements and 
scope of work, seeking broad community input and feedback through 
participation in public industry events and in open standards bodies. 
Additionally, NIST actively solicits public engagement and feedback on 
all cryptographic standards and guidelines through our public comment 
process, which is described in NIST Draft Interagency Report 7977, NIST 
Cryptographic Standards and Guidelines Development Process.
                                 ______
                                 
    Response to Written Questions Submitted by Hon. Steve Daines to 
                              Kevin Stine
    Question 1. Mr. Stine, the NIST cybersecurity framework seems to be 
focused on businesses. What framework or guidance applies to schools? 
Has NIST dedicated any resources specifically to student data privacy?
    Answer. The NIST Cybersecurity Framework, while developed for 
critical infrastructure, is also available for use by other types of 
organizations, including non-profit organizations and educational 
institutions. For example, the ``Information Security Guide'' (http://
educause.edu/security/guide) maintained by EDUCAUSE, a non-profit 
association of colleges and universities, is organized according to the 
ISO 27002 standards, but includes a mapping to the NIST Cybersecurity 
Framework.
    Student data privacy is not a specifically addressed by NIST, 
although the Cybersecurity Framework provides the guidance by which an 
educational institution can protect information, including student 
educational records and personally identifiable information. Student 
data privacy is addressed in the Federal Government by the U.S. 
Department of Education.

    Question 2. Mr. Stine, we heard from the other witnesses how 
businesses are working every day to ensure their customers privacy and 
personal information remains secure. Is the government taking these 
same precautions to protect the personal information of American 
citizens? Can you explain what steps the government takes to deal with 
cyber threats and cyber terrorists?
    Answer. Like businesses, the government faces cybersecurity 
challenges. NIST develops and issues standards, guidelines, and best 
practices to help Federal agencies manage cybersecurity risk and 
protect mission information, including the personal information of 
American citizens, from a variety of cyber threats, including those 
posed by cyber terrorists. The development of NIST standards and 
guidelines includes a comprehensive, collaborative, and transparent 
public consulting process that invites and incorporates input and 
comments from government, industry, and academia. This process ensures 
that the security standards and guidelines developed by NIST for 
Federal agencies and their contractors are timely, effective, rigorous, 
comprehensive, and reflective of security best practices employed by 
industry, academia, and government. The sharing of best practices and 
lessons learned between and across government and the private sector 
will benefit all. While NIST does not have an operational role in 
responding to cyber threats or cyber terrorists, NIST supports other 
agencies, including the Department of Homeland Security, in ways that 
are consistent with its mission.

    Question 3. Mr. Stine, through the OPM breach, we learned that the 
Federal Government's National Cybersecurity and Protection System 
(NCPS) is not keeping pace with the types of threats now facing Federal 
agencies. What steps can the government take today to prevent another 
OPM breach?
    Answer. Questions related to the National Cybersecurity Protection 
System (NCPS) should be directed to the Department of Homeland Security 
as they have responsibility for this program.
    NIST develops standards, guidelines, measurements, tools and 
reference implementations that Federal agencies can use to identify, 
assess, and manage cybersecurity risk. The Federal Information Security 
Modernization Act of 2014 (FISMA 2014) reaffirmed NIST's role of 
developing Federal information processing standards (FIPS) and 
guidelines for non-national security Federal information systems and 
assigned NIST some specific responsibilities, including the development 
of:

   Standards to be used by Federal agencies to categorize 
        information and information systems based on the objectives of 
        providing appropriate levels of information security according 
        to a range of risk levels;

   Guidelines recommending the types of information and 
        information systems to be included in each category; and

   Minimum information security requirements (management, 
        operational, and technical security controls) for information 
        and information systems in each such category.

    A key aspect of a risk management approach to cybersecurity is an 
organization's informed selection and implementation of the appropriate 
set of security and privacy controls to provide adequate protection for 
Federal information and information systems. Properly applied in a 
comprehensive approach to cybersecurity, the controls can help 
significantly reduce susceptibility of Federal agencies to modern cyber 
threats. This application requires employing a risk-based, defense-in-
depth strategy that includes strengthening the underlying IT 
infrastructure to increase the penetration resistance of Federal 
information systems to cyber-attacks; designing security architectures 
that help limit the damage to Federal assets if an adversary 
successfully penetrates those systems; and making the systems 
sufficiently resilient to survive the attack and continue to operate 
and support critical Federal missions and business functions. While no 
security control or group of controls can stop every attack, 
implementing a risk-based, defense-in-depth strategy greatly reduces 
the susceptibility of Federal agencies to modern cyber threats.
                                 ______
                                 
