[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]









                           STRENGTHENING U.S.
                       CYBERSECURITY CAPABILITIES

=======================================================================

                                HEARING

                               BEFORE THE

                SUBCOMMITTEE ON RESEARCH AND TECHNOLOGY

              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED FIFTEENTH CONGRESS

                             FIRST SESSION

                               __________

                           FEBRUARY 14, 2017

                               __________

                           Serial No. 115-02

                               __________

 Printed for the use of the Committee on Science, Space, and Technology



[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]





       Available via the World Wide Web: http://science.house.gov



                                   ______

                         U.S. GOVERNMENT PUBLISHING OFFICE 

24-667 PDF                     WASHINGTON : 2017 
-----------------------------------------------------------------------
  For sale by the Superintendent of Documents, U.S. Government Publishing 
  Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; 
         DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, 
                          Washington, DC 20402-0001





















              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY

                   HON. LAMAR S. SMITH, Texas, Chair
FRANK D. LUCAS, Oklahoma             EDDIE BERNICE JOHNSON, Texas
DANA ROHRABACHER, California         ZOE LOFGREN, California
MO BROOKS, Alabama                   DANIEL LIPINSKI, Illinois
RANDY HULTGREN, Illinois             SUZANNE BONAMICI, Oregon
BILL POSEY, Florida                  ALAN GRAYSON, Florida
THOMAS MASSIE, Kentucky              AMI BERA, California
JIM BRIDENSTINE, Oklahoma            ELIZABETH H. ESTY, Connecticut
RANDY K. WEBER, Texas                MARC A. VEASEY, Texas
STEPHEN KNIGHT, California           DONALD S. BEYER, JR., Virginia
BRIAN BABIN, Texas                   JACKY ROSEN, Nevada
BARBARA COMSTOCK, Virginia           JERRY MCNERNEY, California
GARY PALMER, Alabama                 ED PERLMUTTER, Colorado
BARRY LOUDERMILK, Georgia            PAUL TONKO, New York
RALPH LEE ABRAHAM, Louisiana         BILL FOSTER, Illinois
DRAIN LaHOOD, Illinois               MARK TAKANO, California
DANIEL WEBSTER, Florida              COLLEEN HANABUSA, Hawaii
JIM BANKS, Indiana                   CHARLIE CRIST, Florida
ANDY BIGGS, Arizona
ROGER W. MARSHALL, Kansas
NEAL P. DUNN, Florida
CLAY HIGGINS, Louisiana
                                 ------                                

                Subcommittee on Research and Technology

                 HON. BARBARA COMSTOCK, Virginia, Chair
FRANK D. LUCAS, Oklahoma             DANIEL LIPINSKI, Illinois
RANDY HULTGREN, Illinois             ELIZABETH H. ESTY, Connecticut
STEPHEN KNIGHT, California           JACKY ROSEN, Nevada
DARIN LaHOOD, Illinois               SUZANNE BONAMICI, Oregon
RALPH LEE ABRAHAM, Louisiana         AMI BERA, California
DANIEL WEBSTER, Florida              DONALD S. BEYER, JR., Virginia
JIM BANKS, Indiana                   EDDIE BERNICE JOHNSON, Texas
ROGER W. MARSHALL, Kansas
LAMAR S. SMITH, Texas















                            C O N T E N T S

                           February 14, 2017

                                                                   Page
Witness List.....................................................     2

Hearing Charter..................................................     3

                           Opening Statements

Statement by Representative Barbara Comstock, Chairwoman, 
  Subcommittee on Research and Technology, Committee on Science, 
  Space, and Technology, U.S. House of Representatives...........     4
    Written Statement............................................     6

Statement by Representative Daniel Lipinski, Ranking Member, 
  Subcommittee on Research and Technology, Committee on Science, 
  Space, and Technology, U.S. House of Representatives...........     8
    Written Statement............................................    10

Statement by Representative Eddie Bernice Johnson, Ranking 
  Member, Committee on Science, Space, and Technology, U.S. House 
  of Representatives.............................................    12
    Written Statement............................................    14

                               Witnesses:

Dr. Charles H. Romine, Director, Information Technology Lab, 
  National Institute of Standards and Technology (NIST)
    Oral Statement...............................................    16
    Written Statement............................................    19

Mr. Iain Mulholland, Industry Member, CSIS Cyber Policy Task 
  Force; Chief Technology Officer, Security, VMware, Inc.
    Oral Statement...............................................    28
    Written Statement............................................    31

Dr. Diana Burley, Executive Director and Chair, Institute for 
  Information Infrastructure Protection (I3P); Professor, Human 
  and Organizational Learning, The George Washington University
    Oral Statement...............................................    39
    Written Statement............................................    41

Mr. Gregory Wilshusen, Director, Information Security Issues, GAO
    Oral Statement...............................................    53
    Written Statement............................................    55

Discussion.......................................................    81


             Appendix I: Additional Material for the Record

Documents submitted by Representative Barbara Comstock, 
  Chairwoman, Subcommittee on Research and Technology, Committee 
  on Science, Space, and Technology, U.S. House of 
  Representatives................................................    99

Documents submitted by Representative Daniel Lipinski, Ranking 
  Member, Subcommittee on Research and Technology, Committee on 
  Science, Space, and Technology, U.S. House of Representatives..   146

Documents submitted by Representative Eddie Bernice Johnson, 
  Ranking Member, Committee on Science, Space, and Technology, 
  U.S. House of Representatives..................................   150

 
                           STRENGTHENING U.S.
                       CYBERSECURITY CAPABILITIES

                              ----------                              


                       TUESDAY, FEBRUARY 14, 2017

                  House of Representatives,
           Subcommittee on Research and Technology,
               Committee on Science, Space, and Technology,
                                                   Washington, D.C.

    The Subcommittee met, pursuant to call, at 10:08 a.m., in 
Room 2318 of the Rayburn House Office Building, Hon. Barbara 
Comstock [Chairwoman of the Subcommittee] presiding.


[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    Chairwoman Comstock. The Committee on Science, Space, and 
Technology will come to order.
    Without objection, the Chair is authorized to declare 
recesses of the Committee at any time.
    Good morning, and welcome to today's hearing titled 
''Strengthening U.S. Cybersecurity Capabilities.'' I recognize 
myself for five minutes for an opening statement.
    I want to begin by thanking everyone for attending this 
first hearing of the Research and Technology Subcommittee in 
the 115th Congress. I look forward to working with the members 
of the Subcommittee, some of whom are new to the Committee, 
while others are new to Congress, and working together on many 
of the issues under our jurisdiction.
    The topic of cybersecurity is a familiar one for this 
Committee, and this Subcommittee in particular. It is also a 
topic of continuously growing international attention and real 
concern.
    During the 114th Congress, the Science Committee held a 
dozen hearings related to cybersecurity. Some of these were 
triggered by notable events such as the Office of Personnel 
Management and Internal Revenue Service data breaches. I still 
remember receiving my OPM letter, and I also got one of those 
IRS letters, which informed me that my personal information may 
have been compromised or stolen by the cyber criminals behind 
this attack. I also chaired a hearing last year during which 
the IRS Commissioner testified about the breaches under his 
watch. It's certainly frustrating to hear that criminals used 
information from other cyber-attacks to accurately answer 
questions on the IRS website to access what should have been 
secured information. Those criminals should not have been able 
to access such information, and may not have been able to 
access it, had the agency fully followed security guidelines 
provided by the National Institute of Standards and Technology.
    I look forward to hearing from our witnesses today about 
cybersecurity recommendations to help protect U.S. information 
systems. These recommendations were highlighted in recent 
documents, which include the report published by the Commission 
on Enhancing National Cybersecurity and one published by the 
Center for Strategic and International Studies. The Government 
Accountability Office (GAO), which has issued countless 
recommendations in the area of cybersecurity for decades, is 
also represented at today's hearing. I am interested in hearing 
how the suggestions from the reports being profiled today align 
with GAO's body of work.
    I also look forward to hearing more about what can be done 
to proactively address cyber workforce gaps. This Committee has 
been very much involved in STEM education and making sure we 
have that cybersecurity generation for dealing with this, and 
that is an important role that we need to play here in 
Congress, continuing to get that cyber workforce up and 
running, I, particularly in my district, am pleased that we 
have so much going on in that area and want to continue in this 
Subcommittee to focus on that also. You know, when I travel 
around my district and visit with constituents who work in this 
sector, a repeated concern is the increasing need for 
individuals with appropriate education, training, and knowledge 
of cybersecurity matters and being able to tackle what we know 
are going to be increasing problems and that we need to be on 
the offense on this front.
    Before I yield to the Ranking Member, let me just note that 
I appreciate everyone's presence here today given that this is 
the week of the RSA Conference in San Francisco. So sorry you 
aren't able to be there and are here, but we truly appreciate 
you being able to join us here today.
    [The prepared statement of Chairwoman Comstock follows:]
    

