b"<html>\n<title> - BOLSTERING THE GOVERNMENT'S CYBERSECURITY: LESSONS LEARNED FROM WANNACRY</title>\n<body><pre>[House Hearing, 115 Congress]\n[From the U.S. Government Publishing Office]\n\n               BOLSTERING THE GOVERNMENT'S CYBERSECURITY:\n                     LESSONS LEARNED FROM WANNACRY\n\n=======================================================================\n\n                             JOINT HEARING\n\n                               BEFORE THE\n\n                      SUBCOMMITTEE ON OVERSIGHT &\n                SUBCOMMITTEE ON RESEARCH AND TECHNOLOGY\n\n              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY\n                        HOUSE OF REPRESENTATIVES\n\n                     ONE HUNDRED FIFTEENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                             June 15, 2017\n\n                               __________\n\n                           Serial No. 115-17\n\n                               __________\n\n Printed for the use of the Committee on Science, Space, and Technology\n\n       Available via the World Wide Web: http://science.house.gov\n\n                                    ______\n\n                         U.S. GOVERNMENT PUBLISHING OFFICE \n\n26-234PDF                     WASHINGTON : 2017 \n\n              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY\n\n                   HON. LAMAR S. SMITH, Texas, Chair\nFRANK D. LUCAS, Oklahoma             EDDIE BERNICE JOHNSON, Texas\nDANA ROHRABACHER, California         ZOE LOFGREN, California\nMO BROOKS, Alabama                   DANIEL LIPINSKI, Illinois\nRANDY HULTGREN, Illinois             SUZANNE BONAMICI, Oregon\nBILL POSEY, Florida                  ALAN GRAYSON, Florida\nTHOMAS MASSIE, Kentucky              AMI BERA, California\nJIM BRIDENSTINE, Oklahoma            ELIZABETH H. ESTY, Connecticut\nRANDY K. WEBER, Texas                MARC A. VEASEY, Texas\nSTEPHEN KNIGHT, California           DONALD S. BEYER, JR., Virginia\nBRIAN BABIN, Texas                   JACKY ROSEN, Nevada\nBARBARA COMSTOCK, Virginia           JERRY MCNERNEY, California\nGARY PALMER, Alabama                 ED PERLMUTTER, Colorado\nBARRY LOUDERMILK, Georgia            PAUL TONKO, New York\nRALPH LEE ABRAHAM, Louisiana         BILL FOSTER, Illinois\nDARIN LaHOOD, Illinois               MARK TAKANO, California\nDANIEL WEBSTER, Florida              COLLEEN HANABUSA, Hawaii\nJIM BANKS, Indiana                   CHARLIE CRIST, Florida\nANDY BIGGS, Arizona\nROGER W. MARSHALL, Kansas\nNEAL P. DUNN, Florida\nCLAY HIGGINS, Louisiana\n                                 ------                                \n\n                       Subcommittee on Oversight\n\n                   HON. DARIN LaHOOD, Illinois, Chair\nBILL POSEY, Florida                  DONALD S. 
BEYER, Jr., Virginia, \nTHOMAS MASSIE, Kentucky                  Ranking Member\nGARY PALMER, Alabama                 JERRY MCNERNEY, California\nROGER W. MARSHALL, Kansas            ED PERLMUTTER, Colorado\nCLAY HIGGINS, Louisiana              EDDIE BERNICE JOHNSON, Texas\nLAMAR S. SMITH, Texas\n                                 ------                                \n\n                Subcommittee on Research and Technology\n\n                 HON. BARBARA COMSTOCK, Virginia, Chair\nFRANK D. LUCAS, Oklahoma             DANIEL LIPINSKI, Illinois\nRANDY HULTGREN, Illinois             ELIZABETH H. ESTY, Connecticut\nSTEPHEN KNIGHT, California           JACKY ROSEN, Nevada\nDARIN LaHOOD, Illinois               SUZANNE BONAMICI, Oregon\nRALPH LEE ABRAHAM, Louisiana         AMI BERA, California\nDANIEL WEBSTER, Florida              DONALD S. BEYER, JR., Virginia\nJIM BANKS, Indiana                   EDDIE BERNICE JOHNSON, Texas\nROGER W. MARSHALL, Kansas\nLAMAR S. SMITH, Texas\n\n                            C O N T E N T S\n\n                             June 15, 2017\n\nWitness List\n\nHearing Charter\n\n                           Opening Statements\n\nStatement by Representative Darin LaHood, Chairman, Subcommittee \n  on Oversight, Committee on Science, Space, and Technology, U.S. \n  House of Representatives\n    Written Statement\n\nStatement by Representative Donald S. Beyer, Jr., Ranking Member, \n  Subcommittee on Oversight, Committee on Science, Space, and \n  Technology, U.S. House of Representatives\n    Written Statement\n\nStatement by Representative Ralph Abraham, Vice Chairman, \n  Subcommittee on Research and Technology, Committee on Science, \n  Space, and Technology, U.S. House of Representatives\n    Written Statement\n\nStatement by Representative Daniel Lipinski, Ranking Member, \n  Subcommittee on Research and Technology, Committee on Science, \n  Space, and Technology, U.S. House of Representatives\n    Written Statement\n\nStatement by Representative Lamar S. Smith, Chairman, Committee \n  on Science, Space, and Technology, U.S. House of \n  Representatives\n    Written Statement\n\n                               Witnesses:\n\nMr. Salim Neino, Chief Executive Officer, Kryptos Logic\n    Oral Statement\n    Written Statement\n\nDr. Charles H. Romine, Director, Information Technology \n  Laboratory, National Institute of Standards and Technology\n    Oral Statement\n    Written Statement\n\nMr. Gregory J. Touhill, CISSP, CISM; Brigadier General, USAF \n  (ret); Adjunct Professor, Cybersecurity & Risk Management, \n  Carnegie Mellon University, Heinz College\n    Oral Statement\n    Written Statement\n\nDr. Hugh Thompson, Chief Technology Officer, Symantec\n    Oral Statement\n    Written Statement\n\nDiscussion\n\n             Appendix I: Answers to Post-Hearing Questions\n\nDr. Charles H. Romine, Director, Information Technology \n  Laboratory, National Institute of Standards and Technology\n\nMr. Gregory J. Touhill, CISSP, CISM; Brigadier General, USAF \n  (ret); Adjunct Professor, Cybersecurity & Risk Management, \n  Carnegie Mellon University, Heinz College\n\nDr. Hugh Thompson, Chief Technology Officer, Symantec\n\n            Appendix II: Additional Material for the Record\n\nStatement submitted by Representative Eddie Bernice Johnson, \n  Ranking Member, Committee on Science, Space, and Technology, \n  U.S. House of Representatives\n \n               BOLSTERING THE GOVERNMENT'S CYBERSECURITY:\n\n                     LESSONS LEARNED FROM WANNACRY\n\n                              ----------                              \n\n\n                        Thursday, June 15, 2017\n\n                  House of Representatives,\n                      Subcommittee on Oversight and\n            Subcommittee on Research and Technology\n               Committee on Science, Space, and Technology,\n                                                   Washington, D.C.\n\n    The Subcommittees met, pursuant to call, at 10:05 a.m., in \nRoom 2318 of the Rayburn House Office Building, Hon. Darin \nLaHood [Chairman of the Subcommittee on Oversight] presiding.\n\n    Chairman LaHood. 
The Subcommittee on Oversight and the \nSubcommittee on Research and Technology will come to order.\n    Without objection, the Chair is authorized to declare a \nrecess of the Subcommittee at any time.\n    Good morning, and welcome to today's hearing titled \n``Bolstering the Government's Cybersecurity: Lessons Learned \nfrom WannaCry.'' I recognize myself for five minutes for an \nopening statement.\n    I want to welcome the witnesses here today, and I would \nalso welcome Chairman Smith, Oversight Subcommittee Ranking \nMember Beyer, Research and Technology Subcommittee Vice \nChairman Abraham, Research and Technology Ranking Member \nLipinski, Members of the Subcommittees, our expert witnesses, \nand members of the audience.\n    Cybersecurity--a concept we hear mentioned frequently, \nespecially in this period of rapidly emerging threats--is an \never-evolving concept. Maintaining an effective cybersecurity \nposture requires constant vigilance as new threats emerge and \nold ones return. Too often, however, when we hear about the \nimportance of cybersecurity, we are left without concrete steps \nto take to ensure our systems are best positioned to defend \nagainst emerging threats.\n    One of the goals of today's hearing is to learn about real, \ntangible measures the government can take to ensure its IT \nsecurity systems are appropriately reinforced to defend against \nnew and emerging threats, including novel and sophisticated \nransomware threats.\n    The specific focus of today's hearing will be the recent \nWannaCry ransomware attack, a new type of ransomware infection, \nwhich affected over one million unique systems last month in a \nworldwide attack that impacted nearly every country in the \nworld.\n    Although the concept of ransomware is not new, the type of \nransomware employed by WannaCry was novel. 
WannaCry worked by \nencrypting documents on a computer, instructing victims to pay \n$300 in Bitcoin in order to regain access to their user's \ndocuments. Unlike typical forms of ransomware, however, \nWannaCry signaled the ushering in of a new type of worming \nransomware, which caused the attack to spread faster and more \nrapidly with each new infection.\n    In light of the novelty built into WannaCry's method of \nattack, cybersecurity experts, including those we will hear \nfrom today, have expressed significant concerns that WannaCry \nis only a preview of a more sophisticated ransomware infection \nthat many believe will inevitably be launched by hackers in the \nnear future.\n    Beginning May 12, 2017, the WannaCry ransomware infection \nmoved rapidly across Asia and Europe, eventually hitting the \nUnited States. The attack infected 7,000 computers in the first \nhour and 110,000 distinct IP addresses in 2 days and in almost \n100 countries, including the U.K., Russia, China, Ukraine, and \nIndia. Experts now believe WannaCry affected approximately 1 to \n2 million unique systems worldwide prior to activating the kill \nswitch.\n    In Illinois, my home state, Cook County's IT systems were \ncompromised by WannaCry, reportedly one of a few local \ngovernments subject to the attack. Although Cook County has \nworked to appropriately patch their systems, it is important \nthat we ensure that all vulnerabilities are appropriately \nremedied in the event of a more sophisticated attack.\n    Fortunately, the hackers responsible for WannaCry \nmistakenly included a kill switch, which was uncovered by an \nemployee of Kryptos Logic and used to terminate the attack. The \nKryptos Logic employee exploited a key mistake made by the \nhackers when he registered the domain connected to the \nransomware attack. 
Experts estimate that the kill switch \nprevented 10 to 15 million unique worldwide system infections \nand reinfections.\n    Although based on information available thus far the \nfederal government's systems were fortunately spared from \nWannaCry, we want to ensure that the government is sufficiently \nprepared in the likely event of a more sophisticated attack.\n    Additionally, the Committee wants to hear what Congress can \ndo to appropriately address this Committee--I'm sorry--this \nclimate of new and improving cybersecurity threats.\n    Through the lens of the aftermath of WannaCry, today's \nwitnesses will help shed light on key steps the government \nshould take to ensure its systems are protected. We will also \nhear today about how public-private partnerships are an \ninstrumental tool to help bolster the government's \ncybersecurity posture. Finally, we will learn about how the \nPresident's recent cybersecurity order, which makes NIST's \ncybersecurity framework mandatory on the Executive Branch, is a \nsignificant step toward ensuring the federal government's \ncybersecurity posture incorporates the most innovative security \nmeasures to defend against evolving threats.\n    It is my hope that our discussions here today will \nhighlight areas where improvement is necessary, while offering \nrecommendations as we move forward to ensure the federal \ngovernment is prepared to respond to emerging cybersecurity \nthreats. I look forward to hearing from our distinguished \nwitnesses.\n    [The prepared statement of Chairman LaHood follows:]\n    \n    \n    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n    \n    Chairman LaHood. I now recognize the Ranking Member of the \nOversight Subcommittee, Mr. Beyer, for an opening statement.\n    Mr. Beyer. Thank you very much, Mr. Chairman. I'd like to \nthank you and Chairman Comstock for holding this hearing.\n    Cybersecurity should be a chief concern for every \ngovernment, business, and private citizen. 
In 2014, the Office \nof Personnel Management's information security systems, and two \nof the systems used by OPM contractors, were breached by state-\nsponsored hackers, compromising the personal information of \nmillions of Americans. That same year, hackers released the \npersonal information of Sony Pictures executives, embarrassing \ne-mails between Sony Pictures employees, and even copies of \nthen-unreleased Sony movies. In 2015, hackers also took control \nof the power grid in western Ukraine and shut off power for \nover 200,000 residents. These three quick examples show the \nvaried and widespread effects of cybersecurity breaches.\n    So we know the cybersecurity breach that was the genesis \nfor this hearing was the WannaCry outbreak. WannaCry ransomware \ninfected at least 300,000 computers worldwide, and could have \nbeen much worse, so I want to thank CEO Neino, head of Kryptos \nLogic, for being wise enough to find an employee who found that \nkill switch, unless you did it yourself. And we're very lucky \nthat that was found quickly, and we are fortunate that federal \nsystems were resistant to WannaCry. But we know we may not be \nas lucky the next time. We must continue to strengthen our \ncybersecurity posture.\n    By the way, in preparing for this, I've learned from our \nwonderful staff that I really need to upload our security \nupgrades every time we get a chance on our personal computers \nand on our smartphones.\n    The May 11th Executive Order on strengthening the \ncybersecurity of federal networks seeks to build on the Obama \nAdministration's successes in the cybersecurity arena, and I'm \nhappy that the Trump Administration--I don't agree with them on \nevery topic--but they've taken this next good step. 
The \nExecutive Order calls for a host of actions and a myriad of \nreports on federal cybersecurity from every government agency.\n    Simultaneously, the Trump Administration has been slow to \nfill newly vacant positions in nearly every government agency, \nand my concern is that understaffed agencies are going to have \nsignificant difficulty meeting the dictates of the Executive \nOrder. Frankly, I'm also concerned that proposed budget cuts in \nthe original Trump-Mulvaney budget across all agencies will \nmake the task a lot harder to strengthen the security of \nfederal information systems. We've got to make sure that the \nfederal government has the resources and staffing to meet the \nneed in this vital area.\n    The Executive Order also calls for agencies to begin using \nthe NIST Framework for cybersecurity efforts, and I'm glad that \nwe have NIST here with us today. They play a very important \nrole in setting cybersecurity standards that could help thwart \nand impede cyber-attacks.\n    You know, NIST is world renowned for its expertise in \nstandards development, and federal agencies will be well served \nby using the NIST Framework. On a precautionary note, though, I \nbelieve some efforts to expand NIST's cybersecurity role beyond \ntheir current mission and expertise are well intentioned but \nperhaps misplaced. We recently had a debate of H.R. 1224 here, \nthe ``NIST Cybersecurity Framework, Assessment, and Auditing \nAct of 2017,'' which gives NIST auditing authority for all \nfederal civilian information systems. Currently, this is a \nresponsibility of the Inspector Generals at each agency. They \nhave the statutory authority, the experience, the expertise. \nThey respond directly, responsible to Congress. 