     Response to Written Questions Submitted by Hon. John Thune to 
                              Mark Shlanta
    Question 1. As attacks and breaches continue to rise, shortages in 
our cyber workforce need to be addressed. The Cisco Annual Security 
Report recently stated that the global shortage of cyber professionals 
is at 1 million openings. Are existing Federal programs like the NIST 
National Initiative for Cybersecurity Education, the National 
Cybersecurity Workforce Framework, and NSF's CyberCorps Scholarships 
steps in the right direction to increase our workforce? What other 
initiatives do you think would be helpful to build the required 
workforce--either government initiatives or those by industry or 
academia?
    Answer. Addressing shortages in our country's cyber workforce is an 
important national priority. SDN Communications, like many business 
organizations and the Federal Government, relies upon skilled 
cybersecurity professionals, but experiences difficulty when recruiting 
these workers. There is competition between the private and government 
sectors to recruit the limited pipeline of high-skilled cybersecurity 
professionals graduating from academic institutions, like Dakota State 
University (DSU). The Federal Government should maintain its support 
for programs, like the National Institute for Standards and Technology 
(NIST) National Initiative for Cybersecurity Education, the National 
Cybersecurity Workforce Framework, and the National Science 
Foundation's CyberCorps Scholarships, to increase this critical 
workforce.
    SDN has partnered with DSU and the Federal Government to support 
cybersecurity camps. The camps sponsored by the National Security 
Agency and National Science Foundation are an effective tool to inspire 
and educate young people about opportunities within cybersecurity 
fields. The Federal Government and higher education institutions should 
maintain their support for these educational initiatives and partner 
with private industry to extend the reach of these valuable programs.
    Given the competition for skilled cybersecurity professionals and 
challenge recruiting these workers, companies should focus on growing 
their workforce from within by providing training and educational 
benefits. SDN provides internship opportunities to post-secondary 
students as an investment in the next crop of cybersecurity 
professionals. The internship program also helps the company recruit 
future employees. SDN's people are the company's most valuable asset. 
Through tuition benefits and other internal and external training 
opportunities, SDN is continually strengthening the skills of its 
workforce. It is essential that we make smart investments in our 
employees to ensure our company can continue combating rapidly evolving 
and sophisticated cybersecurity threats.

    Question 2. The certification organization for cyber professionals, 
(ISC)\2\, recently noted that a poll of 14,000 information security 
professionals found that only 10 percent were women. In addition to the 
overall labor shortage in the cyber industry, what can be done to 
increase representation of women in this particular STEM discipline?
    Answer. With the shortage of cybersecurity professionals reaching 
an astonishing 1 million, addressing the labor shortage will require 
not only greater female representation in cybersecurity careers, but 
also outreach to other underrepresented populations. According to a 
report from the American Association of University Women (AAUW), one in 
five male college students and only one in 17 female college students 
plan to major in engineering or computing. The study found there is a 
similar retention rate for both men and women, 60 percent in 
engineering and 40 percent in computing. The AAUW report highlights the 
importance of generating interest in cybersecurity career fields at an 
early age to influence a student's academic field of study and future 
career aspirations.
    As mentioned in the response to question one, SDN has partnered 
with the Federal Government and higher education to support 
cybersecurity camps. Last summer, SDN served as the leading private 
sponsor of the Girls GenCyber Camp held on the DSU campus. The camp, 
one of the first in the nation, narrowed its eligibility to young women 
between the ages of 12 to 18 years old and encouraged the participants 
to pursue cybersecurity careers. When the 60 available spots quickly 
filled, SDN sponsored 40 additional young women. The Federal 
Government, higher education, and private industry should build upon 
the successful experiment launched at DSU to help address the 
insufficient pipeline of female cybersecurity professionals.

    Question 3. The Cybersecurity Enhancement Act directed increased 
coordination on research and development activities across the Federal 
Government. It also directed activities for research centers, test 
beds, secure coding, and cloud computing. In your views, what research 
activities should the private sector, academia, and Federal agencies 
prioritize? In other words, what do you see as the future of 
cybersecurity research?
    Answer. As discussed during the field hearing on September 3, 2015, 
cybersecurity threats are a significant and growing concern facing the 
Federal Government and every industry sector. Cybersecurity research 
represents a worthwhile investment in bolstering our country's ability 
to address these threats. Recognizing the importance of cybersecurity 
research and development, Congress should prioritize strong and 
continued funding for the research activities outlined in the 
Cybersecurity Enhancement Act.
    The Federal Government should encourage collaboration between its 
academic and private research partners. Greater collaboration between 
the Federal Government, critical infrastructure operators, and academia 
could be helpful in identifying valuable research topics. The Federal 
Government can maximize the effectiveness of its research investments 
by directing funding toward research projects aimed at addressing our 
country's leading cybersecurity challenges.
    Outreach and the sharing of research findings is another important 
priority. Those receiving Federal research funding should be encouraged 
to consider effective ways to share their discoveries. Expanding the 
adoption of best practices and proven techniques can help organizations 
reduce their risk of cyber breaches and improve their ability to detect 
and respond in the event of cybersecurity attacks.

