[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]
PROMOTING SECURITY IN WIRELESS TECHNOLOGY
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON COMMUNICATIONS AND TECHNOLOGY
OF THE
COMMITTEE ON ENERGY AND COMMERCE
HOUSE OF REPRESENTATIVES
ONE HUNDRED FIFTEENTH CONGRESS
FIRST SESSION
__________
JUNE 13, 2017
__________
Serial No. 115-38
Printed for the use of the Committee on Energy and Commerce
energycommerce.house.gov
__________
U.S. GOVERNMENT PUBLISHING OFFICE
26-576 PDF WASHINGTON : 2017
----------------------------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
COMMITTEE ON ENERGY AND COMMERCE
GREG WALDEN, Oregon
Chairman
Majority members:
JOE BARTON, Texas, Vice Chairman
FRED UPTON, Michigan
JOHN SHIMKUS, Illinois
TIM MURPHY, Pennsylvania
MICHAEL C. BURGESS, Texas
MARSHA BLACKBURN, Tennessee
STEVE SCALISE, Louisiana
ROBERT E. LATTA, Ohio
CATHY McMORRIS RODGERS, Washington
GREGG HARPER, Mississippi
LEONARD LANCE, New Jersey
BRETT GUTHRIE, Kentucky
PETE OLSON, Texas
DAVID B. McKINLEY, West Virginia
ADAM KINZINGER, Illinois
H. MORGAN GRIFFITH, Virginia
GUS M. BILIRAKIS, Florida
BILL JOHNSON, Ohio
BILLY LONG, Missouri
LARRY BUCSHON, Indiana
BILL FLORES, Texas
SUSAN W. BROOKS, Indiana
MARKWAYNE MULLIN, Oklahoma
RICHARD HUDSON, North Carolina
CHRIS COLLINS, New York
KEVIN CRAMER, North Dakota
TIM WALBERG, Michigan
MIMI WALTERS, California
RYAN A. COSTELLO, Pennsylvania
EARL L. ``BUDDY'' CARTER, Georgia
Minority members:
FRANK PALLONE, Jr., New Jersey, Ranking Member
BOBBY L. RUSH, Illinois
ANNA G. ESHOO, California
ELIOT L. ENGEL, New York
GENE GREEN, Texas
DIANA DeGETTE, Colorado
MICHAEL F. DOYLE, Pennsylvania
JANICE D. SCHAKOWSKY, Illinois
G.K. BUTTERFIELD, North Carolina
DORIS O. MATSUI, California
KATHY CASTOR, Florida
JOHN P. SARBANES, Maryland
JERRY McNERNEY, California
PETER WELCH, Vermont
BEN RAY LUJAN, New Mexico
PAUL TONKO, New York
YVETTE D. CLARKE, New York
DAVID LOEBSACK, Iowa
KURT SCHRADER, Oregon
JOSEPH P. KENNEDY, III, Massachusetts
TONY CARDENAS, California
RAUL RUIZ, California
SCOTT H. PETERS, California
DEBBIE DINGELL, Michigan
Subcommittee on Communications and Technology
MARSHA BLACKBURN, Tennessee
Chairman
Majority members:
LEONARD LANCE, New Jersey, Vice Chairman
JOHN SHIMKUS, Illinois
STEVE SCALISE, Louisiana
ROBERT E. LATTA, Ohio
BRETT GUTHRIE, Kentucky
PETE OLSON, Texas
ADAM KINZINGER, Illinois
GUS M. BILIRAKIS, Florida
BILL JOHNSON, Ohio
BILLY LONG, Missouri
BILL FLORES, Texas
SUSAN W. BROOKS, Indiana
CHRIS COLLINS, New York
KEVIN CRAMER, North Dakota
MIMI WALTERS, California
RYAN A. COSTELLO, Pennsylvania
GREG WALDEN, Oregon (ex officio)
Minority members:
MICHAEL F. DOYLE, Pennsylvania, Ranking Member
PETER WELCH, Vermont
YVETTE D. CLARKE, New York
DAVID LOEBSACK, Iowa
RAUL RUIZ, California
DEBBIE DINGELL, Michigan
BOBBY L. RUSH, Illinois
ANNA G. ESHOO, California
ELIOT L. ENGEL, New York
G.K. BUTTERFIELD, North Carolina
DORIS O. MATSUI, California
JERRY McNERNEY, California
FRANK PALLONE, Jr., New Jersey (ex officio)
C O N T E N T S
----------
Hon. Marsha Blackburn, a Representative in Congress from the
State of Tennessee, opening statement
    Prepared statement
Hon. Michael F. Doyle, a Representative in Congress from the
Commonwealth of Pennsylvania, opening statement
Hon. Leonard Lance, a Representative in Congress from the State
of New Jersey, opening statement
Hon. Frank Pallone, Jr., a Representative in Congress from the
State of New Jersey, opening statement
    Prepared statement
Witnesses
Bill Wright, Director, Government Affairs, and Senior Policy
Counsel, Symantec
    Prepared statement
    Answers to submitted questions
Amit Yoran, Chairman and Chief Executive Officer, Tenable
    Prepared statement
    Answers to submitted questions
Charles Clancy, Ph.D., Director, Hume Center for National
Security and Technology, and Professor of Electrical and
Computer Engineering, Virginia Tech
    Prepared statement
    Answers to submitted questions
Kiersten E. Todt, Former Executive Director, Commission on
Enhancing National Cybersecurity; Managing Partner, Liberty
Group Ventures, LLC; and Resident Scholar, University of
Pittsburgh Institute for Cyber Law, Policy, and Security
    Prepared statement
    Answers to submitted questions
PROMOTING SECURITY IN WIRELESS TECHNOLOGY
----------
TUESDAY, JUNE 13, 2017
House of Representatives,
Subcommittee on Communications and Technology,
Committee on Energy and Commerce,
Washington, DC.
The subcommittee met, pursuant to call, at 10:00 a.m., in
Room 2322, Rayburn House Office Building, Hon. Marsha Blackburn
(chairman of the subcommittee) presiding.
Members present: Representatives Blackburn, Lance, Shimkus,
Olson, Kinzinger, Bilirakis, Johnson, Flores, Brooks, Collins,
Cramer, Walters, Costello, Doyle, Welch, Clarke, Loebsack,
Ruiz, Dingell, Rush, Eshoo, Butterfield, Matsui, McNerney, and
Pallone (ex officio).
Staff present: Kelly Collins, Staff Assistant; Blair Ellis,
Press Secretary/Digital Coordinator; Chuck Flint, Policy
Coordinator, Communications and Technology; Gene Fullano,
Detailee, Communications and Technology; Jay Gulshen,
Legislative Clerk, Health; Kelsey Guyselman, Counsel,
Communications and Technology; Lauren McCarty, Counsel,
Communications and Technology; Paul Nagle, Chief Counsel,
Digital Commerce and Consumer Protection; John Ohly,
Professional Staff, Oversight and Investigations; Dan
Schneider, Press Secretary; Jeff Carroll, Minority Staff
Director; Alex Debianchi, Minority Telecom Fellow; David
Goldman, Minority Chief Counsel, Communications and Technology;
Jerry Leverich, Minority Counsel; Lori Maarbjerg, Minority FCC
Detailee; Jessica Martinez, Minority Outreach and Member
Services Coordinator; and Dan Miller, Minority Policy Analyst.
OPENING STATEMENT OF HON. MARSHA BLACKBURN, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF TENNESSEE
Mrs. Blackburn. Go ahead and call our subcommittee to
order. And I will begin by thanking Mr. Doyle's Penguins for a
very fine hockey series against my Nashville Preds. I told him
I thought about bringing him a little bit of catfish today, but
we were sorry we didn't win but we think it was just a
fantastic series and we congratulate.
Mr. Doyle. Well, thank you.
Mrs. Blackburn. Yes. And now I recognize myself for 5
minutes for an opening statement. And I welcome each of you to
the subcommittee's hearing titled, Promoting Security in
Wireless Technology, and thank you to our witnesses for
appearing and for offering your testimony on this important
issue and thank you for submitting that testimony on time. We
appreciate that.
Mobile connectivity has become essential to our daily lives
as a result of technology and consumer demand. Unfortunately,
increasing reliance on wireless devices and networks has
provided more avenues for cybercriminals to compromise our
security and harm consumers. According to the 2017 Hiscox Cyber
Readiness Report, cybercrimes cost the global economy
approximately $450 billion, and over 100 million Americans had
their medical records stolen in 2016. I think that is such an
important stat. 100 million Americans had their medical records
stolen in 2016.
Threats to mobile devices and networks can run the gamut
from the use of ransomware and phishing schemes to packet
sniffing and attacks on encryption protocols used to protect
information sent over Wi-Fi. These incidents have been occurring
with alarming frequency on scales large and small. The Harvard
Business Review wrote last September 22nd that--and I am
quoting--``Mobile devices are one of the weakest links in
corporate security,'' and that ``if mobile security isn't a
problem for your company yet, it will be.''
Hackers are smart. They are adapting. McAfee's 2016 Mobile
Threat Report notes mobile devices are quickly becoming the
cybercriminal's target of choice because of the abundance of
sensitive information individuals store on them. This is
corroborated by a Newsweek report from March that stated mobile
ransomware attacks had already grown over 250 percent in 2017.
The sophistication and frequency of cyber attacks against
mobile devices continues to escalate and we must meet this
challenge head-on.
Our hearing will also examine threats to wireless networks.
As the Majority Memorandum notes, mobile devices generate
numerous air interfaces to transmit data, with each interface
creating unique security vulnerabilities and attack methods.
Threats include packet sniffing, rogue access points, jamming,
and locating flawed encryption algorithms. These attacks can be
initiated by hackers to obtain financial information, user
passwords, and block legitimate network traffic. A recent
example of this was the DDoS attack against Dyn which disrupted
websites such as Twitter, Netflix, and Etsy last November. We
all remember that one.
I have often said that cyberspace is the battlefield of the
21st century. It is time to act. Hardworking taxpayers are
demanding leadership from Washington in the cyber arena and it
is our duty to provide it. Enhanced defensive capabilities
should be developed by promoting greater collaboration between
public and private entities.
CTIA has shown leadership through its Cybersecurity Working
Group. Their efforts have brought Federal agencies such as the
FCC and DHS together with the private sector to develop
solutions to the dilemma. Whether it is encryption, the use of
authentication standards, updating operating systems, or
rigorous implementation of antivirus software, we must have an
all-of-the-above approach when it comes to forging defensive
strategies against cybercriminals.
[The prepared statement of Mrs. Blackburn follows:]
Prepared statement of Hon. Marsha Blackburn
Welcome to the Communications and Technology Subcommittee's
hearing titled ``Promoting Security in Wireless Technology.''
Thank you to the witnesses for appearing to offer your
testimony on this important issue. Mobile connectivity has
become essential to our daily lives as a result of advances in
technology and consumer demand. Unfortunately, increasing
reliance on wireless devices and networks has provided more
avenues for cyber criminals to compromise our security and harm
consumers.
According to the 2017 Hiscox Cyber Readiness Report,
cybercrimes cost the global economy approximately $450 billion
and over 100 million Americans had their medical records stolen
in 2016. Threats to mobile devices and networks can run the
gamut from the use of ransomware and phishing schemes to packet
sniffing and attacks on encryption protocols used to protect
information sent over Wi-Fi. These incidents have been
occurring with alarming frequency on scales large and small.
The Harvard Business Review wrote last September 22nd that
``mobile devices are one of the weakest links in corporate
security'' and that ``if mobile security isn't a problem for
your company yet, it will be''.
Hackers are smart and they are adapting. McAfee's 2016
Mobile Threat Report notes mobile devices are quickly becoming
the cybercriminal's target of choice because of the abundance of
sensitive information individuals store on them. This is
corroborated by a Newsweek report from March that stated mobile
ransomware attacks have already grown over 250 percent in 2017.
The sophistication and frequency of cyberattacks against mobile
devices continues to escalate and we must meet this challenge
head on.
Our hearing will also examine threats to wireless networks.
As the Majority Memorandum notes, mobile devices generate
numerous air interfaces to transmit data, with each interface
creating unique security vulnerabilities and attack methods.
Threats include packet sniffing, rogue access points, jamming,
and locating flawed encryption algorithms. These attacks can be
initiated by hackers to obtain financial information, user
passwords, and block legitimate network traffic. A recent
example of this was the DDoS attack against Dyn which disrupted
websites such as Twitter, Netflix, and Etsy last November.
I have often said that cyberspace is the battlefield of the
21st century. We must act now. Hard-working taxpayers are
demanding leadership from Washington in the cyber arena and it
is our duty to provide it. Enhanced defensive capabilities
should be developed by promoting greater collaboration between
public and private entities. CTIA has shown leadership through
its Cybersecurity Working Group. Their efforts have brought
Federal agencies such as the FCC and DHS together with the
private sector to develop solutions to the cybersecurity
dilemma.
Whether it is encryption, the use of authentication
standards, updating operating systems, or rigorous
implementation of antivirus software--we must have an ``all of
the above'' approach when it comes to forging defensive
strategies that will defeat and deter cyber criminals.
Thank you and I look forward to the testimony of our
witnesses.
