b"<html>\n<title> - STRENGTHENING U.S. CYBERSECURITY CAPABILITIES</title>\n<body><pre>[House Hearing, 115 Congress]\n[From the U.S. Government Publishing Office]\n\n\n\n\n\n\n\n\n\n                           STRENGTHENING U.S.\n                       CYBERSECURITY CAPABILITIES\n\n=======================================================================\n\n                                HEARING\n\n                               BEFORE THE\n\n                SUBCOMMITTEE ON RESEARCH AND TECHNOLOGY\n\n              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY\n                        HOUSE OF REPRESENTATIVES\n\n                     ONE HUNDRED FIFTEENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                           FEBRUARY 14, 2017\n\n                               __________\n\n                           Serial No. 115-02\n\n                               __________\n\n Printed for the use of the Committee on Science, Space, and Technology\n\n\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n\n\n\n       Available via the World Wide Web: http://science.house.gov\n\n\n\n                                   ______\n\n                         U.S. GOVERNMENT PUBLISHING OFFICE \n\n24-667 PDF                     WASHINGTON : 2017 \n-----------------------------------------------------------------------\n  For sale by the Superintendent of Documents, U.S. Government Publishing \n  Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; \n         DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, \n                          Washington, DC 20402-0001\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY\n\n                   HON. LAMAR S. SMITH, Texas, Chair\nFRANK D. 
LUCAS, Oklahoma             EDDIE BERNICE JOHNSON, Texas\nDANA ROHRABACHER, California         ZOE LOFGREN, California\nMO BROOKS, Alabama                   DANIEL LIPINSKI, Illinois\nRANDY HULTGREN, Illinois             SUZANNE BONAMICI, Oregon\nBILL POSEY, Florida                  ALAN GRAYSON, Florida\nTHOMAS MASSIE, Kentucky              AMI BERA, California\nJIM BRIDENSTINE, Oklahoma            ELIZABETH H. ESTY, Connecticut\nRANDY K. WEBER, Texas                MARC A. VEASEY, Texas\nSTEPHEN KNIGHT, California           DONALD S. BEYER, JR., Virginia\nBRIAN BABIN, Texas                   JACKY ROSEN, Nevada\nBARBARA COMSTOCK, Virginia           JERRY MCNERNEY, California\nGARY PALMER, Alabama                 ED PERLMUTTER, Colorado\nBARRY LOUDERMILK, Georgia            PAUL TONKO, New York\nRALPH LEE ABRAHAM, Louisiana         BILL FOSTER, Illinois\nDARIN LaHOOD, Illinois               MARK TAKANO, California\nDANIEL WEBSTER, Florida              COLLEEN HANABUSA, Hawaii\nJIM BANKS, Indiana                   CHARLIE CRIST, Florida\nANDY BIGGS, Arizona\nROGER W. MARSHALL, Kansas\nNEAL P. DUNN, Florida\nCLAY HIGGINS, Louisiana\n                                 ------                                \n\n                Subcommittee on Research and Technology\n\n                 HON. BARBARA COMSTOCK, Virginia, Chair\nFRANK D. LUCAS, Oklahoma             DANIEL LIPINSKI, Illinois\nRANDY HULTGREN, Illinois             ELIZABETH H. ESTY, Connecticut\nSTEPHEN KNIGHT, California           JACKY ROSEN, Nevada\nDARIN LaHOOD, Illinois               SUZANNE BONAMICI, Oregon\nRALPH LEE ABRAHAM, Louisiana         AMI BERA, California\nDANIEL WEBSTER, Florida              DONALD S. BEYER, JR., Virginia\nJIM BANKS, Indiana                   EDDIE BERNICE JOHNSON, Texas\nROGER W. MARSHALL, Kansas\nLAMAR S. 
SMITH, Texas\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n                            C O N T E N T S\n\n                           February 14, 2017\n\n                                                                   Page\nWitness List.....................................................     2\n\nHearing Charter..................................................     3\n\n                           Opening Statements\n\nStatement by Representative Barbara Comstock, Chairwoman, \n  Subcommittee on Research and Technology, Committee on Science, \n  Space, and Technology, U.S. House of Representatives...........     4\n    Written Statement............................................     6\n\nStatement by Representative Daniel Lipinski, Ranking Member, \n  Subcommittee on Research and Technology, Committee on Science, \n  Space, and Technology, U.S. House of Representatives...........     8\n    Written Statement............................................    10\n\nStatement by Representative Eddie Bernice Johnson, Ranking \n  Member, Committee on Science, Space, and Technology, U.S. House \n  of Representatives.............................................    12\n    Written Statement............................................    14\n\n                               Witnesses:\n\nDr. Charles H. Romine, Director, Information Technology Lab, \n  National Institute of Standards and Technology (NIST)\n    Oral Statement...............................................    16\n    Written Statement............................................    19\n\nMr. Iain Mulholland, Industry Member, CSIS Cyber Policy Task \n  Force; Chief Technology Officer, Security, VMware, Inc.\n    Oral Statement...............................................    28\n    Written Statement............................................    31\n\nDr. 
Diana Burley, Executive Director and Chair, Institute for \n  Information Infrastructure Protection (I3P); Professor, Human \n  and Organizational Learning, The George Washington University\n    Oral Statement...............................................    39\n    Written Statement............................................    41\n\nMr. Gregory Wilshusen, Director, Information Security Issues, GAO\n    Oral Statement...............................................    53\n    Written Statement............................................    55\n\nDiscussion.......................................................    81\n\n\n             Appendix I: Additional Material for the Record\n\nDocuments submitted by Representative Barbara Comstock, \n  Chairwoman, Subcommittee on Research and Technology, Committee \n  on Science, Space, and Technology, U.S. House of \n  Representatives................................................    99\n\nDocuments submitted by Representative Daniel Lipinski, Ranking \n  Member, Subcommittee on Research and Technology, Committee on \n  Science, Space, and Technology, U.S. House of Representatives..   146\n\nDocuments submitted by Representative Eddie Bernice Johnson, \n  Ranking Member, Committee on Science, Space, and Technology, \n  U.S. House of Representatives..................................   150\n\n \n                           STRENGTHENING U.S.\n                       CYBERSECURITY CAPABILITIES\n\n                              ----------                              \n\n\n                       TUESDAY, FEBRUARY 14, 2017\n\n                  House of Representatives,\n           Subcommittee on Research and Technology,\n               Committee on Science, Space, and Technology,\n                                                   Washington, D.C.\n\n    The Subcommittee met, pursuant to call, at 10:08 a.m., in \nRoom 2318 of the Rayburn House Office Building, Hon. 
Barbara \nComstock [Chairwoman of the Subcommittee] presiding.\n\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n    Chairwoman Comstock. The Committee on Science, Space, and \nTechnology will come to order.\n    Without objection, the Chair is authorized to declare \nrecesses of the Committee at any time.\n    Good morning, and welcome to today's hearing titled \n``Strengthening U.S. Cybersecurity Capabilities.'' I recognize \nmyself for five minutes for an opening statement.\n    I want to begin by thanking everyone for attending this \nfirst hearing of the Research and Technology Subcommittee in \nthe 115th Congress. I look forward to working with the members \nof the Subcommittee, some of whom are new to the Committee, \nwhile others are new to Congress, and working together on many \nof the issues under our jurisdiction.\n    The topic of cybersecurity is a familiar one for this \nCommittee, and this Subcommittee in particular. It is also a \ntopic of continuously growing international attention and real \nconcern.\n    During the 114th Congress, the Science Committee held a \ndozen hearings related to cybersecurity. Some of these were \ntriggered by notable events such as the Office of Personnel \nManagement and Internal Revenue Service data breaches. I still \nremember receiving my OPM letter, and I also got one of those \nIRS letters, which informed me that my personal information may \nhave been compromised or stolen by the cyber criminals behind \nthis attack. I also chaired a hearing last year during which \nthe IRS Commissioner testified about the breaches under his \nwatch. It's certainly frustrating to hear that criminals used \ninformation from other cyber-attacks to accurately answer \nquestions on the IRS website to access what should have been \nsecured information. 
Those criminals should not have been able \nto access such information, and may not have been able to \naccess it, had the agency fully followed security guidelines \nprovided by the National Institute of Standards and Technology.\n    I look forward to hearing from our witnesses today about \ncybersecurity recommendations to help protect U.S. information \nsystems. These recommendations were highlighted in recent \ndocuments, which include the report published by the Commission \non Enhancing National Cybersecurity and one published by the \nCenter for Strategic and International Studies. The Government \nAccountability Office (GAO), which has issued countless \nrecommendations in the area of cybersecurity for decades, is \nalso represented at today's hearing. I am interested in hearing \nhow the suggestions from the reports being profiled today align \nwith GAO's body of work.\n    I also look forward to hearing more about what can be done \nto proactively address cyber workforce gaps. This Committee has \nbeen very much involved in STEM education and making sure we \nhave that cybersecurity generation for dealing with this, and \nthat is an important role that we need to play here in \nCongress, continuing to get that cyber workforce up and \nrunning. I, particularly in my district, am pleased that we \nhave so much going on in that area and want to continue in this \nSubcommittee to focus on that also. You know, when I travel \naround my district and visit with constituents who work in this \nsector, a repeated concern is the increasing need for \nindividuals with appropriate education, training, and knowledge \nof cybersecurity matters and being able to tackle what we know \nare going to be increasing problems and that we need to be on \nthe offense on this front.\n    Before I yield to the Ranking Member, let me just note that \nI appreciate everyone's presence here today given that this is \nthe week of the RSA Conference in San Francisco. 
So sorry you \naren't able to be there and are here, but we truly appreciate \nyou being able to join us here today.\n    [The prepared statement of Chairwoman Comstock follows:]\n    \n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n    \n   \n    Chairwoman Comstock. And I now yield to our distinguished \nRanking Member, Mr. Lipinski.\n    Mr. Lipinski. Thank you, Chairwoman Comstock. Too bad we \ncouldn't all go out to San Francisco to have a field hearing \nthere.\n    But I want to thank Chairwoman Comstock and I look forward \nto working with you. It's good to have some continuity in the \nChair of the Subcommittee. I think that will be helpful as we \nmove forward and work together on getting some things done here \non the Subcommittee, and I also look forward to working with \nall our returning and new members of this Research and \nTechnology Subcommittee. I also want to thank our distinguished \npanel for being here today. I know some of you have been here a \nnumber of times, and we always appreciate your expertise.\n    Cybersecurity has long been a priority of mine in Congress. \nThe Cybersecurity Enhancement Act of 2014, which was signed \ninto law, began as a bill that Representative McCaul and I \nintroduced in 2009. As pointed out in the CSIS report, \ncybersecurity is a topic on which nearly every Committee in \nCongress has something to contribute. This is a good thing and \na bad thing. What we need to do is to do our best at making \nsure that there is collaboration and coordination across all \nthese different committees.\n    Our committee is uniquely positioned to contribute \nmeaningfully to oversight and policy development for \ncybersecurity because of our jurisdiction over NIST, and our \noversight responsibility for STEM education and workforce \ntraining activities across the Federal government. I understand \nthat today's hearing is likely just the first of several \nhearings on cybersecurity we will hold in this Congress. 