    Question 4. Federal agencies have suffered numerous cyber attacks 
this past year, including high-profile incidents at OPM, IRS, the 
Pentagon, and the White House. While some Federal agencies have made 
improvements to their cybersecurity practices, weaknesses still remain. 
Are there lessons from the private sector or academia that can be 
applied to the government?
    Answer. The recent series of cyber attacks exposed weaknesses in 
the Federal Government's preparedness against cybersecurity threats. In 
the case of the U.S. Office of Personnel Management, the absence of 
basic security precautions, such as two-step authentication, exposed 
the agency to heightened vulnerability that was exploited by hackers. 
Consistent adoption and enforcement of best practices and internal 
security controls would reduce risk and improve the Federal 
Government's ability to detect and respond to cyber threats.
    As described in the written testimony prepared, SDN Communications 
enforces an internal cybersecurity program. The Federal Government 
should ensure similar controls and policies are implemented. A general 
description of some of the security protocols followed by SDN is 
outlined below. This represents a limited sample of the procedures SDN 
uses to protect its internal business network.
    SDN protects its network with an enterprise firewall that enforces 
rules and only accepts traffic from approved external IP addresses. The 
company conducts daily and sometimes hourly antivirus definition 
updates to improve the detection of malicious software and prevent 
harmful downloads. Regular patches to SDN's operating system, PCs, and 
other devises close security gaps that could be exploited. Any patch 
deemed critical to protecting SDN's equipment and servers is performed 
immediately.
    The company enforces access policies that require passwords to be 
regularly changed and pin codes and badges in order to enter physical 
locations. Virtual and physical locations are limited to the employees 
who require access in order to perform their job responsibilities. 
Cameras and door access logs are equipped throughout the company 
premise, and fingerprint entry is required at SDN's most secure 
locations. SDN requires employees working remotely to utilize an SSL 
Virtual Private Network (VPN) and perform two-factor authentication to 
access the company's network. This encryption service masks all traffic 
between SDN's network and the end user.
    The company's local administrator policy and account usage 
monitoring prevents unsanctioned software downloads onto company-issued 
equipment. Limiting an employee's ability to download malicious 
software helps reduce the risk of social engineering attacks. SDN also 
blocks foreign devices from accessing its network using a Network 
Access Control (NAC) appliance to prevent unauthorized devices from 
connecting to the network. Outside laptops and mobile devices cannot 
connect to the company's private Wi-Fi network and are segregated onto 
a guest Wi-Fi network.
    The NIST Framework established a common language to encourage 
greater collaboration across the Federal Government and industry 
sectors. The utilization of the NIST Framework by the Federal 
Government and operators of critical infrastructure can help to 
facilitate the sharing of best practices and adoption of effective 
cybersecurity techniques. The NIST Framework can equip Federal 
agencies, as well as the private sector, with a useful tool to 
critically evaluate and further strengthen cybersecurity programs.
    The risk of reputational harm, liability, and other costs 
associated with cybersecurity breaches have prompted many businesses--
both large and small--to make significant investments in their 
cybersecurity programs. In the case of SDN, our organization is 
continually making investments to further protect its network and the 
sensitive information we have been entrusted. In applying this lesson 
to the Federal Government, agency budget requests should reflect the 
importance of cybersecurity network maintenance and improvements. 
Boards of directors and executive leadership in the private sector are 
increasingly demanding that cybersecurity be a top organizational 
priority. When confirming agency officials, the U.S. Senate should 
similarly demand that appointees to Federal agencies recognize the 
importance of cybersecurity.
                                 ______
                                 