Mrs. Blackburn. I thank you all for being here, and at this
time I yield 5 minutes to the ranking member, Mr. Doyle.
OPENING STATEMENT OF HON. MICHAEL F. DOYLE, A REPRESENTATIVE IN
CONGRESS FROM THE COMMONWEALTH OF PENNSYLVANIA
Mr. Doyle. I thank you, Madam Chair, for holding this
hearing and for the witnesses for appearing today. Before I get
started I just want to reiterate a momentous occasion in our
city. The Pittsburgh Penguins have brought the Stanley Cup back
to Pittsburgh for the second year in a row. We beat back broken
bones and sideline starters and some ferocious play from the
Nashville Predators. I know the Predators aren't squarely in
the gentlelady from Tennessee's district, but I want to
congratulate her and their team on a hard-fought series.
Mr. McNerney. Will the gentleman yield to someone from the
Golden State?
Mr. Doyle. No. No, I will not. But I have time at the end.
You know, in Pittsburgh we could throw Primanti Bros.
sandwiches on the ice, but they taste so good we prefer to eat
them. So anyways, go Pens and congratulations to the Predators.
I also want to mark another milestone. As of today, there
are just under five million comments in the FCC's proceeding to
repeal net neutrality rules. With still months to go, we have
already far eclipsed the record-breaking 3.7 million comments
that were filed in 2015. The vast majority of these comments
are overwhelmingly in support of the current rules and opposed
to the Trump administration's effort.
And I would once again urge the chairman to bring the
Commission before this committee for oversight hearings so that
Congress can do its job and provide much needed oversight and
public scrutiny. I think it would be a dereliction of duty not
to provide oversight of an agency whose actions risk upending
the internet ecosystem, one of the primary drivers of our
economy.
Considering the number of oversight hearings held during
the previous administration, I am sure my colleagues on the
other side of the aisle appreciate this fact all too well and
will see fit to schedule oversight hearings of the Commission
as soon as possible.
Now, on to the topic before us today, promoting online
security. Security is an absolutely critical issue. It enables
an environment where commerce, communication, and innovation
can flourish. However, increasingly, organizations are facing
mounting threats and greater challenges particularly as more
sectors of our economy come to depend on the digital
infrastructure.
These challenges are being compounded by highly
sophisticated online threats that are increasingly funded and
supported by hostile nations. As the witnesses point out in
their testimony, attacks we face today are highly sophisticated
and increasingly destructive, from Crash Override to Mirai
botnet, from the hacks of the DNC and the Russian meddling in
the U.S. election to WannaCry ransomware, these issues are only
escalating in their severity.
My colleagues, Representatives Clarke, Engel, and McNerney
have all introduced legislation in this committee to address
the threats we face. I would encourage the chairman to hold
legislative hearings on these bills. I would also add that we
need to use every tool in our toolbox to address cyber threats
we are facing.
In repealing the FCC's privacy rules using the CRA,
Congress also repealed data security protections contained in
those rules. While these rules were not a panacea, they
required reasonable steps to protect data and were a meaningful
step towards addressing this issue.
With that I would yield the remaining minute and 35 seconds
of my time to any one of my colleagues that desires to use it.
Mr. McNerney?
Mr. McNerney. Well, I thank the ranking member. And I don't
want to say too much more about the Golden State Warriors, so I
will move on. But I want to thank the Chair for today's
hearing.
Security is important. Last October we witnessed a
catastrophic attack that used insecure Internet of Things
devices to cripple the internet. Weak device security poses
serious threats to our national security and to the economy.
That is why I introduced the Securing IoT Act which would
require that cybersecurity standards be established for IoT
devices and that these devices be certified to meet those
standards.
I am also disappointed that my Republican colleagues have
not shown any interest in this bill especially since 20 to 50
billion connected devices are expected to be in use by the year
2020. Meanwhile, my Republican colleagues passed the privacy
CRA, which leaves consumers more vulnerable to cybersecurity
attacks, and that is why I introduced MY DATA Act so that
consumers can have strong data security protections.
I hope my colleagues can get behind these two important
bills, and I yield back to the ranking member.
Mr. Doyle. And Ms. Eshoo, would you like the remaining
time?
Ms. Eshoo. Well, you are nice, but there are 11 seconds
left, so I will weave my comments in later on. Thank you very
much. I appreciate it.
Mr. Doyle. OK, thank you. I will yield back. Thank you.
Ms. Eshoo. Thank you.
Mrs. Blackburn. The gentleman yields back. Mr. Lance, you
are recognized for 5 minutes.
OPENING STATEMENT OF HON. LEONARD LANCE, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF NEW JERSEY
Mr. Lance. Thank you, Chair Blackburn. And welcome to our
distinguished panel, thank you for appearing before us today.
Since the advent of the smart phone and network innovations
such as 4G LTE, consumers have become increasingly less
constrained by location when using the internet. Mobile
technology has changed the way consumers interact, freeing them
to conduct business, to shop, to have access to health and
financial records, to study and participate in countless other
activities almost anywhere in the country.
As more and more technological innovations such as 5G and
Internet of Things devices come to market, billions more
devices will become connected and continue to revolutionize the
way consumers and businesses behave. And we have just
participated downstairs in a forum regarding the Internet of
Things with many of the great companies in this country,
including Qualcomm and Panasonic and Siemens and Honeywell and
others.
However, with increased ease of access and reliance on
connected devices comes increased security risks as the Chair
has already indicated. We have already seen bad actors take
advantage of the flood of internet-connected devices in the
DDoS botnet attacks last year, and an increase of phishing and
malware attacks on mobile devices. Threats are constantly
evolving and increasing in sophistication and scope.
Cybersecurity needs to be a priority as we become more
dependent on connected devices. A large part of this is
educating consumers and businesses on how best to protect
themselves and their devices on the internet such as
recognizing an attempt to invade the internet and regularly to
change passwords.
There is also a responsibility for the Government and
industry to work together in making sure that networks and
consumers are protected without mandating innovation-stifling
technology or security standards that will become obsolete
quickly. And we have seen this across the last 20 years that
technology outstrips what we do here in Washington.
I thank our panel for your efforts in this important field
and look forward to the testimony. And I apologize. I will be
moving in and out. There are two subcommittees of importance
today from the Energy and Commerce Committee. Certainly this is
an incredibly important issue and I will certainly be here to
the greatest extent possible.
Welcome again to our distinguished panel, and I would yield
2 minutes, 20 seconds to any of our colleagues who wish to be
recognized.
Mrs. Blackburn. Anyone seeking time for an opening
statement? If not, the gentleman yields back.
Mr. Lance. I yield back, Madam Chair.
Mrs. Blackburn. Mr. Pallone, the ranking member of the full
committee, you are recognized for 5 minutes.
OPENING STATEMENT OF HON. FRANK PALLONE, JR., A REPRESENTATIVE
IN CONGRESS FROM THE STATE OF NEW JERSEY
Mr. Pallone. Thank you, Madam Chairman.
Cyber attacks are one of the most serious threats to our
national security today. Every day, new information comes out
about how the Russians and other foreign actors are hacking our
institutions and our democracy. Just last week, former FBI
Director Comey testified, and I am quoting, ``The Russians
interfered in our election during the 2016 cycle. They did it
with purpose. They did it with sophistication. They did it with
overwhelming technical efforts. It was an active measures
campaign driven from the top of that government. There is no
fuzz on that.'' Unquote.
This committee has primary jurisdiction over the
communications networks that were used by the Russians to
commit these attacks. We should be focused like a laser on how
to stop them from happening again, but this committee has yet
to hold a single hearing on these Russian hacks. Worse still,
the only legislation House Republicans have pushed and
supported within this subcommittee's jurisdiction actually
makes us less safe, in my opinion.
With no hearings or advance notice, the leadership of this
committee led the charge to strip away Americans' privacy
rights and throw out some of the only protections on the books
to secure our data. These safeguards simply said that broadband
providers needed to take reasonable measures to secure
Americans' data. But despite the Russian hacks, congressional
Republicans eliminated those protections under the absurd
pretext that asking companies to act reasonably was Government
overreach.
This hearing today is another example of committee
Republicans simply not taking these issues seriously. Democrats
tried to invite another cybersecurity expert to testify here
today who could have helped us better understand the threats to
our country like the Russian hacks, but the majority made up
arbitrary and partisan reasons, in my opinion, to effectively
block us. This decision shortchanges our members' ability to
hear from the experts in this area.
These games have to stop because these issues are just too
serious to keep playing politics with our national security.
Now Democrats are trying to address these issues head on in a
nonpartisan way. We have put forward three bills--from Mr.
Engel, Mr. McNerney, and Ms. Clarke--to help fix some of these
problems.
These are good bills that were introduced more than 3
months ago and every day that goes by with no action is another
day that the American people are at risk. Republicans, as I
said before, should stop playing political games with national
security because the risks are too great.
[The prepared statement of Mr. Pallone follows:]
Prepared statement of Hon. Frank Pallone, Jr.
Thank you, Madam Chairman. Cyberattacks are one of the most
serious threats to our national security today. Every day new
information comes out about how the Russians and other foreign
actors are hacking our institutions and our democracy. Just
last week former FBI Director Comey testified, and I'm quoting:
``The Russians interfered in our election during the 2016
cycle. They did it with purpose. They did it with sophistication.
They did it with overwhelming technical efforts. It was an
active measures campaign driven from the top of that
government. There is no fuzz on that.''
This committee has primary jurisdiction over the
communications networks that were used by the Russians to
commit these attacks. We should be focused like a laser on how
to stop them from happening again, but this committee has yet
to hold a single hearing on these Russian hacks.
Worse still, the only legislation House Republicans have
pushed and supported within this subcommittee's jurisdiction
actually makes us less safe. With no hearings or advance
notice, the leadership of this committee led the charge to
strip away Americans' privacy rights and throw out some of the
only protections on the books to secure our data.
Those safeguards simply said that broadband providers
needed to take ``reasonable measures'' to secure Americans'
data. But despite the Russian hacks, Congressional Republicans
eliminated those protections under the absurd pretext that
asking companies to act reasonably was Government overreach.
This hearing today is another example of committee
Republicans simply not taking these issues seriously. Democrats
tried to invite another cybersecurity expert to testify here
today who could have helped us better understand the threats to
our country, like the Russian hacks. But the majority made up
arbitrary and partisan reasons to effectively block us. This
decision shortchanges our members' ability to hear from the
experts in this area. These games have to stop because these
issues are just too serious to keep playing politics with our
national security.
Democrats are trying to address these issues head on in a
nonpartisan way. We have put forward three bills--from Mr.
Engel, Mr. McNerney, and Ms. Clarke--to help fix some of these
problems.
These are good bills that were introduced more than three
months ago. Every day that goes by with no action is another
day that the American people are at risk. Republicans must stop
playing political games with national security. The risks are
just too great.
Mr. Pallone. And with that, I would like to yield the time
that I have left to Ms. Clarke and Ms. Eshoo. I guess we will
split it evenly. We will start, I yield to Ms. Clarke.
Ms. Clarke. First, I would like to thank our ranking
member, Mr. Pallone, for yielding his time to me and thank
Ranking Member Doyle and Chairwoman Blackburn for holding this
important hearing. And I welcome our witnesses today for their
expert testimony, I look forward to hearing from today's
panelists.
Many of my constituents in the 9th congressional district
of New York have voiced their concerns on cybersecurity and
have asked what I and my colleagues can do to lessen
their vulnerability to cyber attacks which is why I introduced
the Cybersecurity Responsibility Act of 2017.
The Cybersecurity Responsibility Act of 2017 calls on the
Federal Communications Commission to take an active role in
protecting communications networks by carefully arranging,
organizing, and supervising cybersecurity risks to prevent
cyber attacks. As technology continues to develop and grow, so
must our rules and regulations on internet safety. It is our
duty not only as Members of Congress but as members of the
committee to protect Americans against cyber attacks by
ensuring that there are sufficient rules in place. With that,
Mr. Chairman, I yield back to you.
Mr. Pallone. I yield the remaining of the time to Ms.
Eshoo.
Ms. Eshoo. I thank the ranking member, and I thank all the
witnesses. Some of you have been here before, welcome back, and
to those who haven't, welcome.
It has been said but it needs to be restated,
cybersecurity, I think, is really one of the most pressing
national security issues, challenges for our country. Almost
everything that we do here in Congress relative to
cybersecurity is after there has been a breach, and I think
that we need to really drill down on prevention.
I have spoken to countless people in my Silicon Valley
district. Almost to a person they tell me that we need to
concentrate on prevention. Up to 90 percent of the breaches,
both Government and private sector--and 95 percent of this is
private sector, 5 percent is the Federal Government as
important as it is--say that there are two pillars to this. One
is cyber hygiene and the other is consistent security
management, so I am shortly going to be introducing legislation
that reflects that.
I think that NIST can set the standards and I think that
companies should have a set of good housekeeping seal of
approval and that as important as it is to take steps after
something has happened, I think that we need to start focusing
on prevention.
So we will talk more about it with our distinguished panel,
but I want to thank the ranking member for giving me some time
to make this brief statement. Thank you.
Mrs. Blackburn. The gentlelady yields back. The gentleman
yields back, and this concludes our opening statements. I will
remind all Members that their opening statements will be made a
part of the record.