NIST has no \nsuch experience or expertise, and I at least remain concerned \nabout this proposal, and I'd be interested in any of the expert \nwitnesses' thoughts on NIST's role in cybersecurity and \nauditing.\n    So I look forward to hearing from all of you today. I \nespecially look forward to hearing from our General, the former \nfederal CISO, about his experience in these positions and \nthoughts.\n    One final note. Bloomberg reported this week that the \nRussian meddling in our electoral system was far worse than \nwhat's been previously reported. According to the report, \nhackers attempted to delete or alter voter data, accessed \nsoftware designed to be used by poll workers, and, in at least \none instance, accessed a campaign finance database. These \nefforts didn't need to change individual votes in order to \ninfluence the election, and we really should take these sorts \nof cyber threats very seriously. I think Vice President Cheney \ncalled this a war on our democracy.\n    So Mr. Chairman, this Committee held more than a half dozen \nhearings on cybersecurity issues during the last Congress, \nincluding one on protecting the 2016 elections from cyber and \nvoting machine attacks, so given what we now know about the \nhacking and meddling in 2016, I hope that this hearing today \nwill be a precursor to more hearings on how we can better \nprotect our voting systems.\n    Mr. Chairman, thank you so much, and I yield back.\n    [The prepared statement of Mr. Beyer follows:]\n    \n    \n    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n    \n    \n    Chairman LaHood. Thank you, Mr. Beyer, for your opening \nstatement.\n    I now recognize the Vice Chair of the Research and \nTechnology Subcommittee, Mr. Abraham, for an opening statement.\n    Mr. Abraham. Thank you, Mr. Chairman.\n    Over the last few years, we've seen an alarming increase in \nthe number and intensity of our cyber-attacks. 
These attacks by \ncyber criminals and by unfriendly governments have compromised \nthe personal information of millions of Americans, jeopardized \nthousands of our businesses and their employees, and threatened \ninterruption of critical public services.\n    The recent WannaCry ransomware attack demonstrates that \ncyber-attacks are continuing to go from bad to worse. This most \nrecent large-scale cyber-attack affected more than one to two \nmillion systems in more than 190 countries. Nevertheless, it \nappears that the impact could have been much more catastrophic \nconsidering how fast that ransomware spread.\n    And while organizations and individuals within the United \nStates were largely unscathed, due in part to a security \nresearcher identifying a web-based ``kill switch,'' the \npotential destructiveness of WannaCry warns us to expect \nsimilar attacks in the future. Before those attacks happen, we \nneed to make sure that our information systems are very ready.\n    During a Research and Technology Subcommittee hearing \nearlier this year, a witness representing the U.S. Government \nAccountability Office--the GAO--testified, and I quote, ``Over \nthe past several years, GAO has made about 2,500 \nrecommendations to federal agencies to enhance their \ninformation security programs and controls. As of February \n2017, about 1,000 recommendations had not been implemented.''\n    It is clear that the status quo in federal government cyber \nsecurity is a virtual invitation for more cyber-attacks. We \nmust take strong steps in order to properly secure our systems \nand databases before another cyber-attack like WannaCry happens \nand puts our government up for ransom.\n    On March 1, 2017, this Committee approved H.R. 1224, the \nNIST Cybersecurity Framework, Assessment, and Auditing Act of \n2017, a bill that I introduced as part of my ongoing interest \nover the state of our nation's cybersecurity. 
This bill takes \nconcrete steps to help strengthen federal government \ncybersecurity. The most important steps are encouraging federal \nagencies to adopt the National Institute of Standards and \nTechnology's (NIST) Cybersecurity Framework, which is used by \nmany private businesses, and directing NIST to initiate \nindividual cybersecurity audits of priority federal agencies to \ndetermine the extent to which each agency is meeting the \ninformation security standards developed by the Institute. \nNIST's in-house experts develop government-wide technical \nstandards and guidelines under the Federal Information Security \nModernization Act of 2014. And NIST experts also developed, \nthrough collaborations between government and private sector, \nthe Framework for Improving Critical Infrastructure \nCybersecurity that federal agencies are now required to use \npursuant to the President's recent Cybersecurity Executive \nOrder. I was very pleased to read that language.\n    Considering the growing attempts to infiltrate information \nsystems, there is an urgent need to assure Americans that all \nfederal agencies are doing everything that they can to protect \ngovernment networks and sensitive data. The status quo simply \nis not working. We can't put up with more bureaucratic excuses \nand delays.\n    NIST's cyber expertise is a singular asset. We should take \nfull advantage of that asset, starting with the very important \nstep of annual NIST cyber audits of high priority federal \nagencies.\n    As cyber-attacks and cyber criminals continue to evolve and \nbecome more sophisticated, our government's cyber defenses must \nalso adapt in order to protect vital public services and shield \nhundreds of millions of Americans' confidential information.\n    We will hear from our witnesses today about lessons learned \nfrom the WannaCry attack and how the government can bolster the \nsecurity of its systems. 
We must keep in mind that the next \ncyber-attack is just around the corner, and it could have a far \ngreater impact than what we have seen thus far. Our federal \ngovernment--our government systems need to be better protected, \nand that starts with more accountability, responsibility, and \ntransparency by federal agencies.\n    Thank you, and I look forward to hearing our panel.\n    [The prepared statement of Mr. Abraham follows:]\n    \n    \n    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n   \n    \n    Chairman LaHood. Thank you, Mr. Abraham.\n    I now recognize the Ranking Member of the Research and \nTechnology Subcommittee, my colleague from Illinois, Mr. \nLipinski, for an opening statement.\n    Mr. Lipinski. Thank you, Chairman LaHood, and I want to \nthank you and Vice Chair Abraham for holding this hearing on \ncybersecurity and lessons learned from the WannaCry ransomware \nattack last month.\n    The good news is that U.S. government information systems \nwere not negatively impacted by the WannaCry attack. This was a \nclear victory for our cyber defenses. However, I believe there \nare lessons to be learned from successes as well as failures. A \ncombination of factors likely contributed to this success, \nincluding getting rid of most of our outdated Windows operating \nsystems, diligently installing security patches, securing \ncritical IT assets, and maintaining robust network perimeter \ndefenses.\n    As we know, Microsoft sent out a security patch for this \nvulnerability in March, two months before the WannaCry attack. \nThese and other factors played a role in minimizing damage to \nU.S. businesses as well. However, WannaCry and its impact on \nother countries serves as yet another reminder that we must \nnever be complacent in our cybersecurity defenses. 
The threats \nare ever evolving, and our policies must be robust yet flexible \nenough to allow our defenses to evolve accordingly.\n    The Federal Information Security Modernization Act, or \nFISMA, laid out key responsibilities for the security of \ncivilian information systems. Under FISMA, DHS and OMB have \ncentral roles in development and implementation of policies as \nwell as in incident tracking and response. NIST develops and \nupdates security standards and guidelines both informing and \nresponsive to the policies established by OMB. Each agency is \nresponsible for its own FISMA compliance, and each Office of \nInspector General is required to audit its own agency's \ncompliance with FISMA on an annual basis. We must continue to \nsupport agencies in their efforts to be compliant with FISMA \nwhile conducting careful oversight.\n    In 2014, NIST released the Cybersecurity Framework for \nCritical Infrastructure, which is currently being updated to \nFramework Version 1.1. While it is still too early to evaluate \nits full impact, it appears the Framework is being widely used \nacross industry sectors.\n    Our Committee recently reported out a bipartisan bill, H.R. \n2105, that I was pleased to cosponsor, that would ensure that \nthe Cybersecurity Framework is easily usable by our nation's \nsmall businesses. I hope we can get it to the President's desk \nquickly. In the meantime, the President's recent cybersecurity \nExecutive Order directs federal agencies to use the Framework \nto manage their own cybersecurity risk. As we have heard in \nprior hearings, many experts have called for this step, and I \napplaud the Administration for moving ahead.\n    I join Mr. 
Beyer in urging the Administration to fill the \nmany vacant positions across our agencies that would be \nresponsible for implementing the Framework as well as \nshepherding the myriad reports required by the Executive Order.\n    Finally, I will take this opportunity to express my \ndisappointment in the Administration's budget proposal for \nNIST. The top-line budget cut of 25 percent was so severe that \nif it were implemented, NIST would have no choice but to reduce \nits cybersecurity efforts. This represents the epitome of \npenny-wise, pound-foolish decision making. NIST is among the \nbest of the best when it comes to cybersecurity research and \nstandards, and our modest taxpayer investment in their efforts \nhelps secure the information systems not just of our federal \ngovernment, but our entire economy. I trust that my colleagues \nwill join me in ensuring that NIST receives robust funding in \nthe fiscal year 2018 budget and doesn't suffer the drastic cut \nrequested by the President.\n    Thank you to the expert witnesses for being here this \nmorning, and I look forward to your testimony. I yield back.\n    [The prepared statement of Mr. Lipinski follows:]\n    \n    \n    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n  \n    \n    Chairman LaHood. Thank you, Mr. Lipinski.\n    At this time I now recognize the Chairman of the full \nCommittee, Mr. Smith.\n    Chairman Smith. Thank you, Mr. Chairman. I appreciate your \nholding this hearing as well as the Research and Technology \nSubcommittee Vice Chairman sitting next to me, Ralph Abraham, \nfor holding the hearing as well.\n    In the wake of last month's WannaCry ransomware attack, \ntoday's hearing is a necessary part of an important \nconversation the federal government must have as we look for \nways to improve our federal cybersecurity posture. 
While WannaCry failed to compromise federal government systems, it is almost certain that outcome was due in part to a measure of chance.
    Rather than seeing this outcome as a sign of bulletproof cybersecurity defenses, we must instead increase our vigilance to better identify constantly evolving cybersecurity threats. This is particularly true since many cyber experts predict that we will experience an attack similar to WannaCry that is more sophisticated in nature, carrying with it an even greater possibility of widespread disruption and destruction. Congress should not allow cybersecurity to be ignored across government agencies.
    I am proud of the work the Committee has accomplished to improve the federal government's cybersecurity posture. During the last Congress, the Committee conducted investigations into the Federal Deposit Insurance Corporation, the Internal Revenue Service, and the Office of Personnel Management, as well as passed key legislation aimed at providing the government with the tools it needs to strengthen its cybersecurity posture.
    President Trump understands the importance of bolstering our cybersecurity. He signed a recent Executive Order on cybersecurity, which is a vital step towards ensuring the federal government is positioned to detect, deter, and defend against emerging threats.
    Included in the President's Executive Order is a provision mandating that Executive Branch departments and agencies implement NIST's Cybersecurity Framework. While continuously updating its Cybersecurity Framework, NIST takes into account innovative cybersecurity measures from its private-sector partners. NIST's collaborative efforts help to ensure that those entities that follow the Framework are aware of the most pertinent, effective, and cutting-edge cybersecurity measures. I strongly believe the President's decision to make NIST's Framework mandatory for the federal government will serve to strengthen the government's ability to defend its systems against advanced cyber threats like the recent WannaCry ransomware attack.
    Similarly, the Committee's NIST Cybersecurity Framework, Assessment, and Auditing Act of 2017, sponsored by Representative Abraham, draws on findings from the Committee's numerous hearings and investigations related to cybersecurity, which underscore the immediate need for a rigorous approach to protecting U.S. cybersecurity infrastructure and capabilities.
    Like the President's recent Executive Order, this legislation promotes federal use of the NIST Cybersecurity Framework by providing guidance that agencies may use to incorporate the Framework into risk mitigation efforts. Additionally, the bill directs NIST to establish a working group with the responsibility of developing key metrics for federal agencies to use.
    I hope that our discussions here today will highlight distinct areas where cybersecurity improvement is necessary, while offering recommendations to ensure cybersecurity objectives stay at the forefront of our national security policy discussions.
    And with that, I'll yield back, Mr. Chairman.
    [The prepared statement of Chairman Smith follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    Chairman LaHood. Thank you, Chairman Smith.
    At this time let me introduce our witnesses here today.
    Our first witness is Mr. Salim Neino, Founder and Chief Executive Officer of Kryptos Logic. Mr. Neino is credited with discovering new solutions for companies such as IBM, Dell, Microsoft, and Avaya. He received his bachelor's degree in computer science from California State University at Long Beach. A Kryptos Logic employee, as we've discussed, in the U.K. is credited with largely stopping the WannaCry attack. We'll hear more about that during Mr. Neino's testimony today.
    Our second witness today is Dr. Charles Romine, Director of the Information Technology Laboratory at NIST. Dr. Romine received both his bachelor's degree in mathematics and his Ph.D. in applied mathematics from the University of Virginia.
    Our third witness, Mr. Touhill, is a retired Brigadier General in the United States Air Force. He is currently an Adjunct Professor of Cybersecurity and Risk Management at Carnegie Mellon University. Previously, he was chosen by President Obama to serve as the Nation's Chief Information Security Officer. Mr. Touhill received his bachelor's degree from Penn State University and a master's degree in systems management and information systems from the University of South--I'm sorry--Southern California.
    And our final witness today is Dr. Hugh Thompson, Chief Technology Officer for Symantec. Dr. Thompson also serves as an Advisory Board Member for the Anti-Malware Testing Standards Organization and on the Editorial Board of IEEE Security and Privacy magazine. Dr. Thompson received his bachelor's degree and master's degree and Ph.D. in applied mathematics from the Florida Institute of Technology.
    We're glad you're all here today and look forward to your valuable testimony. I now recognize Dr. Neino for five minutes to present his testimony.