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
   
    Chairwoman Comstock. And I now yield to our distinguished 
Ranking Member, Mr. Lipinski.
    Mr. Lipinski. Thank you, Chairwoman Comstock. Too bad we 
couldn't all go out to San Francisco to have a field hearing 
there.
    But I want to thank Chairwoman Comstock and I look forward 
to working with you. It's good to have some continuity in the 
Chair of the Subcommittee. I think that will be helpful as we 
move forward and work together on getting some things done here 
on the Subcommittee, and I also look forward to working with 
all our returning and new members of this Research and 
Technology Subcommittee. I also want to thank our distinguished 
panel for being here today. I know some of you have been here a 
number of times, and we always appreciate your expertise.
    Cybersecurity has long been a priority of mine in Congress. 
The Cybersecurity Enhancement Act of 2014, which was signed 
into law, began as a bill that Representative McCaul and I 
introduced in 2009. As pointed out in the CSIS report, 
cybersecurity is a topic on which nearly every Committee in 
Congress has something to contribute. This is a good thing and 
a bad thing. What we need to do is to do our best at making 
sure that there is collaboration and coordination across all 
these different committees.
    Our committee is uniquely positioned to contribute 
meaningfully to oversight and policy development for 
cybersecurity because of our jurisdiction over NIST, and our 
oversight responsibility for STEM education and workforce 
training activities across the Federal government. I understand 
that today's hearing is likely just the first of several 
hearings on cybersecurity we will hold in this Congress. I 
understand that today's hearing is likely--well, this hearing--
I got lost in my script here--this is one of several. This one 
is going to be a more broad overview of what we're looking at 
in cybersecurity.
    However, sitting before us are a few of our nation's top 
experts on NIST's role in cybersecurity and on cybersecurity 
education and workforce issues, so I look forward to hearing 
those specific areas from our witnesses.
    NIST plays a central role in the security of federal 
information systems. The experts at NIST develop the security 
standards and guidelines that all other civilian federal 
agencies are required to implement through the Federal 
Information Security Modernization Act, or FISMA. Those experts 
also provide technical assistance to other agencies. 
Furthermore, NIST led the development of the Cybersecurity 
Framework for Critical Infrastructure, a widely adopted set of 
voluntary guidelines and standards for industry, and works 
closely with industry to help develop tools for businesses of 
all sizes and from all sectors to effectively implement the 
Framework.
    There have been some calls for an expanded role for NIST, 
including an expanded oversight role under FISMA. These 
suggestions warrant careful examination. NIST is successful in 
its current role in large part because of its independence as a 
standards and technology agency, and not a regulatory or 
enforcement agency. Any discussion about an expanded role must 
be accompanied by a discussion about increasing resources and 
other issues that would come up.
    On the topic of education and workforce, NIST leads federal 
efforts through coordination of the National Initiative for 
Cybersecurity Education, or NICE. Another agency in our 
jurisdiction, the National Science Foundation, supports 
important programs such as the CyberCorps Scholarship for 
Service.
    However, the gap between supply and demand for 
cybersecurity training in both the government and the private 
sector remains a challenge. All of the best policies are 
meaningless without the skilled workforce to implement these 
policies. Increasing the recruitment and retention of 
cybersecurity talent in our federal agencies is going to 
require new and creative thinking, as well as increased 
resources.
    It is also going to require stepping back from the 
disparaging rhetoric aimed lately at the civil service. Federal 
agencies already struggle to recruit and retain top talent from 
the limited pool of qualified cybersecurity professionals, 
especially when private sector salaries are much higher. 
Negative remarks, combined with a federal hiring freeze, can do 
real damage to agencies' recruitment and retention efforts.
    Before I conclude, I want to ask unanimous consent to add 
to the record two letters to the Committee, one from the 
Electronic Privacy Information Center, and the other from the 
National Association of Federally Insured Credit Unions.
    Chairwoman Comstock. Thank you. Without objection.
    [The information appears in Appendix I]
    Mr. Lipinski. Thank you, and I want to again thank the 
Chairwoman for holding this hearing, and the witnesses for 
being here, and I look forward to your testimony.
    I yield back.
    [The prepared statement of Mr. Lipinski follows:]
    
 
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
   
    
    Chairwoman Comstock. I thank the Ranking Member, and I also 
thank him for his comments on the importance of our 
cybersecurity workforce and I'll second those sentiments.
    Our first witness today is Dr. Charles Romine, Director of 
the--oh, I'm sorry. The Ranking Member is present. I'm sorry.
    Ms. Johnson. Thank you very much, Madam Chairwoman.
    I'd like to ask for unanimous consent to enter some 
material in the record prior to making a statement.
    Chairwoman Comstock. Without objection.
    Ms. Johnson. Thank you.
    Chairwoman Comstock, I have been in Congress and on this 
Committee for a long time. As a matter of fact, this is the 
beginning of my 25th year. There are many times I have 
disagreed with my Republican colleagues. Sometimes we've had 
harsh criticisms of each other's political positions. That 
comes with the job description of being a Member of Congress, 
and I accept that. But what I will not accept is when Members 
or staff provide clearly misleading information about me or my 
colleagues to the press, the public, or anyone else.
    Yesterday, a story in The Hill newspaper regarding a letter 
that I sent along with Mr. Lipinski and Mr. Beyer to you, 
Chairman Smith and Chairman LaHood about President Trump's 
cybersecurity practices quoted an unnamed GOP Committee aide 
that suggested that last Congress, Committee Democrats opposed 
cybersecurity hearings that were held on this Committee 
regarding the Office of Personnel Management, the Internal 
Revenue Service and the Federal Deposit Insurance Corporation 
because we believed that they were political and illegitimate. 
I want to speak--I will not speak for my colleagues but I will 
speak for myself. I did believe many of the hearings that were 
held on this Committee were politically motivated but none of 
them included any of the hearings mentioned by the Committee 
aide. If this aide had attended any of these hearings or read 
any of the statements by me or the Ranking Members Beyer or 
Lipinski, they would have understood that. Since I believe in 
ensuring there is an honest record of events, I would like 
unanimous consent to enter into the record all of the Ranking 
Member's statements and press releases issued by the Democrats 
for each of the hearings referenced by this Republican staffer 
just in order to set the record straight.
    Chairwoman Comstock. Without objection.
    [The information appears in Appendix I]
    Ms. Johnson. Thank you.
    Let me thank you again and also Ranking Member Lipinski for 
holding the hearing today on cybersecurity, and thank you to 
all the witnesses for being here this morning. We have several 
new members on the Committee, so it is valuable to start off 
the year with a Cybersecurity 101 hearing.
    Today's panel includes four very distinguished experts from 
government, the private sector, and academia, and I know it 
will be an interesting and informative discussion. I'm pleased 
that Dr. Romine is able to join us this morning. Testifying 
before Congress so early during a transition in administrations 
can be challenging for any agency official.
    This is not a hearing specifically about NIST's role in 
cybersecurity, but I'm going to set some context with a few 
words about this very important but little-known agency. NIST 
plays a crucial role in both public and private sector 
cybersecurity, as we will hear about today. In fact, 
cybersecurity accounts for a significant fraction of NIST's 
total budget. However, it is but one of dozens of topics to 
which the hundreds of extraordinary scientists and engineers 
working at the NIST labs in Gaithersburg, Maryland, and 
Boulder, Colorado, devote their careers. NIST hosts the world 
leading measurement scientists, and uses that science to lead 
the development of technical standards for the nation. NIST 
scientists work closely with industry across all sectors, big 
and small, to advance U.S. innovation and competitiveness.
    And they do all of this on what amounts to a shoestring 
budget. Because NIST usually exceeds expectations, there is a 
tendency by policymakers to ask them to do more with less. That 
has surely been true in the realm of cybersecurity. But I 
caution this Committee and the Administration not to push NIST 
to the breaking point. Every agency must set priorities, and 
there may be room even at NIST to put aside some of its work to 
make room for higher priority topics, including cybersecurity. 
I will be watching closely to ensure that that none of NIST's 
important work is compromised in our zeal to save a dollar here 
and dollar there. The costs to the nation will be much greater 
than the few dollars saved.
    And finally, I want to bring up a troubling incident from 
2013, in which the National Security Agency (NSA) secretly 
inserted a ``back door'' into a cryptographic standard being 
developed by NIST. There was an immediate outcry, as this sneak 
attack was widely recognized as a potentially slippery slope to 
a surveillance state. It undermined the stellar reputation and 
credibility of NIST in international circles and it had a 
negative impact on the global operations of U.S. corporations.
    In the aftermath of that incident, NIST implemented new 
procedures to reinforce transparency and integrity in their 
standards development process. I want NIST to be able to 
consult with the intelligence agencies. Such collaboration is 
necessary and appropriate in the realm of cybersecurity. Both 
NIST and the U.S. intelligence community share special 
cybersecurity expertise and skills that should be shared to 
help defend our nation against the many cybersecurity threats 
that confront us. However, I will be watching out for the 
slightest hint that such collaborations in any way compromise 
NIST's independence or the integrity of their work.
    With that, I want to thank the witnesses again for your 
time and contributions to this Committee's discussion about 
cybersecurity, and I yield back.
    I thank you, Madam Chair.
    [The prepared statement of Ms. Johnson follows:]
    
 
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
   
    
    Chairwoman Comstock. Thank you.
    Our first witness today is Dr. Charles Romine, Director of 
the Information Technology Lab at the National Institutes of 
Standards and Technology. This program develops and 
disseminates standards for security and reliability of 
information systems including cybersecurity standards and 
guidelines for federal agencies. Dr. Romine has previously 
served as a Senior Policy Analyst at the White House Office of 
Science and Technology Policy and as a Program Manager at the 
Department of Energy's Advanced Scientific Computing Research 
Office. Dr. Romine received his bachelor's degree in 
mathematics and his Ph.D. in applied mathematics from the 
University of Virginia.
    Our second witness today is Mr. Iain Mulholland, Industry 
Member of the Center for Strategic and International Studies 
Cybersecurity Task Force and Chief Technology Officer of 
Security for VMware, Inc. A 20-year veteran of the software 
security space, Mr. Mulholland was an early member of the 
Microsoft Trustworthy Computing Group where he led the 
Microsoft Security Response Center. Mr. Mulholland is also a 
member of the U.S. Delegation to the Wassenaar Plenary in 
Austria in charge of negotiating international cybersecurity 
protocols. Mr. Mulholland has received degrees from the Royal 
Military Academy in the United Kingdom as well as from Stanford 
University Graduate School of Business' Executive Leadership 
Program.
    Our third witness today is Dr. Diana Burley, Executive 
Director and Chair of the Institute for Information 
Infrastructure Protection, and Professor of Human and 
Organizational Learning at the George Washington University. 
Prior to joining GW, Dr. Burley managed a multimillion-dollar 
computer science education and research portfolio and led the 
CyberCorps Program for the National Science Foundation. Dr. 
Burley holds a B.A. in economics from the Catholic University 
of America, M.S. in public management and policy, M.S. in 
organization science, and Ph.D. in organization science and 
information technology from Carnegie Mellon University, where 
she studied as a Woodrow Wilson Foundation fellow.
    Our final witness today is Mr. Gregory Wilshusen, Director 
of Information Security Issues at the U.S. Government 
Accountability Office. Prior to joining GAO in 1997, he was a 
Senior Systems Analyst at the Department of Education. He 
received his bachelor's degree in business administration from 
the University of Missouri and his master of science and 
information management from George Washington University.
    Thank you all for joining us this morning, and now I'll 
hear five minutes from Dr. Romine.

