[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]
THE CURRENT STATE OF PRIVATE-SECTOR ENGAGEMENT FOR CYBERSECURITY
=======================================================================
HEARING
before the
SUBCOMMITTEE ON
CYBERSECURITY AND
INFRASTRUCTURE PROTECTION
of the
COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED FIFTEENTH CONGRESS
FIRST SESSION
__________
MARCH 9, 2017
__________
Serial No. 115-7
__________
Printed for the use of the Committee on Homeland Security
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Available via the World Wide Web: http://www.gpo.gov/fdsys/
______
U.S. GOVERNMENT PUBLISHING OFFICE
26-905 PDF WASHINGTON : 2017
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800;
DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC,
Washington, DC 20402-0001
__________
COMMITTEE ON HOMELAND SECURITY
Michael T. McCaul, Texas, Chairman
Lamar Smith, Texas Bennie G. Thompson, Mississippi
Peter T. King, New York Sheila Jackson Lee, Texas
Mike Rogers, Alabama James R. Langevin, Rhode Island
Jeff Duncan, South Carolina Cedric L. Richmond, Louisiana
Tom Marino, Pennsylvania William R. Keating, Massachusetts
Lou Barletta, Pennsylvania Donald M. Payne, Jr., New Jersey
Scott Perry, Pennsylvania Filemon Vela, Texas
John Katko, New York Bonnie Watson Coleman, New Jersey
Will Hurd, Texas Kathleen M. Rice, New York
Martha McSally, Arizona J. Luis Correa, California
John Ratcliffe, Texas Val Butler Demings, Florida
Daniel M. Donovan, Jr., New York Nanette Diaz Barragan, California
Mike Gallagher, Wisconsin
Clay Higgins, Louisiana
John H. Rutherford, Florida
Thomas A. Garrett, Jr., Virginia
Brian K. Fitzpatrick, Pennsylvania
Brendan P. Shields, Staff Director
Kathleen Crooks Flynn, Deputy General Counsel
Michael S. Twinchek, Chief Clerk
Hope Goins, Minority Staff Director
------
SUBCOMMITTEE ON CYBERSECURITY AND INFRASTRUCTURE PROTECTION
John Ratcliffe, Texas, Chairman
John Katko, New York Cedric L. Richmond, Louisiana
Daniel M. Donovan, Jr., New York Sheila Jackson Lee, Texas
Mike Gallagher, Wisconsin James R. Langevin, Rhode Island
Clay Higgins, Louisiana Val Butler Demings, Florida
Thomas A. Garrett, Jr., Virginia Bennie G. Thompson, Mississippi
Brian K. Fitzpatrick, Pennsylvania (ex officio)
Michael T. McCaul, Texas (ex
officio)
Brett DeWitt, Subcommittee Staff Director
C O N T E N T S
----------
Page
Statements
The Honorable John Ratcliffe, a Representative in Congress From
the State of Texas, and Chairman, Subcommittee on Cybersecurity
and Infrastructure Protection:
Oral Statement................................................. 1
Prepared Statement............................................. 3
The Honorable Cedric L. Richmond, a Representative in Congress
From the State of Louisiana, and Ranking Member, Subcommittee
on Cybersecurity and Infrastructure Protection:
Oral Statement................................................. 4
Prepared Statement............................................. 5
The Honorable Bennie G. Thompson, a Representative in Congress
From the State of Mississippi, and Ranking Member, Committee on
Homeland Security:
Prepared Statement............................................. 5
The Honorable Sheila Jackson Lee, a Representative in Congress
From the State of Texas:
Prepared Statement............................................. 6
Witnesses
Mr. Daniel Nutkis, Chief Executive Officer, HITRUST Alliance:
Oral Statement................................................. 8
Prepared Statement............................................. 9
Mr. Scott Montgomery, Vice President and Chief Technical
Strategist, Intel Security Group, Intel Corporation:
Oral Statement................................................. 13
Prepared Statement............................................. 14
Mr. Jeffrey Greene, Senior Director, Global Government Affairs
and Policy, Symantec:
Oral Statement................................................. 21
Prepared Statement............................................. 23
Mr. Ryan M. Gillis, Vice President of Cybersecurity Strategy and
Global Policy, Palo Alto Networks:
Oral Statement................................................. 27
Prepared Statement............................................. 28
Mr. Robyn Greene, Policy Counsel and Government Affairs Lead,
Open Technology Institute, New America:
Oral Statement................................................. 34
Prepared Statement............................................. 36
Appendix
Questions From Honorable James Langevin for Daniel Nutkis........ 61
Questions From Honorable James Langevin for Scott Montgomery..... 61
Questions From Honorable James Langevin for Jeffrey Greene....... 64
Questions From Honorable James Langevin for Ryan M. Gillis....... 66
Questions From Honorable Cedric Richmond for Robyn Greene........ 67
Questions From Honorable James Langevin for Robyn Greene......... 68
THE CURRENT STATE OF PRIVATE-SECTOR ENGAGEMENT FOR CYBERSECURITY
----------
Thursday, March 9, 2017
U.S. House of Representatives,
Committee on Homeland Security,
Subcommittee on Cybersecurity and
Infrastructure Protection,
Washington, DC.