    Response to Written Questions Submitted by Hon. Steve Daines to 
                              Mark Shlanta
    Question 1. Mr. Shlanta, your company participates in the NIST 
cybersecurity framework. Does this framework provide adequate guidance 
to help you protect your customers? In what areas does industry need 
additional guidance or legislation to help sector secure our 
information?
    Answer. The National Institute for Standards and Technology (NIST) 
Framework serves as a useful tool to assist organizations in examining 
their cybersecurity practices. SDN Communications is a business-to-
business broadband provider and offers a variety of cybersecurity 
services to its customers, including Managed Router, Managed Firewall, 
Managed Distributed Denial of Service (DDoS) Protection, Remote Network 
Monitoring, and Secure Data Storage. The company serves as a 
cybersecurity partner to numerous critical infrastructure sectors.
    The creation of a common language regarding cybersecurity, 
extending across industry sectors, is one of the benefits that emerged 
from the NIST Framework. This common language encourages improved 
understanding and collaboration between critical infrastructure 
operators and the government as they work together to address 
cybersecurity threats.
    The value of the NIST Framework stems from its voluntary, flexible, 
and scalable nature. Its flexibility enables the guidance to evolve 
with changes in technologies, cybersecurity threats, and the unique 
needs of critical infrastructure operators utilizing the framework. The 
NIST Framework helps shift our national focus from a ``check-the-box'' 
mentality towards a risk-based approach tailored to addressing and 
mitigating unique organizational risk.\1\ This is more effective than 
strict and prescriptive regulation that would struggle to keep up with 
emerging and constantly evolving threats. According to Booz Allen 
Hamilton's ``2014 Cyber Solutions Handbook,'' cybersecurity is 
intimately tied to an organization's unique operations, and therefore, 
companies must assess their unique organizational risk when designing 
and maintaining their cybersecurity programs.\2\
---------------------------------------------------------------------------
    \1\ ``Cyber Solutions Handbook,'' Booz Allen Hamilton, 2014, page 
4, retrieved from http://www.boozallen.com/content/dam/boozallen/
documents/Cyber-Solutions-Handbook.pdf.
    \2\ Ibidem.
---------------------------------------------------------------------------
    Although the NIST Framework is based upon existing regulatory 
standards and industry best practices, the framework itself is still 
relatively new. The guidance from the Federal Communications 
Commission's Communications Security, Reliability, and Interoperability 
Council (CSRIC) was released in March 2015, giving communications 
providers less than a year to review and utilize these recommendations 
relating to the NIST Framework. The CSRIC guidance included a useful 
section tailored to small and mid-size communications carriers.\3\ It 
will take time for small operators to learn about, digest, and apply 
the NIST Framework and CSRIC guidance to their existing cybersecurity 
programs. Some small operators may even need one-on-one technical 
assistance. As such, congressional policymakers and Federal agencies 
should focus on raising awareness and making training and other 
educational resources available to encourage further utilization of the 
NIST Framework.
---------------------------------------------------------------------------
    \3\ ``Cybersecurity Risk Management and Best Practices,'' Working 
Group 4, Communications Security, Reliability, and Interoperability 
Council, Federal Communications Commission, 2014, page 370, retrieved 
from https://transition.fcc.gov/pshs/advisory/csric4/CSRIC_IV_WG4
_Final_Report_031815.pdf.
---------------------------------------------------------------------------
    As a company, SDN is working with our national and state industry 
trade associations to raise awareness about the NIST Framework and 
serve as a useful resource to smaller operators. Topics relating to the 
NIST Framework and cybersecurity have been on the agenda at every 
national meeting since the framework's release in February 2014. NIST 
and its Federal agency partners should build upon these industry 
efforts and continue working to raise awareness and provide 
consultative assistance by expanding their outreach activities, 
including in rural areas. These outreach efforts would expedite the 
utilization of the NIST Framework by helping providers apply the 
guidance to their unique operations.

    Question 2. Mr. Shlanta, in your testimony, you gave a real example 
of a cyber threat via social media. When SDN becomes aware of these 
threats what steps do you take to prepare, prevent, and combat these 
attacks?
    Answer. The attack described in my testimony featured a distributed 
denial of service (DDoS) attack targeting the domain names of the State 
of South Dakota and the City of Sioux Falls. DDoS attacks have become 
increasingly prevalent and pose a growing threat to organizations 
relying upon the Internet to conduct their business and operations. 
Preparing for these attacks is an important component of cybersecurity 
risk management. A DDoS protection service can equip an organization 
with the necessary tools to prepare, prevent, and combat DDoS attacks.
    DDoS attacks disable an online service by overwhelming a targeted 
IP address with massive data traffic. As a result, an attack can 
interrupt an organization's website, customer orders, and even phone 
systems by preventing the flow of legitimate traffic to the targeted 
network. These attacks can be purchased for as little as $5 per hour, 
making them an affordable and highly accessible attack platform for 
cyber criminals, cyber activists, unscrupulous businesses competitors, 
disgruntled former employees, or dissatisfied customers.\4\ The 
frequency of DDoS attacks has grown, with attack incidents doubling 
between the second quarter of 2014 and the second quarter of 2015.\5\ 
Given the growing number of attacks and consequences to targeted 
organizations, it is important for organizations to take proactive 
steps to protect their networks against these threats.
---------------------------------------------------------------------------
    \4\ ``Global Security Report,'' Trustwave Holdings, 2015, page 48, 
retrieved from: https://www2.trustwave.com/rs/815-RFM-693/images/
2015_TrustwaveGlobalSecurityReport.pdf.
    \5\ ``State of the Internet Security Q2 2015 Report,'' Akamai, 
2015, page 5, retrieved from: https://www.stateoftheinternet.com/
downloads/pdfs/2015-cloud-security-report-q2.pdf.
---------------------------------------------------------------------------
    In October 2015, SDN Communications added a Managed DDoS Protection 
service to its menu of cybersecurity solutions. Figure 1 demonstrates 
the DDoS attack structure, and Figure 2 shows how SDN's Managed DDoS 
Protection service detects and prevents the flow of malicious traffic, 
represented by a red arrow, while allowing the delivery of legitimate 
traffic, represented by a green arrow. This service is constantly 
evolving to respond to changing DDoS attack profiles. Known attack 
signatures from around the world are used to inform the identification 
of suspicious traffic patterns. When SDN's cybersecurity team detects a 
new threat, our team works to quickly stop the threat before it impacts 
our customer, and the attack signature is shared with our security 
partner Arbor Networks. The product is then updated to identify future 
attacks bearing the signature.
Figure 1. DDoS Attack Structure \6\
---------------------------------------------------------------------------
    \6\ ``DDoS Attack Structure,'' SDN Communications, 2015.
   