         TESTIMONY OF DR. CHARLES H. ROMINE, DIRECTOR,

                  INFORMATION TECHNOLOGY LAB,

     NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY (NIST)



    Dr. Romine. Chairwoman Comstock, Ranking Member Lipinski, 
and Mrs. Johnson, and Members of the Subcommittee, thank you 
for the opportunity to discuss NIST's activities that help 
strengthen the nation's cybersecurity capabilities.
    In the area of cybersecurity, NIST has worked with federal 
agencies, industry and academia since 1972. Our role to 
research, develop and deploy information security standards and 
technology to protect the federal government's information 
systems against the threats to the confidentiality, integrity 
and availability of information and services, was strengthened 
through the Computer Security Act of 1987, broadened through 
the Federal Information Security Management Act of 2002, and 
reaffirmed in the Federal Information Security Modernization 
Act of 2014, or FISMA.
    In addition, the Cybersecurity Enhancement Act of 2014 
authorizes NIST to facilitate and support the development of 
voluntary, industry-led cybersecurity standards and best 
practices for critical infrastructure.
    Recently, the independent bipartisan Commission on 
Enhancing National Cybersecurity released its report, which 
provides detailed recommendations to strengthen cybersecurity 
in both the public and the private sectors. NIST is active in 
many areas addressed by the Commission report.
    Three years ago, NIST issued the Framework for Improving 
Critical Infrastructure Cybersecurity, or the ``Framework,'' 
which was created through collaboration between industry and 
government, and consists of standards, guidelines, and 
practices to promote the protection of critical infrastructure. 
The prioritized, flexible, repeatable, and cost-effective 
approach of the Framework helps owners and operators of 
critical infrastructure to manage cybersecurity-related risk.
    Last month, NIST released a draft update to the Framework 
for public comment. The Framework continues to be voluntarily 
implemented by industry and adopted by infrastructure sectors, 
and this is contributing to reducing cyber-risks to our 
nation's critical infrastructure.
    NIST works with stakeholders to cultivate trust in the 
Internet of Things, or IoT. NIST performs fundamental research, 
contributes to the development of consensus standards, and 
issues guidance that addresses security of IoT.
    NIST's applied research for IoT security addresses market-
focused applications such as healthcare, vehicles and 
transportation, smart home, and manufacturing. NIST carries out 
its responsibilities under FISMA through Federal Information 
Processing Standards and associated guidelines and practices. 
NIST provides management, operational, and technical security 
guidelines for federal agencies covering a broad range of 
topics. NIST stresses that the authorization of a system by a 
management official is an important quality control under 
FISMA. By authorizing operation of a system, the manager 
accepts the associated risk, formally assuming responsibility 
for operating an information system at an acceptable level of 
risk to agency operations, agency assets, or individuals.
    NIST is considering additional steps to assist federal 
agencies, including how best to align the Cybersecurity 
Framework with our FISMA suite of standards and guidelines. 
Applying the Cybersecurity Framework across the federal 
government complements and enhances rather than duplicates or 
conflicts with the existing statute, executive direction, 
policy and standards.
    NIST is active in other areas identified in the Commission 
report, such as authentication and identity management, 
privacy, and cybersecurity education, training and workforce 
development. NIST recognizes that it has an essential role to 
play in helping industry, consumers and government to counter 
cyber threats and strengthen the nation's cybersecurity 
capabilities.
    NIST is extremely proud of its role in establishing and 
improving the comprehensive set of cybersecurity technical 
solutions, standards, guidelines, and best practices and the 
robust collaborations with its federal government partners, 
private sector collaborators, and international colleagues.
    Thank you for the opportunity to testify today on NIST's 
work in cybersecurity, and I'd be delighted to answer any 
questions that you may have.
    [The prepared statement of Dr. Romine follows:]
    

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
      
    Chairwoman Comstock. Thank you, Doctor.
    And now we'll hear from Mr. Mulholland.

               TESTIMONY OF MR. IAIN MULHOLLAND,

         INDUSTRY MEMBER, CSIS CYBER POLICY TASK FORCE;

              CHIEF TECHNOLOGY OFFICER, SECURITY,

                          VMWARE, INC.

    Mr. Mulholland. Chairwoman Comstock, Ranking Member 
Lipinski, Mrs. Johnson, other Members of the Committee, thank 
you for the opportunity to testify today.
    I'm Iain Mulholland, a member of the Center for Strategic 
and International Studies Cyber Policy Task Force and the Chief 
Technology Officer for Security at VMware.
    VMware is the fourth largest software company in the world 
with 2016 revenues of over $7 billion and over 19,000 employees 
globally.
    The U.S. Government is dependent on a vast cyber world of 
interconnected networks, data centers, cloud, mobile platforms, 
and other assets. Because we require cyber infrastructure to 
perform the modern-day functions of government, sophisticated 
and aggressive cyber-attacks perpetuated by criminal entities 
and foreign government agencies represent a clear and present 
national security threat to the U.S. Government.
    We are also experiencing an unprecedented level of cyber-
attacks and sophistication in the private sector. The reality 
is that global technology companies like VMware not only 
receive an unprecedented amount of information in regards to 
cyber threats from inside the U.S. but we also receive a large 
number from overseas as well. The fact is, with data moving 
across borders instantly, the digital devices and technologies 
associated with this ecosystem and therefore with cybersecurity 
are not confined to physical borders.
    In order to continue to provide world-class secure 
services, we must be able to act on a moment's notice whether 
that information is coming from the U.S. or from abroad. We 
must have the tools and resources on hand to act immediately.
    Building on the 2009 Commission on Cybersecurity, the 
Center for Strategic and International Studies established the 
Cyber Policy Task Force to lay out practical steps for policy, 
resources and organization that the new Administration can use 
to build better cybersecurity. In the eight years since that 
report was published, there has been much activity and an 
exponential increase in attention to cybersecurity. However, we 
are still at risk and there's still much that this new 
Administration can do.
    Specifically, CSIS believes that there are five core areas 
that require renewed focus. Firstly, the development of a new 
international strategy based on partnerships with like-minded 
nations to improve the ability of deterring attackers.
    Secondly, there must be a serious effort to reduce 
cybercrime to build international cooperation to fight botnets 
and sophisticated financial crime. Part of this effort must be 
to penalize countries that won't cooperate in the effort to 
reduce and control cybercrime.
    Thirdly, we must prepare our critical infrastructures and 
services for attack and improve cyber hygiene. Greater use of 
shared, managed and cloud services can make government agencies 
more secure.
    Further, we must identify where federal action and resource 
issues such as research or workforce development is necessary. 
And finally, we must streamline White House bureaucracy, 
increase oversight of federal cybersecurity, and clarify the 
rules of DOD and other agencies. A stronger DHS is crucial, and 
the new Administration must strengthen DHS's role in 
cybersecurity.
    Promoting good cyber hygiene should also be a key standard 
that helps agencies, consumers, and businesses better protect 
their information and networks from hackers. One of the best 
ways for the federal government to be proactive is by deploying 
microsegmentation technology that offers the ability to segment 
their networks in the event of a breach. Let's use the example 
of the cybersecurity breach at OPM. The nature of the security 
breach at OPM was not particularly unique. Hackers were able to 
penetrate perimeter network security systems and gain access to 
OPM and Department of Interior systems where they were free to 
roam around the internal networks and steal sensitive data over 
a period of months. In order to effectively prevent an attacker 
from moving freely around the network, agencies must 
compartmentalize their network perimeters by adding zero trust 
or microsegmented networks within the data center. A zero-trust 
environment prevents unauthorized lateral movement within a 
data center by establishing automated governance rules that 
manage the movement of users and data between systems and 
applications.
    Lastly, I'd like to touch on another topic that is 
important to securing the cyber ecosystem, the internet of 
things. As we saw from the distributed denial-of-service 
attacks in October, there are security vulnerabilities that 
must be addressed to advance the IOT economy. A way to better 
secure the IOT ecosystem is by ensuring flexible and isolated 
connection points through secure managed infrastructure such as 
edge systems, which include but are not limited to IOT 
gateways.
    As Congress and the Administration continue to work on 
policies to promote the IOT economy, we believe that some 
consideration should be given to developing some rules of the 
road, standards for IOT moving forward. Among others, we would 
agree with the CSIS recommendation calling on NIST and other 
federal agencies to cooperate with industry stakeholders to 
develop a set of standards and principles for IOT security.
    Lastly, another security issue looming that could have 
significant impact on the cyber ecosystem is the 2013 Wassenaar 
Arrangement. I've included more on this topic in my written 
testimony. My hope is that the new Administration will continue 
to view this as a leadership opportunity for the U.S. to ship 
international cyber norms and support ongoing renegotiations at 
the Wassenaar Arrangement. The continued U.S. renegotiation 
efforts in partnership with the U.S. technology industry and 
bipartisan support from Congress can ensure a signed Wassenaar 
cyber agreement that enhances our nation's cyber posture and 
ultimately strengthens our defense against attacks.
    Thank you for the opportunity to testify today, and I look 
forward to answering the Committee's questions.
    [The prepared statement of Mr. Mulholland follows:]
    

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    
    Chairwoman Comstock. Thank you.
    And now we will hear from Dr. Burley.