                 TESTIMONY OF MR. SALIM NEINO,

                    CHIEF EXECUTIVE OFFICER,

                         KRYPTOS LOGIC

    Mr. Neino. Thank you, Chairman. Chairman LaHood, Vice Chairman Abraham, Chairman Smith, Ranking Member Beyer, and Ranking Member Lipinski, thank you for the opportunity to appear before you today at this joint Subcommittee hearing. We greatly appreciate your interest in cybersecurity and look forward to sharing our thoughts and perspectives with you and your members.
    On May 12, 2017, Kryptos Logic identified a high-velocity, high-impact global security threat with the immediate potential to cause an immeasurable amount of damage. While the intent of this threat was unclear and its motives and origins ambiguous, it was immediately evident that its approach was unusually reckless. This threat has now popularly become known as ``WannaCry.'' It was at this time that Marcus Hutchins, our Director of Threat Intelligence for Kryptos Logic's Vantage, our breach monitoring platform, notified me of our team's active monitoring of the developing situation. On this date at approximately 10:00 a.m. Eastern time, while investigating the code of WannaCry, we identified what looked like an anti-detection mechanism, which tested for the existence of a certain random-looking domain name. Our team proceeded to register the domain associated with this mechanism and directed it to one of the sinkholes controlled by and hosted on the Kryptos Logic network infrastructure. We then noticed and confirmed that the propagation of the WannaCry attack had come to a standstill because of what we refer to as its kill switch having been activated by our domain registration.
    While our efforts effectively stopped the attack, and prevented WannaCry from continuing to deploy its ransom component, we knew that by then the attack had already propagated freely for many hours, at minimum. Based on the velocity of the attack, estimated by sampling data we collected from our infrastructure currently blocking the attack, we believe that anywhere between 1 to 2 million systems may have been affected in the hours prior to activating the kill switch, contrary to the widely reported and more conservative estimate of 200,000 systems.
    One month after registering the kill-switch domain, we have mitigated over 60 million infection attempts, approximately 7 million of those in the United States, and we estimate that these could have impacted at minimum 10 to 15 million unique systems.
    I will note that the largest attack we thwarted and measured to date from WannaCry was not on May 12th or 13th when the attack started, but began suddenly on June 8th and 9th on a well-funded hospital on the East Coast of the United States. It is very likely the health system is still unaware of the event. We measured approximately 275,000 thwarted infection attempts within a 2-day period. Another hospital was also hit on May 30th in another part of the country. A high school in the Midwest was just hit at the beginning of June 9th.
    Presumably every system at this location would have had its data held hostage if not for Kryptos Logic's kill switch. Moreover, Kryptos Logic has been under constant attack by unidentified attackers attempting to knock our systems offline, thus disabling the kill switch and further propagating the attack. The earlier of these attacks came from the well-known Mirai botnet, which took down large portions of the United Kingdom, Germany and parts of the East Coast of the United States earlier this year. Despite these attempts, our systems remained resilient and we increased counter-intelligence measures to mitigate the amplitude of the attacks against us.
    We believe the success of WannaCry illustrates two key facts about our nation's systems: Vulnerabilities exist at virtually every level of our computer infrastructure, ranging from operating systems to browsers, from media players to Internet routers. Exploiting and weaponizing such vulnerabilities has a surprisingly low entry barrier: anyone can join in, including rogue teenagers, nation states, and everyone in between.
    So, how do we adapt and overcome/mitigate these weaknesses? While many cybersecurity experts who have come before me offer the usual gloomy ``there are no silver bullets,'' I've had the opportunity to play on both fronts: on offense, via penetration testing and red team competitions, and on defense, providing protection to Global 100 organizations with very high enterprise risks. Our attack responses must be more agile and with higher velocity and intensity.
    While the nation has considerable literature on risk, maturity models and various frameworks, the actual resources for cyber defense are scarce as there simply is not presently an adequate level of highly skilled, highly experienced, and highly available operators in the cybersecurity field. While there is no shortage of good ideas which claim to be able to solve an infinite amount of problems, every subsequent idea needs development, support, testing, maintenance, et cetera, all of which we characterize as developer debt.
    Unfortunately, many of these solutions take too long to procure and end up being outdated and essentially useless before the ink dries on the paper it is written on. I am optimistic, however, that there is a successful path and strategy forward. Application and software-level mitigations which protect against the exploitation techniques used by hackers have moved the needle to protect against exploitation of the very fabric on which we build our defense assumptions. Mitigations, albeit incomplete, are nonetheless effective and have increased the cost of identifying vulnerabilities in systems and developing programs to exploit them. Other mitigations include various design approaches like compartmentalization of data, systems and transmissions. Such mitigations have measurably raised the bar required for mass exploitation in critical communications software like Internet browsers, web servers, and other protocols which are fundamental to business continuity.
    Investing in technology doesn't necessarily guarantee any actual improvement. In fact, one could argue that introducing more technology stack exacerbates the maintenance debt and creates immediate monetary loss because there are few metrics or analytics to actually measure the effectiveness of any particular technology. This is because we are typically years behind the attack in terms of the sword and shield battle.
    As these resources ebb and flow, knowledge gaps are created, along with the loss of domain knowledge specialists who cannot immediately be replaced to fill these gaps.
    We also must be less risk averse in terms of the defensive operations we undertake, more open to failure, and ready to adapt and learn from these failures. We need a stronger focus on threat modeling and fire-drill simulations that will be focused on the events of a magnitude which would cause significant damage. A significant issue with the response to the WannaCry incident was that there was no real guidance or course of action that was well communicated. The media focused on the points contrary to defense--whodunit?--and this incident could have resulted in a complete breakdown of processes had this been an unpatched zero-day vulnerability and there was no luxury of a kill switch.
    The largest success, though incomplete, was the ability for the FBI and the NCSC of the United Kingdom to aggregate and disseminate the information Kryptos Logic provided so that affected organizations could respond. Information sharing can be valuable but our framework can be vastly improved by triaging cybersecurity threats and events of magnitude in a clear and repeatable scale, not too dissimilar to the Richter scale, which measures the energy released in an earthquake. Likewise, a scale that takes the technical and social elements of a threat into account to evaluate its destructive power enables first responders--us--to better organize and mobilize focus on the most important areas of risk.
    While there do exist various scoring systems for evaluating the purely technical element of a threat, they fall short in terms of clear and actionable information outside of information technology. We focus too much on application-specific vulnerabilities with abstruse names like MS17-010, and none of these values are effective in quantifying the overall impact potential of a wider global environment. We need an easier-to-grasp method of prioritizing threats that have a large-scale destructive potential in context, like WannaCry.
    To this end, once we have determined a method to evaluate the risks with respect to the aforementioned technical and contextual specifics, we can do--we can apply the appropriate mitigations.
    In conclusion, one of the largest issues is the transitory nature of a crisis. The message of the destructive potential of these attacks, and the importance of awareness of it, still has not resonated. We think this can be explained simply by the fact organizations are too slow to adapt to such a volatile landscape, there is a vast human resource shortage, and little by way of metrics to demonstrate return on investment in defensive technologies.
    Again, I thank the Subcommittee for inviting me to appear today to discuss Kryptos Logic's involvement in lessons learned for WannaCry, and I welcome the opportunity to answer any questions you may have when they're fielded.
    [The prepared statement of Mr. Neino follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    Chairman LaHood. Thank you, Mr. Neino.
    I now recognize Dr. Romine for five minutes to present his testimony.