   
   [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
Figure 2. DDOS Mitigation Solution \7\
---------------------------------------------------------------------------
    \7\ ``DDoS Mitigation Solution,'' SDN Communications, 2015.


    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
                                 ______
                                 
     Response to Written Questions Submitted by Hon. John Thune to 
                             Eric A. Pulse
    Question 1. As attacks and breaches continue to rise, shortages in 
our cyber workforce need to be addressed. The Cisco Annual Security 
Report recently stated that the global shortage of cyber professionals 
is at 1 million openings. Are existing Federal programs like the NIST 
National Initiative for Cybersecurity Education, the National 
Cybersecurity Workforce Framework, and NSF's CyberCorps Scholarships 
steps in the right direction to increase our workforce? What other 
initiatives do you think would be helpful to build the required 
workforce--either government initiatives or those by industry or 
academia?
    Answer. I believe the existing Federal programs mentioned are an 
excellent start. I believe two points deserve attention: ensuring this 
information is shared and communicated between public and private 
sectors, and further integration into academia. Emphasis on 
cybersecurity at early stages of education could prove beneficial to 
the needed growth in the cyber workforce. Integrating basic 
cybersecurity concepts at grade and middle school levels would build a 
foundation on which to spur interest at an early age.
    I believe there is also an opportunity for organizations to work 
together to identify specific cybersecurity workforce needs and 
collaboratively provide a platform to develop a workforce with 
necessary skills training to fill those needs.

    Question 2. The certification organization for cyber professionals, 
(ISC)\2\, recently noted that a poll of 14,000 information security 
professionals found that only 10 percent were women. In addition to the 
overall labor shortage in the cyber industry, what can be done to 
increase representation of women in this particular STEM discipline?
    Answer. As stated earlier, I believe placing emphasis on 
cybersecurity at early stages of education could prove beneficial to 
the needed growth in the cyber workforce. Integrating basic 
cybersecurity concepts at grade and middle school levels would build a 
foundation on which to spur interest at an early age. The earlier 
females are introduced to the field, the more likely the increase in 
overall participation. I also believe that creating mentorship programs 
that encourage women already in the security field to mentor other 
women in the technology field positively impact female involvement in 
cybersecurity.

    Question 3. The Cybersecurity Enhancement Act directed increased 
coordination on research and development activities across the Federal 
Government. It also directed activities for research centers, test 
beds, secure coding, and cloud computing. In your views, what research 
activities should the private sector, academia, and Federal agencies 
prioritize? In other words, what do you see as the future of 
cybersecurity research?
    Answer. Threat intelligence collaboration. With cyber threats on 
the rise, I believe in the collaboration of public and private 
resources to share information about the attacks that are on the 
horizon. Cybersecurity by its nature is more reactive than proactive. 
Perpetrators are able to advance their tactics more rapidly than the 
defensive infrastructure. The ``Deep Net'' contains a number of forums 
offering free attack tools available to anyone with the goal of 
initiating any number of attack scenarios. An attacker can launch an 
attack at any time toward any target and the use of botnets make 
tracing the attack extremely difficult. The commercialization of 
malware tools also allows the hacking community to remain a step ahead. 
However, the more a specific type of attack occurs, the better the 
chance of recognizing it by collaboratively sharing threat 
intelligence. Network defense and incident response require a strong 
element of intelligence and counterintelligence that security teams 
must understand and leverage to successfully defend their cyber 
infrastructure, once again highlighting the need for an increase in 
technically qualified professionals.

    Question 4. Federal agencies have suffered numerous cyber attacks 
this past year, including high-profile incidents at OPM, IRS, the 
Pentagon, and the White House. While some Federal agencies have made 
improvements to their cybersecurity practices, weaknesses still remain. 
Are there lessons from the private sector or academia that can be 
applied to the government?
    Answer. Accountability. In the private sector, much of the 
regulatory guidance emphasizes executive and board involvement relative 
to overall responsibility for securing information and the 
infrastructure that supports it. Organizations in the private sector 
are required to report breaches in order to meet regulatory compliance. 
Corporate officers and boards of directors are also held accountable 
for their actions or in-actions. I believe government should enforce 
the same reporting requirements and implement a culture of 
accountability to be more responsible to the people--ours is a 
government of, by and for the people. One state government (Oklahoma) 
has an initiative to consolidate its cybersecurity efforts and to 
better manage the public resources it receives. This initiative has had 
some early successes and by all indicators will continue.
                                 ______
                                 