                 TESTIMONY OF DR. DIANA BURLEY,

                 EXECUTIVE DIRECTOR AND CHAIR,

   INSTITUTE FOR INFORMATION INFRASTRUCTURE PROTECTION (I3P);

         PROFESSOR, HUMAN AND ORGANIZATIONAL LEARNING,

                THE GEORGE WASHINGTON UNIVERSITY

    Dr. Burley. Good morning. Chairwoman Comstock, Ranking 
Member Lipinski, and Mrs. Johnson, Members of the Committee, I 
am honored to appear before you today to discuss strategies for 
strengthening U.S. cybersecurity capabilities.
    Recommendations from the recent reports serving as the 
foundation of this Committee hearing highlight the critical 
importance of developing a cybersecurity workforce of 
sufficient quality and quantity to meet the global threat 
environment. The workforce need is acute and immediate with a 
projected shortfall of nearly 1.5 million professionals by the 
year 2020.
    Yet despite significant effort and steady progress, the gap 
between supply and demand is widening. Of the recommendations 
offered in the recent reports, I will briefly address two.
    The first, to develop a comprehensive cybersecurity 
education and workforce development model that standardizes 
interdisciplinary curricula, that serves as a foundation for 
accreditation, and integrates with existing programs and 
taxonomies. To implement this recommendation, I suggest that 
the federal government leverage the work of the Association for 
Computing Machinery, the ACM Joint Task Force on Cybersecurity 
Education. I serve as Co-Chair of this task force, and our 
work, which is developing the first set of global curricular 
guidelines in cybersecurity education, structuring the 
cybersecurity discipline and providing comprehensive and 
flexible curricular guidance, will be complete late this year.
    Several points drive my recommendation. First, with over 
100,000 members, the ACM is the largest computing society in 
the world, and the framework is being developed by global 
subject-matter experts across academia, government and 
industry. The ACM has nearly 50 years of experience developing 
curricular guidance, and the document will be endorsed by major 
computing societies, the ACM, the IEEE Computer Society, the 
Association for Information Systems, and the International 
Federation for Information Processing.
    The framework is grounded in both the interdisciplinary 
nature of cybersecurity and the inherently technical foundation 
of the field. It facilitates the alignment between curricular 
content and workforce frameworks including the National 
Cybersecurity Workforce Framework developed through the U.S. 
National Initiative for Cybersecurity Education, and it forms 
the foundation for emerging accreditation standards currently 
under development by ABET.
    The second recommendation from the reports is to add new 
credentialing requirements and to develop a network of 
credentialing associations. The call for additional 
credentialing requirements is not new. I support the need to 
ensure cybersecurity professionals maintain the highest level 
of competency but caution against blanket professionalization 
requirements that do not consider differences in occupational 
needs. Cybersecurity is a broad field with many occupations and 
the needs of those occupations must be considered separately. I 
co-chaired the 2013 National Research Council Committee on 
Professionalizing the nation's Cybersecurity Workforce that 
addressed this issue. As we state in our report, before new 
credentialing requirements are added, workforce developers 
should review specific occupational characteristics, identify 
the associated workforce deficiencies, and consider the 
tradeoffs associated with implementing additional requirements. 
I urge the federal government to continue to catalyze 
activities and to leverage existing multisector stakeholder 
groups like the Institute for Information Infrastructure 
Protection (The I3P) to integrate, accelerate and guide 
existing cybersecurity workforce development initiatives. These 
initiatives should leverage existing and scalable models, 
emphasize both evidence-based short-term interventions that 
address immediate needs, and strategic long-term initiatives 
that address the entire ecosystem; expand the pipeline by 
engaging a broad cross-section of society to include women, 
ethnic groups typically underrepresented in this workforce, 
veterans, and even special-needs populations who possess 
targeted skill sets, to lengthen the pipeline by engaging 
students early in their education, and including K-12 teachers 
who will largely influence those students' choices.
    A coordinated and comprehensive cybersecurity workforce 
development strategy that supports our ability to scale is a 
critical success factor for strengthening U.S. cybersecurity 
capabilities.
    Again, I am honored to appear before the Committee, and I 
look forward to your questions. Thank you.
    [The prepared statement of Dr. Burley follows:]
    
  
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
  
    
    Chairwoman Comstock. Thank you, Doctor.
    And now we'll hear from Mr. Wilshusen.

         TESTIMONY OF MR. GREGORY WILSHUSEN, DIRECTOR,

                INFORMATION SECURITY ISSUES, GAO

    Mr. Wilshusen. Chairwoman Comstock, Ranking Member 
Lipinski, Mrs. Johnson, and Members of the Subcommittee, thank 
you for the opportunity to discuss ways to strengthen U.S. 
cybersecurity.
    As recent cybersecurity attacks have illustrated, the need 
for robust and effective cybersecurity has never been greater. 
Today I will provide an overview of our work related to 
cybersecurity posture of the federal government and the 
nation's critical infrastructure.
    At your request, I will also identify areas of consistency 
between our recommendations and those made in recent reports by 
the Commission on Enhancing National Cybersecurity and CSIS.
    Before I do, if I may, I'd like to recognize for the record 
Mike Gilmore, Kush Malhotra, Nancy Glover, and Scott Pettis for 
their significant contributions to helping develop my written 
statement.
    Madam Chairwoman, GAO has consistently identified 
shortcomings in the federal government's approach to protecting 
its computer systems. This year marks the 20th anniversary of 
GAO designating federal information security as a government-
wide high-risk area. We expanded this area to include the 
protection of cyber critical infrastructure in 2003 and 
protecting the privacy of personally identifiable information, 
or PII, in 2015. Federal agencies in our nation's critical 
infrastructures are dependent upon computerized systems, 
networks and electronic data to carry out operations yet these 
systems and networks are inherently at risk and cyber threats 
continue to evolve and become more sophisticated. While 
agencies in previous Administrations have acted to improve the 
protections over systems supporting federal operations of 
critical infrastructure, the government needs to take 
additional actions to bolster U.S. cybersecurity. These include 
effectively implementing risk-based entity-wide information 
security programs consistently and over time improving its 
cyber incident detection, response and mitigation capabilities, 
enhancing its cybersecurity workforce planning and training 
efforts, expanding efforts to fortify cybersecurity of the 
nation's critical infrastructures, and better overseeing 
protection of personally identifiable information.
    Over the last several years, GAO has made about 2,500 
recommendations aimed at improving the security of federal 
systems and information. We have identified how agencies can 
tighten technical security controls, fully implement 
information security programs, and better protect the privacy 
of PII held on their systems. Many agencies continue to be 
challenged in safeguarding their computer systems and 
information, in part because many of these recommendations have 
not yet been implemented. As of January 2017, about 1,000 of 
our recommendations had not been implemented.
    Regarding recommendations made by the Cybersecurity 
Commission and CSIS, several are generally consistent with or 
similar to previous GAO recommendations. In particular, certain 
recommendations pertaining to the establishing of an 
international cybersecurity strategy, protecting critical cyber 
infrastructure, promoting use of the NIST Cybersecurity 
Framework, prioritizing cyber research and expanding 
cybersecurity workforces share common traits.
    In summary, the dependence upon the federal government and 
the national critical infrastructure on information and 
communications technologies makes them potentially vulnerable 
to a wide and evolving array of cyber-based threats. Securing 
these technologies is vital to the nation's security, 
prosperity and well-being. Nevertheless, the security over 
these systems is inconsistent and additional actions are needed 
to address ongoing cybersecurity and privacy challenges. We at 
GAO will continue to work with the Congress and federal 
agencies to address these challenges and strengthen our 
nation's cybersecurity capabilities.
    Chairwoman Comstock, Ranking Member Lipinski, members of 
the Subcommittee, this concludes my statement, and I'd be happy 
to answer your questions.
    [The prepared statement of Mr. Wilshusen follows:]
    