And we do thank our witnesses for being here with us today.
We are going to give each of you the opportunity to make a 5-
minute opening statement.
And our witnesses: Mr. Bill Wright who is the director of
Government Affairs and Senior Policy Counsel, and we welcome
you; Mr. Amit Yoran, who is the chairman and CEO of Tenable;
Ms. Kiersten Todt, who is the managing partner at Liberty Group
Ventures and a resident scholar at the University of
Pittsburgh--I guess you are celebrating too--Institute for
Cyber Law, Policy, and Security; and Mr. Charles Clancy, who is
the director and professor at Hume Center for National Security
and Technology at Virginia Tech.
So we appreciate that you are each here. We will begin, Mr.
Wright, with you. You are recognized for 5 minutes for your
opening statement.
STATEMENTS OF BILL WRIGHT, DIRECTOR, GOVERNMENT AFFAIRS, AND
SENIOR POLICY COUNSEL, SYMANTEC; AMIT YORAN, CHAIRMAN AND CHIEF
EXECUTIVE OFFICER, TENABLE; CHARLES CLANCY, PH.D., DIRECTOR,
HUME CENTER FOR NATIONAL SECURITY AND TECHNOLOGY, AND PROFESSOR
OF ELECTRICAL AND COMPUTER ENGINEERING, VIRGINIA TECH; AND,
KIERSTEN E. TODT, FORMER EXECUTIVE DIRECTOR, COMMISSION ON
ENHANCING NATIONAL CYBERSECURITY; MANAGING PARTNER, LIBERTY
GROUP VENTURES, LLC; AND RESIDENT SCHOLAR, UNIVERSITY OF
PITTSBURGH INSTITUTE FOR CYBER LAW, POLICY, AND SECURITY
STATEMENT OF BILL WRIGHT
Mr. Wright. Chairman Blackburn, Ranking Member Doyle,
members of the subcommittee thank you for the opportunity to
testify today. The cyber threats that we face today and every
day are growing both in numbers and in sophistication. As the
chairman pointed out in her opening statement, cyberspace truly
is the battlefield of the 21st century.
And while global ransomware attacks and destructive malware
attacks tend to steal the headlines, it is other threats--
threats to mobile, threats to wireless, threats to IoT--that
are quickly gaining prominence. And no wonder, today more than
half of the world's web traffic originates from mobile phones
and nearly half of the people on the planet own a smart phone
today.
But I think calling it a phone doesn't quite do this
justice. This isn't a phone. It is a powerful, connected,
handheld computer and from time to time you can use it to call
your wife. We need to start viewing these as computers and we
need to protect them as computers. Our web searches, our
banking, our personal health information is all being
transmitted and stored on mobile devices. Our smart phones are
becoming an extension of ourselves and our identity.
We are also seeing a blurring of the lines between work-
issued devices and personal devices. Employees can and often
expect to be able to work from anywhere. Workers can
unwittingly introduce a virus into an entire network system from
a single download of a malicious app. IT security is no longer
about just protecting the perimeter from attack because that
perimeter now covers the entire planet.
As we all rush and rush to connect more and more devices to
the internet we will undoubtedly improve our lives in many,
many ways, but we will also be greatly increasing the attack
surface. Last year's Mirai botnet DDoS attack was a sobering
wake-up call for how powerful an IoT-based botnet could be. And it
was also a chilling reminder for what could happen if those bot
masters had trained their sights elsewhere, say on an
industrial control system.
Attackers are continuing to evolve their criminal tools and
getting better at avoiding detection and obfuscating their
actions. The incentives for criminals are very strong.
Cybercrime is more lucrative than ever. There is very little
risk in getting caught and the underground cybercrime
marketplace is booming, allowing even an art history major to
conduct highly sophisticated cyber attacks by renting crime as
a service by the hour or buying ransomware tool kits or mobile
banking trojans.
Mobile device manufacturers, particularly Apple, have done
a pretty good job at putting security into their products and
keeping malicious apps out of their stores. Android also has
made some great strides over the last year. However, the very
attributes that make mobile phones so attractive to consumers
also make them a very tempting target for cybercriminals
because unlike your desktop computer, your mobile device is
always active, always receiving and used for every aspect of
your life.
Increasingly, smart phones are used for authentication
purposes in various online accounts. A hacker only needs to
steal or access your mobile device to get past all the other
defenses that have been set up on the network side.
Unfortunately, the public's attitude towards securing their
devices has not kept pace with the potential threat. More than
a quarter of smart phone users do not even use the most basic
security feature, the screen lock, let alone applying timely
software updates.
And the criminals are following their victims onto these
new platforms. Over the last few years we have seen a dramatic
rise in malicious activity related to mobile devices driven by
cybercriminals using tried and true methods to monetize attacks
such as premium text messages, click fraud, and ransomware.
Last year, Symantec detected more than 18 million mobile
threats, an increase of 105 percent from the prior year. This
trend will only be exacerbated over the next few years when
tens of billions of connected devices are added to the
internet. Cybercriminals are only bound by their own
imagination and if there is a way to steal valuable data and
monetize it, they will find it.
As this subcommittee knows, we face significant challenges
in our efforts to secure wireless networks and mobile devices
and while there remains much work to be done we have made some
progress in some areas, for instance, how we share threat
information and when we share threat information with our
Government partners.
At Symantec we are committed to improving online security
across the globe, including wireless and mobile security, and
will continue to work collaboratively with our customers,
industry, and governments to do so. Thank you again for the
opportunity to testify, and I am happy to answer any questions.
[The prepared statement of Mr. Wright follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Mrs. Blackburn. I thank you for the testimony.
Mr. Yoran, you are recognized for 5 minutes.
STATEMENT OF AMIT YORAN
Mr. Yoran. Chairman Blackburn, Ranking Member Doyle, and
members of the subcommittee, thank you for the opportunity to
testify today in what promises to be the most exciting hearing
of the day. I am chairman and CEO of Tenable, the world's most
widely deployed vulnerability management solution including in
the Federal Government where the majority of Government
agencies use our technology to assess and manage their cyber
risk.
It is important to put mobility and wireless in the context
of modern computing enterprise environments which are dynamic
and borderless and virtually unlimited in connectivity. Mobile
devices, wireless networks, transient user populations, cloud-
based infrastructure, web applications, and the shift to DevOps
go hand in glove with the Internet of Things in invading our
computing environments.
Today's complex mix of computer platforms and applications
combine to represent the modern attack surface where the assets
themselves and their associated vulnerabilities are constantly
expanding, contracting, and evolving, almost like a living
organism, creating gaps in overall system understanding,
security coverage, and resulting in underestimated exposure.
Therefore, it is important that any approach to cybersecurity
for mobile devices or wireless networks not be done in
isolation but, rather, viewed as part of a holistic ecosystem.
In over 20 years practicing information security, the
following axiom proves true time and again. You cannot secure
what you don't know about. If there are elements of your
computing environment that are invisible or unknown to you,
chances are that they represent unaccounted-for risk.
Both the NIST Cybersecurity Framework and DHS's Continuous
Diagnostics and Mitigation program call for identifying assets
and vulnerabilities as the first step in cybersecurity.
Identifying assets not just once but continually is foundational
to assessing risk and developing effective security programs.
My written testimony includes policy recommendations, a few of
which I will highlight.
First, we need a bold, new cyber workforce strategy that
develops and advances the ranks of all people from different
walks of life. Only through increased inclusion and diversity
in perspective and thought can our industry achieve the greater
creativity, innovation, and develop new solutions to our most
vexing challenges.
At Tenable we have implemented a Rooney Rule to set an
example of greater diversity in our leadership ranks. I do want
to state, however, that our efforts to expand the workforce
will inevitably fall short of the insatiable demand for cyber
talent and we have to prepare for that with a complementary
focus on technology and automation.
Second, the Government should encourage the private-sector
companies to continually and fully assess their cybersecurity
risk just as the Federal agencies will be doing and many
regulatory requirements and best practices already mandate.
Today, all organizations are part of a global ecosystem with a
cyber hygiene responsibility to one another.
Simple malware like WannaCry demonstrated what a very
crippling cyber attack might do. The infection was spread
company to company, many of which simply failed to adequately
assess their cyber risk and act accordingly. Third, the Federal
Government should continue to promote the NIST Cybersecurity
Framework which, according to Gartner, will be adopted by 50
percent of organizations by 2020.
In closing, I want to emphasize the importance of taking an
agile, continuous, and holistic approach to cybersecurity and
technology policy. As we all know, IT is changing quickly
across so many different dimensions. Prudence would have us
look at mobile devices, wireless networks, and other
technologies gaining great adoption in the broader context of
our IT environments rather than in isolation.
I would like to thank Chairman Blackburn, Ranking Member
Doyle, and all the members of the subcommittee for their
attention to this important issue and I will be happy to
respond to your questions.
[The prepared statement of Mr. Yoran follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Mrs. Blackburn. I thank the gentleman and he yields back
and, Dr. Clancy, you are recognized for 5 minutes.
STATEMENT OF CHARLES CLANCY
Dr. Clancy. Thank you, Chairman Blackburn, Ranking Member
Doyle, and subcommittee members. I think we can all agree that
there are major vulnerabilities in the larger ecosystem of
wireless security that we have reason to be concerned about. I
would like to focus my opening remarks a bit on the wireless
infrastructure that underpins those networks.
Over the last decade we have seen a fundamental shift of
the DNA of the internet from the internet that connected
stationary computers to fixed server infrastructure to one that
is the social mobile internet. It is ubiquitous mobile
broadband that connects smart phones and users to social media
and the internet as a whole.
This has again fundamentally changed the makeup of the
traffic on the internet and the nature of the cybersecurity
threat to the internet. Over the next decade we will see
another titanic shift of the internet with the so-called
Internet of Things which has been referred by several others so
far, but the idea here is that we could see an increase of 20
billion devices connected to the internet; again another
fundamental titanic shift of the DNA of the internet.
The wireless industry is working aggressively to address
the needs of IoT with 5G wireless technology and is seeking to
make sure that there are security components that are built
into the infrastructure to address those needs. If you look at
our cellular infrastructure today, the majority of us have 4G
LTE coverage.
And 4G LTE learned from the mistakes of 3G, which learned
from the mistakes of 2G, which learned from the mistakes of 1G,
and for the most part has the needed building blocks to develop
and manage a secure, wireless, mobile broadband infrastructure.
The key challenge we have though is that while 4G LTE is
ubiquitously deployed, we still have 2G and 3G infrastructure
that is operating, and much of the rest of the world has 2G and
3G infrastructure operating that remains vulnerable to a wide
range of different attacks.
And in particular, in the last 12 months we have seen press
around IMSI catchers or so-called StingRays that are able to
compromise user privacy and the SS7 attacks that were able to
impact user privacy as well. And the big challenge is not that
4G LTE is insecure, it is just that we still have this legacy
2G infrastructure deployed that remains insecure.
Additionally, we have unlicensed bands, unlicensed
technology, wireless technology-fueled innovation over the last
decade or two, right. WiFi fundamentally transformed many
aspects of how we connect to the internet and how internet is
available to us. However, in the early days of WiFi there were
rampant security vulnerabilities. My Ph.D. dissertation was
studying those vulnerabilities and looking to address them in
the standards that ultimately became WPA and WPA2, which
ultimately shored up many of those vulnerabilities.
And while home users and residential WiFi networks are for
the most part secure through deployment of these new
technologies, hotspots at everywhere from your coffee shop to
airplanes remain insecure and are vulnerable to attacks that we
have known about for 2 decades. So that remains, I think, a
challenge as we look at the wireless ecosystem as a whole.
Third, I would look at the services that operate over these
networks, right. We have a very complex tapestry of members of
this ecosystem. We have the device manufacturers, we have the
operating system vendors, we have the people who write and
develop apps that run on these systems. We have the cellular
operators. We have the OEMs who build equipment for the
cellular operators. We have the cloud providers and we have the
media service entities that sit over top of all of it. And
each one of these different groups has a different
regulatory focal point within the U.S. Government, whether it
be the Federal Communications Commission or the Federal Trade
Commission or DHS, and this creates a very complex ecosystem
when seeking to achieve cybersecurity because no one entity
across that entire continuum has enough control of the
ecosystem to achieve unilateral security.
So as a result, I think it is imperative that we look at
cybersecurity as a partnership where we need stakeholders
across both Government and industry to be working
together on developing solutions and deploying those solutions.
And lastly, as a member of the academic community, I will
reinforce the points that have been made earlier around
workforce. There are over a million cybersecurity jobs here in
the United States of which 31 percent are vacant. The number of
new jobs in cybersecurity each year that become open exceeds
the total volume of computer scientists graduating across the
entire United States.
So we need to think more broadly about how we fill these
cybersecurity gaps, and we need to think of cybersecurity not
just as a subdiscipline of computer science, but something that
is fundamentally intrinsic to technology overall. And with that
I will thank the chairman and conclude my remarks.
[The prepared statement of Mr. Clancy follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Mrs. Blackburn. The gentleman yields back and we thank you.
Ms. Todt, you are recognized for 5 minutes.