         TESTIMONY OF DR. CHARLES H. ROMINE, DIRECTOR,

          INFORMATION TECHNOLOGY LABORATORY, NATIONAL

             INSTITUTE OF STANDARDS AND TECHNOLOGY

    Dr. Romine. Chairmen LaHood and Abraham, Chairman Smith, Ranking Members Beyer and Lipinski, and members of the Subcommittees, thank you for the opportunity to appear before you today to discuss NIST's key roles in cybersecurity and how they relate to recent incidents.
    In the area of cybersecurity, NIST has worked with federal agencies, industry and academia since 1972, starting with the development of the Data Encryption Standard when the potential commercial benefit of this technology became clear.
    NIST's role to research, develop, and deploy information security standards and technology to protect the federal government's information systems against threats to the confidentiality, integrity, and availability of information and services was recently reaffirmed in the Federal Information Security Modernization Act of 2014.
    NIST provides resources to assist organizations in preventing or, at least, quickly recovering from ransomware attacks with trust that the recovered data are accurate, complete, and free of malware, and that the recovered system is trustworthy and capable. NIST's Guide for Cybersecurity Event Recovery provides guidance to help organizations plan and prepare for recovery from a cyber event and integrate the processes and procedures into their enterprise risk management plans. The Guide discusses hypothetical cyber-attack scenarios including one focused on ransomware and steps taken to recover from the attack.
    Three years ago, NIST issued the Framework for Improving Critical Infrastructure Cybersecurity, or the Framework. The Framework, created through tight collaboration between industry and government, consists of voluntary standards, guidelines and practices to promote the protection of critical infrastructure.
    In the case of WannaCry and similar ransomware, the Framework prompts decisions affecting infection by the ransomware, propagation of the ransomware, and recovery from it. While the Framework does not prescribe a baseline of cybersecurity for organizations, for instance, a baseline that would have prevented WannaCry, it does prompt a sequence of interrelated cybersecurity risk management decisions, which should help prevent virus infection and propagation and support expeditious response and recovery activities.
    On May 11th, President Trump signed Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, which mandated federal agencies to use the Framework. Under the Executive Order, every federal agency or department will need to manage their cybersecurity risk by using the Framework and provide a risk management report to the Director of the Office of Management and Budget and to the Secretary of Homeland Security.
    On May 12th, NIST released a draft interagency report, the Cybersecurity Framework Implementation Guidance for Federal Agencies, which provides guidance on how the Framework can be used in the United States Federal Government in conjunction with the current and planned suite of NIST security and privacy risk management standards, guidelines and practices developed in response to the Federal Information Security Management Act, as amended, or FISMA.
    Another NIST resource that can assist system administrators in protecting against similar future attacks is the most recent release of the NIST National Software Reference Library, or NSRL. The NSRL provides a collection of software from various sources and unique file profiles, which is most often used by law enforcement, government, and industry organizations to review files on a computer by matching the profiles in the system.
    NIST maintains a repository of all known and publicly reported IT vulnerabilities such as the one exploited by the WannaCry malware. The repository, called the National Vulnerability Database, or NVD, is an authoritative source of standardized information on security vulnerabilities that NIST updates dozens of times daily. NIST analyzes and provides a common severity metric to each identified security vulnerability.
    NIST recently initiated a project at our National Cybersecurity Center of Excellence, or NCCOE, on data integrity specifically focused on recovering from cyber-attacks. Organizations will be able to use the results of the NCCOE research to recover trusted backups, roll back data to a known good state, alert administrators when there is a change to a critical system, and restore services quickly after a WannaCry-like cyber-attack.
    NIST is extremely proud of its role in establishing and improving the comprehensive set of cybersecurity technical solutions, standards, and guidelines to address cyber threats in general and ransomware in particular.
    Thank you for the opportunity to testify today on NIST's work in cybersecurity and in preventing ransomware attacks. I'd be happy to answer any questions that you may have.
    [The prepared statement of Dr. Romine follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    Chairman LaHood. Thank you, Dr. Romine.
    I now recognize Mr. Touhill for five minutes to present his testimony.

       TESTIMONY OF MR. GREGORY J. TOUHILL, CISSP, CISM;

                 BRIGADIER GENERAL, USAF (RET);

      ADJUNCT PROFESSOR, CYBERSECURITY & RISK MANAGEMENT,

           CARNEGIE MELLON UNIVERSITY, HEINZ COLLEGE

    General Touhill. Thank you. Good morning, Chairman LaHood, Chairman Smith, Vice Chairman Abraham, Ranking Member Beyer, Ranking Member Lipinski, and members of the Committee. Thank you very much for the opportunity to appear today to discuss cyber risk management.
    I'm retired Air Force Brigadier General Greg Touhill. I currently serve on the faculty of Carnegie Mellon University's Heinz College, where I instruct on cybersecurity and risk management. Prior to my current appointment, I served as the United States Chief Information Security Officer, and before that in the United States Department of Homeland Security, where I served as the Deputy Assistant Secretary for Cybersecurity and Communications. During that period, I also served as the Director of the National Cybersecurity and Communications Integration Center, which is commonly referred to by its acronym, NCCIC.
    During my Air Force career, I served as one of the Air Force's first cyberspace operations officers, and I currently maintain both the Certified Information Systems Security Professional and Certified Information Security Manager professional certifications.
    Cybersecurity is a risk management issue. However, many people mistakenly view it solely as a technology concern. Cybersecurity indeed is a multidisciplinary risk management issue and is an essential part of an enterprise risk management program.
    I recognize we have a very full agenda of topics today, and I'm sensitive to your time. I have submitted for the record a written statement, and in that statement, I discuss the recent WannaCry attack and my assessment of how future attacks may impact the public and private sectors. In short, I view WannaCry as a slow-pitched softball whereas the next one may be a high-and-tight fastball coming in. We need to be ready.
    I also discuss and share recommendations on topics the Committee has identified for today's agenda including the President's recent Cybersecurity Executive Order, public and private sector partnerships, the Cybersecurity Framework, and proposed legislation. In short, on that I urge the Congress to continue its great efforts to strengthen our enterprise risk posture. I urge you to authorize and empower the federal Chief Information Security Officer position, which currently is not an authorized or specified position. I also suggest that instead of calling it the NIST Cybersecurity Framework--and I'm a huge fan of this Framework--I suggest we start calling it the National Cybersecurity Framework to reinforce the fact that it applies to everyone, and further, NIST did a brilliant job in crowdsourcing the development of this framework but it was really people from around the country that brought to the table best practices. NIST was a great trail boss for this but it really is a national cybersecurity framework.
    And then finally, in regards to the proposed H.R. 1224 legislation, I congratulate the Committee and the Members of the Congress for taking the initiative to really reinforce the need to implement the Framework across the federal government.
    I do suggest, based upon my experience in both the military and the government sectors of the federal government, that we do two things with that Act. One is we amend that Act to make it apply to national security systems as well. Having served extensively in the military and in the federal government, I believe that the National Cybersecurity Framework applies equally to national security systems, and I recommend that you make that amendment. Further, I concur with my colleagues who suggest that let's leverage the Inspector General and auditing communities that are currently in the different departments and agencies and reinforce their need to conduct appropriate audits using that Cybersecurity Framework.
    Again, I thank you for inviting me to discuss cyber risk management with you today, and I look forward to addressing any questions you may have.
    [The prepared statement of General Touhill follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    Chairman LaHood. Thank you, Mr. Touhill.
    I now recognize Dr. Thompson for five minutes to present his testimony.