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
  
    
    Chairwoman Comstock. Thank you.
    I'll now yield myself five minutes, and I appreciate the 
witnesses' testimony.
    Mr. Wilshusen, as you noted, 1,000 of the recommendations 
have not been implemented. That's about 40 percent. What are 
some of the most common reasons for that lack of 
implementation, and what steps might Congress take to help 
encourage agencies to implement these recommendations?
    Mr. Wilshusen. Well, I think the recommendations in some 
instances require a longer period of time to actually implement 
consistently throughout the organization, and that may be one 
factor. Another factor is that agencies often will close a 
recommendation as implemented when they may have a plan to 
implement the recommendations and not when they take the action 
needed to implement the recommendation across the enterprise. 
We often find that when we go back to an agency that has 
indicated that it has implemented the recs. We go out and re-
test the systems across the organization, the conditions still 
exist. They may have implemented it on a couple of the systems 
but not throughout the organization. So that's another factor.
    Chairwoman Comstock. Should there be some self-testing then 
on that so you have your plan and then you have tests that each 
agency is doing on their own, or do you have recommended 
policies on that front?
    Mr. Wilshusen. Right, most definitely. In fact, FISMA 
requires agencies to test and evaluate the security of their 
systems frequently, at least once a year, to assure that their 
controls are adequately implemented, but----
    Chairwoman Comstock. But that is not being done?
    Mr. Wilshusen. Well, it may be done but we have also found 
that agencies' security tests and evaluation processes may not 
be that comprehensive. In some cases, they may rely on 
interviews or document reviews but not dig down to look to see 
how systems and their settings are actually configured. That's 
vital with information security because so many controls, 
particularly the technical security controls, are implemented 
in the systems that have to be configured in a certain way. So 
that's one of the key areas that we consistently find as a 
reason for these outstanding recommendations.
    Chairwoman Comstock. Thank you.
    And Dr. Burley, I really appreciate your focus on the need 
for education, and 1.5 million jobs you said are needed?
    Dr. Burley. Yes.
    Chairwoman Comstock. And so that certainly is a good growth 
area that people should be focused on, appreciate GW's focus on 
that and many of our universities in the region.
    What type of practices even earlier on can get people into 
the pipeline? To get young students in this can we be focusing 
on really in earlier grades to make this really be kind of a 
lifestyle and understanding that this is something that 
everybody needs to be engaged in?
    Dr. Burley. I think that there are two different approaches 
that we can take. One is certainly getting students into the 
technology areas earlier - so teaching them how to code and to 
understand what that means. Moving computer science down into 
the K-12 classrooms is critical. But we also need to focus on 
more general skills like analytical ability, critical thinking, 
communication, those types of skills, teamwork, team building. 
All of those different skill sets are critical for 
cybersecurity professionals and so we need to consider those as 
well.
    Chairwoman Comstock. And even for people who aren't going 
into that field, I mean, obviously, with 1.5 million jobs 
needed, that is a good field for them to go into, but what type 
of--should there be classes maybe in grades for qualification 
for just basic understanding for people even who aren't in the 
field?
    Dr. Burley. Absolutely. So you're talking about awareness 
programs?
    Chairwoman Comstock. Yes.
    Dr. Burley. We certainly need to make sure that everyone 
understands what cybersecurity is, and what role they play as 
individuals in that workforce. Not all of the cybersecurity 
careers are solely focused on only doing cybersecurity. There 
are a lot of what we consider to be hybrid roles so that if 
someone is going into healthcare, they may have an opportunity 
to work with electronic medical records or need to understand 
privacy considerations and so it is very important that the 
awareness programs aren't just general blanket broad awareness 
programs but that they also contain elements that specifically 
link cybersecurity concepts and ideas to all of the disciplines 
across the curriculum as early as we possibly can do it.
    Chairwoman Comstock. So it sounds like we need something 
akin to a continuing education program for everybody in various 
fields on the need to be aware of this, and Mr. Mulholland, I 
noticed you're nodding too. If you wanted to----
    Mr. Mulholland. Yeah, if I could just add to that, you 
know, as someone who hires and over the last 20 years has hired 
many, many security engineers, certainly I would support, you 
know, enhancement of skills. We find it incredibly difficult to 
hire well-qualified security engineers, but also more broadly 
in some of the software security programs that we run, I end up 
spending a lot of time just teaching known security software 
developers about security. I would love to see basic security 
skills to be part of every computer science degree, you know, 
in the curriculum moving forward so I can invest my time in 
being proactive and defending rather than having to teach all 
of my known security colleagues about the basics of security.
    Chairwoman Comstock. Excellent. Thank you all, and I now 
yield to Mr. Lipinski for five minutes.
    Mr. Lipinski. I want to thank you all for your testimony, 
and just very briefly, education, workforce. Dr. Burley, you 
were speaking about that. I just want to say that as Co-Chair 
of the STEM Ed Caucus, I think there's more that we need to be 
doing to encourage STEM education. Next week is National 
Engineers Week. I know one of those days is Introduce a Girl to 
Engineering Day and there's a lunch up here tomorrow about 
that. We need to get as many people as we can into the 
pipeline. And also, we need to have general education on things 
like cyber hygiene.
    I wanted to--there's so many things we could talk about. I 
have some questions for the record. But I wanted to ask Mr. 
Mulholland, you had spoken a little bit about the internet of 
things and what needs to--you started touching on what needs to 
be done. Both the Commission and the CSIS focused on security 
of IOT devices, and in his testimony, Dr. Romine discussed the 
steps NIST is already taking to address security for IOT in 
different sectors.
    Now, I assume that the CSIS task force took into account 
the efforts already underway at NIST to develop security 
standards. Would you have any thoughts on how NIST should 
prioritize their IOT work in the next couple years given 
limited resources?
    Mr. Mulholland. You know, I think all of us in the CSIS 
cyber task force felt that IOT is really critical in terms of 
priorities. The speed and acceleration of things is quite 
phenomenal, and the spectrum that they cover is quite 
considerable. If you look at, you know, IOT as a concept, it is 
not necessarily new. We've had industrial control systems for a 
very long time in the power and the energy sectors but if you 
look at--you know, I'm wearing a watch today that's probably as 
powerful as my iPhone was ten years ago--the proliferation of 
these devices is critical, and I think NIST's involvement in 
setting some basic rules of the road are going to be critical, 
particularly actually in the consumer segment around how these 
devices are actually manufactured and supported over the 
lifecycle of those.
    Mr. Lipinski. Anything--nothing more specific on where you 
would direct NIST to go?
    Mr. Mulholland. I think that there are a couple of specific 
areas. I think first of all, you need to look at it from a 
sector-specific point of view. If you look at industrial 
control systems, for example, or healthcare advices or 
manufacturing, certainly I think some of the work NIST has 
already done should be accelerated around how do we actually 
connect these systems through things like internet gateways and 
edge-type devices, what are, you know, appropriate 
architectures and controls for those.
    But I think the other area that can't be forgotten is the 
consumer side. If we look at the attacks in October last year, 
that was predominantly consumer devices where there really 
aren't any standards or any recommendations around how a 
consumer device should be developed or, you know, some basic 
kind of frameworks for how it should be supported over its 
lifecycle. If we don't look at that full spectrum, you know, 
much more prescriptive around, you know, more kind of 
manufacturing, industrial, but also a consumer, then we're 
going to continue to see attacks like that.
    Mr. Lipinski. Thank you. And since we're going down that 
road, let me finish with a question about privacy.
    Last week, Vizeo agreed to pay $2.2 million settlement for 
charges that TVs collected owners' information without their 
knowledge. We have devices like Amazon Echo, Google Home, all 
these listening devices that are proliferating. We have facial 
recognition technologies that are getting better and better. So 
the issue of privacy, cybersecurity, privacy is also very 
important. Are there any recommendations that any of you have 
for how the Science Committee or Congress in general should 
thoughtfully address both the cybersecurity and privacy issues 
and balancing them?
    Mr. Mulholland. So certainly at CSIS, we made a set of 
recommendations again specifically around the definition of PII 
and some recommendations that NIST should revisit the 
definition both on kind of reestablishing a baseline but also 
on an ongoing basis. I think what is considered PII 
historically is rapidly, rapidly evolving. One of the things 
that we discussed quite a lot about was that five years ago, 
none of us would have considered that we'd have a device in our 
pocket that is tracking every move or we might have a 
television that's listening to our every conversation, and you 
know, the data that those devices create does not necessarily 
fit under the traditional definition of PII. So we had a 
recommendation that NIST should specifically look at what the 
definition of PII is but see that as a moving target that needs 
to be so that we can set some acceptable norms around, you 
know, privacy and private information.
    Mr. Lipinski. All right. Thank you.
    I yield back.
    Chairwoman Comstock. Thank you.
    I recognize Mr. Webster for five minutes.
    Mr. Webster. Thank you, Madam Chair.
    I have a question, I believe, for Dr. Romine. So we have 
this--if we looked at the negative side of cybersecurity and 
all the things that are happening, the attacks from other 
governments and even in the private sector and things that are 
all going on, it seems like just from what I've heard today 
that that's an issue that's moving at light speed, and yet 
we're not here in this body known for moving at snail speed, 
and I guess my question is, you had testified that there have 
been three modifications in 30 years of the document that 
pretty much tells you what you should be doing and how you 
should be doing it, and so we're walking along and yet we have 
something moving three times ten to the eighth meters per 
second. And so my question, I believe, is there an 
infrastructure that you're a part of and others that are part 
of who have testified--we've got this whole list of acronyms of 
organizations that are working on this. Is that infrastructure 
that's there combined fast enough and good enough to catch it?
    Dr. Romine. Thank you for the question. Let me address it 
in this way. One of the reasons that NIST is as effective as it 
is in this space is our deep and longstanding partnerships with 
the private sector, the folks who are moving at light speed, 
and so I think the idea that we maintain that connection with 
them, that we provide input to them on priorities that the 
federal government has, that they provide us with a partnership 
working collaboratively on solving some of these really 
challenging technical problems in security, frankly I think is 
the only way that we can maintain the kind of pace and to 
anticipate some of the challenges that we have down the road to 
remain relevant.
    We have deep technical expertise ourselves but we rely 
entirely on that connection that we have with industry and with 
academia to maintain our awareness and engagement at the speed 
that's necessary.
    Mr. Webster. Do you think that there is too many or too few 
kingdoms that are addressing this issue, or do they--maybe if 