     Response to Written Questions Submitted by Hon. John Thune to 
                          Dr. Kevin F. Streff
    Question 1. As attacks and breaches continue to rise, shortages in 
our cyber workforce need to be addressed. The Cisco Annual Security 
Report recently stated that the global shortage of cyber professionals 
is at 1 million openings. Are existing Federal programs like the NIST 
National Initiative for Cybersecurity Education, the National 
Cybersecurity Workforce Framework, and NSF's CyberCorps Scholarships 
steps in the right direction to increase our workforce? What other 
initiatives do you think would be helpful to build the required 
workforce--either government initiatives or those by industry or 
academia? SBIR programs could encourage ideas/inventions focused on 
this unique problem.
    Answer. Without question, the NIST National Initiative for 
Cybersecurity Education, the National Cybersecurity Workforce 
Framework, and NSF's CyberCorps Scholarships steps in the right 
direction to increase our workforce. However, this massive projected 
shortage will not be filled with these three important initiatives. 
Industry sponsored initiatives will become important to build out this 
workforce. For example, SFS-I (scholarship for service--industry) could 
be created to model the SFS program so that industry attracts more 
cybersecurity professionals. Industry sponsored hacking competitions 
where industry professionals square off can also garner a lot of 
attention and serve to attract workforce.

    Question 2. The certification organization for cyber professionals, 
(ISC)\2\, recently noted that a poll of 14,000 information security 
professionals found that only 10 percent were women. In addition to the 
overall labor shortage in the cyber industry, what can be done to 
increase representation of women in this particular STEM discipline?
    Answer. Dakota State boasts the largest cyber girls camp in the 
Nation. With this foundation, DSU can do more to work with other 
universities to replicate our model. For example, GenCyber attracted 
150 girls for a one-week summer camp to introduce them to 
cybersecurity. This model (marketing, materials, etc.) can be leveraged 
in other community colleges and universities to attract more women. 
Retooling programs/grants should be considered to retrain female IT 
professionals into the cybersecurity domain. SBIR programs could 
encourage ideas/inventions focused on this unique problem.

    Question 3. The Cybersecurity Enhancement Act directed increased 
coordination on research and development activities across the Federal 
Government. It also directed activities for research centers, test 
beds, secure coding, and cloud computing. In your views, what research 
activities should the private sector, academia, and Federal agencies 
prioritize? In other words, what do you see as the future of 
cybersecurity research?
    Answer. This research agenda will change each year, so identifying 
the top areas of research for today seems pointless. Rather, the 
Federal Government should identify a group responsible for establishing 
the research agenda and work with academia and industry to make 
progress. The lack of a fresh national cybersecurity strategy 
highlights this shortcoming.

    Question 4. The Federal Financial Institutions Examination Council 
recently came out with a tool for financial institutions that maps 
guidance to the NIST Framework for Improving Critical Infrastructure 
Cybersecurity. Given your work with small and medium-sized enterprises, 
how do we get small businesses to appreciate cyber risks, while 
ensuring that guidance isn't one-sized fits all?
    Answer. The Federal Financial Institutions Examination Council 
cybersecurity assessment ``tool'' isn't really a tool, but rather 
guidance on how to assess cyber risk in the banking sector. It also 
doesn't address how we get small businesses to appreciate and/or deal 
with their cyber exposures. Clear guidance on specific steps small 
businesses must take is needed. For example, all business are required 
to carry E&O insurance. Should all businesses be required to run 
antivirus? Without very clear requirements, small businesses will 
likely remain on the sideline and their businesses will remain 
vulnerable.

    Question 5. Federal agencies have suffered numerous cyber-attacks 
this past year, including high-profile incidents at OPM, IRS, the 
Pentagon, and the White House. While some Federal agencies have made 
improvements to their cybersecurity practices, weaknesses still remain. 
Are there lessons from the private sector or academia that can be 
applied to the government?
    Answer. Information sharing between academia, government and 
industry is paramount. The three parties must share information, tools, 
best practices, etc. if we are to mature our defense capabilities. 
Making the ISACs free for everyone is a good first step. Charging 
membership fees is a bad idea and will not result in everyone 
participating as is necessary for an information sharing model to work. 
The result will likely be that the large organizations will participate 
and the medium and small sized organizations will not.

    Question 6. Thank you for the opportunity to hold this field 
hearing at Dakota State University. What do you envision DSU's role in 
advancing cybersecurity will be in five or ten years and how does that 
vision complement efforts to improve cybersecurity across the nation?
    Answer. Dakota State currently enrolls approximately 600 students 
in its security program. We envision this doubling or tripling over the 
next 10 years. We anticipate research programs that focus on specific 
areas in which DSU has excellence, including network testing, offensive 
tools, and securing the financial sector. Everyone must do more to 
create tools, workforce and a shared mindset to build our capabilities 
in the area of cyber defense. Thank you for the opportunity to 
participate in this hearing.
                                 ______
                                 