I \nunderstand that today's hearing is likely--well, this hearing--\nI got lost in my script here--this is one of several. This one \nis going to be a more broad overview of what we're looking at \nin cybersecurity.\n    However, sitting before us are a few of our nation's top \nexperts on NIST's role in cybersecurity and on cybersecurity \neducation and workforce issues, so I look forward to hearing \nthose specific areas from our witnesses.\n    NIST plays a central role in the security of federal \ninformation systems. The experts at NIST develop the security \nstandards and guidelines that all other civilian federal \nagencies are required to implement through the Federal \nInformation Security Modernization Act, or FISMA. Those experts \nalso provide technical assistance to other agencies. \nFurthermore, NIST led the development of the Cybersecurity \nFramework for Critical Infrastructure, a widely adopted set of \nvoluntary guidelines and standards for industry, and works \nclosely with industry to help develop tools for businesses of \nall sizes and from all sectors to effectively implement the \nFramework.\n    There have been some calls for an expanded role for NIST, \nincluding an expanded oversight role under FISMA. These \nsuggestions warrant careful examination. NIST is successful in \nits current role in large part because of its independence as a \nstandards and technology agency, and not a regulatory or \nenforcement agency. Any discussion about an expanded role must \nbe accompanied by a discussion about increasing resources and \nother issues that would come up.\n    On the topic of education and workforce, NIST leads federal \nefforts through coordination of the National Initiative for \nCybersecurity Education, or NICE. 
Another agency in our \njurisdiction, the National Science Foundation, supports \nimportant programs such as the CyberCorps Scholarship for \nService.\n    However, the gap between supply and demand for \ncybersecurity training in both the government and the private \nsector remains a challenge. All of the best policies are \nmeaningless without the skilled workforce to implement these \npolicies. Increasing the recruitment and retention of \ncybersecurity talent in our federal agencies is going to \nrequire new and creative thinking, as well as increased \nresources.\n    It is also going to require stepping back from the \ndisparaging rhetoric aimed lately at the civil service. Federal \nagencies already struggle to recruit and retain top talent from \nthe limited pool of qualified cybersecurity professionals, \nespecially when private sector salaries are much higher. \nNegative remarks, combined with a federal hiring freeze, can do \nreal damage to agencies' recruitment and retention efforts.\n    Before I conclude, I want to ask unanimous consent to add \nto the record two letters to the Committee, one from the \nElectronic Privacy Information Center, and the other from the \nNational Association of Federally Insured Credit Unions.\n    Chairwoman Comstock. Thank you. Without objection.\n    [The information appears in Appendix I]\n    Mr. Lipinski. Thank you, and I want to again thank the \nChairwoman for holding this hearing, and the witnesses for \nbeing here, and I look forward to your testimony.\n    I yield back.\n    [The prepared statement of Mr. Lipinski follows:]\n    \n \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n   \n    \n    Chairwoman Comstock. I thank the Ranking Member, and I also \nthank him for his comments on the importance of our \ncybersecurity workforce and I'll second those sentiments.\n    Our first witness today is Dr. Charles Romine, Director of \nthe--oh, I'm sorry. The Ranking Member is present. I'm sorry.\n    Ms. Johnson. 
Thank you very much, Madam Chairwoman.\n    I'd like to ask for unanimous consent to enter some \nmaterial in the record prior to making a statement.\n    Chairwoman Comstock. Without objection.\n    Ms. Johnson. Thank you.\n    Chairwoman Comstock, I have been in Congress and on this \nCommittee for a long time. As a matter of fact, this is the \nbeginning of my 25th year. There are many times I have \ndisagreed with my Republican colleagues. Sometimes we've had \nharsh criticisms of each other's political positions. That \ncomes with the job description of being a Member of Congress, \nand I accept that. But what I will not accept is when Members \nor staff provide clearly misleading information about me or my \ncolleagues to the press, the public, or anyone else.\n    Yesterday, a story in The Hill newspaper regarding a letter \nthat I sent along with Mr. Lipinski and Mr. Beyer to you, \nChairman Smith and Chairman LaHood about President Trump's \ncybersecurity practices quoted an unnamed GOP Committee aide \nthat suggested that last Congress, Committee Democrats opposed \ncybersecurity hearings that were held on this Committee \nregarding the Office of Personnel Management, the Internal \nRevenue Service and the Federal Deposit Insurance Corporation \nbecause we believed that they were political and illegitimate. \nI want to speak--I will not speak for my colleagues but I will \nspeak for myself. I did believe many of the hearings that were \nheld on this Committee were politically motivated but none of \nthem included any of the hearings mentioned by the Committee \naide. If this aide had attended any of these hearings or read \nany of the statements by me or the Ranking Members Beyer or \nLipinski, they would have understood that. 
Since I believe in \nensuring there is an honest record of events, I would like \nunanimous consent to enter into the record all of the Ranking \nMember's statements and press releases issued by the Democrats \nfor each of the hearings referenced by this Republican staffer \njust in order to set the record straight.\n    Chairwoman Comstock. Without objection.\n    [The information appears in Appendix I]\n    Ms. Johnson. Thank you.\n    Let me thank you again and also Ranking Member Lipinski for \nholding the hearing today on cybersecurity, and thank you to \nall the witnesses for being here this morning. We have several \nnew members on the Committee, so it is valuable to start off \nthe year with a Cybersecurity 101 hearing.\n    Today's panel includes four very distinguished experts from \ngovernment, the private sector, and academia, and I know it \nwill be an interesting and informative discussion. I'm pleased \nthat Dr. Romine is able to join us this morning. Testifying \nbefore Congress so early during a transition in administrations \ncan be challenging for any agency official.\n    This is not a hearing specifically about NIST's role in \ncybersecurity, but I'm going to set some context with a few \nwords about this very important but little-known agency. NIST \nplays a crucial role in both public and private sector \ncybersecurity, as we will hear about today. In fact, \ncybersecurity accounts for a significant fraction of NIST's \ntotal budget. However, it is but one of dozens of topics to \nwhich the hundreds of extraordinary scientists and engineers \nworking at the NIST labs in Gaithersburg, Maryland, and \nBoulder, Colorado, devote their careers. NIST hosts the world \nleading measurement scientists, and uses that science to lead \nthe development of technical standards for the nation. NIST \nscientists work closely with industry across all sectors, big \nand small, to advance U.S. 
innovation and competitiveness.\n    And they do all of this on what amounts to a shoestring \nbudget. Because NIST usually exceeds expectations, there is a \ntendency by policymakers to ask them to do more with less. That \nhas surely been true in the realm of cybersecurity. But I \ncaution this Committee and the Administration not to push NIST \nto the breaking point. Every agency must set priorities, and \nthere may be room even at NIST to put aside some of its work to \nmake room for higher priority topics, including cybersecurity. \nI will be watching closely to ensure that none of NIST's \nimportant work is compromised in our zeal to save a dollar here \nand dollar there. The costs to the nation will be much greater \nthan the few dollars saved.\n    And finally, I want to bring up a troubling incident from \n2013, in which the National Security Agency (NSA) secretly \ninserted a ``back door'' into a cryptographic standard being \ndeveloped by NIST. There was an immediate outcry, as this sneak \nattack was widely recognized as a potentially slippery slope to \na surveillance state. It undermined the stellar reputation and \ncredibility of NIST in international circles and it had a \nnegative impact on the global operations of U.S. corporations.\n    In the aftermath of that incident, NIST implemented new \nprocedures to reinforce transparency and integrity in their \nstandards development process. I want NIST to be able to \nconsult with the intelligence agencies. Such collaboration is \nnecessary and appropriate in the realm of cybersecurity. Both \nNIST and the U.S. intelligence community share special \ncybersecurity expertise and skills that should be shared to \nhelp defend our nation against the many cybersecurity threats \nthat confront us. 
However, I will be watching out for the \nslightest hint that such collaborations in any way compromise \nNIST's independence or the integrity of their work.\n    With that, I want to thank the witnesses again for your \ntime and contributions to this Committee's discussion about \ncybersecurity, and I yield back.\n    I thank you, Madam Chair.\n    [The prepared statement of Ms. Johnson follows:]\n    \n \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n   \n    \n    Chairwoman Comstock. Thank you.\n    Our first witness today is Dr. Charles Romine, Director of \nthe Information Technology Lab at the National Institute of \nStandards and Technology. This program develops and \ndisseminates standards for security and reliability of \ninformation systems including cybersecurity standards and \nguidelines for federal agencies. Dr. Romine has previously \nserved as a Senior Policy Analyst at the White House Office of \nScience and Technology Policy and as a Program Manager at the \nDepartment of Energy's Advanced Scientific Computing Research \nOffice. Dr. Romine received his bachelor's degree in \nmathematics and his Ph.D. in applied mathematics from the \nUniversity of Virginia.\n    Our second witness today is Mr. Iain Mulholland, Industry \nMember of the Center for Strategic and International Studies \nCybersecurity Task Force and Chief Technology Officer of \nSecurity for VMware, Inc. A 20-year veteran of the software \nsecurity space, Mr. Mulholland was an early member of the \nMicrosoft Trustworthy Computing Group where he led the \nMicrosoft Security Response Center. Mr. Mulholland is also a \nmember of the U.S. Delegation to the Wassenaar Plenary in \nAustria in charge of negotiating international cybersecurity \nprotocols. Mr. Mulholland has received degrees from the Royal \nMilitary Academy in the United Kingdom as well as from Stanford \nUniversity Graduate School of Business' Executive Leadership \nProgram.\n    Our third witness today is Dr. 