                TESTIMONY OF DR. HUGH THOMPSON,

               CHIEF TECHNOLOGY OFFICER, SYMANTEC

    Mr. Thompson. Good morning. Thanks for having me, and Chairman LaHood, Vice Chairman Abraham, Chairman Smith, Ranking Member Lipinski, and Ranking Member Beyer, I really appreciate the opportunity to be here today to talk about what is a critical subject.
    Understanding the current threat environment is essential to crafting good policy and effective defenses, and last month's WannaCry ransomware attack is just one of the latest manifestations of the kinds of disruptive attacks that we are now facing.
    The timeline of WannaCry I think has been well covered by the other folks on this panel, but I did want to share with you a graphical timeline that hopefully you can see in the monitor. Apologies for the small print. What's interesting I think about that and where I'd like to add some color is to give you Symantec's perspective on the events as they unfolded, and to give you some context, Symantec is the world's largest cybersecurity company with technology protecting over 90 percent of the Fortune 500 and being used extensively by government agencies around the world. In addition, we protect tens of millions of home users through our Norton and LifeLock branded products.
    The threat telemetry we get from these deployments represents the largest civilian threat intelligence network in the world. WannaCry was unique and dangerous because of how quickly it could spread. It was the first ransomware as a worm that had such a rapid global impact. Once on a system, it propagated autonomously by exploiting a vulnerability in Microsoft Windows. After gaining access to a computer, WannaCry installs the ransomware package. This payload works in the same fashion as most crypto-ransomware. It finds and encrypts a range of files and then displays essentially a ransom note to victims demanding payment, this time in Bitcoin. Symantec worked closely with the U.S. Government from the first hours of the outbreak. We connected DHS researchers with our experts, provided indicators of compromise and analysis to DHS, and received the same back. During the outbreak, DHS had twice-daily calls with the private sector to coordinate operational activities. From our perspective, this was one of the most successful public-private collaborations that we've been involved in.
    Our analysis of WannaCry revealed that some of the tools and infrastructure it used have strong links to a group referred to as Lazarus by the security community, which the FBI has connected with North Korea. Lazarus was linked to the destructive attacks against Sony Pictures in 2014 and also the theft of approximately $81 million from the Bangladesh Central Bank last year. The links we saw between WannaCry and Lazarus included shared code, the reuse of IP addresses, and similar code obfuscation techniques. As a result, we believe it is highly likely that the Lazarus group was behind the spread of WannaCry.
    Beyond WannaCry, the threat landscape continues to evolve very quickly. We're seeing attacks become more sophisticated, not just in technology but in social engineering approaches that these attacks use. We're also seeing more attacks being leveraged against IoT devices, such as the massive weaponization of IoT devices that we saw with the Mirai botnet last fall. Mirai launched one of the largest distributed denial-of-service attacks on record and led to significant disruption of major cloud services. The explosive growth of attacks like WannaCry and Mirai I think underscores the need for preparation and deploying integrated and layered defenses.
    These attacks also show that response and recovery planning and tools are an essential part of cyber risk management because while good defenses will stop many attacks, we have to be prepared that a determined adversary may get through those initial defenses and we must lay a foundation for recovery.
    There's no question that WannaCry was an important event but unfortunately, it will not be the last of its kind. In fact, it's more likely an indicator of what's to come. Good fortune played a significant role in minimizing its impact, particularly in the United States, but we will not always have luck on our side, which is why we must learn the lessons of WannaCry and make the necessary improvements to our defenses and response capabilities.
    This hearing is an important part of that effort, and we appreciate the opportunity to be here. I look forward to answering any questions that you may have. Thank you.
    [The prepared statement of Mr. Thompson follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    Chairman LaHood. Thank you, Dr. Thompson, and thank all the witnesses for your testimony. The Chair recognizes himself for five minutes, and we'll begin questioning.
    As I talked about in the beginning, the title of this hearing today is ``Lessons Learned from WannaCry,'' and we've talked a lot this morning about WannaCry and how that played out across the world, but in terms of what we've learned about the genesis and origin of where this came from, I know the Washington Post came out with an article yesterday that the NSA has linked the WannaCry computer worm to North Korea. I'm wondering if, Dr. Neino, you can talk a little bit about the genesis and origin of where this came from, particularly because it appears it's from a nation-state, and I know there's references to what occurred with Sony Pictures and also with the Bangladesh Bank, and what we know about it and what's being implemented I guess on the government side to prevent this or hold an entity or the government accountable.
    Mr. Neino. Thank you, Chairman. I think if I understand your question, you're asking about, one, the origin, and our conjecture to that, and number two, perhaps, if I understood also correctly, what would be the rules of engagement for something like that if it was another nation-state. While I may not be--while we think it's ambiguous to conjecture over the origins of WannaCry, there are tails of code in there that suggest one way or another that some nation-state could have been responsible. Unfortunately, and as I said in my written testimony, anyone could have created this level of attack, and often misdirection is found typically in binaries like these attacks we see. I would compare it perhaps by analogy to photoshopping a program to look a certain way, or it could have simply just been what it is, which is exactly what we see. It's hard to tell so we won't--I won't say that I know the origin of the attack nor should I conjecture on it but what I can say is that these attacks are very difficult to attribute, and Kryptos Logic is a cybersecurity company, not an intelligence agency, so it would be very difficult for us to pursue an answer to that.
    As far as rules of engagement, I also think that the question segues the same way. It would be difficult to create attribution or origin to any attack and therefore rules of engagement would be very difficult for us to give any kind of assessment on.
    Chairman LaHood. Dr. Thompson?
    Mr. Thompson. This was truly an interesting attack. We spend a lot of time in our research labs looking at both the code that was used in WannaCry but also where WannaCry communicated out to, and there were very, very close similarities to other kinds of attacks that we've seen, specifically attacks that we attribute to a group called Lazarus, and these attacks, this malware, the reuse of strings in that malware, the reuse of command-and-control infrastructure out on the internet by that malware led our researchers to believe that this is strongly linked to the Lazarus group.
    Now, similar to my colleague on the end, we're not the intelligence community either, and I agree with those comments that attribution is often difficult, but what we've seen leads us to believe that it was a part of this Lazarus Group and separately the FBI has linked the Lazarus group with North Korea, and I think, Chairman LaHood, the article that you're referring to from yesterday is another potential evidence point on that as well from the NSA.
    Chairman LaHood. Thank you.
    Dr. Neino, we talked about the kill switch and how that stopped the attack, but we also reference the fact that last week a hospital on the East Coast and a high school were subject to attack. Can you explain how, if the kill switch was implemented correctly, the hackers responsible for WannaCry were able to continue to perpetuate the attack despite the registration of the kill switch?
    Mr. Neino. Absolutely. Although I'd like to be a doctor, it's Mr. Neino.
    So you have to understand the material makeup of the actual malware and how it works. Why WannaCry was so significant is that it's self-propagating. That's what gives it the title of a worm, if you will, meaning the actors don't need to even be in existence, and sometimes we refer to these things as zombies, zombie botnets, because they continue to proliferate regardless of the actors or parents or creators of the particular attack. In the case of the examples I gave in the testimony regarding the health system, of which there are many, that was just, let's say, a corner case that was very significant. The worm continues to propagate because it is scanning and seeking to expand itself, and that portion of the worm is not subject to the kill switch, so its expansion and spreading is in effect still exploiting systems worldwide. What it's not triggering is the payload, if you will, the ransom component, and that component therefore doesn't trigger. Most of these organizations worldwide right now don't know they're still getting actively exploited because they don't see the ransom portion of it, so that's why we have 60 million attacks thwarted to date, if not more, and just nobody knows it's still happening, and that's why I said it was--I don't think the message has resonated given those figures that this still needs to be patched, and this again points to the point of resources.
    Chairman LaHood. Thank you, Mr. Neino.
    I'm out of time. I will yield to the Ranking Member, Mr. Beyer.
    Mr. Beyer. Thank you, Chairman LaHood, very much, and I'm so impressed by our panel today. There's so much information here, and I congratulate Dr. Romine and Dr. Thompson for being Ph.D. mathematicians. That's wonderful. Jerry McNerney was here just a little while ago, a Member of Congress, who's I believe our only mathematician in Congress. And Mr. Neino, congratulations on winning the hacking tournament. I never had a chance to say that before, but that's very cool. And General Touhill, it's very cool that you're now, after all the things you've done in your life, combat and diplomacy and first CISO, to be up there at Carnegie Mellon with their buggy races around Chandlee Park. Every university has something that makes them cooler than everyplace else.
    And General, I want to start with you. You talked in your long written testimony about H.R. 1224 cosponsored by--a bipartisan bill here, but we have expressed a lot of concern about the audit function that NIST would be asked to take on, and I was particularly fascinated by your points which we didn't raise when we had the hearing here that it would make it much more difficult for NIST to be viewed as an honest broker, that this would change their perceptions about the current and future roles and have a chilling effect on many of the relationships that NIST has within government and industry, that a lot of these relationships are, quote, unquote, learning relationships based on a common quest to identify and incorporate best practices, and NIST would change those relationships and not in a good way. It might inhibit or stifle the free exchange of information from public and private entities to NIST. Can you expand on that at all? This seems to be a pretty powerful argument against that audit function.
    General Touhill. Yes, sir. You know, frankly, I'm a fan of the intent of the legislation. Section 20(a) in making sure that folks are in fact using the Cybersecurity Framework across federal government I think is brilliant. We need to follow through on that big time, and frankly, it was something I was promoting while I was the United States Chief Information Security Officer. As a matter of fact, in my last federal Chief Information Security Officer Council meeting in January of this year, I proposed and we had a unanimous vote amongst the council to do a risk assessment for the federal government based on the Framework. That portion of the legislation I'm wholly supportive of.
    Section 20(b), the proposal to do the auditing and compliance activities, I'm also a fan of. I think it's important that we do auditing and compliance. However, I do stand by what I wrote in the written testimony that I think that NIST is not the best place to put that. It doesn't have the culture, it doesn't have the mission, it doesn't have the personnel to do it as effectively as the existing Inspector General and auditing functions. And from a practical standpoint, NIST is a great organization that I've been working with for the last 35-plus years, and the relationship that NIST has is in fact as a neutral party that is on the quest to choreograph efforts to find the best ways of doing things. An auditing function or a compliance function on the other hand is looking to see if you are in fact following the checklist. I think that if we want to have an auditing and compliance function, which I definitely think that we should be doing, we should be giving direction to those folks whose job it is to do that auditing and compliance function. Frankly, this is an operational issue, and Inspectors General have always been in my book the folks that do performance inspections, that are the ones that are going to help those commanders in the field in the military as well as the executives in the federal government do their job better and have better visibility into their risk posture. I believe we need to have the Inspectors General and auditing functions that are currently in place be the ones who execute the intent of the Committee and the Congress.
    Mr. Beyer. Thank you, General, very much.
    Mr. Neino, based on your testimony, you should be a doctor.