STATEMENT OF KIERSTEN E. TODT
Ms. Todt. Good morning, Chairman Blackburn and Ranking
Member Doyle and members of the subcommittee. Thank you for the
opportunity to present my testimony on the promotion of
security in wireless technology. I am currently the managing
partner of Liberty Group Ventures and a resident scholar in
Washington, DC, at the University of Pittsburgh Institute for
Cyber Law, Policy, and Security.
I also serve on the Federal Advisory Board of Lookout,
Incorporated, and most recently served from March 2016 to March
2017 as the executive director of the presidential Commission
on Enhancing National Cybersecurity. This Commission was
bipartisan and independent and was charged with developing
actionable recommendations for growing and securing the digital
economy as well as for creating a road map for the incoming
administration.
I appreciate this subcommittee's awareness of the need to
focus on the security of wireless and mobile technology. In a
world where first-to-market overrides secure-to-market and
every enterprise is seeking to make operations move more
quickly and be more convenient, addressing the security of
these innovations is critical and absolutely necessary. In
response to the questions posed by this hearing, my testimony
will primarily focus on mobile security and addressing the
growing threat around interdependencies in IoT.
Mobile devices are an attack vector that cannot be ignored
and they are increasingly targeted for access to sensitive
information or financial gain, as we have heard thoughtfully
from our other panelists. But mobility should not be at odds
with security and the reality is that cloud and mobile adoption
in the enterprise is just beginning.
Mobile devices are a part of every supply chain in your
home and in your office, and mobile devices have become much
more than communications devices. They are the access point to
our work and our personal lives. Additionally, with the rise of
two-factor authentication--an important step in ensuring
security, but not the ultimate solution--the smart phone has
become even more important than the password.
A compromised device could hand over to an attacker an
authentication code and thus access to an individual's most
personal information as well as any work-related sensitive
information. All mobile products have latent security
vulnerabilities that could be exploited by bad actors and many
users ignore security policies and download apps from
unofficial sources.
According to a recent Ponemon study, 67 percent of the
Global 2000 reported that a data breach occurred as a result of
employees using mobile devices to access the company's
sensitive and confidential information. Last summer, Lookout
and Citizen Lab detected the Pegasus spyware. Pegasus took
advantage of three zero-day vulnerabilities in iOS devices
to take complete control of a device.
The attack was capable of getting messages, calls, emails,
logs, et cetera from apps including FaceTime, Facebook,
WhatsApp, Viber, Skype, Gmail and others. This threat
represents the first time anyone has seen a remote jailbreak of
an Apple device in the wild and shows us that highly resourced
actors see the mobile platform as a fertile platform for
gathering information.
Historically, Government agencies have been restrictive
about the use of mobile devices in the workplace. Perhaps
because agencies now recognize that mobility is happening with
or without their permission, we are beginning to see a shift
towards prioritizing mobility initiatives in the Federal
Government. The bottom line is that smart phones are
essentially a supercomputer, as my colleague Mr. Wright noted,
and today most have absolutely no security software on them.
Mandates or policies stipulating that mobile devices must have
an agent on the device that does predictive analytics should be
considered.
I would like to take this opportunity to commend John
Ramsey the CISO of the U.S. House of Representatives for his
focus and recent action on mobile security. This example is one
where Congress is ahead of the executive branch in implementing
a cybersecurity best practice, and I encourage this committee,
perhaps in collaboration with the House Homeland Security
Committee, to hold a hearing on and to examine how Federal
agencies can do a better job to defend against mobile security
risks and to take a page from the U.S. House of
Representatives.
Our interconnections and interdependencies are becoming
more complex and now extend well beyond critical
infrastructure. These interconnections reduce the importance of
the critical infrastructure label because by association all
dependencies may be critical as we saw with the Dyn/Mirai
attack last fall. The proliferation of IoT devices is a growing
challenge, and for the purpose of this hearing I offer the
automobile as an example of interconnected devices.
A Tesla is really a giant phone and battery on wheels. The
base technology for connected cars originates from the smart
phone revolution. And IoT and all of the technology that goes
into connected cars, for example, is based on open source code
that is genetically related to smart phones.
We need to recognize that neither the Government nor the
private sector can capably protect systems and networks without
close and extensive cooperation. The mobile environment only
adds to the challenge and urgency to develop an approach that
emphasizes pre-event collaboration, which I describe in my
written testimony, to more effectively manage our collective
cybersecurity risk.
As Representative Eshoo noted, Government does incident
response well, but we need to be doing more to focus on
prevention and collaboration before an event actually occurs.
Information sharing is a byproduct of trust that develops
through that type of collaboration. We now recognize mobile
security as one of the greatest risks affecting all enterprises
and we therefore need to treat mobile devices as an endpoint
priority equal to, if not more important than, traditional
endpoints such as desktops and laptops.
Thank you for the opportunity to testify in front of you
today. I look forward to answering your questions.
[The prepared statement of Ms. Todt follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Mrs. Blackburn. Thank you so much. That was wonderful
testimony, zipping right through it. And so we will begin with
questions and I will yield myself 5 minutes and begin the
questions.
Mr. Wright, I am going to start right there with you. We
know and you all have referenced some of the public-private
partnership, the Government-industry partnerships that have
moved forward and attempted to look at best practices in the
mobile cyberspace. NIST, we have mentioned that a couple of
times their framework and CTIA Cyber Working Group.
So is standard setting enough, is best practices enough, or
do we still need to have a statutory, legislative solution?
Mr. Wright. I think it might be a little early to tell.
Right now following some of the NIST and cybersecurity
framework guidelines I think is working. I think there are a
lot of private-sector companies that are currently adopting
part of the executive order. It is going to get more of the Government
using the NIST Cybersecurity Framework, but there is a lot of
other cooperation going on between public and private sector as
well.
I think if WannaCry had happened 2 years ago, it would have
been a much different story. Today, this time you had
Government and the private sector coming together immediately
within hours of the outbreak starting, sharing information,
sharing indicators of compromise, and you ended up getting sort
of a much, much better result.
At Symantec, I know we take our Government and our private-
sector relationships very seriously, most oftentimes focused on
law enforcement. But that sort of private-sector industry and
Government partnering, I think, really is the key to this.
There is no government around that is going to be able to fight
this problem alone and there certainly is no private company
that is going to be able to fight this alone.
Mrs. Blackburn. OK. Anyone else want to add something? Ms.
Todt?
Ms. Todt. If I may. So I had the privilege of working with
NIST on the development of the Cybersecurity Framework, and one
of the reasons why it continues to be so successful is it was
developed by industry for industry, so then there is an
approach that industry is then allowed to take to understand
how to manage its risks.
And I think one of the strong points to the executive order
that President Trump released was the focus on risk management,
and I think when you are looking for industry and Government to
come together having that focus on risk management from a
collaboration perspective helps to develop those standards.
What we concluded in the Commission report was that private
and public sector they should work together. When they don't
work together we should create incentives and when those
incentives don't work then we should interfere with regulation
and other types of official standards.
Mrs. Blackburn. OK, anyone else?
Dr. Clancy, let me ask you. You talked a little bit about
the Internet of Things and the connected devices. And of course
we have a forum going on today, a showcase dealing with some of
that. I want you to expand a little bit on the challenges of
securing the IoT devices, especially the wearable technologies,
and what would be some of the consequences of our failing to
adequately secure IoT devices if you have 20 billion such
devices connected to the internet in a few years, and what do
you see that framework, those challenges?
Dr. Clancy. Well, I think that IoT represents a breadth of
different products and technologies. You have your internet-
connected----
Mrs. Blackburn. Right, let's focus on the wearable
technologies.
Dr. Clancy. OK. So with respect to wearable, I think some
of the chief concerns are privacy of individual users. And we
want to make sure that data that is collected from those
devices and ingested into the cloud and used as part of whether
it is some health app or some other service to consumers, that
that data remains private and isn't used to compromise the
privacy of those who use that information.
I think some of the challenges we have are that many of the
devices are manufactured overseas. We have supply chain
challenges and code quality challenges with the software that
is in those devices, and that results in devices that we don't
know are robust or not. Many times they connect through
unlicensed WiFi devices and there are no strong credentials or
authentication that can be used to provide real governance over
those devices. There is no way to push out software updates,
for example, in a deterministic way if there are
vulnerabilities that are discovered.
So I think those are some of the challenges that we face
and particularly in the wearable space of IoT.
Mrs. Blackburn. Thank you. Before I yield back my time I
will, my colleagues across the aisle have mentioned Russia a
couple of times. And I would just like to highlight that we
have in times past tried to raise Russia and our concerns there
is an issue and indeed with items manufactured offshore, I
think Huawei. We did a hearing on cyber and Huawei and concerns
with Russia and then even in the 2012 Presidential Mr. Romney
raised Russia as a concern.
I would also highlight with my colleagues we have privacy
and data security legislation we would love to move forward on.
We look forward to having them join us in working on these
issues. And with that I yield back my time and recognize the
gentleman from Pennsylvania for 5 minutes for questions.
Mr. Doyle. Thank you, Madam Chair. So as the threats we
face continue to evolve and grow it seems that we not only need
to step up our basic practices of cyber hygiene and best
practices, but we need to look to the future. And the
witnesses, all of you in your testimony, refer to the shortfall
in the workforce for cybersecurity positions.
I know that DARPA in 2016 had the Cyber Grand Challenge and
they challenged researchers to create autonomous systems that
could defend against cyber attacks. Actually, a team from
Carnegie Mellon won that challenge, a victory that we are proud
of in Pittsburgh.
But I am curious. How does the panel see autonomous
defensive systems addressing this escalation in threats and our
workforce shortfalls? And we can just start at Mr. Wright and
go down. Please.
Mr. Wright. Certainly the shortage in qualified cyber
personnel is a problem today. It is going to be a problem in
the future. I think the more that we can move toward autonomous
defenses the better off we are going to be. I don't think the
technology is there today, but it is getting better every day.
That type of innovation I know is a huge focus not just for
Symantec but for other vendors as well.
Mr. Doyle. Thank you. Mr. Yoran?
Mr. Yoran. I think that there is great promise and
certainly progress being made in autonomous defenses, a lot of
work going on in the cyber domain around artificial
intelligence. From my perspective, the key to success is to
scale the talent that we have asymmetrically. Part of that
would be through autonomous defense, part of it would be
through other technologies which allow the limited number of
network defenders to cover more ground.
Dr. Clancy. I would agree with that. I think the major
opportunity with autonomous defense is to act as a force
multiplier for those human analysts who ultimately are making
decisions about what defenses to deploy and how to manage them.
We are seeing a renaissance of artificial intelligence right
now with deep learning and early research. Applying that to
cybersecurity looks very, very promising. But that will help
make existing analysts and cyber defenders more efficient, but
they will always still need to be part of the equation.
Mr. Doyle. Sure.
Ms. Todt. I would like to just approach it from a little
bit of a different perspective in the sense that from the
workforce we look at the fact--what we heard on the Commission
particularly is that there are two issues. The current
workforce that we have isn't trained effectively for the skill
sets that are needed and we also need to be bringing in
additional individuals into the workforce.
But this needs to happen while automation, AI, big data
machine learning, are all being developed and so what we have
to understand is that the culture of cybersecurity that is
being created covers everything. And arguably, everybody is a
part of the cyber workforce, so while developing that workforce
we are also able to invest in the innovation that can
contribute to the autonomous defense that you mentioned.
Mr. Doyle. Thank you. Let me ask the panel this also. You
know, as we look to the range of threats by government,
industry, institution to individuals, we acknowledge we all
have a shared responsibility to defend and protect this
infrastructure. So what role do you think ISPs can play in
mitigating cyber threats, whether it be a botnet, malware, or
some other threat? Do you think Federal agencies should have
more authority to mandate either concrete steps or risk
mitigation frameworks to ensure that these companies take
sufficient steps to protect these networks if they are not
doing it on their own? And for anyone on the panel.
Mr. Yoran. Sounds like a dangerous question. I will take a
stab at it. I think that there is an opportunity for service
providers to differentiate themselves based on security service
levels and we have seen a number of service providers take a
very proactive approach to their security programs and offer
security services and protective services as part of these
packages and using it as a differentiation.
When you get to a point of mandating security, I think you
are on a very slippery slope and potentially dangerous scenario
where the service providers don't necessarily own the
applications. They don't understand the ways the systems are
being used and what impact might occur if they choose to block
certain types of traffic or not.
So there is merit in further investigating the concept, I
just think it should be done very cautiously.
Ms. Todt. And I just would like to add, from the executive
order this was one of the key issues that was raised and it was
also something that created a lot of initial tension with the
Commission to understand whose role, who is responsible for
what. As Amit said, I mean this is dangerous territory and
there was a lot of discussion and debate.
But what the executive order lays out and I think what
industry has said is essentially we need to come together to
understand where the responsibilities lie and how to create a
road map for moving forward. This is clearly an issue for
collaboration between industry and Government.
Mr. Doyle. Thank you. Thank you, Madam Chair. I yield back.
Mrs. Blackburn. The gentleman yields back. Mr. Lance, for 5
minutes.
Mr. Lance. Thank you. I promise no dangerous questions and
you have all answered them very beautifully and very adeptly in
my judgment.