there are too many, are they bleeding over into each other and 
maybe doing things that the other might be doing?
    Dr. Romine. Well, I'm not exactly sure how to interpret 
your question but----
    Mr. Webster. I'm only looking at the structure to see if 
this is the right structure or there should be something else.
    Dr. Romine. Oh, I see.
    Mr. Webster. That's what I'm thinking about.
    Dr. Romine. Right. Yes, I can really address only NIST's 
role with regard to how we provide guidance and standards in 
this space, and I think the statutory role that we have is 
essential for us. It's--you alluded to the fact that there----
    Mr. Webster. Is it more defensive in that the agency--let's 
say the federal agencies, do they have to come to you before 
you give them or are you aggressive in----
    Dr. Romine. No, we have partnerships. I alluded to the 
partnerships with the private sector but we also have strong 
engagement in the public sector as well with other federal 
agencies and even with state and local governments in some 
cases.
    From my perspective, you alluded to the fact that there are 
only three updates to the governing legislation of FISMA in the 
last 30 years. I view that in many ways as a strength because 
the legislation actually sets the structure, the very high-
level components, and if that were to change rapidly, I think 
it would be much more difficult for us. Whereas putting the 
structures in place and providing roles and responsibilities 
clearly in legislation gives us the opportunity to then operate 
effectively in that structure.
    Mr. Webster. Thank you very much. That was helpful.
    I yield back.
    Chairwoman Comstock. Thank you, and I now recognize Mr. 
Bera for five minutes.
    Mr. Bera. Thank you, Madam Chairwoman, and the Ranking 
Member.
    You know, just listening to the testimony, Mr. Mulholland, 
in your opening statement, you talked about how cyber-attacks 
represent a clear and present security threat, and I think each 
of you, you know, alluded to the sense that the federal 
government is pretty vulnerable to cyber-attacks. Would any of 
you dispute that statement? So we've got vulnerabilities there.
    I think, Dr. Burley, in your opening statement, you talked 
about the workforce need being acute and immediate, and I think 
you mentioned over a million jobs, maybe 1.5 million vacancies. 
Now, that's not just federal government, that's the need that 
exists in the private sector, and so there's this acute need, 
and unfortunately, I would bet that it's going to get worse 
before it gets better because we're not training that 
workforce.
    If we look at the federal government, maybe Mr. Wilshusen, 
I would imagine we've got critical hiring needs in the federal 
government that we can't fill. Would that be correct? In the 
thousands?
    Mr. Wilshusen. I hesitate to give a specific number but 
with the work we've done and the surveys where we've gone out 
to the agencies, it was pretty much across the board that they 
all felt they were very challenged to attract and retain the 
cyber skill sets that they needed.
    Mr. Bera. So we recognize we're vulnerable as the federal 
government. We've got critical vacancies and needs that we need 
to hire for. We understand that our salaries, you know, 
compared to just looking at simple rules of supply and demand 
cannot compete with what folks in the private sector may be 
paying so we have difficulty retaining and recruiting those 
individuals. Would that be an accurate statement? So that, you 
know, obviously is a critical need, and a critical security 
need. Recently a few weeks ago, the President signed a broad, 
sweeping federal Executive Order freezing the hiring of federal 
employees. Do we know if these critical IT, critical 
cybersecurity jobs are exempt from that federal order, Dr. 
Romine?
    Dr. Romine. We're seeking clarification on that now just to 
make certain because we do want to know whether we're going to 
be able to continue to recruit in this space.
    Mr. Bera. I mean, I guess I would go on the record along 
with my colleagues in a bipartisan way that, you know, we ought 
to send a strong message to the Administration that these are 
clearly critical jobs that need to be filled that are in our 
national security interest and we would provide you with 
whatever support you need might in that clarification, but my 
sense is, if it's already hard enough to recruit these 
individuals and hard enough to retain these individuals, let's 
not make it any more difficult, and, you know, that broad order 
in my mind is making us less secure and certainly it's 
worrisome.
    You know, maybe, Mr. Wilshusen, if we were thinking about 
strategies to recruit and retain some of these individuals, 
we've introduced a couple bills. One was the Tech Corps Act in 
the last Congress which would try to work with universities to 
help offset the cost of tuition. I'm a physician by training. 
Much as doctors can go back and fill critical needs and serve 
their country and community, perhaps that's one idea. You know, 
we've also considered prioritizing hiring of veterans and 
getting them into quick technical training skills--we know 
they're already patriotic--in order to fill some of these 
needs. What would be some other ideas that could help us fill 
these needs?
    Mr. Wilshusen. Well, I think the one you mentioned too 
about reimbursement of student--well, one of the things would 
be reimbursement of student loans. That's one that we use at 
GAO, and it's a very useful and effective way of helping to 
recruit staff, particularly in the IT security realm where we 
perform these IT audits. So that has been very helpful in being 
able to reimburse and help those individuals to pay off their 
student loans would be one thing.
    Another, of course, is just the focus on the civic 
responsibility and I would say the satisfaction of doing 
federal work. That's been very effective for us as well because 
of the type of work that we do.
    Mr. Bera. Dr. Romine, do you have any suggestions?
    Dr. Romine. I agree with Mr. Wilshusen that one of the 
secret weapons we have in recruiting top-notch staff is the 
fact that our mission is so compelling and interesting and we 
work in a really terrific place. I'm guessing GAO would make 
that same claim.
    So people who do feel a sense that they want to contribute 
through public service, we're able to be competitive with that 
segment of the population.
    I also want to point out one of the things that really 
needs to be understood well is that cybersecurity as it's 
currently constituted is interdisciplinary, and by that I mean 
people from economists, sociologists, psychologists, electrical 
engineers, computer scientists, across the board, these folks 
have roles to play in cybersecurity that are really compelling, 
and so we find that we're able to attract those folks.
    Mr. Bera. I realize I'm out of time so I'll yield back.
    Chairwoman Comstock. And I now recognize Mr. Abraham for 
five minutes, the new Vice Chair of the Subcommittee. Welcome.
    Mr. Abraham. Thank you, Mrs. Chair.
    Mr. Wilshusen, as far as--give me the advantages and 
disadvantages from your perspective as an auditor, when the 
federal government and the private sector, they take the same 
approach, in this case using NIST Cybersecurity Framework for 
securing their information and information systems, the good, 
the bad, the uglies?
    Mr. Wilshusen. Well, one of the benefits of the NIST 
Cybersecurity Framework is its flexibility. The way that it can 
be used by different organizations, whether they're federal 
government organizations or private sector organizations who 
apply the techniques. The guidance in that document is very 
useful. Certainly, over the years NIST has issued a complete 
and comprehensive set of cybersecurity guidelines and standards 
that could be used by the private sector and indeed many do. 
They certainly are required for the federal agencies. We use 
that criteria in our audits, and we think that NIST does a very 
good job of identifying those.
    Mr. Abraham. Mr. Mulholland, your take on the advantages 
and disadvantages of taking that same approach?
    Mr. Mulholland. Well, I would actually second that the NIST 
Framework, even within the private sector is still seen as 
being a very compelling standard. There are many standards out 
there, and NIST is certainly one of the most compelling.
    I'll add a different spin to my answer, though, which is 
that because it is a compelling framework, it actually means 
it's software manufacturers like ourselves who actually build 
our software so that it can conform to the standard and make 
implementing the standard a little easier for people who are 
using our software. So by having that kind of standard somehow 
float to the top actually, you know, a rising tide lifts all 
boats, so to speak.
    Mr. Abraham. Let me stay with you, Mr. Mulholland. In your 
testimony, you said that there may be a need to increase 
federal oversight or increase oversight of the federal 
cybersecurity by creating a special GAO office, would you 
elaborate on that? What does that entail?
    Mr. Mulholland. That's certainly one of the CSIS 
recommendations that I'm less familiar with so I'll defer to my 
written testimony if that's okay.
    Mr. Abraham. Mr. Wilshusen, give me your take on that. I'll 
ping pong between you guys.
    Mr. Wilshusen. Okay. Well, with respect to GAO assessing 
agencies' implementation of cybersecurity, that's something we 
do already. One of our roles is to provide and help Congress 
provide the oversight over federal agencies' implementations of 
cybersecurity. So that recommendation in terms of having GAO 
conduct reviews is something that we do and we'll continue to 
do.
    Mr. Abraham. Mrs. Chairman, I yield back.
    Chairwoman Comstock. Thank you, and I now recognize Mr. 
Beyer for five minutes.
    Mr. Beyer. Thank you, Chairman Comstock.
    Last week, Ranking Members Lipinski and Johnson and I sent 
a letter to Chairmen Smith, LaHood and Comstock calling on them 
to investigate President Trump's cybersecurity practices, and 
my friend, Chairman Smith, was quoted in the press as saying 
that this is hypocritical since we didn't support the 
Committee's investigation of Hillary Clinton's email server. I 
just want to highlight a few facts.
    Number one is that by the time Science Committee launched 
its investigation of former Secretary Hillary Clinton's emails, 
three government agencies--the FBI, the State, Inspector 
General, et cetera--had already completed investigations of 
Clinton's emails and five other Congressional committees were 
investigating the same issue, and the Committee essentially 
dropped all interest in Hillary Clinton's emails right after 
the presidential election.
    There's also a quote in The Hill yesterday from an 
anonymous Science Committee staffer claiming Science Committee 
Democrats refused to support past investigations into cyber 
hacks, specifically mentioning the OPM hack and breaches at the 
FDIC, and I'd like to submit two documents for the record that 
dispute these alternative facts. The first is my letter to 
Chairman Smith, which requested the hearing into the OPM hack, 
and the second was any opening statement--my opening statement 
from the FDIC hearing in which I voiced explicit support for 
the inquiry into the FDIC breaches. I also don't remember any 
of the Democrats defending Secretary Clinton's email server.
    And I believe really that members of both parties are 
deeply concerned about cybersecurity, and I look forward to 
continuing to work together with my Republican friends on this.
    This past week, the Trump Administration revised and then 
delayed the release of a new Executive Order on cybersecurity. 
It was reported that the Chief Information Security Officer in 
charge of cybersecurity for the White House and the President 
was fired. As I pointed out in the letter with Ranking Members 
Johnson and Lipinski, in the few short weeks in office, 
President Trump and some of his senior staff appear to be 
struggling with implementing proper and appropriate 
cybersecurity practices. The President still apparently uses 
his easily hackable personal cell phone, his Android, not an 
iPhone, which of course opens it up to the foreigners who could 
use foreign intelligence services who can tracking location, 
can log keystrokes, could use the camera.
    The official Twitter account has been linked to unsecure 
private Gmail account, and just this weekend it was widely 
reported that the President held conversations and reviewed 
documents about the North Korean missile launch in the middle 
of Mar-a-Lago's restaurant, potentially within earshot of 
waiters and fellow diners, and according to eyewitnesses and 