Diana Burley, Executive \nDirector and Chair of the Institute for Information \nInfrastructure Protection, and Professor of Human and \nOrganizational Learning at the George Washington University. \nPrior to joining GW, Dr. Burley managed a multimillion-dollar \ncomputer science education and research portfolio and led the \nCyberCorps Program for the National Science Foundation. Dr. \nBurley holds a B.A. in economics from the Catholic University \nof America, M.S. in public management and policy, M.S. in \norganization science, and Ph.D. in organization science and \ninformation technology from Carnegie Mellon University, where \nshe studied as a Woodrow Wilson Foundation fellow.\n    Our final witness today is Mr. Gregory Wilshusen, Director \nof Information Security Issues at the U.S. Government \nAccountability Office. Prior to joining GAO in 1997, he was a \nSenior Systems Analyst at the Department of Education. He \nreceived his bachelor's degree in business administration from \nthe University of Missouri and his master of science in \ninformation management from George Washington University.\n    Thank you all for joining us this morning, and now I'll \nhear five minutes from Dr. Romine.\n\n         TESTIMONY OF DR. CHARLES H. ROMINE, DIRECTOR,\n\n                  INFORMATION TECHNOLOGY LAB,\n\n     NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY (NIST)\n\n\n\n    Dr. Romine. Chairwoman Comstock, Ranking Member Lipinski, \nand Mrs. Johnson, and Members of the Subcommittee, thank you \nfor the opportunity to discuss NIST's activities that help \nstrengthen the nation's cybersecurity capabilities.\n    In the area of cybersecurity, NIST has worked with federal \nagencies, industry and academia since 1972. 
Our role to \nresearch, develop and deploy information security standards and \ntechnology to protect the federal government's information \nsystems against the threats to the confidentiality, integrity \nand availability of information and services, was strengthened \nthrough the Computer Security Act of 1987, broadened through \nthe Federal Information Security Management Act of 2002, and \nreaffirmed in the Federal Information Security Modernization \nAct of 2014, or FISMA.\n    In addition, the Cybersecurity Enhancement Act of 2014 \nauthorizes NIST to facilitate and support the development of \nvoluntary, industry-led cybersecurity standards and best \npractices for critical infrastructure.\n    Recently, the independent bipartisan Commission on \nEnhancing National Cybersecurity released its report, which \nprovides detailed recommendations to strengthen cybersecurity \nin both the public and the private sectors. NIST is active in \nmany areas addressed by the Commission report.\n    Three years ago, NIST issued the Framework for Improving \nCritical Infrastructure Cybersecurity, or the ``Framework,'' \nwhich was created through collaboration between industry and \ngovernment, and consists of standards, guidelines, and \npractices to promote the protection of critical infrastructure. \nThe prioritized, flexible, repeatable, and cost-effective \napproach of the Framework helps owners and operators of \ncritical infrastructure to manage cybersecurity-related risk.\n    Last month, NIST released a draft update to the Framework \nfor public comment. The Framework continues to be voluntarily \nimplemented by industry and adopted by infrastructure sectors, \nand this is contributing to reducing cyber-risks to our \nnation's critical infrastructure.\n    NIST works with stakeholders to cultivate trust in the \nInternet of Things, or IoT. 
NIST performs fundamental research, \ncontributes to the development of consensus standards, and \nissues guidance that addresses security of IoT.\n    NIST's applied research for IoT security addresses market-\nfocused applications such as healthcare, vehicles and \ntransportation, smart home, and manufacturing. NIST carries out \nits responsibilities under FISMA through Federal Information \nProcessing Standards and associated guidelines and practices. \nNIST provides management, operational, and technical security \nguidelines for federal agencies covering a broad range of \ntopics. NIST stresses that the authorization of a system by a \nmanagement official is an important quality control under \nFISMA. By authorizing operation of a system, the manager \naccepts the associated risk, formally assuming responsibility \nfor operating an information system at an acceptable level of \nrisk to agency operations, agency assets, or individuals.\n    NIST is considering additional steps to assist federal \nagencies, including how best to align the Cybersecurity \nFramework with our FISMA suite of standards and guidelines. \nApplying the Cybersecurity Framework across the federal \ngovernment complements and enhances rather than duplicates or \nconflicts with the existing statute, executive direction, \npolicy and standards.\n    NIST is active in other areas identified in the Commission \nreport, such as authentication and identity management, \nprivacy, and cybersecurity education, training and workforce \ndevelopment. 
NIST recognizes that it has an essential role to \nplay in helping industry, consumers and government to counter \ncyber threats and strengthen the nation's cybersecurity \ncapabilities.\n    NIST is extremely proud of its role in establishing and \nimproving the comprehensive set of cybersecurity technical \nsolutions, standards, guidelines, and best practices and the \nrobust collaborations with its federal government partners, \nprivate sector collaborators, and international colleagues.\n    Thank you for the opportunity to testify today on NIST's \nwork in cybersecurity, and I'd be delighted to answer any \nquestions that you may have.\n    [The prepared statement of Dr. Romine follows:]\n    \n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n    \n      \n    Chairwoman Comstock. Thank you, Doctor.\n    And now we'll hear from Mr. Mulholland.\n\n               TESTIMONY OF MR. IAIN MULHOLLAND,\n\n         INDUSTRY MEMBER, CSIS CYBER POLICY TASK FORCE;\n\n              CHIEF TECHNOLOGY OFFICER, SECURITY,\n\n                          VMWARE, INC.\n\n    Mr. Mulholland. Chairwoman Comstock, Ranking Member \nLipinski, Mrs. Johnson, other Members of the Committee, thank \nyou for the opportunity to testify today.\n    I'm Iain Mulholland, a member of the Center for Strategic \nand International Studies Cyber Policy Task Force and the Chief \nTechnology Officer for Security at VMware.\n    VMware is the fourth largest software company in the world \nwith 2016 revenues of over $7 billion and over 19,000 employees \nglobally.\n    The U.S. Government is dependent on a vast cyber world of \ninterconnected networks, data centers, cloud, mobile platforms, \nand other assets. Because we require cyber infrastructure to \nperform the modern-day functions of government, sophisticated \nand aggressive cyber-attacks perpetrated by criminal entities \nand foreign government agencies represent a clear and present \nnational security threat to the U.S. 
Government.\n    We are also experiencing an unprecedented level of cyber-\nattacks and sophistication in the private sector. The reality \nis that global technology companies like VMware not only \nreceive an unprecedented amount of information in regards to \ncyber threats from inside the U.S. but we also receive a large \nnumber from overseas as well. The fact is, with data moving \nacross borders instantly, the digital devices and technologies \nassociated with this ecosystem and therefore with cybersecurity \nare not confined to physical borders.\n    In order to continue to provide world-class secure \nservices, we must be able to act on a moment's notice whether \nthat information is coming from the U.S. or from abroad. We \nmust have the tools and resources on hand to act immediately.\n    Building on the 2009 Commission on Cybersecurity, the \nCenter for Strategic and International Studies established the \nCyber Policy Task Force to lay out practical steps for policy, \nresources and organization that the new Administration can use \nto build better cybersecurity. In the eight years since that \nreport was published, there has been much activity and an \nexponential increase in attention to cybersecurity. However, we \nare still at risk and there's still much that this new \nAdministration can do.\n    Specifically, CSIS believes that there are five core areas \nthat require renewed focus. Firstly, the development of a new \ninternational strategy based on partnerships with like-minded \nnations to improve the ability of deterring attackers.\n    Secondly, there must be a serious effort to reduce \ncybercrime to build international cooperation to fight botnets \nand sophisticated financial crime. Part of this effort must be \nto penalize countries that won't cooperate in the effort to \nreduce and control cybercrime.\n    Thirdly, we must prepare our critical infrastructures and \nservices for attack and improve cyber hygiene. 
Greater use of \nshared, managed and cloud services can make government agencies \nmore secure.\n    Further, we must identify where federal action and resource \nissues such as research or workforce development is necessary. \nAnd finally, we must streamline White House bureaucracy, \nincrease oversight of federal cybersecurity, and clarify the \nrules of DOD and other agencies. A stronger DHS is crucial, and \nthe new Administration must strengthen DHS's role in \ncybersecurity.\n    Promoting good cyber hygiene should also be a key standard \nthat helps agencies, consumers, and businesses better protect \ntheir information and networks from hackers. One of the best \nways for the federal government to be proactive is by deploying \nmicrosegmentation technology that offers the ability to segment \ntheir networks in the event of a breach. Let's use the example \nof the cybersecurity breach at OPM. The nature of the security \nbreach at OPM was not particularly unique. Hackers were able to \npenetrate perimeter network security systems and gain access to \nOPM and Department of Interior systems where they were free to \nroam around the internal networks and steal sensitive data over \na period of months. In order to effectively prevent an attacker \nfrom moving freely around the network, agencies must \ncompartmentalize their network perimeters by adding zero trust \nor microsegmented networks within the data center. A zero-trust \nenvironment prevents unauthorized lateral movement within a \ndata center by establishing automated governance rules that \nmanage the movement of users and data between systems and \napplications.\n    Lastly, I'd like to touch on another topic that is \nimportant to securing the cyber ecosystem, the internet of \nthings. As we saw from the distributed denial-of-service \nattacks in October, there are security vulnerabilities that \nmust be addressed to advance the IOT economy. 
A way to better \nsecure the IOT ecosystem is by ensuring flexible and isolated \nconnection points through secure managed infrastructure such as \nedge systems, which include but are not limited to IOT \ngateways.\n    As Congress and the Administration continue to work on \npolicies to promote the IOT economy, we believe that some \nconsideration should be given to developing some rules of the \nroad, standards for IOT moving forward. Among others, we would \nagree with the CSIS recommendation calling on NIST and other \nfederal agencies to cooperate with industry stakeholders to \ndevelop a set of standards and principles for IOT security.\n    Lastly, another security issue looming that could have \nsignificant impact on the cyber ecosystem is the 2013 Wassenaar \nArrangement. I've included more on this topic in my written \ntestimony. My hope is that the new Administration will continue \nto view this as a leadership opportunity for the U.S. to ship \ninternational cyber norms and support ongoing renegotiations at \nthe Wassenaar Arrangement. The continued U.S. renegotiation \nefforts in partnership with the U.S. technology industry and \nbipartisan support from Congress can ensure a signed Wassenaar \ncyber agreement that enhances our nation's cyber posture and \nultimately strengthens our defense against attacks.\n    Thank you for the opportunity to testify today, and I look \nforward to answering the Committee's questions.\n    [The prepared statement of Mr. Mulholland follows:]\n    \n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n    \n    \n    Chairwoman Comstock. Thank you.\n    And now we will hear from Dr. Burley.\n\n                 TESTIMONY OF DR. DIANA BURLEY,\n\n                 EXECUTIVE DIRECTOR AND CHAIR,\n\n   INSTITUTE FOR INFORMATION INFRASTRUCTURE PROTECTION (I3P);\n\n         PROFESSOR, HUMAN AND ORGANIZATIONAL LEARNING,\n\n                THE GEORGE WASHINGTON UNIVERSITY\n\n    Dr. Burley. Good morning. 