Dr. Clancy, you mentioned in your testimony that 5G
technologies have the opportunity to close current
cybersecurity gaps. Can you please expand on what these
cybersecurity gaps are and how the industry 5G innovations can
help close the gaps?
Dr. Clancy. I think that as you look at the shift, the
technology shift that has happened as we move from the 3G and
2G core network infrastructure to the 4G core network
infrastructure, we have moved away from the old circuit-switched
technology and into all IP-based cell phone backhaul and
backbone.
This is creating a range of new opportunities for new
technologies and new services that can be provided through this
infrastructure and it also exposes much of the cellular
infrastructure to the same sorts of risks that you face on the
internet. Before, we had a closed circuit-switched network that
was isolated from the internet; now the barrier between the
internet and the cell phone core infrastructure begins to get
blurry because of the structure of the 4G infrastructure.
5G actually blurs the line even further with technologies
like edge computing, a cloud-based Radio Access Network
technology. However, these are new tools in the toolbox that
could be used to construct a better set of layered cyber
defenses on behalf of subscribers, but we still haven't yet
from a research and standards perspective really figured out
how all of that will fit together.
Mr. Lance. Thank you. Mr. Yoran, as we saw with the attack
last year, unsecured Internet of Things devices can pose a
threat to the other areas of the internet ecosystem. With
billions of IoT devices expected to come to market in the
coming years, it is essential that this vulnerability be
addressed. Do you see the NIST Cybersecurity Framework as the
best approach to address Internet of Things security?
Mr. Yoran. I think the NIST Cybersecurity Framework is
probably the best place to begin the dialogue around Internet
of Things security. At the end of the day, we have to take a
holistic approach to cybersecurity. We can't look at multiple
devices independently, we can't look at wireless networks
independently or Internet of Things independently. These things
are completely intertwined. Internet of Things most frequently
rely on wireless networks for their communications so they have
to be looked at.
And I think the most important thing from my perspective
that the Cybersecurity Framework pushed toward was taking a
risk-based approach, because no use of technology is risk-free
so understanding it from a risk perspective is really helpful.
Mr. Lance. Would anyone else on the panel like to comment?
Ms. Todt. Just a quick comment. That is one of the issues
that was brought up also in the executive order and from the
Commission which is to bring together, as Amit said, bringing
together industry and Government based off of the platform. So
I think there is motion already in place at NIST to move
forward with this to be able to create a set of standards that
industry creates for itself.
Mr. Lance. I couldn't agree with that more in that industry
is often ahead of us in Government and we want to work in a
cooperative way. But my belief, based upon the last 20 years,
is that we are innovative because of the way we have approached
this and certainly we want the United States to continue to be
the innovative center of the world regarding these matters.
I represent a district that is very heavily involved in
technology and in the internet and we want that to continue. We
don't want to lose leadership to some other place around the
globe. Thank you, Chair, and I yield back a minute.
Mrs. Blackburn. And we will take it. And Mr. McNerney, 5
minutes.
Mr. McNerney. I thank the chairwoman. Ms. Todt, in your
written testimony you talked about the world where first to
market overrides secure to market. Would you agree that we are
currently faced with a market failure since those who buy and
sell insecure devices now have to bear the full cost of those
devices?
Ms. Todt. So I think you have asked a question that is
really at the crux of the IoT debate, because as long as we are
pushing out innovation without any security guidelines or
boundaries we are in this second phase.
A colleague of Mr. Wright's at Symantec was part of the
NSTAC report who talked about this first 18-month window that
we have passed on the proliferation of IoT devices. And where
we are now is that we heard from, in one of our Commission
hearings, the CIO of Intel who said we want regulations and
standards around IoT devices because we can't possibly compete
in this realm where you have small businesses pushing out the
innovation.
So we have to think thoughtfully about incentives,
penalties, and being able to truly develop secure by design,
which is unfortunately becoming one of those terms that is
losing its meaning because it is such a common term. But the
idea of building security in and having to build software and
hardware to certain standards around security has to be a
priority right now with, as we have heard, all of the
statistics the proliferation of IoT devices that is only going
to increase.
Mr. McNerney. Well, you sort of answered my follow-up
question already which was I proposed legislation that would
require cybersecurity standards to be developed for the devices
and for the devices to be certified to meet those standards.
Would that help decrease the threat?
Ms. Todt. So I think it actually connects back to an
earlier question which is how do we build out the IoT
standards? And I would offer that where we have seen such
success with the NIST Framework is the fact that industry and
Government have worked together and so really looking at that
collaboration first and foremost and then being able to inform
any legislation.
I think the sequence of that is important because we learn
from what industry has done and we have to come together to
then develop the standards that you reference.
Mr. McNerney. OK, thank you. Mr. Wright, Symantec's
Internet Security Threat Report points to a growing number of
attacks on IoT devices. Would requiring the IoT devices to meet
baseline cybersecurity standards help decrease that threat? Is
your microphone on?
Mr. Wright. It certainly would be something to look into. I
also agree that the NIST Cybersecurity Framework is a good
place to begin a lot of those discussions. IoT is a little bit
strange. The consumer isn't really playing the role of
demanding secure products at this point. Some of that could be
around awareness. Thirty-six percent of the devices that are
being manufactured and pushed out there right now have a
default password of ADMIN. Some of these are very simple fixes.
I think when the consumers are armed and aware of the dangers
they have a better chance of driving some of those markets.
Mr. McNerney. Well, although the WannaCry ransomware attack
was not the result of insecure IoT devices, I am curious about
what lessons we can apply from the attack to IoT device
security. How susceptible are IoT devices to ransomware
attacks?
Mr. Wright. So we have seen some preliminary more like
research around IoT. We did a research project where a smart TV
was hacked in ransomware. Like I said earlier in my testimony,
criminals are looking for ways to monetize these attacks. They
are only bound by their imagination and it is a matter of time
before they are able to figure out how to monetize ransomware
attacks on devices, on IoT devices.
Mr. McNerney. Well, is there a way that an IoT security or
insecurity could result in physical harm?
Mr. Wright. Certainly. IoT devices that are infected can
have real-world consequences, absolutely.
Mr. McNerney. And just to explain, how come it is difficult
to patch IoT devices?
Mr. Wright. Well, a lot of times these are being shipped
out without any possibility of sending out firmware changes. In
fact, most of them cannot receive patches or updates.
Mr. McNerney. So could we, in your opinion, rely on
voluntary IoT device security from the manufacturers?
Mr. Wright. Well, I do think this needs to be sort of a
consensus-driven standard. We need to have private sector
involved. We need to have Government involved and sort of find
that middle ground, otherwise it is not going to work.
I will point out one thing. The Mirai botnet that we were
discussing today, those devices were not manufactured in the
U.S. but rather the vast majority of them were manufactured
overseas, specifically in China.
Mr. McNerney. OK. Before I yield I just want to say I
appreciate Ms. Todt's remark that Government does respond well
but needs to do prevention better. Thank you. I yield back.
Mrs. Blackburn. Mr. Shimkus, you are recognized for 5
minutes.
Mr. Shimkus. Thank you, Madam Chair. And this is an
excellent hearing. I do want to thank you all for coming. This
is like an arms race. And the reason why I have always enjoyed
this committee is that, you know, technology moves faster than
we can regulate, hence it is very successful. Well, and that is
part of this debate.
I mean, do we do Federal standards and really almost slow
up the ability for expansion and new applications or, and so
that is why I think most people are talking about consensus-
based working with the sector, because if we don't we will trip
over ourselves and we will slow applications, we will slow
development. And that is why I think you see us kind of doing
this little kabuki dance between the sides because it is just a
very exciting, but there is a lot of dangers out there and
people are going to take as was just said, you can't control
what the bad actors are going to try to do to get access.
But I also appreciated the comment that for a manufacturer
or a provider they can, having secure information is marketable
and should be, they could market it as a premium for the
services they are providing and I think we have some businesses
here that wrap around this. I think the average individual, we
understand having a security office in a corporate setting and
probably a sub under the security is data security and
obviously, you know, this wireless technology and all these
things as a subsection.
So when we hire, when you are looking for a computer
programmer to go in cyber, in the cyber world, what is a new
engineering computer programmer, what are they going to be
doing? I am sure there is a plethora of things, but I mean are
they just going to be sitting at a screen watching interactions
and trying to pick out and identify an attack?
I mean we have all been in, I have been in nuclear, you
know, power plants. I have been in data centers. I have been
with screens all over the place. Is that what they are doing?
Is that what a computer programmer in cybersecurity ends up
doing?
Mr. Yoran, do you want to answer that?
Mr. Yoran. I will take a crack at it. In my experience, the
best cybersecurity professionals are the ones that just show a
tremendous amount of intellectual curiosity in what they are
looking at, and sometimes it comes through formal training and
discipline and frequently it doesn't. It is usually not the
analyst who is sitting behind a screen watching logs go by and
trying to pick and choose which one to dig into that is going
to make the difference or that is going to scale our industry.
If I could, I think the comment that you made and the
Congressman from California are, I won't say two sides of the
same coin, but they point to this foundational question of, you
know, is there a market failure and what can and should
Congress do about it. And from my experience, I think it would
be hard to argue that a market, you know, we are not at a point
of market failure, everything from, you know, the election to
the hack that you see in every newspaper or news distribution
point, even real news distribution point on a daily basis.
In order for free markets to work you have to have an
educated populace and you have to have a high degree of
transparency and I think in the cyber domain we lack that
transparency. There is a general lack of appreciation for what
the threat environment looks like. There isn't a consistent
understanding of what good cybersecurity looks like, what is
working in our domain. There is a lack of transparency when
breaches occur outside of ones that impact PII.
And so there isn't a common appreciation for what is not
working and also I think what is at stake and what is at risk
in using various products. So I think that there is a role for
Congress to play around helping to raise awareness and create
greater transparency.
Mr. Shimkus. Let me go to just Dr. Clancy real quick
because my time is running out. When we travel, which we as
Members get a chance to do, we are visiting troops, many times
we are asked to leave our computer at home and we are given a
little dinky one to be able to continue to communicate. How are
we, how secure is the U.S. wireless system versus places else
around the world?
Dr. Clancy. I would say the United States has the most
secure wireless infrastructure in the world. I think the things
that lead to insecurity in other countries' networks have to do
with deployment and use of old technology, a workforce that is
managing those networks that is not aware of the latest
threats, and the influence of authoritarian regimes over state-
owned telecom infrastructure providers in many of those
countries.
Mr. Shimkus. Thank you very much. Thank you, Madam
Chairman.
Mrs. Blackburn. Ms. Matsui, you are recognized for 5
minutes.
Ms. Matsui. Thank you, Madam Chair, for having this hearing
and I thank the witnesses for being here today. Wireless
technology and connectedness and of data and information have
huge potential to move us forward in a variety of industries.
Ms. Todt, you mentioned in your testimony that you recently
had blood work done and were told the only way you could access
the results was by downloading an app on your smart phone. I
see both potential for good and for danger in this situation.
It may be much more convenient for you to receive your test
results visually on your phone rather than via snail mail or
fax or a phone call. This could result in you acting on that
information in a more timely or consistent manner, potentially
improving your health.
However, that also means that your data is potentially
vulnerable. We saw the risk with the recent malware attacks
that brought down hospital systems. Without access to the
information that the doctors and nurses relied on to treat
their patients they could no longer do so effectively.
Our healthcare system is uniquely at risk of attacks. Most
professionals who go into the healthcare field, often including
administrators, don't have a cybersecurity background. We need
to work to ensure that our healthcare providers have the
technological infrastructure and workforce to manage the
complex data that they need to best serve patients.
Last week, the Department of Health and Human Services
released its Healthcare Industry Cybersecurity Task Force
Report. Among other things, the report recommended executive
education about the importance of cybersecurity. Ms. Todt and
any of the other witnesses, what recommendations do you have
for developing cybersecurity leadership in industries such as
health care?
Ms. Todt. Thank you. I am now convinced given what the
chairman said that I was one of the 100 million that got my
healthcare records breached last year, but that is something
else for me to figure out. I think that what you ask is a great
question in relation to also the other questions that have been
posed around IoT and workforce, because we tend to think of
cybersecurity workforce as those with the engineering degrees.
But what we have to understand in the workforce that we are
creating is that everybody has to be educated on cybersecurity.
This is not an expertise; it crosses every enterprise. And
arguably, I would think that human resources professionals,
those who are hiring, have to have a baseline level of
knowledge. The other issue is that when you are a manager you
have to be trained in cybersecurity so that you know what you
are doing regardless of whether or not your function is cyber
related.
And I think enterprises need to be looking at cybersecurity
education the way, as an onboarding process, the way they look
at ethics and integrity and basic company protocols and
procedures. We have to be incorporating cybersecurity awareness
and education from the ground up to create this culture and I
think that this is something as we move forward to emphasize.
The other issue that this is more of a technical response
but we talk about the education of user awareness. From a
technology perspective while we are educating the consumers and
the individuals and industries and enterprises, we also need to
be thinking about moving security away from the end user from
an innovation perspective.
Ms. Matsui. OK. Thank you very much and let me move on to
Dr. Clancy. Dr. Clancy, according to one study, none of
America's top-10 computer science programs as ranked by the
U.S. News and World Report in 2015 required graduates to take
one cybersecurity course. Three of the top 10 programs didn't
offer an elective in cybersecurity.