pictures we've all seen, aides used their phones as flashlights 
to illuminate the documents, which could let hackers if they 
had compromised these phones to read the materials because the 
phones' cameras were pointed right at them.
    So these actions give the appearance that the Trump 
Administration's cybersecurity policies are in disarray and 
that the personal cybersecurity practices of the President and 
senior staff are both unwise and insecure. And by the way, if 
we're concerned--you know, the security of the President's 
Twitter account is not trivial. I mean, his tweets have given 
rise to a drop in Toyota stock, the Mexican peso to devalue, 
the best subscription day ever on Vanity Fair, the scuttling of 
the Mexican president's trip to the United States.
    So Dr. Burley, could you speak to this issue, particularly 
about how effective cybersecurity policy requires buy-in from 
the top of the organizational chart, whether it's from a CEO or 
agency head or even the President of the United States?
    Dr. Burley. Thank you for that question. I would say two 
things. One, certainly when we're dealing with cybersecurity 
culture within any organization, it is important that all 
levels of the organization buy in and employees are certainly 
driven by what the top of the organization pushes forward.
    With regard to awareness and understanding how our 
individual behavior impacts the security of our enterprise and 
our personal security, I would say that this is something we 
need to address in the redevelopment of cybersecurity awareness 
programs. We need to move beyond simply trying to make people 
aware of the issues and move toward helping them understand 
what their particular behavior does in terms of making a 
situation more or less secure, and that's something that needs 
to happen across all levels of organizations and even starting 
with some of the programs that we were talking about earlier in 
terms of going down into the K-12 range because awareness is 
one thing but understanding the implications of your behavior 
that then lead to behavioral changes is another matter.
    Mr. Beyer. Thank you very much.
    And Dr. Romine, we know how powerful the President's 
Twitter account is. It's an important way for him to 
communicate. What should the Administration do to secure his 
important Twitter account?
    Dr. Romine. Well, that verges on a certain oversight 
function in a specific case like this, and NIST is a non-
regulatory agency with no oversight role or capabilities. I 
think the oversight typically for federal cybersecurity rests 
with the Inspectors General, with the GAO and with OMB who has 
the policy lever for ensuring cybersecurity of systems. So 
beyond that, I don't think I can really comment.
    Mr. Beyer. Madam Chair, I yield back.
    Chairwoman Comstock. Thank you, and I'd also like to enter 
into the record Chairman Smith's letter responding to Mr. 
Beyer's letter, and I'm sure he welcomes your newfound interest 
in oversight, and you obviously have a role on the Oversight 
Subcommittee and this Committee, but I would like to also enter 
into the record Mr. Beyer's August 22nd, 2016, press release 
that was critical of the full Committee and the email 
investigation and your quote here, ``The House Science 
Committee must focus on its role promoting science and ensuring 
that America is the global leader in research and development 
rather than scoring cheap political points.'' And I'd also 
enter into the record an October 2016 interview that was on a 
local TV show which was critical of the FBI Director in that 
regard also.
    [The information appears in Appendix I]
    Chairwoman Comstock. I will now yield five minutes to Mr. 
LaHood, the Chairman of the Oversight Subcommittee.
    Mr. LaHood. Thank you, Madam Chair, and I want to thank the 
witnesses for being here today and for your valuable testimony.
    I do want to make a couple observations in response to my 
friend Mr. Beyer. I would first say that there's no evidence 
that President Trump is using his personal phone. In contrast 
to what was said, the New York Times has reported that he 
traded in his Android phone for a secure encrypted device 
authorized by the Secret Service, which is protocol for all 
Presidents, and he is abiding by that protocol by having an 
authorized phone.
    I would also dispute the assertion that somehow the 
allegations of what occurred with former Secretary of State 
Hillary Clinton which was brought up, you know, in that case, I 
think it is really apples and oranges in terms of the activity 
that went on there and the allegations there. You know, the FBI 
in that case found multiple violations of federal law on 
national security, cybersecurity and criminal statutes. The FBI 
Director said in his press conference that there were 
violations of federal law there. There's currently an active 
Department of Justice investigation and a grand jury looking 
into that, and I think the underlying circumstances and facts 
there are completely different than a Twitter account. And 
let's remember, Twitter is by its nature a service meant to 
provide information to the public, and there is again no 
information that somehow the tweets that are being put out by 
the President are done by a private phone. They can clearly be 
done by a secure, authorized phone, and I think we live in a 
unique age with technology. The fact that the President 
communicates every day with 20 to 25 million people by Twitter 
in an unfiltered, raw manner I think is unique, but that's the 
age that we live in now. But to make the comparison to what 
happened with Hillary Clinton I think is really disingenuous to 
this discussion, and I think the facts bear that out.
    I guess in looking at our hearing here today and how we can 
improve on cybersecurity at the federal level, I'm very 
interested, and I've talked about this in previous hearings, 
looking at the private sector and what has been beneficial in 
the private sector, what has worked there, and public-private 
partnerships specifically, and I guess I would start with Mr. 
Mulholland.
    In looking at the private sector, how do we look at metrics 
or effective strategies that have worked, Mr. Mulholland, that 
we can implement, learn from, and then how do we--how do we in 
an effective way put together a framework or metrics to judge 
that moving forward?
    Mr. Mulholland. Thank you for the question. I think in 
terms of metrics, we can have metrics for metrics sake, or we 
can have metrics that are actually measuring outcomes. I think 
in the private sector, actually to refer back to something that 
Dr. Burley mentioned earlier, we've moved from basic awareness 
to understanding. So sometimes metrics can be the kind of 
outcome of a checklist of items that people can complete 
without necessarily actually understanding what they're doing 
or why they're doing it. So certainly in the private sector, 
we've moved from, you know, predominantly checklists to really 
focusing on what outcomes are on how do you measure and use 
metrics to measure those outcomes. So specific examples might 
be actually looking at what are our threat models so what is 
the actual threat that we are subject to and then focusing and 
prioritizing around that. So for example, we're a Silicon 
Valley-based technology company. A big threat to us is the 
theft of intellectual property so a lot of the metrics and a 
lot of the outcomes we're looking at is, how do we protect our 
intellectual property. Perhaps some other pieces of data are 
less important to us than, you know, the lifeblood of our 
company. So we focus our metrics on outcomes and not so much on 
checklists for checklists' sake.
    Mr. LaHood. Thank you for that.
    The Cybersecurity Commission report recommends that the 
President issue a national cybersecurity strategy within the 
first six months of the Administration. I guess, Mr. Wilshusen, 
what might you--I guess what might you wish to see reflected in 
that strategy and what advice would you give?
    Mr. Wilshusen. Well, I think a couple things. One would be 
just to come to an agreement on what the norms of behavior 
should be within the cybersecurity realm across the various 
different nations. As you know, norms differ in many different 
ways across nations. Coming to some sort of understanding of 
what's acceptable behavior, what is not when using the internet 
and cyberspace would be one of those areas that should be 
discussed.
    And also how to go about raising that discussion with the 
different nations who have different values and mores would be 
another key area as part of that strategy.
    Mr. LaHood. Thank you.
    Those are all my questions. Thank you.
    Chairwoman Comstock. And I now yield five minutes to Ms. 
Rosen, a new member of the Committee.
    Ms. Rosen. Thank you, Madam Chairwoman.
    I have to tell you that I started my career as a computer 
programmer in the 1970s with a card deck and a mainframe, and 
oh, how I long for those days when no one could break into the 
system. It was very difficult. We had a phone with a modem. 
Remember that was the only way in? And there weren't the 
possibility for attacks in those kinds of ways.
    So I couldn't agree more that we need to have the 
analytical and teach the analytical and critical thinking 
skills that are needed of course to move us forward in all jobs 
across all platforms for this sector and that as you so 
eloquently said, the computer industry, engineering sciences, 
we have to take a multifactorial approach to be able to 
dynamically respond across all platforms to the challenges that 
we're facing, and nobody knows this better than you, and like I 
said, as I wrote software trying to keep that secure and safe, 
so I have a different perspective maybe than some people on 
this panel. I could talk to you all all day.
    But what I find most important, as I started as a woman in 
technology in the 1970s, it's still not so popular but more 
popular. How do we teach and train--how do we promote the 
education? First of all, I think it starts with our teachers 
and our educators. How do we get them trained to inspire the 
students that understand that computers and all these things 
are very creative? It's not dull and boring. It's extremely 
creative and innovative. And then teachers can take those to 
our schools K-12 and above.
    And then also my second part of the question is the general 
public when you begin to talk about computer things, our eyes 
roll back. They don't want to hear about cyber hygiene. They 
don't get it. They just want to use their social media, Twitter 
or Facebook or whatever. How do we educate the public about how 
easy it is for them to be used as a target into things with 
phishing and all those? How do we make them--give them the buy-
in to do something?
    Dr. Burley. Well, with your first question, thank you. I 
would say that we have to target all of the K-12 teachers 
instead of just focusing on those who have self-identified as 
being interested in computer science or in cybersecurity. So I 
would say that we need to start to work with the schools and 
colleges of education so that when the teachers are in their 
developmental process that they begin to understand 
cybersecurity concepts and that they understand how to 
integrate those concepts into what they're doing in their 
fifth-grade English classroom or what they're doing in ninth 
grade biology because there is an aspect of cybersecurity that 
pervades across the curriculum. But in order for the teachers 
to be able to do that, we have to educate them as such, so I 
would say that that's a part of what we need to do and focusing 
on them.
    The other thing with regard to getting more women and young 
girls into STEM in general and certainly cybersecurity is in 
role models, understanding that there are people who look like 
them and who do this job and what that really means. We talk 
about cybersecurity as if it is one thing when it's really not, 
and so--but we do ourselves a disservice because we don't 
really help people to understand what it means and what it can 
mean to be a cybersecurity professional. So we need to do a 
better job of that. And I would say that that also adds into 
this notion of the general public and awareness and 
understanding. That we're not talking about something that only 
people down in the corner are doing or that those guys over 
there will keep us safe but that we really understand as 
individuals what our role is, how we interact with things, that 
we understand the tradeoffs that come along with convenience so 
that we understand what we're giving up when we're getting 
something, and as a society we don't really have that 
understanding and so we need to do more to educate the public 
on what those tradeoffs are and what their role is in making 