\nIt's filled with really interesting things, and your three-part \nconclusion that the largest issues were A, that organizations \nare too slow to adapt; B, that we have a vast human resource \nshortage; and C, there are little by way of metrics to \ndemonstrate return on investment, and you talk about creating a \nmethod to prioritize threats, something like the Richter Scale, \nmagnitude and a clear and repeatable scale. Who should put this \ntogether? Who should manage it? Who should maintain it? How do \nwe make this happen?\n    Mr. Neino. I think it would be interesting to see NIST \nparticipation in something of this where it's basically \ncrowdsourced through various academics and commercial and \nprivate entities that could look together and see how they're \nprioritizing risks and threats, and then see if that could be \nin some way put into some sort of simulation system that allows \nto be scalable where people as a resource is not scalable, \ntechnology can be, and that would be an effective area.\n    I also see that the commercial sector alone can produce \nthat as well and that could be adopted, but I think that any \ntime you have some sort of regulatory mandate, it's taken much \nmore seriously, and what I mean by that is, for instance, if we \nhad an event of magnitude that was measured and if we put an \narbitrary number on WannaCry, let's say it was a 7.5 magnitude \nby some arbitrary figure, shouldn't that particular event be \nrequired to be fixed by organizations whereas right now it's \nmostly voluntarily. So if a water system or a power grid \ndoesn't fix it even after WannaCry, shouldn't we see that sort \nof mandate where we can know that that is regulated because \nthat event of magnitude has context versus you can't boil the \nocean when it comes to patching vulnerabilities. We're not \ngoing to win that war; it's infinite. But we should be able to \nwin the war of at least the attacks we know about.\n    Mr. Beyer. 
Thank you very much.\n    Mr. Chair, I yield back.\n    Chairman LaHood. Thank you, Mr. Beyer.\n    I now recognize Vice Chairman Abraham.\n    Mr. Abraham. Thank you, Mr. Chairman. I also stand in awe \nof the brain cell power on our panel. We could probably use a \ncouple of guys as mathematicians when we work through our \nbudget process.\n    And Dr. Thompson, if indeed North Korea has a role in this \nvirus exploitation, I find it ironic that a country as North \nKorea that not only suppresses but quashes religious freedom \nwould use a biblical name, Lazarus, as its codename, so just an \naside.\n    Dr. Romine, my question is to you. When news of WannaCry \nstarted spreading, what, if any, steps did NIST take to ensure \nfederal agencies' information systems were protected and was \nNIST involved in any government meeting that took place around \nthat time?\n    Dr. Romine. Thank you very much for the question. The \nresponse for an event like WannaCry from the NIST perspective, \nthe primary goal as a scientific institution and as an \ninstitution that provides guidance is to learn as much as we \ncan about the incident and about the origin--not the origin \nfrom a country point of view but the technical origins, and to \ndetermine whether the guidance that we issue is sufficiently \nrobust to help organizations prevent this kind of attack.\n    I'm not aware of specific meetings that we were involved in \nthat were discussing the operational side of WannaCry. I think \nthe law enforcement and intelligence communities were certainly \nmeeting. You heard reference to DHS being quite active in \nhelping the private sector to deal with this issue. From our \nperspective, it's more learning whether we can improve the \nguidance that we make available to entities to try to not only \nprevent these attacks but also recover from them and to be \nprepared for them in the future.\n    Mr. Abraham. Okay. And I'll stay with you for my second \nquestion. 
In your testimony, which I did read, you said that \nNIST recommendations in the NIST guide for the cybersecurity \nevent recovery and Cybersecurity Framework would sufficiently \naddress the WannaCry incidents. Will the requirement in the \ncyber Executive Order to agencies to implement the Framework \nhelp them be better prepared in the future to defend against \nthese types of incidences and will this be enough or should \nmore be done?\n    Dr. Romine. Thanks for the question. It's difficult to know \nwhether it will be enough for the next event, but I can say \nthis. One of the important things that emerged in our \ndiscussions with the private sector during the development of \nthe Framework was that we are often thinking about detection \nand prevention of attacks. Sometimes, we don't pay enough \nattention to response and recovery, and so one of the things \nthat the Framework does is to spell out the five functions--\nidentify, protect, detect, respond and recover--and we're \nproviding a lot of guidance now with the incident response \nguidance, for example, to help different organizations be \nbetter prepared to respond and recover. One of the analogies \nthat I've drawn recently is the Boy and Girl Scouts are right: \ntheir motto is ``be prepared.'' And the fact is, the better \nprepared an organization is through its risk management \nactivities, which we think the risk management framework from \nFISMA coupled with for federal agencies and under the umbrella \nof the Cybersecurity Framework now, we think those are the \ntools that are necessary to implement the kind of preparedness \nthat organizations should have.\n    Mr. Abraham. One quick follow-up. What specific steps in \nlieu of this WannaCry should NIST take to help federal and \nstate agencies be better prepared as well as the private \nsector?\n    Dr. Romine. 
So we're already looking at some of the \nconsequences associated with it, some of the incident response \nwork that we have, some of the data integrity work that I \ntalked about earlier. We launched the Data Integrity Project at \nthe National Cybersecurity Center of Excellence, which has a \nvery strong tie-in with ransomware-type attacks. We launched \nthat actually before the WannaCry came out but in light of this \nnew event, we're accelerating the work that's going on in the \nNCCOE so we hope to be able to provide very practical guidance \nor practical examples of how to be prepared so that \norganizations can see how it's done.\n    Mr. Abraham. Thank you.\n    And General, thank you for your service to the country.\n    Mr. Chairman, I yield back.\n    Chairman LaHood. Thank you, Vice Chairman Abraham.\n    I now recognize Ranking Member Lipinski for his \nquestioning.\n    Mr. Lipinski. Thank you, Mr. Chairman. I want to thank the \nwitnesses for their testimony and for all the work that you do.\n    We are I think finally beginning to take cybersecurity more \nseriously here in Washington although there's much more that I \nthink we need to do. Part of the problem is understanding what \nthis really means and the impact that it can have. We also need \nto make sure that the American public knows the significance of \ncybersecurity and what could happen.\n    We know when we're dealing with cybersecurity that \ntechnology is just part of the solution. What often matters \nmore is we saw with WannaCry is personal behavior and \norganizational behavior. Individuals and information systems \nmanagers must regularly install security patches and phase out \noutdated software. Organizations must prioritize cybersecurity \nand have plans in place for quick response when there are \nattacks. 
These are social-science issues.\n    Another social-science angle is understanding criminal and \nterror networks as well as foreign state actors, and using that \nunderstanding to help inform our intelligence gathering and our \ncyber defenses.\n    So I'd like to hear from each of our witnesses your \nthoughts on whether we're investing enough in the human factors \nof cybersecurity and what more can be done, what more would you \nlike to see us do to--so that we are taking care of these \nissues? We'll start with Mr. Neino.\n    Mr. Neino. Thank you, Mr. Lipinski. I think it's a great \npoint that you bring up. There are other issues other than \ntechnology at play. Cybersecurity is hard. It really is. \nSoftware is hard; security is hard. When you put them together, \nit's very hard. One thing that we know will be quite difficult \nis resources. Resources will maintain their need for quite some \ntime, and technology is rapidly evolving. We have eroding \nboundaries. Systems are changing. We have digital \ntransformation that continuously happens so we have to relearn \nour resources and people. This makes it very difficult for \nthose responsible in those areas to manage risk to actually \nkeep up with the actual threat, the pragmatic threat, not just \nthe way we measure our own threats but in reality like \nWannaCry. In that case, I think that we could see a huge value \nif we were to see investments in things that allow for threat \nprioritization, again going back to the events of magnitude \nexample. You can't boil the ocean but you can look at the areas \nthat can hurt you the most and the people that will hurt you \nthe most, and investigating those things and putting them \ntogether allows you to start to formulate a picture that allows \nyou to prioritize threats. Once you prioritize threats, the \ninvestments you make in those people and those resources will \nbe maximized and we'll have a better chance of being more \nresilient.\n    Mr. Lipinski. 
Thank you.\n    Dr. Romine?\n    Dr. Romine. I'd like to describe two important NIST \nprograms that directly address the human part of this problem. \nOne is that NIST is privileged to home the program office for \nthe National Initiative for Cybersecurity Education, or NICE, \nwhich is an interagency program that's dedicated to building a \nlarger cybersecurity workforce, and we've made great strides in \nthat area. I'm very proud of the work that we've done there.\n    The second part of the program is, and you're absolutely \nright, that one of the key components in achieving true \nsecurity is understanding how humans interact with technology. \nYou can be theoretically secure through technology but if the \npeople that are trying to get their jobs done are focused on \nthat and not taking advantage of, or in some cases, even \ncircumventing security that's in place in order to get their \njobs done, you have to know about that and you have to \nunderstand how to build systems that have the human in the \nloop. NIST views a systems-level approach for cybersecurity but \nwe think people, the users, are part of the system and so we \nhave an active research program in understanding. We have \npsychologists, sociologists, human factors engineers on our \nstaff whose entire mission is to understand how people interact \nwith technology so that we can do better in areas like security \nand usability.\n    Mr. Lipinski. General Touhill?\n    General Touhill. Thank you very much. When I was at--still \nin public service as the U.S. Chief Information Security \nOfficer, I applied about five strategic lines of effort. One \nwas harden the workforce; two, treat information as an asset; \nthree, do the right things the right way and at the right time; \nfour, make sure that you're continuously innovating and \ninvesting wisely; and then five, make sure that you're making \nrisk management decisions at the right level.\n    The first one was harden the workforce. 
If you gave me an \nextra dollar in cybersecurity, I'm always going to spend it on \npeople, and frankly, your people are your greatest resource but \nthey're also your weakest link. We see it time and time again, \nand 95 percent of the incidents my U.S. ICS, Industry Control \nSystem CERTs responded to you could track back to a human \nfailure--failure to patch, failure to configure correctly, \nfailure to read the instruction book. So I think hardening the \nworkforce should be a strategic priority, and it was one of my \ntop ones and actually was the top one.\n    Further, you know, if you ask for where else could we \ninvest well: exercises. People should not necessarily be \nconfronting crises without having practiced ahead of time, and \nmy friend, Admiral Thad Allen, likes to say the time to \nexchange business cards is not a time of crisis. We should be \ndoing exercises more often than we are, and we should be \ninvesting more into them.\n    And then further, everybody needs to play. Too often we see \nsenior executives who go dismiss that off to the younger folks \nand the kids in the server room to play. It's a risk issue, and \nrisk decisions are made at the board level.\n    So I think we need to invest in exercises. We already are \ndoing a lot. During the time I was at DHS when I first got \nthere, the year before we had done 44. By the time I left two \nyears later, we were up to 270 exercises. But I think more \nneeds to be done, and I encourage the Committee and the \nCongress to help reward these type of practices because I think \nit'll buy down our risk.\n    Mr. Lipinski. And if the Chairman will indulge me, Dr. \nThompson?\n    Mr. Thompson. Thank you. Thanks for that question because I \nthink what you're hitting on is probably one of the most \nimportant and underinvested areas in cybersecurity in general. \nThis human element cannot be separated from the technology. 
\nOften in the security community we talk about advanced \npersistent threats, and most people when they think about that \nthink about very sophisticated code, malware, but in fact, what \nwe're seeing is the root of many of these advanced persistent \nthreats is the initial way a company got infected or a person \ngot infected was that an individual made in retrospect a bad \nchoice--they clicked on a link, they downloaded a file--and \nwe're seeing attackers becoming more socially sophisticated in \nthe way they attack. We're seeing them personalize attacks \nlooking for information on social networking sites, for \nexample, so that they can create credibility in an email or a \ntext message that they may send you so that you're convinced \nthat this is a reasonable thing to go and do. And I think from \nan industry perspective, it is a place that we desperately need \nfocus.\n    I want to give you one data point that I think may be \nuseful. So I've had the pleasure to serve as the program \ncommittee chairman for RSA Conference for the past ten years. \nThat conference had 40,000 people, security professionals that \nshowed up last year, which is a sign of how important I think \nthis industry's become, and three years ago we started a track \ncalled the Human Element, and it has become one of the most \npopular tracks for cybersecurity professionals because I think \nwe all realize--and I love the comments that the general made \nabout this topic. I think we all realize that is one of the \nmost critical areas that we need to focus on going forward, \nhuman element of the people that are responsible for \ncybersecurity but also the human element of users.\n    And I'll make a final comment here. It is very easy for a \nuser to understand that there's an increase in utility. I know \nit's easier to get in my house if I leave the door unlocked, \nvery easy. You don't have to carry any keys around. 