Chairwoman Comstock, Ranking \nMember Lipinski, and Mrs. Johnson, Members of the Committee, I \nam honored to appear before you today to discuss strategies for \nstrengthening U.S. cybersecurity capabilities.\n    Recommendations from the recent reports serving as the \nfoundation of this Committee hearing highlight the critical \nimportance of developing a cybersecurity workforce of \nsufficient quality and quantity to meet the global threat \nenvironment. The workforce need is acute and immediate with a \nprojected shortfall of nearly 1.5 million professionals by the \nyear 2020.\n    Yet despite significant effort and steady progress, the gap \nbetween supply and demand is widening. Of the recommendations \noffered in the recent reports, I will briefly address two.\n    The first, to develop a comprehensive cybersecurity \neducation and workforce development model that standardizes \ninterdisciplinary curricula, that serves as a foundation for \naccreditation, and integrates with existing programs and \ntaxonomies. To implement this recommendation, I suggest that \nthe federal government leverage the work of the Association for \nComputing Machinery, the ACM Joint Task Force on Cybersecurity \nEducation. I serve as Co-Chair of this task force, and our \nwork, which is developing the first set of global curricular \nguidelines in cybersecurity education, structuring the \ncybersecurity discipline and providing comprehensive and \nflexible curricular guidance, will be complete late this year.\n    Several points drive my recommendation. First, with over \n100,000 members, the ACM is the largest computing society in \nthe world, and the framework is being developed by global \nsubject-matter experts across academia, government and \nindustry. 
The ACM has nearly 50 years of experience developing \ncurricular guidance, and the document will be endorsed by major \ncomputing societies, the ACM, the IEEE Computer Society, the \nAssociation for Information Systems, and the International \nFederation for Information Processing.\n    The framework is grounded in both the interdisciplinary \nnature of cybersecurity and the inherently technical foundation \nof the field. It facilitates the alignment between curricular \ncontent and workforce frameworks including the National \nCybersecurity Workforce Framework developed through the U.S. \nNational Initiative for Cybersecurity Education, and it forms \nthe foundation for emerging accreditation standards currently \nunder development by ABET.\n    The second recommendation from the reports is to add new \ncredentialing requirements and to develop a network of \ncredentialing associations. The call for additional \ncredentialing requirements is not new. I support the need to \nensure cybersecurity professionals maintain the highest level \nof competency but caution against blanket professionalization \nrequirements that do not consider differences in occupational \nneeds. Cybersecurity is a broad field with many occupations and \nthe needs of those occupations must be considered separately. I \nco-chaired the 2013 National Research Council Committee on \nProfessionalizing the nation's Cybersecurity Workforce that \naddressed this issue. As we state in our report, before new \ncredentialing requirements are added, workforce developers \nshould review specific occupational characteristics, identify \nthe associated workforce deficiencies, and consider the \ntradeoffs associated with implementing additional requirements. 
\nI urge the federal government to continue to catalyze \nactivities and to leverage existing multisector stakeholder \ngroups like the Institute for Information Infrastructure \nProtection (The I3P) to integrate, accelerate and guide \nexisting cybersecurity workforce development initiatives. These \ninitiatives should leverage existing and scalable models, \nemphasize both evidence-based short-term interventions that \naddress immediate needs, and strategic long-term initiatives \nthat address the entire ecosystem; expand the pipeline by \nengaging a broad cross-section of society to include women, \nethnic groups typically underrepresented in this workforce, \nveterans, and even special-needs populations who possess \ntargeted skill sets, to lengthen the pipeline by engaging \nstudents early in their education, and including K-12 teachers \nwho will largely influence those students' choices.\n    A coordinated and comprehensive cybersecurity workforce \ndevelopment strategy that supports our ability to scale is a \ncritical success factor for strengthening U.S. cybersecurity \ncapabilities.\n    Again, I am honored to appear before the Committee, and I \nlook forward to your questions. Thank you.\n    [The prepared statement of Dr. Burley follows:]\n    \n  \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n  \n    \n    Chairwoman Comstock. Thank you, Doctor.\n    And now we'll hear from Mr. Wilshusen.\n\n         TESTIMONY OF MR. GREGORY WILSHUSEN, DIRECTOR,\n\n                INFORMATION SECURITY ISSUES, GAO\n\n    Mr. Wilshusen. Chairwoman Comstock, Ranking Member \nLipinski, Mrs. Johnson, and Members of the Subcommittee, thank \nyou for the opportunity to discuss ways to strengthen U.S. \ncybersecurity.\n    As recent cybersecurity attacks have illustrated, the need \nfor robust and effective cybersecurity has never been greater. 
\nToday I will provide an overview of our work related to \ncybersecurity posture of the federal government and the \nnation's critical infrastructure.\n    At your request, I will also identify areas of consistency \nbetween our recommendations and those made in recent reports by \nthe Commission on Enhancing National Cybersecurity and CSIS.\n    Before I do, if I may, I'd like to recognize for the record \nMike Gilmore, Kush Malhotra, Nancy Glover, and Scott Pettis for \ntheir significant contributions to helping develop my written \nstatement.\n    Madam Chairwoman, GAO has consistently identified \nshortcomings in the federal government's approach to protecting \nits computer systems. This year marks the 20th anniversary of \nGAO designating federal information security as a government-\nwide high-risk area. We expanded this area to include the \nprotection of cyber critical infrastructure in 2003 and \nprotecting the privacy of personally identifiable information, \nor PII, in 2015. Federal agencies in our nation's critical \ninfrastructures are dependent upon computerized systems, \nnetworks and electronic data to carry out operations yet these \nsystems and networks are inherently at risk and cyber threats \ncontinue to evolve and become more sophisticated. While \nagencies in previous Administrations have acted to improve the \nprotections over systems supporting federal operations of \ncritical infrastructure, the government needs to take \nadditional actions to bolster U.S. cybersecurity. 
These include \neffectively implementing risk-based entity-wide information \nsecurity programs consistently and over time improving its \ncyber incident detection, response and mitigation capabilities, \nenhancing its cybersecurity workforce planning and training \nefforts, expanding efforts to fortify cybersecurity of the \nnation's critical infrastructures, and better overseeing \nprotection of personally identifiable information.\n    Over the last several years, GAO has made about 2,500 \nrecommendations aimed at improving the security of federal \nsystems and information. We have identified how agencies can \ntighten technical security controls, fully implement \ninformation security programs, and better protect the privacy \nof PII held on their systems. Many agencies continue to be \nchallenged in safeguarding their computer systems and \ninformation, in part because many of these recommendations have \nnot yet been implemented. As of January 2017, about 1,000 of \nour recommendations had not been implemented.\n    Regarding recommendations made by the Cybersecurity \nCommission and CSIS, several are generally consistent with or \nsimilar to previous GAO recommendations. In particular, certain \nrecommendations pertaining to the establishing of an \ninternational cybersecurity strategy, protecting critical cyber \ninfrastructure, promoting use of the NIST Cybersecurity \nFramework, prioritizing cyber research and expanding \ncybersecurity workforces share common traits.\n    In summary, the dependence upon the federal government and \nthe national critical infrastructure on information and \ncommunications technologies makes them potentially vulnerable \nto a wide and evolving array of cyber-based threats. Securing \nthese technologies is vital to the nation's security, \nprosperity and well-being. Nevertheless, the security over \nthese systems is inconsistent and additional actions are needed \nto address ongoing cybersecurity and privacy challenges. 
We at \nGAO will continue to work with the Congress and federal \nagencies to address these challenges and strengthen our \nnation's cybersecurity capabilities.\n    Chairwoman Comstock, Ranking Member Lipinski, members of \nthe Subcommittee, this concludes my statement, and I'd be happy \nto answer your questions.\n    [The prepared statement of Mr. Wilshusen follows:]\n    \n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n    \n  \n    \n    Chairwoman Comstock. Thank you.\n    I'll now yield myself five minutes, and I appreciate the \nwitnesses' testimony.\n    Mr. Wilshusen, as you noted, 1,000 of the recommendations \nhave not been implemented. That's about 40 percent. What are \nsome of the most common reasons for that lack of \nimplementation, and what steps might Congress take to help \nencourage agencies to implement these recommendations?\n    Mr. Wilshusen. Well, I think the recommendations in some \ninstances require a longer period of time to actually implement \nconsistently throughout the organization, and that may be one \nfactor. Another factor is that agencies often will close a \nrecommendation as implemented when they may have a plan to \nimplement the recommendations and not when they take the action \nneeded to implement the recommendation across the enterprise. \nWe often find that when we go back to an agency that has \nindicated that it has implemented the recs. We go out and re-\ntest the systems across the organization, the conditions still \nexist. They may have implemented it on a couple of the systems \nbut not throughout the organization. So that's another factor.\n    Chairwoman Comstock. Should there be some self-testing then \non that so you have your plan and then you have tests that each \nagency is doing on their own, or do you have recommended \npolicies on that front?\n    Mr. Wilshusen. Right, most definitely. 
In fact, FISMA \nrequires agencies to test and evaluate the security of their \nsystems frequently, at least once a year, to assure that their \ncontrols are adequately implemented, but----\n    Chairwoman Comstock. But that is not being done?\n    Mr. Wilshusen. Well, it may be done but we have also found \nthat agencies' security tests and evaluation processes may not \nbe that comprehensive. In some cases, they may rely on \ninterviews or document reviews but not dig down to look to see \nhow systems and their settings are actually configured. That's \nvital with information security because so many controls, \nparticularly the technical security controls, are implemented \nin the systems that have to be configured in a certain way. So \nthat's one of the key areas that we consistently find as a \nreason for these outstanding recommendations.\n    Chairwoman Comstock. Thank you.\n    And Dr. Burley, I really appreciate your focus on the need \nfor education, and 1.5 million jobs you said are needed?\n    Dr. Burley. Yes.\n    Chairwoman Comstock. And so that certainly is a good growth \narea that people should be focused on, appreciate GW's focus on \nthat and many of our universities in the region.\n    What type of practices even earlier on can get people into \nthe pipeline? To get young students in this can we be focusing \non really in earlier grades to make this really be kind of a \nlifestyle and understanding that this is something that \neverybody needs to be engaged in?\n    Dr. Burley. I think that there are two different approaches \nthat we can take. One is certainly getting students into the \ntechnology areas earlier - so teaching them how to code and to \nunderstand what that means. Moving computer science down into \nthe K-12 classrooms is critical. But we also need to focus on \nmore general skills like analytical ability, critical thinking, \ncommunication, those types of skills, teamwork, team building. 