sure that they are safe and that collectively the society is 
safe.
    Ms. Rosen. Thank you. I appreciate that.
    I yield back.
    Chairwoman Comstock. Thank you, and I now recognize Mr. 
Marshall for five minutes, and welcome to the Committee, our 
new member from Kansas.
    Mr. Marshall. Thank you so much, Chairman.
    I'm a physician and had the pleasure of leading a hospital 
and a group of physicians through meaningful stages 1 and 2, 
been using an electronic medical record now for a couple years. 
I'm intrigued with the value. Someone here in the review 
mentioned that medical record is worth ten times more than some 
other records you would hack. What brings the value to people? 
What's in there that brings value to start with? And I'm not 
sure who could answer that question the best.
    Mr. Mulholland. If I can clarify, do you mean in terms of 
the value of a medical record versus, say, a tax record or a 
credit card?
    Mr. Marshall. I guess so. In one of the testimonies, 
someone said that the--on the black market, it would be worth 
ten times than other type of record.
    Mr. Wilshusen. What I would say is that one of the benefits 
with electronic health records and information is the fact that 
the accessibility of that information not only to patients if 
they're able to access it but to other healthcare providers can 
help to assure that the treatments, the drugs prescribed to 
particular patients, you know, if they have a full view of the 
individual's overall health records that that can be very 
positive and beneficial to the healthcare of that individual.
    But at the same time, what we have found in our audits of 
reviewing the security and the privacy controls over that 
information is that while the Centers for Medicaid and Medicare 
Services have come up with guidelines for that through HIPAA 
and the security and privacy rules, the actual use and 
implementation of controls on certain health information 
technology has not been adequately reviewed in some respects to 
assure that those capabilities have been designed into the 
technology and that in fact at some of the healthcare providers 
that that information and those controls are effectively 
implemented.
    Mr. Marshall. Yeah, I guess----
    Mr. Wilshusen. I'm not sure if----
    Mr. Marshall. --I'm not explaining my question very well. I 
certainly understand about physician-to-physician transfer of 
records and that we used to go from one page of information, 
now it's 40 pages and it's almost a worthless piece of 
document. My question is on the black market. When people are 
hacking medical records, what makes it ten times more valuable 
than a credit card or other things they hack into? What do they 
do with it?
    Mr. Mulholland. I think I'll take an attempt at that. 
Something like a medical record, to your point about, you know, 
the 40 pages of information, that's going to contain a lot of 
effective metadata that perhaps would not be available in, you 
know, just a credit card-type hack or whatever, so, you know, 
you're going to be able to get a person-- probably be able to 
get a person's Social Security number, their date of birth, 
their address, so that can be used for other attacks. You might 
then be able to use that to hack a person's credit card details 
or their tax return, but also you're going to have a list of 
medical conditions that can be used for, you know, extortion 
purposes in the most extreme case but also basic things like 
prescription fraud. You can see who is the--you know, does the 
patient have any controlled substances prescribed to them, 
where their pharmacy is, and you've also got all the 
information to be able to impersonate that person and 
potentially go and steal their records. So it's a little bit of 
a goldmine. You've got a lot of information in the same place 
that can be very valuable used----
    Mr. Marshall. I mean, my big--one of my bigger concerns 
would be Medicare fraud, Medicaid fraud, people pretending like 
they're a physician. They've got this person's health record 
and they bill Medicare and Medicaid for procedures never done. 
Are we seeing much of that now or how big of an issue do you 
think it actually is today?
    Mr. Mulholland. I can't personally speak to that but it's 
certainly very feasible with the information available.
    Mr. Marshall. Okay. When someone made the statement that it 
was ten times more valuable to have that record than other, 
say, a credit card record, is it ten times 10 cents? Is it ten 
times a dollar? Give me a--what's a black-market value of 
something like this?
    Mr. Mulholland. Well, I can't tell you the exact value of a 
Medicare record--or sorry, a medical record but I will tell you 
to calibrate that credit card information goes for cents. It is 
that much of a commodity. So your credit card details are 
probably, you know, worth 10 or 20 cents.
    Mr. Marshall. And this might be theoretically then worth 
$10 or $20. If you could hack into my physician's office and I 
have 5,000 records there that it might be worth 5,000 times $10 
to somebody?
    Mr. Mulholland. Conceivably. I couldn't give you an exact 
figure, but yes.
    Mr. Marshall. Thank you. I yield back.
    Chairwoman Comstock. Thank you. I now recognize Ms. 
Bonamici for five minutes.
    Ms. Bonamici. Thank you very much, Chair Comstock and 
Ranking Member Lipinski, and thank you to our witnesses for 
testifying today. I've been in a hearing in the Education and 
Workforce Committee, which explains my absence for the 
beginning of this, but I did read your testimony and really am 
particularly concerned that we are falling short when it comes 
to developing adequate cybersecurity personnel both in quantity 
and quality, and I know that the NIST report recommends that 
federal programs supporting education at all levels should 
incorporate cybersecurity awareness for students as they're 
introduced to and provided with internet-based devices, and I 
know this has been discussed already here this morning but I 
really want to emphasize that especially with my concerns about 
education and workforce issues as well that these programs be 
developed as the report says and focused on children as early 
as preschool and throughout elementary school, and we also need 
programs to better prepare our teachers, and I know that that's 
been discussed.
    So I wanted to talk a little bit about the tremendous 
potential for community and technical colleges, community 
colleges to have an increased role in preparing the workforce. 
What more can we be doing to create an environment that 
supports this? And then also if you'll address public-private 
partnerships as well. My State of Oregon has been working on a 
Center for Cyber Excellence, which is a collaboration with 
private sector as well as our universities and community 
colleges. So can you talk about what sorts of roles community 
and technical colleges can play as well as public-private 
partnership?
    Dr. Burley, I'll start with you.
    Dr. Burley. Community and technical colleges play an 
incredibly important role in developing the cybersecurity 
workforce. They are often more flexible than four-year 
institutions and so they're able to integrate curriculum a 
little bit faster. They are often where we turn to for more of 
the hands-on technical training that we are not necessarily as 
equipped to provide as rapidly in the four-year space but it 
really is a collaboration across all of the different levels of 
the academy because while the community and technical colleges 
are possibly able to help us develop technical skill sets a 
little bit faster, there are other aspects that perhaps they 
are not as well versed in doing and so we really have to 
continue to enable and push partnerships across all the levels 
of academia, and that also gets to your second question about 
the public-private partnership. Because we're dealing with an 
environment where the needs are very broad and very rapidly 
evolving, it is critical that all of the different sectors play 
a role and collaborate to make sure that the programs that 
we're developing have all of the different components that are 
necessary and that we are really getting at holistically 
looking at the development of the workforce, and it's not a 
situation where we can simply focus on one part of the 
ecosystem at the expense of another because we'll only grow a 
portion of the workforce.
    Ms. Bonamici. I'm going to ask the others to respond as 
well, but before I do, would you please talk a little bit about 
how we can get more girls, young women and minorities involved?
    Dr. Burley. A couple of things. I mean, first we have to 
begin to really push forward role models so that people 
understand that there are people in the workforce that look 
like them and that are doing these jobs. That's very important, 
and evidence has shown that across all of the STEM disciplines, 
that that's an important consideration.
    Ms. Bonamici. And I'll put in a little plug for Hidden 
Figures if nobody else has done that.
    Dr. Burley. Absolutely. We also need to unbundle what it 
means to be a cybersecurity professional. It really is a very 
broad field with many, many different occupations and different 
roles that people can play, and while you may not see yourself 
in one type of role, there are a thousand other roles that you 
could see yourself in and so we really have to do a better job 
at explaining what it means to be a part of the cybersecurity 
workforce.
    Ms. Bonamici. And you say ``we.'' Who would that be? 
Teachers----
    Dr. Burley. All of us, the government, academia, anybody 
who is developing or working on developing the cybersecurity 
workforce. This is part of what awareness programs ought to do 
but it's all of those who are involved in the development, the 
education of future professionals.
    Ms. Bonamici. Terrific. I have a little bit more time left 
if somebody wants to jump in. Dr. Romine?
    Dr. Romine. I'd like to just make two very quick points. 
NIST, specifically my laboratory's, privileged to house the 
Program Office for the National Initiative for Cybersecurity 
Education, which is an interagency program with a lot of 
agencies committed to working together to help solve this 
problem, workforce problem and awareness problem, and certainly 
community colleges are one area where we have touch points and 
are engaged.
    With regard to your public-private partnership, we're also 
privileged in my laboratory to house the National Cybersecurity 
Center of Excellence, the NCCOE. I'm delighted to learn that 
your State of Oregon is doing an analogous thing. I'd love to 
learn more about it.
    Ms. Bonamici. Terrific. Thank you very much.
    Mr. Wilshusen. And if I may just add one comment real quick 
from a personal note? I took a community college course at PG 
Community--Prince Georges County Community College on network 
defense about a year and a half ago. It was very rigorous and 
it was very informative for me, and I used that as part of my 
continuing professional education. So there's definitely a very 
useful place for community college to provide technical skill 
sets to the federal workforce.
    Ms. Bonamici. Thank you very much. I see my time is 
expired. I yield back. Thank you, Madam Chair.
    Chairwoman Comstock. Thank you, Ms. Bonamici, and I believe 
we will continue on that education front and have future 
hearings, and I agree very much with you on the role of 
community colleges, you know, online classes, and a lot of 
these approaches, and we are very pleased that the Hidden 
Figures are not as hidden anymore, and it's a fabulous movie, 
and I'll just take the--since I have a young women's leadership 
program, I hope Dr. Burley can come and join us in highlighting 
the importance of this because STEM education and STEM careers 
are something that we very much try and promote with young 
people, and since I have a daughter in that field, I always 
appreciate getting mentors out there in front of young women, 
and it's exactly what you say. They need to see other people in 
that role so that they can relate and understand the job, so it 
is very apropos.
    So I thank all of the members of the panel this morning for 
their testimony and their insight and their passion on this 
very important issue, and I know we will continue to have a 
number of hearings on this front.
    The record will remain open for two weeks for additional 
written comments and written questions from members.
    And this hearing is now adjourned.
    [Whereupon, at 11:40 a.m., the Subcommittee was adjourned.]

                               Appendix I

                              ----------                              


                   Additional Material for the Record


[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


                                 [all]