    Response to Written Question Submitted by Hon. Steve Daines to 
                          Dr. Kevin F. Streff
    Question. Dr. Streff, you mentioned in your testimony that 
America's national cybersecurity strategy was last updated in 2003. Can 
you explain the importance of a national strategy in enabling the U.S. 
to better prevent cyber attacks?
    Answer. The strategy is important for several reasons. First, it 
serves to bring awareness to this national issue. It serves to build 
agreement on what the issue is and what is necessary to deal with it 
effectively. Next, it serves as the backdrop for which other 
strategies, grant programs, etc. fit. For example, if information 
sharing is an important aspect of dealing with the cyber adversary, 
then the national strategy should highlight its role and industry, 
government and academia should work to execute the concept. Grant 
programs (i.e., SBIR programs, NSF programs, etc.) can pick up on the 
important aspects of the strategy and allocate dollars accordingly. 
Industry can also invest in solutions with confidence that there will 
be a market for their products and services.
    Security is a complicated issue and how our Nation goes about its 
approach is complicated. Many strategies are possible and each include 
assumptions. These assumptions and strategies should be debated so that 
an approach is devised. This approach should be documented and 
disseminated so that all parties understand what it will take in this 
electronic battle.
    On a personal note I remember getting a new President at our 
university who didn't really understand security. When America's 
National Strategy to Secure Cyberspace was drafted, it indicated to him 
how important this issue might become and supported me in getting 
resources to create a security program. Today I am proud to boast that 
Dakota State has one of the top programs in the country, and the 2003 
document had something to do with where we are today.
    Thank you for the opportunity to address the importance of 
freshening or rewriting our national cybersecurity strategy.
                                 ______
                                 
     Response to Written Questions Submitted by Hon. John Thune to 
                          Josh J. Pauli, Ph.D.
    Question 1. As attacks and breaches continue to rise, shortages in 
our cyber workforce need to be addressed. The Cisco Annual Security 
Report recently stated that the global shortage of cyber professionals 
is at 1 million openings. Are existing Federal programs like the NIST 
National Initiative for Cybersecurity Education, the National 
Cybersecurity Workforce Framework, and NSF's CyberCorps Scholarships 
steps in the right direction to increase our workforce? What other 
initiatives do you think would be helpful to build the required 
workforce--either government initiatives or those by industry or 
academia?
    Answer. NSF's CyberCorps program is a tremendous asset to the 
cybersecurity workforce shortage at the government level. It does need 
to be expanded as we aren't even keeping up with demand currently, let 
alone filling the empty positions. NSF also partnered with NSA on the 
GenCyber Camps, which provide cybersecurity content to high school 
students and teachers. This is another good way to get additional 
future employees interested in the field. Other agencies need to 
develop and fund CyberCorps-like programs to attract students into 
jobs. Such a program could offer a subset of the benefits of CyberCorps 
and still attract tremendous talent. We also need to reach down deeper 
into middle and high schools to recruit students into cybersecurity 
programs.
    I strongly encourage NIST to take on a more active role within the 
cybersecurity workforce efforts in the same way DHS, NSA, and NSF have. 
The NIST NICE and National Cybersecurity Workforce Framework are great 
resources that need to be implemented by a wider audience. NICE should 
be the entity that truly leads the charge for cybersecurity education 
and workforce development by partnering with NSF, NSA, and DHS (and 
others certainly) to come up with agile strategies to help develop 
courses, programs, and graduates that are cyber-ready. This is not 
trivial work. This is an issue we've been battling for 10+ years, but 
we have to keep working on it. We need to come up with new ideas and 
try these ideas in a real-world setting to see if they work.
    We need to continue and hopefully expand ``special hiring 
authority'' and ``direct hiring authority'' programs that allow Federal 
offices to quicken the hiring process for cybersecurity professionals. 
We can't do too much about the pay, but people want to work at the 
Federal level for the mission above pay. So let's make it as 
streamlined as possible to get these people placed. This is 100 percent 
applicable at almost every Federal agency.
    Not enough government entities ever engage the true hacker and 
professional cybersecurity communities. Cybersecurity is a huge 
industry by itself, but it's also present in every single other 
industry. These people want to help the government figure out hard 
problems because it would make everyone's life better. They are wildly 
smart and creative. They think of things that government-only efforts 
just can't or don't. We need to engage these people to inject new ideas 
and to leverage them as magnificent thinkers in ways to come up with 
workforce development ideas.

    Question 2. The certification organization for cyber professionals, 
(ISC)\2\, recently noted that a poll of 14,000 information security 
professionals found that only 10 percent were women. In addition to the 
overall labor shortage in the cyber industry, what can be done to 
increase representation of women in this particular STEM discipline?
    Answer. Summer camps such as GenCyber, especially those that 
partner with existing female groups such as the Girls Scouts' GenCyber 
camp in San Bernardino, CA and the GenCyber Girls camp at Dakota State 
University, should continue to stress the tremendous job prospects in 
cybersecurity industry for females. Including computer science and 
programming requirements in the high school curriculum would also 
provide additional exposure of cybersecurity foundations to female 
students. Once female students are fully engaged with cyber, they 
realize a very high percentage of job satisfaction. The challenge is to 
reach female students early enough before they have already discounted 
cyber as a field of study and career path. Efforts such as Code.org and 
Microsoft's TEALS (https://www.tealsk12
.org/) should be implemented in all 50 states to better prepare all 
students for STEM careers.