\nAll of those different skill sets are critical for \ncybersecurity professionals and so we need to consider those as \nwell.\n    Chairwoman Comstock. And even for people who aren't going \ninto that field, I mean, obviously, with 1.5 million jobs \nneeded, that is a good field for them to go into, but what type \nof--should there be classes maybe in grades for qualification \nfor just basic understanding for people even who aren't in the \nfield?\n    Dr. Burley. Absolutely. So you're talking about awareness \nprograms?\n    Chairwoman Comstock. Yes.\n    Dr. Burley. We certainly need to make sure that everyone \nunderstands what cybersecurity is, and what role they play as \nindividuals in that workforce. Not all of the cybersecurity \ncareers are solely focused on only doing cybersecurity. There \nare a lot of what we consider to be hybrid roles so that if \nsomeone is going into healthcare, they may have an opportunity \nto work with electronic medical records or need to understand \nprivacy considerations and so it is very important that the \nawareness programs aren't just general blanket broad awareness \nprograms but that they also contain elements that specifically \nlink cybersecurity concepts and ideas to all of the disciplines \nacross the curriculum as early as we possibly can do it.\n    Chairwoman Comstock. So it sounds like we need something \nakin to a continuing education program for everybody in various \nfields on the need to be aware of this, and Mr. Mulholland, I \nnoticed you're nodding too. If you wanted to----\n    Mr. Mulholland. Yeah, if I could just add to that, you \nknow, as someone who hires and over the last 20 years has hired \nmany, many security engineers, certainly I would support, you \nknow, enhancement of skills. 
We find it incredibly difficult to \nhire well-qualified security engineers, but also more broadly \nin some of the software security programs that we run, I end up \nspending a lot of time just teaching known security software \ndevelopers about security. I would love to see basic security \nskills to be part of every computer science degree, you know, \nin the curriculum moving forward so I can invest my time in \nbeing proactive and defending rather than having to teach all \nof my known security colleagues about the basics of security.\n    Chairwoman Comstock. Excellent. Thank you all, and I now \nyield to Mr. Lipinski for five minutes.\n    Mr. Lipinski. I want to thank you all for your testimony, \nand just very briefly, education, workforce. Dr. Burley, you \nwere speaking about that. I just want to say that as Co-Chair \nof the STEM Ed Caucus, I think there's more that we need to be \ndoing to encourage STEM education. Next week is National \nEngineers Week. I know one of those days is Introduce a Girl to \nEngineering Day and there's a lunch up here tomorrow about \nthat. We need to get as many people as we can into the \npipeline. And also, we need to have general education on things \nlike cyber hygiene.\n    I wanted to--there's so many things we could talk about. I \nhave some questions for the record. But I wanted to ask Mr. \nMulholland, you had spoken a little bit about the internet of \nthings and what needs to--you started touching on what needs to \nbe done. Both the Commission and the CSIS focused on security \nof IOT devices, and in his testimony, Dr. Romine discussed the \nsteps NIST is already taking to address security for IOT in \ndifferent sectors.\n    Now, I assume that the CSIS task force took into account \nthe efforts already underway at NIST to develop security \nstandards. Would you have any thoughts on how NIST should \nprioritize their IOT work in the next couple years given \nlimited resources?\n    Mr. Mulholland. 
You know, I think all of us in the CSIS \ncyber task force felt that IOT is really critical in terms of \npriorities. The speed and acceleration of things is quite \nphenomenal, and the spectrum that they cover is quite \nconsiderable. If you look at, you know, IOT as a concept, it is \nnot necessarily new. We've had industrial control systems for a \nvery long time in the power and the energy sectors but if you \nlook at--you know, I'm wearing a watch today that's probably as \npowerful as my iPhone was ten years ago--the proliferation of \nthese devices is critical, and I think NIST's involvement in \nsetting some basic rules of the road are going to be critical, \nparticularly actually in the consumer segment around how these \ndevices are actually manufactured and supported over the \nlifecycle of those.\n    Mr. Lipinski. Anything--nothing more specific on where you \nwould direct NIST to go?\n    Mr. Mulholland. I think that there are a couple of specific \nareas. I think first of all, you need to look at it from a \nsector-specific point of view. If you look at industrial \ncontrol systems, for example, or healthcare advices or \nmanufacturing, certainly I think some of the work NIST has \nalready done should be accelerated around how do we actually \nconnect these systems through things like internet gateways and \nedge-type devices, what are, you know, appropriate \narchitectures and controls for those.\n    But I think the other area that can't be forgotten is the \nconsumer side. If we look at the attacks in October last year, \nthat was predominantly consumer devices where there really \naren't any standards or any recommendations around how a \nconsumer device should be developed or, you know, some basic \nkind of frameworks for how it should be supported over its \nlifecycle. 
If we don't look at that full spectrum, you know, \nmuch more prescriptive around, you know, more kind of \nmanufacturing, industrial, but also a consumer, then we're \ngoing to continue to see attacks like that.\n    Mr. Lipinski. Thank you. And since we're going down that \nroad, let me finish with a question about privacy.\n    Last week, Vizeo agreed to pay $2.2 million settlement for \ncharges that TVs collected owners' information without their \nknowledge. We have devices like Amazon Echo, Google Home, all \nthese listening devices that are proliferating. We have facial \nrecognition technologies that are getting better and better. So \nthe issue of privacy, cybersecurity, privacy is also very \nimportant. Are there any recommendations that any of you have \nfor how the Science Committee or Congress in general should \nthoughtfully address both the cybersecurity and privacy issues \nand balancing them?\n    Mr. Mulholland. So certainly at CSIS, we made a set of \nrecommendations again specifically around the definition of PII \nand some recommendations that NIST should revisit the \ndefinition both on kind of reestablishing a baseline but also \non an ongoing basis. I think what is considered PII \nhistorically is rapidly, rapidly evolving. One of the things \nthat we discussed quite a lot about was that five years ago, \nnone of us would have considered that we'd have a device in our \npocket that is tracking every move or we might have a \ntelevision that's listening to our every conversation, and you \nknow, the data that those devices create does not necessarily \nfit under the traditional definition of PII. So we had a \nrecommendation that NIST should specifically look at what the \ndefinition of PII is but see that as a moving target that needs \nto be so that we can set some acceptable norms around, you \nknow, privacy and private information.\n    Mr. Lipinski. All right. Thank you.\n    I yield back.\n    Chairwoman Comstock. 
Thank you.\n    I recognize Mr. Webster for five minutes.\n    Mr. Webster. Thank you, Madam Chair.\n    I have a question, I believe, for Dr. Romine. So we have \nthis--if we looked at the negative side of cybersecurity and \nall the things that are happening, the attacks from other \ngovernments and even in the private sector and things that are \nall going on, it seems like just from what I've heard today \nthat that's an issue that's moving at light speed, and yet \nwe're not here in this body known for moving at snail speed, \nand I guess my question is, you had testified that there have \nbeen three modifications in 30 years of the document that \npretty much tells you what you should be doing and how you \nshould be doing it, and so we're walking along and yet we have \nsomething moving three times ten to the eighth meters per \nsecond. And so my question, I believe, is there an \ninfrastructure that you're a part of and others that are part \nof who have testified--we've got this whole list of acronyms of \norganizations that are working on this. Is that infrastructure \nthat's there combined fast enough and good enough to catch it?\n    Dr. Romine. Thank you for the question. Let me address it \nin this way. 
One of the reasons that NIST is as effective as it \nis in this space is our deep and longstanding partnerships with \nthe private sector, the folks who are moving at light speed, \nand so I think the idea that we maintain that connection with \nthem, that we provide input to them on priorities that the \nfederal government has, that they provide us with a partnership \nworking collaboratively on solving some of these really \nchallenging technical problems in security, frankly I think is \nthe only way that we can maintain the kind of pace and to \nanticipate some of the challenges that we have down the road to \nremain relevant.\n    We have deep technical expertise ourselves but we rely \nentirely on that connection that we have with industry and with \nacademia to maintain our awareness and engagement at the speed \nthat's necessary.\n    Mr. Webster. Do you think that there is too many or too few \nkingdoms that are addressing this issue, or do they--maybe if \nthere are too many, are they bleeding over into each other and \nmaybe doing things that the other might be doing?\n    Dr. Romine. Well, I'm not exactly sure how to interpret \nyour question but----\n    Mr. Webster. I'm only looking at the structure to see if \nthis is the right structure or there should be something else.\n    Dr. Romine. Oh, I see.\n    Mr. Webster. That's what I'm thinking about.\n    Dr. Romine. Right. Yes, I can really address only NIST's \nrole with regard to how we provide guidance and standards in \nthis space, and I think the statutory role that we have is \nessential for us. It's--you alluded to the fact that there----\n    Mr. Webster. Is it more defensive in that the agency--let's \nsay the federal agencies, do they have to come to you before \nyou give them or are you aggressive in----\n    Dr. Romine. No, we have partnerships. 