But with the rise of cyber attacks and security breaches in
our networks and the shortage of cybersecurity professionals,
it is imperative that our students graduate with the course
work needed to be able to tackle security issues. Dr. Clancy,
how can Congress encourage our colleges and universities to
prepare students either through expanding courses, hiring more
faculty, or other innovative solutions for careers in
cybersecurity?
Dr. Clancy. So I think the reason you may see that in some
of the top-ranked programs is it is the traditional academic
culture that cybersecurity is a buzz word and is a fad, and
myself and others in academia are working very hard to convince
them otherwise that this is a fundamental problem that is going
to be with us indefinitely. I think there are a number of
programs that are very positively impacting this ecosystem to
include NSA's Centers of Academic Excellence program and the
CyberCorps Scholarship for Service program.
While the CyberCorps program provides scholarship money for
students to pursue careers in Government upon graduation like a
cyber ROTC program, the funding helps the university establish
a platform that can educate students in cybersecurity who go
into many different careers, not just into Federal Government.
We saw that directly at Virginia Tech as part of our receipt of
a CyberCorps grant. I think more initiatives and further
investment in programs like that is a great place to start.
Ms. Matsui. OK, thank you. And I have run out of time, I
yield back.
Mrs. Blackburn. Mr. Olson, you are recognized.
Mr. Olson. I thank the Chair and welcome to all of our
witnesses. Mr. Yoran, thank you, sir, for your service to our
country in our United States Army, West Point graduate.
Heartfelt congratulations as well, because with assist from
Temple for the first time in 15 years your Navy beat my Army in
football. Bravo Zulu.
Your testimony talks about elastic attack surface that
includes a growing number of information technology devices.
Being the vice chairman of the Energy Subcommittee, I worry
about cyber attacks on our power grid. December 23rd, 2015,
230,000 people in the Ukraine were without power for 1 to 6
hours, a cyber attack likely coming from Comrade Putin in
Russia. It was very low tech. They simply remotely flipped some
switches.
What kind of advice does your company provide to critical
infrastructure companies in our electric grid regarding how to
best protect their systems for cyber attack?
Mr. Yoran. Thank you, Congressman. I think that is an
ongoing challenge. As early as last night, the US-CERT program
issued additional warning and guidance to energy and critical
infrastructure companies around the Crash Override piece of
malware which is affecting power companies around the world.
From a security perspective there is a great challenge in
that industry in that the systems are incapable of being
updated or there is tremendous risk in updating those systems
which, unlike our mobile phones or desktop PCs, have a life
span measured in decades. From a best practices perspective
these organizations have historically left those critical
networks in the standalone state, but increasingly they are
interconnected.
We offer technologies and other companies offer
technologies that help monitor these networks on a passive
basis, so without introducing additional risk, additional
packets, or probing those networks you can see what they are
vulnerable to and you can create a series of compensating
controls to protect those systems from internet compromise.
Mr. Olson. Also you brought up artificial intelligence. And
as a co-chair of the recently launched Artificial Intelligence
Caucus, I believe it is important that we use cybersecurity
technology to complement the work of the talented human brains
that make this happen.
We know that technology alone won't solve the cybersecurity
issues we have, but can you elaborate on how leveraging this
technology for the growing AI field will work do you think,
cybersecurity in the AI field--or Mr. Wright, Dr. Clancy, Ms.
Todt? Somebody want to take that? It is not bomb, not a
grenade.
Dr. Clancy. I am happy to take a stab at that. I think the
DARPA Cyber Grand Challenge that we saw last year is an example
of a first step in being able to accomplish that. As I
mentioned earlier, I think that AI will become initially a tool
that helps analysts do their job more effectively and more
scalably to deal with the growing threat and larger and larger
amounts of data.
There is an AI renaissance that is happening, right. There
are fundamental advancements that are happening that are
completely changing the world of image processing and search
that Google and others are leading. And I think there are many
in the cybersecurity community that are hoping that those
technologies can be applied to the cyber problem, but that is
still an early research area that many people are sort of
feverishly working on right now in academia.
Mr. Olson. Ms. Todt, you look like you are chomping at the
bit to comment. Am I reading that wrong?
Ms. Todt. Just in support I think that we need to be
investing obviously in innovation. I was on a panel with
somebody who used to work at DARPA who essentially talked about
the fact that there are functions that really aren't meant for
humans and that our ability to automate and make those
functions more capable through super-computing will help our
systems work more effectively.
Mr. Olson. One final question for you, Mr. Yoran. We are
seeing an explosion of free WiFi hotspots all around the
country, whether they are there at the corner coffeehouse, the
Starbucks, the airport, the airplanes you mentioned; heck, the
Mr. Carwash right down the street from my house. My daughter
and wife go there all the time. It has a free hotspot just for
the 20 minutes you are there.
Do they offer unique challenges to safeguard? If so, what
should be done on the network side as opposed to the user side?
Mr. Yoran. Well, I think the most important thing is to
recognize that whether you are going to a public hotspot or you
get fooled into connecting to a rogue hotspot or you are
connected to a corporate network which is already compromised
and frequently is, the most important thing that you can do and
that organizations can do is better assess the vulnerability
and exposure of their systems and make sure that they are
applying the latest patches and they don't fall victim. A vast
majority of the attacks that we see come from well-known, well
established vulnerabilities to which patches are readily
available.
Mr. Olson. Good luck, Army. I yield back.
Mrs. Blackburn. Mrs. Dingell, you are recognized.
Mrs. Dingell. Thank you, Madam Chair, and thank you for
doing this hearing and to all of the witnesses. There are so
many questions. Cybersecurity is something that should concern
all of us. And as somebody who has been hacked more than
anybody would want to be I can tell you it is a pain to have to
change your password and switch to two-factor authentication
and worry about personal information being compromised.
I think what--and not even what I prepared--what is really
worrying me is some of the factoids that you have raised here
today. I think one of the issues is training people. Even when
you have trained IT people and you go to them and you ask a
question--ask John Podesta, myself have done this--``Should I
do this?'' And they say, ``Oh yes,'' and then it turns out not
to be the right thing. I think I got one last night that I have
now been burnt so much I was smart enough to wait and talk to
somebody today.
And I really worry about, as we start to talk about
autonomous vehicles, as an example, if people don't--how are we
going to make sure patches that need to occur occur, and when
they don't, even when we look at the health care, what happened
on the health care situation, there were simple patches
available that users aren't using. How do you legislate that?
These are real issues.
But for these 5 minutes, which are now down to 3 minutes
and 45 seconds, let's talk about mobile phones, which as you
said, Mr. Wright, are basically super computers we have in our
pockets. Our phones are always by our sides. We store our most
intimate and personal details in them. And it is happening now
and in the near future people are going to be locked out of
their phones and in turn will be locked out of personal,
social, financial information. That is a new experience for
everyone. We are going to see this high level of hysteria, and
we have got to pay attention to it.
So this question is for the entire panel. Ransomware is now
available as a service making it incredibly easy for criminals
to carry out an attack. What can Government do from a policy
perspective to increase barriers to entry and the cost of
carrying out ransomware attacks, and do you think the threat of
a ransomware attack on a mobile device will only continue to
increase if the Government doesn't do something, any of the
panel?
Mr. Wright. I can start out here. Starting with your last
question I think that mobile ransomware will probably increase
no matter what is done. Again the criminals follow the money
and right now your handheld computer is where that money or
where that data is. When they can figure out how to monetize
locking up that phone or encrypting that data on your phone
enough to the point where you will pay to get it back, then in
that case mostly not get the data back, they will exploit that.
Mr. Yoran. I don't think any of us are comfortable with the
state of security on mobile phones, but I think a lot of
progress has been made. A lot of lessons have been learned in
the--some have not, but a lot of lessons have been learned in
the mobile domain from decades of mistakes and accidents in
operating systems and in compute platforms from the desktop
paradigm.
So I am confident that we will see an increase in
ransomware no matter what is done on mobile platforms given how
attractive they are as a target, but I think the industry is
making progress to make that more and more challenging over
time.
Dr. Clancy. I think that if you look at ransomware it is
leveraging the same vulnerabilities that people have used to
exploit mobile devices for the last decade. So continued work
to make sure patches are deployed and apps are updated is
critical to closing the front door, if you will, to ransomware.
I think other areas that are somewhat unique to ransomware
have to do with educating users about the importance of backing
up their data so if they are a victim of ransomware attack they
are able to recover their data. Many cellular providers offer
free services to back up your data on your phone to the cloud
and consumers need to take advantage of that.
Secondly, I think there is really the forensic and law
enforcement side of being able to follow the money and be able
to take down the ransomware networks which is increasingly
difficult with the rise of bitcoin and other cryptocurrencies,
but that is perhaps a larger question.
Ms. Todt. I think ransomware represents sometimes a little
bit of the flavor of the day in that we have these problems
that continue to evolve, but the solutions for them are the
same when we look at WannaCry which was, you know, essentially
not updating with patches that are there. So it is a lot of the
cyber hygiene that we have talked about and the regular
download.
I think it is also important, you raise an interesting
element to this which it is often important to remember that
attacks and when data is compromised or manipulated it is not
usually because there is some engineering expertise or genius,
it is really about opportunism and being able to access and
exploit that opportunism. And so that is why education, backing
up, all of those very basic actions can really cover about 80
percent of the solution.
Mrs. Dingell. I had more questions, but I am out of time.
Thank you, Madam Chair.
Mrs. Blackburn. And we will give the opportunity to submit
those questions in writing. Mr. Johnson, you are recognized, 5
minutes.
Mr. Johnson. Thank you, Madam Chairman.
Mr. Yoran, in your testimony you note that there is a
shortage of skilled labor in the cybersecurity workforce. How
acute is that shortage? Has it manifested itself in your
company? Do you have a problem hiring those kind of people in
your own business?
Mr. Yoran. That is a great question. It is extremely
competitive to hire experienced cybersecurity professionals.
The compensation is great and as they continue to gain
experience, you know, their expectations continue to rise.
Mr. Johnson. On the technical or the strategic side,
because I mean there is a big difference between people that
understand what cybersecurity is and those people that can get
down to the ones and zeros and kind of do the technical
wherewithal to find out who the bad guys are.
Mr. Yoran. I think there is really a shortage on both
fronts, which is why I think the importance of Dr. Clancy's
comments around the multidisciplinary approach to
cybersecurity. What we found is in addition to compensation
there are two other critical aspects to attracting and retaining
cybersecurity talent. One is in providing them intellectually
stimulating work. It is an exciting field and if you don't give
them exciting problems they will go elsewhere to find them. And
the other is in creating a culture that is dynamic and one that
is enjoyable to be part of.
Mr. Johnson. OK. Do you think we have the same level of
expertise shortage in finding skilled workforce in Government
agencies or departments? Is it worse, the same?
Mr. Yoran. I don't know that I have the data in front of me
to comment whether it is worse or the same. I do know that a
tremendous amount of expertise in the private sector starts out
getting its experience in public service which is costly to the
Government in terms of losing that talent, but I think it
provides tremendous value to the private sector in terms of the
level of maturity and understanding of very sophisticated cyber
threats.
Mr. Johnson. OK, all right. Thank you.
Dr. Clancy, what a name for a topic like cybersecurity. And
if your first name was Tom you would be----
Dr. Clancy. It actually is.
Mr. Johnson. Yes. I would consider changing it if I were
you.
Dr. Clancy. No, no, seriously, my name is Tom Clancy.
Mr. Johnson. OK, all right. Will the real Tom Clancy please
stand up?
Dr. Clancy. I go by my middle name Charles. It causes too
much confusion.
Mr. Johnson. Well, Dr. Clancy, how soon should we expect
biometric tools to supplant the traditional PIN and password
approach to device security?
Dr. Clancy. So biometrics have offered a tremendous
opportunity to fundamentally change how we authenticate people.
I think there are still challenges. The joke in the biometrics
community is that if I am using a fingerprint as my password I
can only change my password nine times before I run out of
fingers.
So there are some challenges there. If your fingerprint
data is compromised because it is stored in a database then
your credential is sort of irrevocably lost and you can't
change it like you can change a password.
Mr. Johnson. So in that regard then, in that vein do you
think biometric tools are going to make us more secure or are
we going to happen upon the same kinds of problems that we have
now if we file them away?
Dr. Clancy. I believe that biometrics will be a critical
part of multifactor authentication. If combined with a password
and a mobile device, right, you can fuse these things together
in order to significantly improve the security of a particular
authentication to some online service.
Mr. Johnson. All right. Secondary question, do you think it
is right to think of every connected device as a potential
vulnerability and, if so, what freedom or flexibility should
network operators have to promote security when device owners
fail to do so? And I guess we are sort of getting into the
Internet of Things, you know.
Dr. Clancy. Certainly. So the internet service providers
have an increasingly challenging time. Because of the rise of
technologies like end-to-end encryption, it is very difficult
for internet service providers to tell the difference between a
botnet command and control packet and standard IoT web service
traffic, just because they don't have the visibility that they
would otherwise have.