    Question 3. The Cybersecurity Enhancement Act directed increased 
coordination on research and development activities across the Federal 
Government. It also directed activities for research centers, test 
beds, secure coding, and cloud computing. In your views, what research 
activities should the private sector, academia, and Federal agencies 
prioritize? In other words, what do you see as the future of 
cybersecurity research?
    Answer. There are so many domains within cybersecurity that have 
limitless research potential in the near future, but I will list just a 
few that I believe are the most critical. First, the widespread 
adoption of user-friendly encryption techniques for all data (at rest 
and in transit) will continue to be an important research topic. We 
simply need to get to a place where all data is encrypted in a strong 
manner and have it implemented for all users.
    Next, secure software engineering should continue to be explored as 
an answer to the on-going software vulnerability epidemic. This goes 
beyond secure programming concepts, and also includes protocols (a new 
version of HTTPS is needed that includes security from the planning 
phase forward) and distributed environments (cloud computing) that are 
so pervasive now.
    Lastly and perhaps most importantly, an intersection of policy and 
technical solutions is needed to clearly articulate the USA's position 
on cyber operations. There are many levels to this decision and 
capability: military, government, private industry, and civilians are a 
general list of actors that need a clear ``rules of engagement'' for 
cyber operations. As a nation, we need to continue to develop our cyber 
capabilities as the cyber domain continues to become an ever bigger 
factor in global relations and conflicts. This ties directly into the 
information sharing efforts between and among government and private 
entities.

    Question 4. Federal agencies have suffered numerous cyber attacks 
this past year, including high-profile incidents at OPM, IRS, the 
Pentagon, and the White House. While some Federal agencies have made 
improvements to their cybersecurity practices, weaknesses still remain. 
Are there lessons from the private sector or academia that can be 
applied to the government?
    Answer. The private sector has many aspects that government can 
learn from. Some will argue that regulation is the key to strong 
cybersecurity, but I am against that thinking. Regulation has a role in 
the overall cybersecurity levels of an organization, but it should be 
in place to provide best practices and minimum standards. Very few 
companies that are only compliant are also secure. Being secure 
includes many more facets than compliance alone. Additionally, and more 
importantly, compliance does not fully cover all the facets that make a 
company secure. Private companies have made the investment in people 
and technology that directly impact the security of their environments. 
This is true of regulated environments and unregulated environments 
alike.
    Academia has a very poor cybersecurity posture right now, which 
makes them the #3 target of hackers right now only behind government 
and healthcare. Academia has no standards or regulation related to 
cybersecurity in addition to the ``free thinking'' aspects of higher 
education that make implementing a cybersecurity strategy a tough 
challenge, so it is not a good situation currently in academia. We have 
a lot to learn and implement to get to where we need to be as an 
industry given the sensitive data that we house.

    Question 5. Thank you for the opportunity to hold this field 
hearing at Dakota State University. What do you envision DSU's role in 
advancing cybersecurity will be in five or ten years and how does that 
vision complement efforts to improve cybersecurity across the nation?
    Answer. I believe DSU will play a prominent role in cybersecurity 
research and development (R&D) with Federal Government agencies such as 
the National Security Agency (NSA), Department of Defense (DoD), 
National Science Foundation (NSF) and other like-minded agencies. We 
have refined our academic programs for the past five years and we are 
now in a position to conduct applied research in these same areas of 
cyber operations, secure software engineering, and network security. 
DSU will continue our role as one of the most prominent cybersecurity 
institutions, at all academic levels, in the Nation and a place that 
government and private firms can come to for world-class cybersecurity 
interns and career placements.
                                 ______
                                 
    Response to Written Question Submitted by Hon. Steve Daines to 
                          Josh J. Pauli, Ph.D.
    Question. Dr. Pauli, you talked about the need for a higher 
quantity and quality of graduates to meet the growing demand for 
cybersecurity and how changes in K-12 can attract more students to this 
field. But attracting more students into programs doesn't guarantee 
quality. What programs and policies does Dakota State University 
utilize to guarantee that program graduates are equipped with the 
skills needed to enter the workforce?
    Answer. DSU, as an institution, has an open enrollment policy so we 
do not limit the quantity of students attending the university. Thus, 
we are left to ensure quality is ensured at the program level. We do 
this by a couple of approaches. We take very seriously the academic 
rigor of our courses. We are constantly evaluating not only the content 
of the coursework, but also are instructional methodologies and student 
engagement techniques. Our BS in Cyber Operations curriculum is mapped 
directly to the knowledge units as mandated by the National Security 
Agency as one of 14 Centers of Academic Excellence in Cyber Operations. 
Our other academic programs are part of our institution-wide 
designation from NSA and DHS as a Center of Academic Excellence in 
Information Assurance Education. We also take very seriously the 
program and student assessments mechanisms that we use during the exit 
exams as each student graduates the program. Lastly, we stay very 
closely connected to all of our employers, both in the government and 
private sector, to ensure DSU graduates are adequately prepared to 
excel in an internship and full-time career setting.

                                  [all]

                  This page intentionally left blank.
                  This page intentionally left blank.
                  This page intentionally left blank.