I alluded to the \npartnerships with the private sector but we also have strong \nengagement in the public sector as well with other federal \nagencies and even with state and local governments in some \ncases.\n    From my perspective, you alluded to the fact that there are \nonly three updates to the governing legislation of FISMA in the \nlast 30 years. I view that in many ways as a strength because \nthe legislation actually sets the structure, the very high-\nlevel components, and if that were to change rapidly, I think \nit would be much more difficult for us. Whereas putting the \nstructures in place and providing roles and responsibilities \nclearly in legislation gives us the opportunity to then operate \neffectively in that structure.\n    Mr. Webster. Thank you very much. That was helpful.\n    I yield back.\n    Chairwoman Comstock. Thank you, and I now recognize Mr. \nBera for five minutes.\n    Mr. Bera. Thank you, Madam Chairwoman, and the Ranking \nMember.\n    You know, just listening to the testimony, Mr. Mulholland, \nin your opening statement, you talked about how cyber-attacks \nrepresent a clear and present security threat, and I think each \nof you, you know, alluded to the sense that the federal \ngovernment is pretty vulnerable to cyber-attacks. Would any of \nyou dispute that statement? So we've got vulnerabilities there.\n    I think, Dr. Burley, in your opening statement, you talked \nabout the workforce need being acute and immediate, and I think \nyou mentioned over a million jobs, maybe 1.5 million vacancies. \nNow, that's not just federal government, that's the need that \nexists in the private sector, and so there's this acute need, \nand unfortunately, I would bet that it's going to get worse \nbefore it gets better because we're not training that \nworkforce.\n    If we look at the federal government, maybe Mr. Wilshusen, \nI would imagine we've got critical hiring needs in the federal \ngovernment that we can't fill. 
Would that be correct? In the \nthousands?\n    Mr. Wilshusen. I hesitate to give a specific number but \nwith the work we've done and the surveys where we've gone out \nto the agencies, it was pretty much across the board that they \nall felt they were very challenged to attract and retain the \ncyber skill sets that they needed.\n    Mr. Bera. So we recognize we're vulnerable as the federal \ngovernment. We've got critical vacancies and needs that we need \nto hire for. We understand that our salaries, you know, \ncompared to just looking at simple rules of supply and demand \ncannot compete with what folks in the private sector may be \npaying so we have difficulty retaining and recruiting those \nindividuals. Would that be an accurate statement? So that, you \nknow, obviously is a critical need, and a critical security \nneed. Recently a few weeks ago, the President signed a broad, \nsweeping federal Executive Order freezing the hiring of federal \nemployees. Do we know if these critical IT, critical \ncybersecurity jobs are exempt from that federal order, Dr. \nRomine?\n    Dr. Romine. We're seeking clarification on that now just to \nmake certain because we do want to know whether we're going to \nbe able to continue to recruit in this space.\n    Mr. Bera. I mean, I guess I would go on the record along \nwith my colleagues in a bipartisan way that, you know, we ought \nto send a strong message to the Administration that these are \nclearly critical jobs that need to be filled that are in our \nnational security interest and we would provide you with \nwhatever support you need might in that clarification, but my \nsense is, if it's already hard enough to recruit these \nindividuals and hard enough to retain these individuals, let's \nnot make it any more difficult, and, you know, that broad order \nin my mind is making us less secure and certainly it's \nworrisome.\n    You know, maybe, Mr. 
Wilshusen, if we were thinking about \nstrategies to recruit and retain some of these individuals, \nwe've introduced a couple bills. One was the Tech Corps Act in \nthe last Congress which would try to work with universities to \nhelp offset the cost of tuition. I'm a physician by training. \nMuch as doctors can go back and fill critical needs and serve \ntheir country and community, perhaps that's one idea. You know, \nwe've also considered prioritizing hiring of veterans and \ngetting them into quick technical training skills--we know \nthey're already patriotic--in order to fill some of these \nneeds. What would be some other ideas that could help us fill \nthese needs?\n    Mr. Wilshusen. Well, I think the one you mentioned too \nabout reimbursement of student--well, one of the things would \nbe reimbursement of student loans. That's one that we use at \nGAO, and it's a very useful and effective way of helping to \nrecruit staff, particularly in the IT security realm where we \nperform these IT audits. So that has been very helpful in being \nable to reimburse and help those individuals to pay off their \nstudent loans would be one thing.\n    Another, of course, is just the focus on the civic \nresponsibility and I would say the satisfaction of doing \nfederal work. That's been very effective for us as well because \nof the type of work that we do.\n    Mr. Bera. Dr. Romine, do you have any suggestions?\n    Dr. Romine. I agree with Mr. Wilshusen that one of the \nsecret weapons we have in recruiting top-notch staff is the \nfact that our mission is so compelling and interesting and we \nwork in a really terrific place. 
I'm guessing GAO would make \nthat same claim.\n    So people who do feel a sense that they want to contribute \nthrough public service, we're able to be competitive with that \nsegment of the population.\n    I also want to point out one of the things that really \nneeds to be understood well is that cybersecurity as it's \ncurrently constituted is interdisciplinary, and by that I mean \npeople from economists, sociologists, psychologists, electrical \nengineers, computer scientists, across the board, these folks \nhave roles to play in cybersecurity that are really compelling, \nand so we find that we're able to attract those folks.\n    Mr. Bera. I realize I'm out of time so I'll yield back.\n    Chairwoman Comstock. And I now recognize Mr. Abraham for \nfive minutes, the new Vice Chair of the Subcommittee. Welcome.\n    Mr. Abraham. Thank you, Mrs. Chair.\n    Mr. Wilshusen, as far as--give me the advantages and \ndisadvantages from your perspective as an auditor, when the \nfederal government and the private sector, they take the same \napproach, in this case using NIST Cybersecurity Framework for \nsecuring their information and information systems, the good, \nthe bad, the uglies?\n    Mr. Wilshusen. Well, one of the benefits of the NIST \nCybersecurity Framework is its flexibility. The way that it can \nbe used by different organizations, whether they're federal \ngovernment organizations or private sector organizations who \napply the techniques. The guidance in that document is very \nuseful. Certainly, over the years NIST has issued a complete \nand comprehensive set of cybersecurity guidelines and standards \nthat could be used by the private sector and indeed many do. \nThey certainly are required for the federal agencies. We use \nthat criteria in our audits, and we think that NIST does a very \ngood job of identifying those.\n    Mr. Abraham. Mr. Mulholland, your take on the advantages \nand disadvantages of taking that same approach?\n    Mr. 
Mulholland. Well, I would actually second that the NIST \nFramework, even within the private sector is still seen as \nbeing a very compelling standard. There are many standards out \nthere, and NIST is certainly one of the most compelling.\n    I'll add a different spin to my answer, though, which is \nthat because it is a compelling framework, it actually means \nit's software manufacturers like ourselves who actually build \nour software so that it can conform to the standard and make \nimplementing the standard a little easier for people who are \nusing our software. So by having that kind of standard somehow \nfloat to the top actually, you know, a rising tide lifts all \nboats, so to speak.\n    Mr. Abraham. Let me stay with you, Mr. Mulholland. In your \ntestimony, you said that there may be a need to increase \nfederal oversight or increase oversight of the federal \ncybersecurity by creating a special GAO office, would you \nelaborate on that? What does that entail?\n    Mr. Mulholland. That's certainly one of the CSIS \nrecommendations that I'm less familiar with so I'll defer to my \nwritten testimony if that's okay.\n    Mr. Abraham. Mr. Wilshusen, give me your take on that. I'll \nping pong between you guys.\n    Mr. Wilshusen. Okay. Well, with respect to GAO assessing \nagencies' implementation of cybersecurity, that's something we \ndo already. One of our roles is to provide and help Congress \nprovide the oversight over federal agencies' implementations of \ncybersecurity. So that recommendation in terms of having GAO \nconduct reviews is something that we do and we'll continue to \ndo.\n    Mr. Abraham. Mrs. Chairman, I yield back.\n    Chairwoman Comstock. Thank you, and I now recognize Mr. \nBeyer for five minutes.\n    Mr. Beyer. 
Thank you, Chairman Comstock.\n    Last week, Ranking Members Lipinski and Johnson and I sent \na letter to Chairmen Smith, LaHood and Comstock calling on them \nto investigate President Trump's cybersecurity practices, and \nmy friend, Chairman Smith, was quoted in the press as saying \nthat this is hypocritical since we didn't support the \nCommittee's investigation of Hillary Clinton's email server. I \njust want to highlight a few facts.\n    Number one is that by the time Science Committee launched \nits investigation of former Secretary Hillary Clinton's emails, \nthree government agencies--the FBI, the State, Inspector \nGeneral, et cetera--had already completed investigations of \nClinton's emails and five other Congressional committees were \ninvestigating the same issue, and the Committee essentially \ndropped all interest in Hillary Clinton's emails right after \nthe presidential election.\n    There's also a quote in The Hill yesterday from an \nanonymous Science Committee staffer claiming Science Committee \nDemocrats refused to support past investigations into cyber \nhacks, specifically mentioning the OPM hack and breaches at the \nFDIC, and I'd like to submit two documents for the record that \ndispute these alternative facts. The first is my letter to \nChairman Smith, which requested the hearing into the OPM hack, \nand the second was any opening statement--my opening statement \nfrom the FDIC hearing in which I voiced explicit support for \nthe inquiry into the FDIC breaches. I also don't remember any \nof the Democrats defending Secretary Clinton's email server.\n    And I believe really that members of both parties are \ndeeply concerned about cybersecurity, and I look forward to \ncontinuing to work together with my Republican friends on this.\n    This past week, the Trump Administration revised and then \ndelayed the release of a new Executive Order on cybersecurity. 
\nIt was reported that the Chief Information Security Officer in \ncharge of cybersecurity for the White House and the President \nwas fired. As I pointed out in the letter with Ranking Members \nJohnson and Lipinski, in the few short weeks in office, \nPresident Trump and some of his senior staff appear to be \nstruggling with implementing proper and appropriate \ncybersecurity practices. The President still apparently uses \nhis easily hackable personal cell phone, his Android, not an \niPhone, which of course opens it up to the foreigners who could \nuse foreign intelligence services who can track location, \ncan log keystrokes, could use the camera.\n    The official Twitter account has been linked to an unsecure \nprivate Gmail account, and just this weekend it was widely \nreported that the President held conversations and reviewed \ndocuments about the North Korean missile launch in the middle \nof Mar-a-Lago's restaurant, potentially within earshot of \nwaiters and fellow diners, and according to eyewitnesses and \npictures we've all seen, aides used their phones as flashlights \nto illuminate the documents, which could let hackers, if they \nhad compromised these phones, read the materials because the \nphones' cameras were pointed right at them.\n    So these actions give the appearance that the Trump \nAdministration's cybersecurity policies are in disarray and \nthat the personal cybersecurity practices of the President and \nsenior staff are both unwise and insecure. And by the way, if \nwe're concerned--you know, the security of the President's \nTwitter account is not trivial. I mean, his tweets have given \nrise to a drop in Toyota stock, the Mexican peso to devalue, \nthe best subscription day ever on Vanity Fair, the scuttling of \nthe Mexican president's trip to the United States.\n    So Dr. 