So I think that that creates problems for them that makes
it a challenge for the entire ecosystem, where you need the IoT
service providers and the device manufacturers and all of them
to come together to come up with a common solution for securing
IoT.
Mr. Johnson. OK. Ms. Todt, I apologize. I had a question
for you but I have run out of time. Madam Chair, I yield back.
Mrs. Blackburn. Well, we will also let you submit that
question in writing. OK, Ms. Clarke, you are recognized for 5
minutes.
Ms. Clarke. Well, thank you, Madam Chair. The FCC just
announced the newest members of the Communications Security,
Reliability and Interoperability Council, a council established
to make recommendations about the security, reliability, and
resiliency of our communications systems. But as I have
reviewed the names of the new members, I am disappointed to see
a lack of cybersecurity expertise on the council.
As the author of the Cybersecurity Responsibility Act, my
bill makes it clear that the FCC has a role in ensuring our
commercial sector has protections in place to secure our
communication networks from malicious cyber attacks. So Ms.
Todt, what role do you believe the Federal Government, in
particular the FCC, has in protecting our Nation's
communication networks?
Ms. Todt. Well, I think again we can look to the executive
order that was released by President Trump in May which
specifically calls out the FCC as having a role in protecting
the communications infrastructure and working with the
secretary of commerce and the secretary of the Department of
Homeland Security to initially look at that botnet mitigation,
but then also looking at clean pipes and where that goes. And
so clearly, I think the Government, the executive office as
well as industry, believes that there is a role that it needs
to play.
Ms. Clarke. So then it would be prudent to have some
cybersecurity expertise on this council, wouldn't it?
Ms. Todt. That would appear to be the case, absolutely. I
don't know who those individuals are, so I don't know if they
have them in any----
Ms. Clarke. Just generally speaking.
Ms. Todt. But I would say, I mean, this is the issue, the
broader issue, is that we have to be bringing cybersecurity
expertise into all of these areas and that we have to be
looking for that because that knowledge and that expertise has
to be informing our policies, because they don't even have to
be cybersecurity policies but they have an impact.
Ms. Clarke. Absolutely, thank you.
Dr. Clancy, as part of Congress' resolution of disapproval
that overturned the FCC's privacy protections, Congress also
stripped away consumers' data security protections. As I noted
before, my bill, the Cybersecurity Responsibility Act, would
ask the FCC to take some action, any action to protect our
networks. Did Congress' rollback of these data security rules
do anything to make America's personal information more secure?
Dr. Clancy. So I think the rollback of the cybersecurity
provisions in the FCC rulemaking from 2018 was, actually
happened before Congress acted, right. The FCC removed those
provisions and stayed those portions of the regulation, and
then ultimately Congress rescinded the entire order which was
focused more on the privacy aspects of that rulemaking.
Of course the stated rationale was that it was
inconsistent with the Federal Trade Commission's view of
privacy and opt-in versus opt-out when it comes to consumer
privacy. I don't know that I am in a position to declare
whether opt-in or opt-out is a more appropriate way to protect
consumer privacy, but I think it represents some of the
regulatory challenges we have in asserting that one particular
regulator has authority over a very complex ecosystem.
Ms. Clarke. Or the question was more about security. And
just looking at the ecosystem, if you sort of strip those or
roll back those security rules, we are trying to figure out
whether people's personal information it becomes, did we open
up vulnerabilities? Let's put it that way.
Dr. Clancy. So based on my experience working with the
cellular industry and some of the major internet service
providers, the big companies are already doing those best
practices. The large ISPs, the large wireless carriers are
already doing that. Where the gap is is the smaller and more
rural internet service providers and the more niche wireless
carriers who don't have as much infrastructure or resources
themselves to deploy those best practices.
Ms. Clarke. Yes. So when there is a vulnerability even in
the smallest of these providers, doesn't that open up
opportunities to get at grander----
Dr. Clancy. Certainly, it does given the interconnectedness
of the different telecom providers. I think what we are seeing
in industry is strong collaboration though, with the big guys
looking out for the small guys and doing what they can to help
quickly remediate through information sharing that was really
accelerated by the past----
Ms. Clarke. Anyone else have any thoughts on that?
Ms. Todt. I think the supply chain is a huge issue, and even
if you are sharing those practices we have to be looking at a
baseline level of standards. And I think that you are, oh, it
is always going to be the weakest link and we have to do a
better job within our sectors of actually informing and helping
to share those best practices and lessons learned.
One of the things that we have learned is that small
businesses across sectors have a lot more in common with each
other than the small businesses and the large businesses within
their sector, and there is a lot of evidence right now around
that. And so being able to look at this more thoughtfully, and I
think it goes again to this issue of collaboration and pre-
event planning, would be the actions that we need to be taking.
Ms. Clarke. Very well. Madam Chair, I yield back. Thank
you.
Mrs. Blackburn. And Mr. Bilirakis, you are recognized for 5
minutes.
Mr. Bilirakis. Thank you, Madam Chair. I appreciate it so
much. And I appreciate your testimony today.
As more IoT devices enter the market, industry has seen a
rise in tech support scams, unfortunately. Symantec's 2016
Threat Report found a 200 percent rise in tech support scams in
a 2-year period. With these types of threats the best defense
is with the end user. Mr. Wright, how can an end user
distinguish between a legitimate help desk and a tech support
scam, and can you describe how Symantec has responded to the
increased threat?
Mr. Wright. Yes. So these types of social engineering
attacks, as you just mentioned, the tech support, are particularly
vexing. They depend on the consumer to somehow be able to
intuit or to understand whether or not they are being, whether
they are being scammed. There is not a lot of sort of
technology that can fix that. A lot of it comes back to raising
awareness of the user of what those threats could be, those
users being more careful and perhaps having a more keen eye on
to pick up signs. But it is a very, very difficult problem when
it comes down to the user themselves.
Mr. Bilirakis. Yes, thank you. For years people have been
told to check for the https identifier in their browser before
accessing personal websites such as for banking or health care.
Mr. Wright again, your 2016 Threat Report states that relying
on the https marking provides a false sense of security. Can
you expand upon that?
Mr. Wright. I am sorry?
Mr. Bilirakis. Your findings. No, let me say it again. Your
2016 Threat Report states that relying on the https marking
provides a false sense of security. Can you expand on that
finding?
Mr. Wright. I know that https is more protected, but I am
sorry I cannot sort of expand on the Internet Security Threat
Report piece there. I am not prepared for that. Anybody on the
panel have----
Mr. Bilirakis. OK. Can maybe anyone else on the panel? Yes,
please.
Dr. Clancy. So https implies that the session is
authenticated and encrypted, but the concern is to whom you are
authenticated. There are many scams that can change a letter in
the name of the domain name such that you wouldn't notice the
difference but could still present a secure credential to you
as a user.
So I think https is a first step, and if you don't have
that then you definitely need to be concerned. You need to look
at the spelling of the domain name to make sure that it is
spelled accurately and there aren't strange characters in
there, that those are the sorts of things that undermine the
security of simply looking for the https.
Mr. Bilirakis. Any other suggestions?
OK, thank you very much. Let's see, I still have a little
time. Mr. Wright, according to Symantec's 2016 Threat Report, the
Apple iOS system faced its first widespread threat with the
XcodeGhost attack. This malware has infected over 4,000 apps
which leaves unsuspecting devices vulnerable. In response to
cyber threats success largely depends on speed of response. How
has industry responded to threats via apps since it first took
hold in 2015, and have efforts met with success?
Mr. Wright. Yes, good question. So apps certainly represent
a potential threat vector especially for mobile devices. I
would say that Apple has done a pretty good job making sure
that malicious apps are not included in their app store.
Android is doing a better job at trying to ensure that their
apps aren't malicious. So those two providers I think have come
a long way. Apple has always been pretty good, but the other
provider has come a long way.
In addition, there are some security solutions to this. Not
plugging Symantec, but we do produce technology that can scan
for apps and look for possible malicious apps or grayware apps
which sometimes can leak information. So there is a technology
solution, and then also the providers are doing a lot of work
in that area as well.
Mr. Bilirakis. Anyone else want to add something? I know I
only have 15 seconds. OK, very good. Thank you, Madam Chair. It
is a very informative hearing. Thanks for calling the hearing.
Thank you.
Mrs. Blackburn. Thank you. Ms. Eshoo, 5 minutes.
Ms. Eshoo. I thank the chairwoman and I thank all the
witnesses. I think you have given very important testimony.
First of all, to Mr. Wright, I am very proud to represent
Symantec.
Mr. Wright. Thank you.
Ms. Eshoo. I have had a long, long, long-term relationship
going back to the days of John and how he really helped build a
new Symantec and you keep going and you are a real asset to the
country.
And to Mr. Yoran, you get the prize for the best dressed
before this subcommittee every time you come. One of the
members said, do you think he lost his suitcase? I said, no, he
hasn't lost his suitcase. That is his tuxedo for this
committee.
There has been a lot of discussion about a lot of things
here. The title of the hearing is Cybersecurity Risks to
Wireless Networks, but this is an entire ecosystem. And I think
we have made real progress in many areas and I think that
obviously we are lacking in others. I want to thank Symantec
for working with me on the legislation that I mentioned in my
brief opening statement.
But I want to go to something else first and then a
question to each one of you. Last year the FCC put into place
data security rules that apply to wireless carriers as part of
its privacy proceeding. And Dr. Clancy, you just gave some kind
of, I don't know really what it was, but I am going to find out
more, press you for more.
These rules asked ISPs, really, something very simple and
that is to take, quote, reasonable measures, reasonable
measures to protect consumer data. Now there was the
monetization of information and the monetization of attacks
that has been brought up by more than one panel member this
morning. Do any of you think that the FCC went too far in
asking ISPs to act reasonably to protect consumer data?
There is a little bit of, if I might suggest this,
political cross-dressing that is going on here, because the
Congress ripped away all privacy protections on the internet
and that is on the computer that I have in my purse. That is
for everyone in the country. So we are talking about, I think
cybersecurity is all about privacy. It brings about privacy.
So maybe a yes or no to each one of you, and if you don't
know, then say that. Do you think the FCC went too far in
asking for reasonable measures to protect consumer data? I am
going to start with----
Mr. Wright. So I will have to say I don't know too much
about that----
Ms. Eshoo. OK.
Mr. Wright [continuing]. Specifically, but I will say, you
know, it appears to be reasonable to protect user data.
Mr. Yoran. I can't comment specifically on the FCC's issue, but
reasonable does sound reasonable.
Dr. Clancy. Indeed. I mean it was a complicated set of
circumstances, but----
Ms. Eshoo. What is so complicated about it? What is
complicated about it? I have it right here what they put
forward. They are really simple things.
Dr. Clancy. Reasonable is reasonable.
Ms. Todt. I will ditto my colleagues. I mean, reasonable
protections are reasonable.
Ms. Eshoo. I think what I would like to do in writing,
because I don't have time for it, is to ask each one of you so
you can be prepared for it, what is your top line
recommendation to the subcommittee relative to cybersecurity in
our country? Just one thing, top line, from each one of you.
You are all experts and I will look forward to sending that to
you and getting your responses. Thank you for what you are
doing for the American people. I appreciate it.
Mrs. Blackburn. All right. Let's see, Mr. Flores, you are
recognized.
Mr. Flores. Thank you, Madam Chair, and I want to thank the
panel for being here today.
Ms. Todt, unlike other types of crimes, when we talk about
cybercrime we always seem to focus on the need to protect
against the attacks rather than prosecute the bad actors. And
can you tell us what the Federal Government is doing to
actively work on cybercrime attribution and also what are the
limitations of trying to track down our cyber adversaries?
Ms. Todt. So right now I believe the executive order has
laid out--I am not as familiar with the criminal angle. I know
we worked with the Department of Justice with the Commission on
being able to look at malicious actors and where the crime
plays a role, and I think one of the key things that a lot of
the commissioners talked about is you have to have penalties
for those bad actors. But I apologize, I can't talk
extensively, but I am happy to get back to you with an answer
in writing.
Mr. Flores. OK, yes. If you could do that, that would be
great.
Dr. Clancy, in your testimony today and from testimony
across the panel it sounds like we have got a skills gap when
it comes to protecting ourselves from cybercrime. And of course
in order to fill the pipeline we are going to have to be able
to get our educational institutions to produce the people
resources to be able to do with this.
I represent three world-class universities back in my
district, Texas A&M University, Baylor University, and the
University of Texas. What could the Federal Government be doing
to help ensure that pipeline is filled with quality skilled
individuals?
Dr. Clancy. I think that most of the efforts to date have
focused on the tail end of the pipeline.
Mr. Flores. Right.
Dr. Clancy. Getting students out of college and into jobs,
I think the pipeline starts much earlier than that.
Mr. Flores. Exactly.
Dr. Clancy. When students are coming into college they need
to want to major in cybersecurity and more broadly in STEM
fields, so I think additional initiatives that are focused on
the K-12 outreach and engagement to bring cybersecurity down to
the middle school level or even sooner, just basic digital
hygiene at the elementary school level would be a great
starting point and build up from there. If you want to build a
pipeline you need to start at the beginning.
Mr. Flores. OK. Now Mr. Yoran, you and I both have business
backgrounds and I mean you hire a lot of these types of
individuals. What would your key recommendations be?