If I make \nit more secure, generally people's viewpoint is you make it \nmore secure, you make it more painful. There are more things \nthat you have to do. So they can easily measure utility but \nthey can't easily measure risk, and we need to do a better job \nat helping the individual, the citizen recognize risk.\n    Mr. Lipinski. Thank you very much.\n    Chairman LaHood. Thank you, Mr. Lipinski.\n    I now recognize Congressman Higgins for his questions.\n    Mr. Higgins. Thank you, Mr. Chairman.\n    Mr. Neino, congratulations on shutting down WannaCry. That \nwas a big mistake by whoever designed that worm, was it not, to \nleave the domain unregistered?\n    Mr. Neino. It's hard to say what it is. It could have been \nintentional, it could have been non-intentional. We think it \nwas non-intentional but it's hard to say. But it definitely was \na mistake in any regard.\n    Mr. Higgins. Well, congratulations on discovering it. What \nwould WannaCry have done to the world had that kill switch not \nbeen----\n    Mr. Neino. I can only give a thumbnail of what that might \nlook like but given today, you know, we're seeing millions of \nthwarted attacks per day, you also have to realize that the \nvelocity of the attack of WannaCry had slowed significantly as \na result of the kill switch. So generally mathematicians will \nsay these are exponential attacks, things like that. This could \nhave been a very, very massive attack. Most systems were \naffected.\n    Mr. Higgins. I concur. Most cyber experts agree that it \nappears that North Korea was behind WannaCry. Do you agree?\n    Mr. Neino. I think that there are tails in the software \nprogram that you could use to associate it but I do believe \nthat intelligence is cumulative behind cyber. Cyber is very \ndifficult to attribute. You need other areas to attribute a----\n    Mr. Higgins. What's your opinion? Was North Korea behind \nWannaCry?\n    Mr. Neino. I don't really want to comment. 
I've seen other \npeople make very good conjectures about it being China. I've \nseen other conjectures as of just being random people. But I \ndon't think it's worth commenting because I'm just not a \nsubject domain expert in intelligence.\n    Mr. Higgins. Intelligence is a safe answer, sir.\n    When security software is designed, how easy is it for the \ndesigner to build a backdoor access that would be virtually \nundetectable within that cybersecurity software?\n    Mr. Neino. We've seen that a multitude of times, and \nthere's very good studies from a variety of areas. The level of \nentry to do that is very low.\n    Mr. Higgins. Thank you for concluding that.\n    Brigadier General, my question is to you, sir. Thank you \nfor your service. Are you familiar with Kaspersky Labs out of \nMoscow?\n    General Touhill. I am familiar with Kaspersky.\n    Mr. Higgins. Manufacturer of cybersecurity products, a long \nlist of cybersecurity products, that top intelligence officials \nat the FBI, the CIA, the NSA and others advise this body that \nthey don't trust Kaspersky, that they would not use their \nproduct on their personal devices. However, it's still used \nwidely across the United States Government in various \ndepartments. Can you explain that to this Committee?\n    General Touhill. Well, sir, I don't know what kind of \nconversation, you know, my colleagues from those agencies had \nwith this Committee. However, as I go and I take a look at the \ndifferent products that are in the market today, I believe that \nthe American products are the best ones out there, and just on \na value proposition, I buy American.\n    Mr. Higgins. I concur. That's a brigadier general speaking \nright there.\n    General Touhill. That's an American speaking, sir.\n    Mr. Higgins. 
Let me say that although there's no public \nevidence of collusion between Kaspersky Labs and the Russian \ngovernment, it's not a large leap, and Eugene Kaspersky has \nsuggested that his products have no ties to the Russian \ngovernment. However, as part of the national conversation, Mr. \nChairman, and it's widely known that the Russians have been \ninvolved in efforts to influence governments across the world \nwith cyber-attack, and Mr. Kaspersky has suggested that he \nwould testify before this body. I strongly suggest that we take \nhim up on his offer. I'd sure like to talk to him regarding the \nkill switch in North Korea, that having been a rather glaring \nerror on the part of the designer of that worm cyber-attack.\n    Mr. Neino, what do you think that happened to that guy in \nNorth Korea? It was a kill switch, wasn't it? So this message, \nshould it get to any of the cyber-attack cyber experts in North \nKorea, if you can get out of the country, you're welcome in the \nWest. We'd love to have you before this Committee. We'll give \nyou some real good food.\n    Mr. Chairman, I yield back.\n    Chairman LaHood. Thank you, Congressman Higgins.\n    I now yield to Congresswoman Esty.\n    Ms. Esty. Thank you very much. This has been very \nenlightening and extremely helpful.\n    There are a couple of points I want to return to and maybe \ndrill down on. One is on the human element, which I think is \nunbelievably important because you can buy all the great \nequipment in the world, and as you said, Dr. Thompson, if you \nleave the door open, it doesn't do you any good, and I think a \nlittle bit about the analogy in hospitals about getting people \nused to washing their hands, and it may be low-tech but it \nworks, and so one of the things I think we need to emphasize \nfor all Americans is hygiene. 
It's just what are proper hygiene \npractices, so that's one, and getting people's thoughts and how \nwe make that absolutely standard operating procedure for all \norganizations, government and non-government.\n    Number two, we have an issue in the federal government in \nparticular at all levels of government of really old systems. \nSo we look at the fact that this was exploiting a \nvulnerability in Windows. Who's still using those systems? \nOverwhelmingly I can tell you it's local and state governments \nthat don't have any money and they're still using these old \nsystems, so that makes it an even greater issue.\n    Mr. Neino, your point about threat assessment and \nunderstanding levels of assessment, we need triage help. You \nknow, we need triage help to recognize what defcon level is \nthis because, you know, everybody gets those notes on their \nphones and we're looking at our phones like I don't have time \nto upgrade my system, and that's the reality of human behavior. \nSo I'd suggest a couple of things. We ought to be getting \nbehavioral economists and social-media experts to your point, \nDr. Thompson, and I think that needs to be part of what the \nfederal government, part of what NIST is doing is to stay ahead \nof the game we need to do that.\n    A number of us were at an Aspen briefing a couple of months \nago with some of the folks from the top levels of the private \nsector talking about how so much of our emphasis at the federal \ngovernment has been and frankly the incentives have been for us \nto be on attack mode. We're developing our attack cyber \ncapability out of the federal government. We've left it to the \nprivate sector to do defense. Obviously we need to be doing \nmore defense. So that's--you know, how do we incentivize \ndefense attention? It's less sexy but frankly a lot more \nimportant. So what can we do as a culture change? Where does \nthat have to come out of? Is that out of NIST? 
Is that out of \nDOD, NSA to put the incentives there? How do we make sure we're \ngetting the broader sector of talent pool?\n    Again, it may not strike people bringing in, you know, \npeople who do Snapchat for figuring out how do we make sure \npeople don't click on that link but it strikes me over and over \nagain if we don't do that, if we look at what happened in the \nhacking on the electoral system and last year what happened, it \nwas John Podesta's email where someone clicked on a link, and \nit is going to be the weakest link and the strongest link at \nthe same time.\n    So anyone who has thoughts on that whole bunch of stuff I \njust dumped, that's what happens when you're at the end of the \nhearing, you know, you're batting clean-up and want to raise a \nnumber of issues. But again, thank you very much. I look \nforward to following with all of you, and thank you for your \nefforts and in joining with us in figuring out how we can do \nbetter for America. Thanks.\n    Dr. Romine. Thank you, Congresswoman. I'll just make two \nvery quick points. One is, we have active research going on now \nunder the program that I just talked about to understand human \nbehavior, trying to understand susceptibility to phishing \nattacks, and what are the things that factor into people not \nrecognizing that something is a phishing attack. 
And so there's \nresearch coming out about that.\n    With regard to culture change, I think maybe it's \nunderappreciated sometimes the culture change that's going on \nin boardrooms and among CEOs who in light of the Framework as a \ncatalyst for this but I think this might have been on their \nradar anyway, but the Framework is a means of catalyzing the \nunderstanding on the part of boardrooms and CEOs that manage \nrisk to reputation, financial risk, and business operational \nrisk and all of the other risks that you're already managing as \na CEO, you now have the tools that you can use to incorporate \ncybersecurity risk into that entire risk management.\n    General Touhill. I'd like to pile onto that. First of all, \non the cyber hygiene, we all need to do better, and we work \nvery closely with NIST to help promote the national cyber \neducation programs that we have, and I think we really need to \ndo better on that. As a matter of fact, I propose that we \nprobably need a Woodsy Owl, Smokey the Bear type of thing. You \nknow, I call it Byte. Let's get kids out there fully educated \nand bring that pipeline up. And we've been working with NIST \nand across the interagency to do that.\n    And we also need to incentivize. We shouldn't necessarily \nbe seen as the government that's here to help but not really \nhelp but to overregulate. We need to encourage and incentivize \nfolks to do the right thing, to buy down their enterprise risk. 
\nBut we also have to recognize that risk is an intrinsic part of \nany management of any business, and we have to be very careful \nthat we don't hamshackle the different boards and C suites \nfrom actually managing their risk, and we need to give them the \ntools and the support to be good wingmen to help them make \nthose risk decisions.\n    And then finally, you know, we've had a lot of discussions \npublicly in this town over the last two, three, four years \nabout roles and missions as to who does what in helping folks. \nAs for me, having served in uniform for over 30 years and then \nhaving done some public service on top of that, I think it \nreally takes teamwork, and I view the DOD and NSA and \nintelligence community's mission to help us with deterrence and \ninterdiction. Let's stop them and take the fight to the bad \nguys out to foreign shores. But when it comes to protecting \nhometown America, I believe that that's more appropriate for \nDHS and the work that's being currently done in the NCCIC to \nchoreograph different activities across the federal government \nin better serving the citizens.\n    Mr. Thompson. Just a quick comment. First, I support the \nGeneral's suggestion that we resurrect Smokey the Bear. I think it \nwould be great to see him again and maybe kind of repurpose him \nfor this effort. But I will say first, Congresswoman, thank you \nso much for your comments. I very much agree with what you said \nabout this human element. I can tell you that the practice of \nsecurity I think is changing very much because of that, and I \nthink about the folks that we hire at Symantec as an example. \nThe kinds of folks that are hunting down the malicious networks \ntoday aren't just the computer scientists and mathematicians \nbut there are computational linguists, there are behavioral \npsychologists, there are anthropologists. 
There are people that \nare looking at the human behavior of an attack group, so that's \none side.\n    On the consumer side, which we sell to with Norton, we \nspend an amazing amount of time thinking about how do we make \nsecurity similar to the iPad, and I call it the iPad because \nit's the only piece of technology I think I've ever given to my \nmom and I didn't have to give her any instruction about how to \nuse it. She just understood it. And we spend a massive amount \nof time now today on design. How do we make it intuitive? How \ndo we make it easier to be more secure than less secure? And I \nthink that is where a lot of effort must go in the security \ncommunity today. How do we make it easier to be more secure \nthan less secure?\n    Chairman LaHood. Thank you, Congresswoman Esty.\n    I was just thinking as you referenced Smokey the Bear, \nmaybe a new company, Smokey the Bear Malware would be \nsomething----\n    Mr. Thompson. We'll register the domain, Mr. Chairman.\n    Chairman LaHood. Thank you.\n    I now recognize Mr. Palmer for his questions.\n    Mr. Palmer. Mr. Neino, first, accept our thanks for the \nquick thinking that allowed the kill switch to prevent so many \ninfections, but with regard to your measurements, however, you \nsuggest that the number of 200,000 infections is too low, and \nthat before the implementation of the kill switch, there may \nhave been 1 to 2 million infections. In that regard, how do you \nthen explain that practically no one tried to pay the ransom if \nthere were that many more?\n    Mr. Neino. I think there were some who tried to pay the \nransom be it the measure of success of that is hard to \ndetermine. I think we also----\n    Mr. Palmer. 
Well, what you've got is that from many studies \nthat a large portion of the companies do pay the ransoms when \ntheir computers are encrypted, but monitoring the Bitcoin \nwallets advertised in the WannaCry malware, it seems that less \nthan 500 people did, so that's two one-hundredths of 1 percent.\n    Mr. Neino. Sure. Well, I think----\n    Mr. Palmer. That's very inconsistent with your----\n    Mr. Neino. Yeah, I think----\n    Mr. Palmer. --with what you're saying.\n    Mr. Neino. I think that when you look at--it's hard to \nassociate the payments to the actual spread, and I'll tell you \nfor a variety of reasons. One, when you look at the actual \nattack and the magnitude of the attack and you try to trace it \nto the payment, if you look at the mechanisms to make the \npayment, it was, one, not clear whether you would get your \nsystems back anyways, and at this point the attacks have been \nabandoned, so we know that if you pay the ransom, you didn't go \nanywhere. Most of the media and many of the experts were \nsuggesting not to pay the attack. We were asked the same \nquestion and we said you would have to base your own risk \norganization and determine if you should pay the attack. \nHowever, what I can say is the data that we are receiving is \nabsolute. When we get this data--we've been doing this. It's \nnot just WannaCry. We've been doing this for close to a decade. \nWe see and visibly analyze data that comes in. It is accurate.\n    Mr. Palmer. I'd like to address this question to General \nTouhill, and again, as many of our members have said, thank you \nfor your service, sir.\n    Your testimony refers to people who were infected by \nrunning Windows 95 but published industry reports are saying \nthat almost everyone that was infected was running Windows 7. \nSo isn't it true that the main reason people were infected was \nbecause an intelligence community vulnerability was leaked to \nthe public? 