Burley, could you speak to this issue, particularly \nabout how effective cybersecurity policy requires buy-in from \nthe top of the organizational chart, whether it's from a CEO or \nagency head or even the President of the United States?\n    Dr. Burley. Thank you for that question. I would say two \nthings. One, certainly when we're dealing with cybersecurity \nculture within any organization, it is important that all \nlevels of the organization buy in and employees are certainly \ndriven by what the top of the organization pushes forward.\n    With regard to awareness and understanding how our \nindividual behavior impacts the security of our enterprise and \nour personal security, I would say that this is something we \nneed to address in the redevelopment of cybersecurity awareness \nprograms. We need to move beyond simply trying to make people \naware of the issues and move toward helping them understand \nwhat their particular behavior does in terms of making a \nsituation more or less secure, and that's something that needs \nto happen across all levels of organizations and even starting \nwith some of the programs that we were talking about earlier in \nterms of going down into the K-12 range because awareness is \none thing but understanding the implications of your behavior \nthat then lead to behavioral changes is another matter.\n    Mr. Beyer. Thank you very much.\n    And Dr. Romine, we know how powerful the President's \nTwitter account is. It's an important way for him to \ncommunicate. What should the Administration do to secure his \nimportant Twitter account?\n    Dr. Romine. Well, that verges on a certain oversight \nfunction in a specific case like this, and NIST is a non-\nregulatory agency with no oversight role or capabilities. I \nthink the oversight typically for federal cybersecurity rests \nwith the Inspectors General, with the GAO and with OMB who has \nthe policy lever for ensuring cybersecurity of systems. 
So \nbeyond that, I don't think I can really comment.\n    Mr. Beyer. Madam Chair, I yield back.\n    Chairwoman Comstock. Thank you, and I'd also like to enter \ninto the record Chairman Smith's letter responding to Mr. \nBeyer's letter, and I'm sure he welcomes your newfound interest \nin oversight, and you obviously have a role on the Oversight \nSubcommittee and this Committee, but I would like to also enter \ninto the record Mr. Beyer's August 22nd, 2016, press release \nthat was critical of the full Committee and the email \ninvestigation and your quote here, ``The House Science \nCommittee must focus on its role promoting science and ensuring \nthat America is the global leader in research and development \nrather than scoring cheap political points.'' And I'd also \nenter into the record an October 2016 interview that was on a \nlocal TV show which was critical of the FBI Director in that \nregard also.\n    [The information appears in Appendix I]\n    Chairwoman Comstock. I will now yield five minutes to Mr. \nLaHood, the Chairman of the Oversight Subcommittee.\n    Mr. LaHood. Thank you, Madam Chair, and I want to thank the \nwitnesses for being here today and for your valuable testimony.\n    I do want to make a couple observations in response to my \nfriend Mr. Beyer. I would first say that there's no evidence \nthat President Trump is using his personal phone. In contrast \nto what was said, the New York Times has reported that he \ntraded in his Android phone for a secure encrypted device \nauthorized by the Secret Service, which is protocol for all \nPresidents, and he is abiding by that protocol by having an \nauthorized phone.\n    I would also dispute the assertion that somehow the \nallegations of what occurred with former Secretary of State \nHillary Clinton which was brought up, you know, in that case, I \nthink it is really apples and oranges in terms of the activity \nthat went on there and the allegations there. 
You know, the FBI \nin that case found multiple violations of federal law on \nnational security, cybersecurity and criminal statutes. The FBI \nDirector said in his press conference that there were \nviolations of federal law there. There's currently an active \nDepartment of Justice investigation and a grand jury looking \ninto that, and I think the underlying circumstances and facts \nthere are completely different than a Twitter account. And \nlet's remember, Twitter is by its nature a service meant to \nprovide information to the public, and there is again no \ninformation that somehow the tweets that are being put out by \nthe President are done by a private phone. They can clearly be \ndone by a secure, authorized phone, and I think we live in a \nunique age with technology. The fact that the President \ncommunicates every day with 20 to 25 million people by Twitter \nin an unfiltered, raw manner I think is unique, but that's the \nage that we live in now. But to make the comparison to what \nhappened with Hillary Clinton I think is really disingenuous to \nthis discussion, and I think the facts bear that out.\n    I guess in looking at our hearing here today and how we can \nimprove on cybersecurity at the federal level, I'm very \ninterested, and I've talked about this in previous hearings, \nlooking at the private sector and what has been beneficial in \nthe private sector, what has worked there, and public-private \npartnerships specifically, and I guess I would start with Mr. \nMulholland.\n    In looking at the private sector, how do we look at metrics \nor effective strategies that have worked, Mr. Mulholland, that \nwe can implement, learn from, and then how do we--how do we in \nan effective way put together a framework or metrics to judge \nthat moving forward?\n    Mr. Mulholland. Thank you for the question. I think in \nterms of metrics, we can have metrics for metrics sake, or we \ncan have metrics that are actually measuring outcomes. 
I think \nin the private sector, actually to refer back to something that \nDr. Burley mentioned earlier, we've moved from basic awareness \nto understanding. So sometimes metrics can be the kind of \noutcome of a checklist of items that people can complete \nwithout necessarily actually understanding what they're doing \nor why they're doing it. So certainly in the private sector, \nwe've moved from, you know, predominantly checklists to really \nfocusing on what outcomes are on how do you measure and use \nmetrics to measure those outcomes. So specific examples might \nbe actually looking at what are our threat models so what is \nthe actual threat that we are subject to and then focusing and \nprioritizing around that. So for example, we're a Silicon \nValley-based technology company. A big threat to us is the \ntheft of intellectual property so a lot of the metrics and a \nlot of the outcomes we're looking at is, how do we protect our \nintellectual property. Perhaps some other pieces of data are \nless important to us than, you know, the lifeblood of our \ncompany. So we focus our metrics on outcomes and not so much on \nchecklists for checklists' sake.\n    Mr. LaHood. Thank you for that.\n    The Cybersecurity Commission report recommends that the \nPresident issue a national cybersecurity strategy within the \nfirst six months of the Administration. I guess, Mr. Wilshusen, \nwhat might you--I guess what might you wish to see reflected in \nthat strategy and what advice would you give?\n    Mr. Wilshusen. Well, I think a couple things. One would be \njust to come to an agreement on what the norms of behavior \nshould be within the cybersecurity realm across the various \ndifferent nations. As you know, norms differ in many different \nways across nations. 
Coming to some sort of understanding of \nwhat's acceptable behavior, what is not when using the internet \nand cyberspace would be one of those areas that should be \ndiscussed.\n    And also how to go about raising that discussion with the \ndifferent nations who have different values and mores would be \nanother key area as part of that strategy.\n    Mr. LaHood. Thank you.\n    Those are all my questions. Thank you.\n    Chairwoman Comstock. And I now yield five minutes to Ms. \nRosen, a new member of the Committee.\n    Ms. Rosen. Thank you, Madam Chairwoman.\n    I have to tell you that I started my career as a computer \nprogrammer in the 1970s with a card deck and a mainframe, and \noh, how I long for those days when no one could break into the \nsystem. It was very difficult. We had a phone with a modem. \nRemember that was the only way in? And there wasn't the \npossibility for attacks in those kinds of ways.\n    So I couldn't agree more that we need to have the \nanalytical and teach the analytical and critical thinking \nskills that are needed of course to move us forward in all jobs \nacross all platforms for this sector and that as you so \neloquently said, the computer industry, engineering sciences, \nwe have to take a multifactorial approach to be able to \ndynamically respond across all platforms to the challenges that \nwe're facing, and nobody knows this better than you, and like I \nsaid, as I wrote software trying to keep that secure and safe, \nso I have a different perspective maybe than some people on \nthis panel. I could talk to you all all day.\n    But what I find most important, as I started as a woman in \ntechnology in the 1970s, it's still not so popular but more \npopular. How do we teach and train--how do we promote the \neducation? First of all, I think it starts with our teachers \nand our educators. How do we get them trained to inspire the \nstudents that understand that computers and all these things \nare very creative? 
It's not dull and boring. It's extremely \ncreative and innovative. And then teachers can take those to \nour schools K-12 and above.\n    And then also my second part of the question is the general \npublic when you begin to talk about computer things, our eyes \nroll back. They don't want to hear about cyber hygiene. They \ndon't get it. They just want to use their social media, Twitter \nor Facebook or whatever. How do we educate the public about how \neasy it is for them to be used as a target into things with \nphishing and all those? How do we make them--give them the buy-\nin to do something?\n    Dr. Burley. Well, with your first question, thank you. I \nwould say that we have to target all of the K-12 teachers \ninstead of just focusing on those who have self-identified as \nbeing interested in computer science or in cybersecurity. So I \nwould say that we need to start to work with the schools and \ncolleges of education so that when the teachers are in their \ndevelopmental process that they begin to understand \ncybersecurity concepts and that they understand how to \nintegrate those concepts into what they're doing in their \nfifth-grade English classroom or what they're doing in ninth \ngrade biology because there is an aspect of cybersecurity that \npervades across the curriculum. But in order for the teachers \nto be able to do that, we have to educate them as such, so I \nwould say that that's a part of what we need to do and focusing \non them.\n    The other thing with regard to getting more women and young \ngirls into STEM in general and certainly cybersecurity is in \nrole models, understanding that there are people who look like \nthem and who do this job and what that really means. We talk \nabout cybersecurity as if it is one thing when it's really not, \nand so--but we do ourselves a disservice because we don't \nreally help people to understand what it means and what it can \nmean to be a cybersecurity professional. 
So we need to do a \nbetter job of that. And I would say that that also adds into \nthis notion of the general public and awareness and \nunderstanding. That we're not talking about something that only \npeople down in the corner are doing or that those guys over \nthere will keep us safe but that we really understand as \nindividuals what our role is, how we interact with things, that \nwe understand the tradeoffs that come along with convenience so \nthat we understand what we're giving up when we're getting \nsomething, and as a society we don't really have that \nunderstanding and so we need to do more to educate the public \non what those tradeoffs are and what their role is in making \nsure that they are safe and that collectively the society is \nsafe.\n    Ms. Rosen. Thank you. I appreciate that.\n    I yield back.\n    Chairwoman Comstock. Thank you, and I now recognize Mr. \nMarshall for five minutes, and welcome to the Committee, our \nnew member from Kansas.\n    Mr. Marshall. Thank you so much, Chairman.\n    I'm a physician and had the pleasure of leading a hospital \nand a group of physicians through meaningful stages 1 and 2, \nbeen using an electronic medical record now for a couple years. \nI'm intrigued with the value. Someone here in the review \nmentioned that medical record is worth ten times more than some \nother records you would hack. What brings the value to people? \nWhat's in there that brings value to start with? And I'm not \nsure who could answer that question the best.\n    Mr. Mulholland. If I can clarify, do you mean in terms of \nthe value of a medical record versus, say, a tax record or a \ncredit card?\n    Mr. Marshall. I guess so. In one of the testimonies, \nsomeone said that the--on the black market, it would be worth \nten times than other type of record.\n    Mr. Wilshusen. 