Mr. Yoran. I think it is important for employers to look
for the intellectual curiosity around cyber. And as Dr. Clancy
said earlier, you know, I think you have to start at an earlier
age and part of it may be through cyber hygiene. I know I could
talk to my kids about cyber hygiene and they still don't apply
their patches, so I think we have to find things that are more
interesting, more intriguing ways of creating excitement and
creativity around cybersecurity education.
Mr. Flores. OK, thank you.
Dr. Clancy, you mentioned the need for the Federal
Government to continue to act as a convener and to set
priorities based on its unique knowledge of cyber threats, but
for national security reasons the Government doesn't always
share the full extent of its knowledge of those threats. How
significant is this limitation and how can Congress be helpful
in encouraging more transparent threat intelligence sharing?
Dr. Clancy. So I think from a convening perspective, groups
like the FCC CSRIC organization are a great way for the
Government, for the Federal Communications Commission, to sort
of set priorities and identify areas of concern and work
collaboratively with industry to identify solutions. I think
that that goes to a certain extent hand in hand with the
challenges of cyber information sharing.
You have the national security agencies who are generating
detailed information on cyber threats, but that, due to the
sources and methods involved, is held at a classified level
and can't be shared, and that creates a barrier to sharing. The
thought is that if we have sufficiently large cyber threat
brokerage houses sort of emerging that there can be enough data
that the Federal Government could anonymously share data that
would obscure sources and methods with those brokerages and it
wouldn't be attributable to specific sensitive aspects of how
that data was arrived at.
Now we are not there yet, but I think there is some hope
that that may be a solution moving forward long term.
Mr. Flores. OK, thank you. If any of you have any
supplemental comments on any of these questions and you could
submit those, that would be great. Thank you, and I yield back
the balance of my time.
Mrs. Blackburn. Mr. Rush, you are recognized for 5 minutes.
Mr. Rush. I want to thank you, Madam Chair, and I want to
commend you for holding this hearing.
Dr. Clancy, Tom, you are concerned that the Internet of
Things, the IoT, where everything from home appliance to
industrial infrastructure devices connected to the internet is
not secure enough to withstand a cyber attack. What is the
biggest challenge you see in securing this complex mobile
ecosystem?
Dr. Clancy. Well, I think that just the breadth, as you
stated, is part of the challenge. The threats to an internet-
connected home appliance are very different than the threats to
an internet-connected nuclear reactor and the technologies
involved are very different.
So at one end of the spectrum in the consumer technology
space we have the key challenge, I think, is supply chain and
inexpensive goods, inexpensive IoT devices coming from overseas
that were not designed with security as part of the fundamental
component. I think at the other end of the spectrum you have
industrial infrastructure, industrial control systems. There
the challenge is more that the desire to gain efficiencies from
aging infrastructure and be able to support more users with the
same power grid and more peak demand requires us to use
artificial intelligence to orchestrate much of our
infrastructure which necessitates connecting that
infrastructure to the cloud in order to do the needed big data
processing on the data.
So you end up drawing this sort of series of events that
necessitates for business reasons connecting this industrial
infrastructure to the cloud, which then fundamentally exposes
it to risks it had never faced before. And that is a whole
separate set of challenges that requires the key components of
that industry to figure out how to work together to solve those
challenges.
Mr. Rush. Are you concerned that the Federal Government is
inadequate and then presently is organized that we are, are we
prepared to deal with this broad threat, a cybersecurity
threat? I mean we have different centers of responsibility or
authority and power located in many different places from
Homeland Security to the FCC. Are we prepared in a streamlined
way to respond to a cyber attack using these IoTs?
Dr. Clancy. I think we are never going to be as prepared as
we would like to be, but I think our level of preparedness is
steadily increasing. I think the NIST Cybersecurity Framework
that many have referenced throughout this hearing is a great
example of a tool that we can use to develop a common
understanding of how to respond to these threats and we need
more things like that to help improve our ability to respond.
Mr. Rush. I want to thank you. I want to move to Mr.
Wright. Mr. Wright, how vulnerable is the U.S. power grid to a
similar power grid attack that Ukraine suffered last year?
Mr. Wright. Excuse me. Yes, you are referring to what we
have called Sandworm threat. It attacked the Ukraine two
different times over the last year shutting down power.
Interestingly, they got back online relatively fast because
they went back to manual movements.
Here in the U.S. I think we are probably more advanced on
our security of those power grids. More than that, I think that
our people are trained to be able to get back online manually
because of threats in storms and natural disasters that they
have trained to be able to get back online and to be able to do
that manually.
That said, there is always going to be susceptibility, and
with the latest Ellen Nakashima article that came out yesterday
advising of a new more advanced threat, I am sure that our
power grid operators and Government are looking at how to
protect against those.
Mr. Rush. I want to thank you, Madam Chair, and I yield
back.
Mrs. Blackburn. I thank the gentleman. Mrs. Brooks, you are
recognized for 5 minutes.
Mrs. Brooks. Thank you, Madam Chairman, and thank you to
all of our panelists for sharing your background and your
wisdom with us. It seems that part of the problem we face is
that cyber attacks when we talk about cybersecurity it is
moving far faster, it seems, than our cyber defenses and the
bad guys only have to be right once while the good guys have to
be right all of the time.
I am a former U.S. attorney and but from '01 to '07 when we
were really standing up cyber teams and I certainly know the
FBI and obviously NSA and others have really beefed up their
cybersecurity, but yet I am a bit troubled that--because I was
just, you know, Googling big cyber cases and so forth and they
seem to be happening more in other countries than they are
happening in our country.
And I am just curious how much cooperation is there with
the private sector lending your advice to the Government sector
in prosecuting and enforcing our cyber laws. And I am concerned
that your expertise and the expertise of those in your
industry, it is hard for Government to bring folks in. As you
said, I believe, Mr. Yoran that often it goes the other way.
They start in Government and then go out to the private sector.
But yet if we aren't cooperating and I think at a very
different level than we currently are, and I appreciate your
work and what the commissions have done and recommendations and
so forth, but I think we need to accelerate it in a much
greater way of how we can prevent, not just prevent because you
are all focused on preventing, but if we don't actually
prosecute. And Mr. Wright, would you like to start us out?
Mr. Wright. Sure.
Mrs. Brooks. And I really need to hear what your thoughts
are about the level of Government's willingness to bring your
expertise to the table to help us, you know, stop these people
by actually prosecuting.
Mr. Wright. Yes, I think you are making an absolute,
excellent point there. There is a focus on protection, whereas
rarely do we speak about deterrents. One of the main deterrents
is prosecuting. I would say that the FBI in particular has
gotten much better. In fact, I would put them at very good at
this point. They are recruiting the right people. They are
going after the cybercriminals. And maybe if you don't read
about it as much here in the United States it is because a lot
of our adversaries, cybercrime adversaries, are sitting
overseas; very tough to prosecute in those cases.
But I will tell you one good story that happened right at
the beginning of this year. Symantec partnered with the FBI and
worked on a case we referred to as Bayrob. It went on for 9
years. We had finally culminated in the arrest and extradition
of three Romanian citizens that are currently sitting here in
the U.S. awaiting trial.
Those connections that private-sector companies are making
with law enforcement are getting better every day. They are
getting more and more trusted. I actually think that is a good
news story for us now. But I think focusing on some sort of
deterrent is really important because today cybercrime has all
upside and no downside. There are no risks, very few risks
involved in being in cybercrime.
Mrs. Brooks. Thank you. Mr. Yoran, any comments you might
have and should we be looking at a different model of how
Government is working with the private sector to bring people
to justice? Because 9 years and three defendants doesn't sound
like enough to me, but I applaud it--but 9 years and three
defendants.
Mr. Yoran. And I am sure there is a lot of detail to that
case and will point to many follow-on cases and other
investigations. I think you bring up a very important point.
There are many cooperative efforts between law enforcement and
private industry.
A few areas where private industry has really augmented
what has been traditional Government function is in the area of
attack attribution and threat intelligence of which Symantec,
you know, is a very active participant. And that can aid and
assist law enforcement and also help create deterrents whether
it is through naming and shaming or other means.
There also remains, I think, a reasonable gap between the
interest of law enforcement and those trying to defend networks
where there are instances where, you know, law enforcement
officials would like to, for the purposes of prosecuting a
crime, leave systems open and to continue to monitor how a
crime is unfolding, whereas those trying to defend networks
frequently care a little bit less about who is doing it and
more about cleaning up their systems.
Mrs. Brooks. My time is up, but if any of you would have
any other comments you would like to make, I would certainly
appreciate any written comments on it. Thank you. I yield back.
Mrs. Blackburn. Thank you, gentlelady, and Mr. Costello for
5 minutes.
Mr. Costello. Thank you. Mr. Wright, from your experience
working on both the Federal side and industry sides of
cybersecurity, I want to ask you this question. And this comes
from a conversation I had with somebody pretty high up the food
chain on this issue. Mobile device hardware, how serious of a
problem is it that DOD and the U.S. Government rely on foreign
IT hardware as well as just the consumer products that we
utilize in that space? Much of it is foreign manufactured or
foreign designed, and specifically I have heard that there are
times when the capacity or capability of a particular device
far exceeds, the potential for it far exceeds what the
realization of that device is actually for. Does that make
sense?
Mr. Wright. So I think the capacity and capability----
Mr. Costello. In other words you can have more with----
Mr. Wright. Far exceeds, I am sorry? What----
Mr. Costello. Far exceeds what a consumer is actually
intending to utilize it for.
Mr. Wright. Well, I think that certainly on this side,
mobile phone consumers are sort of just hitting the beginning
of what they eventually are going to do with mobile devices. As
far as concern about where those mobile devices are being
built, you know, I think that some of these supply chains are
always going to be important and can open up some possible
vulnerabilities.
So we need to be able to have an understanding of where not
only the device is put together but where those individual
pieces are manufactured and pulled into the device, because
they can certainly open you up to vulnerabilities.
Mr. Costello. I want to pick up on the line of inquiry that
Mrs. Brooks was pursuing and that is, it seems to me
distinguishing between lawful legitimate activity and unlawful
activity, someone engaged in a cybersecurity crime is often
difficult to discern until it is too late. And whether it is
the cloud, whether it is wireless access points, I was reading
a little bit in the testimony about the mobile device
management solutions.
The question I have here is, is our criminal code, does it
reflect the technological capacity of cybercrime as it stands
today or are we sort of, is it antiquated? Does it need to
evolve or does it need to be, does it need to reflect the way
that criminal activity occurs, because often times a crime
could be happening and yet we are not able to call it a crime
because the actual malware or the actual money hasn't been
stolen or the last piece of the crime which would actually make
it criminal hasn't yet occurred. Does that make sense?
And so my question to any of you is, be it with wireless
access points, be it with just how often we use the cloud, do
you see certain types of cybercriminal activity where our
criminal code does not properly reflect what is happening day
in and day out in such a manner that we are able to go and
prevent crimes from happening because our criminal code does
not have the elements to be able to have us sufficiently charge
them with a crime early enough before it is too late, anyone?
Ms. Todt. I think the industry, obviously industry has a
thoughtful perspective on this, and I know Symantec has done
some tremendous work in this space. There is an entity called
the National Cyber-Forensics & Training Alliance center which
works with the FBI, with consumers, with law enforcement to
understand where the criminal code is aligned with cybercrime.
And I know that they are working on revising it where
necessary, because I think, you know, to the point that was
made, rightly, it is this deterrence effort. But updating, just
as we need to do across all elements of cybersecurity, we tend
to have a physical approach to cybercrime sometimes, and
understanding that, the NCFTA, I believe, is looking at that
specifically.
Mr. Costello. Yes.
Mr. Wright. I would just say, yes, I agree there are some
sort of unique things about pursuing and prosecuting a cyber
case, chain of custody of evidence is one of them.
Mr. Costello. Right.
Mr. Wright. I can't think of sort of specific incidences
where we are crosswise with the laws, but that is certainly
something I think they could look into. There is one area, the
way that we share information, prosecutorial information with
other countries, our MLAT process, our Mutual Legal Assistance
Treaties, I believe are outdated. They need to be, they
probably need to be revised so that we can share information,
we could have information shared with us so that we can
prosecute better.
Mr. Costello. The concern I have--and my time is over--is,
just given the lack or small number of instances where we are
able to prosecute on this, tells me that there is just too
much, there is no risk. I think that was the term you used.
There is no risk to not engage in cybersecurity crimes when you
are these actors. And that is terribly concerning, and it just
raises the question to me on the criminal side of it: Is there
more that we can do to enable the prosecution of this more
easily? I yield back.
Mrs. Blackburn. The gentleman yields back, and there are no
further Members seeking time for questions. Pursuant to
committee rules, I remind Members that they have 10 business
days to submit additional questions.
And I think you all are probably aware you have got written
questions coming to you. We would ask that you respond to those
written questions within 10 business days, and get that back to
us. It is a hearing where there is a good bit of interest, and
we look forward to moving forward on this issue this year.
So, seeing no further business to come to the subcommittee
today, the committee is adjourned.
[Whereupon, at 12:04 p.m., the subcommittee was adjourned.]
[Material submitted for inclusion in the record follows:]