Turn on your mic, please.\n    General Touhill. Thanks. Sir, thanks for the question. You \nknow, just for clarity's sake, the--in my written testimony I \nhighlighted Windows 95 as being used as an exemplar. However, \nthere was plenty of other different operating systems that were \nvery susceptible to this type of attack including Windows ME, \n7, you know, a lot of unpatched systems.\n    Mr. Palmer. But I'm asking about an intelligence community \nvulnerability that was leaked to the public.\n    General Touhill. I think that if we take a look at it from \nthat standpoint, yeah, I'm very concerned about that, and I \nthink that this highlights a couple of things. First of all, \npatch your systems. We've been telling you all along to do \nthat. Second of all, I think that as we take a look at, you \nknow, the leakage of information or the attribution of leakage \nof information, that's very serious and unacceptable.\n    Mr. Palmer. Well, in regard to the patch, the reality is \nthat a team of actors calling themselves shadow brokers \npublished an NSA exploit called EternalBlue on the Internet, \nand that happened in January 2017, and Microsoft released a \npatch that addressed that vulnerability 3 months later in \nMarch, a patch called MS17-010, so it was not a problem of \nmachines being out of date. The problem was that if you hadn't \nput all of the Microsoft recommended patches on all the \nmachines within 60 days, you would become a victim, and it was \na zero-day attack because when EternalBlue code was released in \nJanuary, there was no way to protect a computer from it.\n    General Touhill. I don't believe I would characterize this \none necessarily as a full-zero-day attack. 
From my perch, you \nknow, frankly, because the fact that we had some patches that \nhad been put out, and Microsoft went through extraordinary \nmeasures, by the way, to go out and create those patches for \noperating systems that had previously been declared \nunsupportable many years before, and I use Windows 95 in my \nwritten testimony as an exemplar because Windows 95 had been \nonline for about 19 years before it was retired, and for the \nlast three years, Microsoft had not been supporting it, and \nthen for them to come back and put out that patch in March was \nextraordinary, and through the federal government and other \norganizations around the world, we went out and we clearly \ncommunicated, and Carnegie Mellon's C-CERT was one of them, \nclearly communicated to all of the communities of interest, \npatch your systems, this is an important patch, and it was \nlabeled as a critical patch, sir.\n    Mr. Palmer. If I may, I have one more question for Mr. \nThompson. Could you address the double pulsar feature that you \nmentioned? Since no one was actually paying the ransoms, it is \npossible that the real goal of the attack was to allow remote \naccess to the machines that the double pulsar was installed on \nby becoming infected?\n    Mr. Thompson. Thanks for your question. It's difficult to \nanticipate what the true intention was of this attack, whether \nit was ransomware, whether it was a test, whether it was the \nability to propagate some kind of back door, but what is, I \nthink, interesting as a characteristic of the attack, which I \nthink goes back to your first question of why didn't we see, \nquote, normal or expected rates of ransomware payment. The \nbackend infrastructure that was set up was very weak compared \nto the typical piece of ransomware that we see out there in the \nwild, and it is pretty incredible. Many of these ransomware \nattacks have a very robust infrastructure behind them. 
They \nhave almost the equivalent of customer support for people that \nhave been infected with the ransomware. We didn't see that \nlevel of sophistication here in the back end.\n    Mr. Palmer. I thank the witnesses for their answers. I \nyield back.\n    Chairman LaHood. Thank you, Mr. Palmer.\n    I now yield to Congressman Webster for his questions.\n    Mr. Webster. Thank you, Mr. Chairman. Thank for you having \nthis meeting, a joint meeting, and thank each of you for \ncoming, but I'll tell you, my mind has been on something else, \nand the statements that were given here were similar to that in \nthat they fit. There was an attack yesterday, and I thought \nabout how the fact it was an advanced, persistent threat, and \nnot only that, was it a personalized attack, and there's some \npeople, in fact, my seatmate here, who acted heroically to turn \nit around, and so I just--that's what was on my mind, these \nCapitol Police whose service protected life yesterday along \nwith the heroic acts of many of the Members of this Congress. \nMaybe it's a different kind of threat but it was real, and in \nthis particular case, there was no human error, and so I just--\nI wanted to take this time that I have, just a few minutes, and \nsay thank you for our people who work there and for the members \nwho serve here who prove there still are heroes in our country \nand they just haven't been exposed yet, and there was some \nyesterday that were exposed, so thank you, Mr. Chairman. I \nyield back.\n    Chairman LaHood. Thank you. I think we have a couple more \nquestions. We're going to go just for a short second round \nhere. I'll yield myself five minutes.\n    Dr. Romine, you note in your written testimony that the \nNational Vulnerability Database, NVD, that NIST maintains and \n``updates dozens of times daily'' of all known and publicly \nreported IT vulnerabilities documented that vulnerability that \nthe WannaCry malware exploited. 
A recent report notes that 75 \npercent of the vulnerabilities documented last year were \ndisclosed elsewhere first and that it takes on average 7 days \nbetween the discovery of a vulnerability and its reporting on \nthe NVD. What is the reason for the delay there if you could \ntalk about that, and is NIST working to get rid of that lag \ntime?\n    Dr. Romine. Thank you for the question. We're always \ninterested in trying to shorten time to deliver really \nimportant information to our stakeholders. In the case of NVD, \nour goal is not first to disclose or first to disseminate the--\nalthough we want to do as early as we can. Our real goal is \naccurate curation, including an assessment of the impact that a \nvulnerability might have, and that assessment requires a \ncertain amount of analysis that has to be done before we can \ninclude something in the National Vulnerability Database.\n    The other reason for that is that the disclosures are often \nfrom sources that are not necessarily reliable from our \nperspective, and including information about vulnerabilities \nfrom sources that we don't view as authoritative would not be \nin our best interest for the NVD.\n    Chairman LaHood. And was there a delay in reporting the \nvulnerability that the WannaCry malware exploited?\n    Dr. Romine. I don't know the exact duration between the \ntime that we received the report and the time that we put it in \nthe NVD. I'm sure it was a matter of days.\n    Chairman LaHood. Thank you. Those are all my questions.\n    I yield to Mr. Beyer.\n    Mr. Beyer. Thank you, Chairman, very much.\n    General, you are the first Chief Information Security \nOfficer, and you took that position, I guess, last September \nunder the Obama Administration?\n    General Touhill. Yes, sir.\n    Mr. Beyer. Do you believe the federal government should \nhave this federal CISO position? 
I know the Trump \nAdministration hasn't filled it yet, but do you--any reason why \nyou left at the time that you did, and any concerns about \nwhether it will be refilled?\n    General Touhill. Well, first of all, thank you for the \nquestion. I believe that this is a best practice to have a \nChief Information Security Officer in different organizations. \nThe first Chief Information Security Officer position was \ncreated in the private sector over 20 years ago, and it took \nabout 20 years for the federal government to create one. I \nthink it is critically important as part of an enterprise risk \nmanagement approach that you do in fact have someone who is \nfocused on information security and the risk to the enterprise \nand advising the corporate community as it were up, down and \nacross as far as what those risks are and best practices to buy \ndown and manage that risk. Within the federal government, we \nstill don't have an authorization for a federal Chief \nInformation Security Officer in statute. My position was \nappointed as an administrative appointment, and I think that as \nwe take a look at--as we move forward--and the Executive Order \nthat just recently came out is a great step forward. I think we \nneed to firm up and make sure that this position is an enduring \nposition but we also need to authorize and empower the position \nsuch that Chief Information Security Officer can in fact have \nthe authorities to choreograph and direct activities that are \nnecessary to better manage our risk.\n    As far as the appointment goes, I look forward to seeing \nwho the Administration brings forward, and I will coach and \nserve as wingman for that person.\n    Mr. Beyer. Great. 
While we're talking Executive Orders, you \nmade the really interesting case that we overclassify, that the \ndefault position right now is to make everything the highest \nthing, and that we should instead make the default position the \nlower level of classification and argue our way up. How do we \noperationalize that? Is this Executive Order, legislation, \nmemorandum of understanding?\n    General Touhill. I thank you for that question. I'm very \npassionate about it because I was responsible for public and \nprivate sector partnerships while I was at DHS and the \ninformation sharing between the public sector and the private \nsector, and frankly, we overclassify too much time-sensitive \ninformation in the federal government, in my view, and I \nbelieve that the solution set is going to have to be a \ncombination of legislation as well as executive action. So I \nthink that really both branches of government are going to need \nto partner up as far as--to determine a best means of getting \ninformation out faster to folks so that we can timely and \nactionable actions in this fast-paced cyber environment.\n    Mr. Beyer. Thank you.\n    Mr. Neino, you had one very intriguing, or many intriguing \nlines in your testimony. One said that ``points contrary to \ndefense (who did it)'' and what I understood from that is we \nspent too much time trying to figure out who is Lazarus or who \nis Bayrob rather than defend ourselves. Can you expand on that? \nBecause I confess, as a naturally curious person who watches \nLaw and Order and CSI and all the stuff, I want to know who did \nit.\n    Mr. Neino. I think that the barrier of entry at this point \nis that anyone could do it, so conjecturing over who has done \nit is a very difficult task because cybersecurity is something \nthat could be easily misdirected. You never really know who the \nattack is, and focusing on that doesn't solve the problem that \nwe're vulnerable. We are vulnerable. 
So if you leave the door \nopen, there could be thousands of people that walk by your \nhouse every day. Would it really matter if it's because you \nleave yourself exposed who has done it? They do it because they \ncan, and we should not make it that way. We should make it so \nthat we are resilient and we are a very strong nation in \nregards to defense.\n    Mr. Beyer. Thank you.\n    Dr. Thompson, do you want to pile on at all?\n    Mr. Thompson. I do. Thank you. You know, it's interesting. \nWe don't spend very much time looking at who did it and who is \nthe country behind it, who is the enterprise behind it, who is \nthe person behind it, but it's very critical for us to \nassociate patterns of behavior. So if we associate attack A \nwith attack B and then believe that these two things are \nconnected, it will let us learn more about that group, the \ntactics that they use, and make is better prepared to protect \nagainst a new attack sight unseen, and that was the case with \nSymantec's AV engines and our artificial intelligence engines \nbecause of previous training on this against the WannaCry \nmalware. So it's critical for us to have that grouping together \nand we'll leave it up to the intelligence community to decide \nwho that group actually belongs to.\n    Mr. Beyer. Great. Thank you very much, Mr. Chair.\n    Chairman LaHood. Mr. Lipinski, do you have any follow-up \nquestions?\n    Mr. Lipinski. No, I think I took plenty of time on my first \nround. I thank the witnesses for your testimony, all the work. \nAs I said, I'm sure we'll be continuing this discussion, so \nthank you.\n    Chairman LaHood. 
In closing, I want to thank all of the \nwitnesses here today for your important, insightful and \nimpactful testimony here today, and as our two Subcommittees \nlook at legislation and public policy as it relates to \ncybersecurity and the ancillary issues of national security, \neconomic vulnerabilities, privacy, we look forward to \ncontinuing to work with you on those issues and appreciate you \ntaking time out of your busy schedule to be here today.\n    And the record will remain open for two weeks for \nadditional written comments and written questions from Members, \nand at this time the hearing is adjourned.\n    [Whereupon, at 11:51 a.m., the Subcommittees were \nadjourned.]\n\n                               Appendix I\n\n                              ----------                              \n\n\n                   Answers to Post-Hearing Questions\n\n\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n                              Appendix II\n\n                              ----------                              \n\n\n                   Additional Material for the Record\n\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n                                 [all]\n                                 \n                                 \n</pre></body></html>\n"