What I would say is that one of the benefits \nwith electronic health records and information is the fact that \nthe accessibility of that information not only to patients if \nthey're able to access it but to other healthcare providers can \nhelp to assure that the treatments, the drugs prescribed to \nparticular patients, you know, if they have a full view of the \nindividual's overall health records that that can be very \npositive and beneficial to the healthcare of that individual.\n    But at the same time, what we have found in our audits of \nreviewing the security and the privacy controls over that \ninformation is that while the Centers for Medicaid and Medicare \nServices have come up with guidelines for that through HIPAA \nand the security and privacy rules, the actual use and \nimplementation of controls on certain health information \ntechnology has not been adequately reviewed in some respects to \nassure that those capabilities have been designed into the \ntechnology and that in fact at some of the healthcare providers \nthat that information and those controls are effectively \nimplemented.\n    Mr. Marshall. Yeah, I guess----\n    Mr. Wilshusen. I'm not sure if----\n    Mr. Marshall. --I'm not explaining my question very well. I \ncertainly understand about physician-to-physician transfer of \nrecords and that we used to go from one page of information, \nnow it's 40 pages and it's almost a worthless piece of \ndocument. My question is on the black market. When people are \nhacking medical records, what makes it ten times more valuable \nthan a credit card or other things they hack into? What do they \ndo with it?\n    Mr. Mulholland. I think I'll take an attempt at that. 
\nSomething like a medical record, to your point about, you know, \nthe 40 pages of information, that's going to contain a lot of \neffective metadata that perhaps would not be available in, you \nknow, just a credit card-type hack or whatever, so, you know, \nyou're going to be able to get a person-- probably be able to \nget a person's Social Security number, their date of birth, \ntheir address, so that can be used for other attacks. You might \nthen be able to use that to hack a person's credit card details \nor their tax return, but also you're going to have a list of \nmedical conditions that can be used for, you know, extortion \npurposes in the most extreme case but also basic things like \nprescription fraud. You can see who is the--you know, does the \npatient have any controlled substances prescribed to them, \nwhere their pharmacy is, and you've also got all the \ninformation to be able to impersonate that person and \npotentially go and steal their records. So it's a little bit of \na goldmine. You've got a lot of information in the same place \nthat can be very valuable used----\n    Mr. Marshall. I mean, my big--one of my bigger concerns \nwould be Medicare fraud, Medicaid fraud, people pretending like \nthey're a physician. They've got this person's health record \nand they bill Medicare and Medicaid for procedures never done. \nAre we seeing much of that now or how big of an issue do you \nthink it actually is today?\n    Mr. Mulholland. I can't personally speak to that but it's \ncertainly very feasible with the information available.\n    Mr. Marshall. Okay. When someone made the statement that it \nwas ten times more valuable to have that record than other, \nsay, a credit card record, is it ten times 10 cents? Is it ten \ntimes a dollar? Give me a--what's a black-market value of \nsomething like this?\n    Mr. Mulholland. 
Well, I can't tell you the exact value of a \nMedicare record--or sorry, a medical record but I will tell you \nto calibrate that credit card information goes for cents. It is \nthat much of a commodity. So your credit card details are \nprobably, you know, worth 10 or 20 cents.\n    Mr. Marshall. And this might be theoretically then worth \n$10 or $20. If you could hack into my physician's office and I \nhave 5,000 records there that it might be worth 5,000 times $10 \nto somebody?\n    Mr. Mulholland. Conceivably. I couldn't give you an exact \nfigure, but yes.\n    Mr. Marshall. Thank you. I yield back.\n    Chairwoman Comstock. Thank you. I now recognize Ms. \nBonamici for five minutes.\n    Ms. Bonamici. Thank you very much, Chair Comstock and \nRanking Member Lipinski, and thank you to our witnesses for \ntestifying today. I've been in a hearing in the Education and \nWorkforce Committee, which explains my absence for the \nbeginning of this, but I did read your testimony and really am \nparticularly concerned that we are falling short when it comes \nto developing adequate cybersecurity personnel both in quantity \nand quality, and I know that the NIST report recommends that \nfederal programs supporting education at all levels should \nincorporate cybersecurity awareness for students as they're \nintroduced to and provided with internet-based devices, and I \nknow this has been discussed already here this morning but I \nreally want to emphasize that especially with my concerns about \neducation and workforce issues as well that these programs be \ndeveloped as the report says and focused on children as early \nas preschool and throughout elementary school, and we also need \nprograms to better prepare our teachers, and I know that that's \nbeen discussed.\n    So I wanted to talk a little bit about the tremendous \npotential for community and technical colleges, community \ncolleges to have an increased role in preparing the workforce. 
\nWhat more can we be doing to create an environment that \nsupports this? And then also if you'll address public-private \npartnerships as well. My State of Oregon has been working on a \nCenter for Cyber Excellence, which is a collaboration with \nprivate sector as well as our universities and community \ncolleges. So can you talk about what sorts of roles community \nand technical colleges can play as well as public-private \npartnership?\n    Dr. Burley, I'll start with you.\n    Dr. Burley. Community and technical colleges play an \nincredibly important role in developing the cybersecurity \nworkforce. They are often more flexible than four-year \ninstitutions and so they're able to integrate curriculum a \nlittle bit faster. They are often where we turn to for more of \nthe hands-on technical training that we are not necessarily as \nequipped to provide as rapidly in the four-year space but it \nreally is a collaboration across all of the different levels of \nthe academy because while the community and technical colleges \nare possibly able to help us develop technical skill sets a \nlittle bit faster, there are other aspects that perhaps they \nare not as well versed in doing and so we really have to \ncontinue to enable and push partnerships across all the levels \nof academia, and that also gets to your second question about \nthe public-private partnership. Because we're dealing with an \nenvironment where the needs are very broad and very rapidly \nevolving, it is critical that all of the different sectors play \na role and collaborate to make sure that the programs that \nwe're developing have all of the different components that are \nnecessary and that we are really getting at holistically \nlooking at the development of the workforce, and it's not a \nsituation where we can simply focus on one part of the \necosystem at the expense of another because we'll only grow a \nportion of the workforce.\n    Ms. Bonamici. 
I'm going to ask the others to respond as \nwell, but before I do, would you please talk a little bit about \nhow we can get more girls, young women and minorities involved?\n    Dr. Burley. A couple of things. I mean, first we have to \nbegin to really push forward role models so that people \nunderstand that there are people in the workforce that look \nlike them and that are doing these jobs. That's very important, \nand evidence has shown that across all of the STEM disciplines, \nthat that's an important consideration.\n    Ms. Bonamici. And I'll put in a little plug for Hidden \nFigures if nobody else has done that.\n    Dr. Burley. Absolutely. We also need to unbundle what it \nmeans to be a cybersecurity professional. It really is a very \nbroad field with many, many different occupations and different \nroles that people can play, and while you may not see yourself \nin one type of role, there are a thousand other roles that you \ncould see yourself in and so we really have to do a better job \nat explaining what it means to be a part of the cybersecurity \nworkforce.\n    Ms. Bonamici. And you say ``we.'' Who would that be? \nTeachers----\n    Dr. Burley. All of us, the government, academia, anybody \nwho is developing or working on developing the cybersecurity \nworkforce. This is part of what awareness programs ought to do \nbut it's all of those who are involved in the development, the \neducation of future professionals.\n    Ms. Bonamici. Terrific. I have a little bit more time left \nif somebody wants to jump in. Dr. Romine?\n    Dr. Romine. I'd like to just make two very quick points. 
\nNIST, specifically my laboratory, is privileged to house the \nProgram Office for the National Initiative for Cybersecurity \nEducation, which is an interagency program with a lot of \nagencies committed to working together to help solve this \nproblem, workforce problem and awareness problem, and certainly \ncommunity colleges are one area where we have touch points and \nare engaged.\n    With regard to your public-private partnership, we're also \nprivileged in my laboratory to house the National Cybersecurity \nCenter of Excellence, the NCCOE. I'm delighted to learn that \nyour State of Oregon is doing an analogous thing. I'd love to \nlearn more about it.\n    Ms. Bonamici. Terrific. Thank you very much.\n    Mr. Wilshusen. And if I may just add one comment real quick \nfrom a personal note? I took a community college course at PG \nCommunity--Prince Georges County Community College on network \ndefense about a year and a half ago. It was very rigorous and \nit was very informative for me, and I used that as part of my \ncontinuing professional education. So there's definitely a very \nuseful place for community college to provide technical skill \nsets to the federal workforce.\n    Ms. Bonamici. Thank you very much. I see my time is \nexpired. I yield back. Thank you, Madam Chair.\n    Chairwoman Comstock. Thank you, Ms. Bonamici, and I believe \nwe will continue on that education front and have future \nhearings, and I agree very much with you on the role of \ncommunity colleges, you know, online classes, and a lot of \nthese approaches, and we are very pleased that the Hidden \nFigures are not as hidden anymore, and it's a fabulous movie, \nand I'll just take the--since I have a young women's leadership \nprogram, I hope Dr. 
Burley can come and join us in highlighting \nthe importance of this because STEM education and STEM careers \nare something that we very much try and promote with young \npeople, and since I have a daughter in that field, I always \nappreciate getting mentors out there in front of young women, \nand it's exactly what you say. They need to see other people in \nthat role so that they can relate and understand the job, so it \nis very apropos.\n    So I thank all of the members of the panel this morning for \ntheir testimony and their insight and their passion on this \nvery important issue, and I know we will continue to have a \nnumber of hearings on this front.\n    The record will remain open for two weeks for additional \nwritten comments and written questions from members.\n    And this hearing is now adjourned.\n    [Whereupon, at 11:40 a.m., the Subcommittee was adjourned.]\n\n                               Appendix I\n\n                              ----------                              \n\n\n                   Additional Material for the Record\n\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n                                 [all]\n</pre></body></html>\n"