The subcommittee met, pursuant to notice, at 10:09 a.m., in
room HVC-210, Capitol Visitor Center, Hon. John Ratcliffe
(Chairman of the subcommittee) presiding. Present:
Representatives Ratcliffe, Katko, Donovan, Gallagher,
Fitzpatrick, Richmond, Jackson Lee, Langevin, and Demings.
Mr. Ratcliffe. The Committee on Homeland Security
Subcommittee on Cybersecurity and Infrastructure Protection
will come to order.
The subcommittee is meeting today to receive testimony
regarding the current state of DHS's private sector engagement
for cybersecurity.
I now recognize myself for an opening statement.
Cybersecurity touches every aspect of the world that we
live in. It is central to every sector of our economy. It is
vitally important to the protection of all Americans' most
sensitive information and it is one of the foremost National
security challenges of our time.
Our collective ability to combat these threats with
Government and the private sector working together will be one
of the defining public policy challenges of our generation.
Today, the Homeland Security Subcommittee on Cybersecurity
and Infrastructure Protection meets to hear from key
stakeholders on the current state of private-sector engagement
for DHS's cybersecurity mission.
As Chairman of this subcommittee, I don't take the
responsibility that we as lawmakers in this room have lightly.
In a world of rapidly-evolving threats, we have been entrusted
to be part of the solution, and I believe that today's hearing
will be an important piece of this on-going effort.
DHS's cyber mission includes a robust portfolio of existing
private-sector partnerships, including information-sharing and
analysis organizations, the Cyber Information Sharing and
Collaboration Program, Sector Coordinating Councils and the
Automated Indicator Sharing Program.
Specifically, we hope to learn how these partnerships can
be improved and what more DHS can be doing to ensure that these
programs and activities are meaningful, substantive, and
effective.
Today, the private-sector entities, including U.S. critical
infrastructure owners and operators, are on the front line of
conflict in cyber space. Our civilian networks face countless
attacks every day from bad actors who seek to infiltrate our
trusted systems, cripple our commerce, and expose Americans'
personal information.
Every day, these bad actors are using more advanced
tactics, techniques, and procedures, and higher-quality
information. It is only through constant and vigilant
innovation that their attacks can be prevented, identified, and
mitigated.
While DHS has made headway in this space and has
strengthened many initiatives in its role as the civilian
interface and coordinator across 16 critical infrastructure
sectors for cybersecurity, very clearly more work needs to be
done. It is not enough to simply have programs in place.
Instead, we must be constantly measuring, benchmarking, and
setting goals associated with their outcomes.
Additionally, DHS needs to become fully operational so that
it can effectively carry out the cybersecurity authorities that
Congress deliberately gave the Department just over a year ago.
Today is the start of a new conversation that needs to
occur in a new world on this new battlefield, and the start of
a new administration provides a clean slate, a perfect
opportunity to regroup and reassess before moving forward, an
opportunity to ensure that our efforts and resources are
aligned with the threat landscape that we face right now.
Several weeks ago in a homeland security hearing in this
room, I was pleased to have the opportunity to discuss with
Secretary Kelly the importance of DHS's cyber mission. What I
told him and what I know the rest of this subcommittee joins me
in reinforcing is that we stand ready to pedal as fast as his
agency and the entire Trump administration demands because the
stakes are too high to do anything less right now.
In the cyber domain, we are constantly learning new
lessons. It is only by incorporating the knowledge into
existing programs and processes that we can continue to move
toward greater collaboration and better-secured networks.
Because, while the private sector is on the front lines of our
cyber challenges, the Federal Government, and DHS in
particular, has an important role to play as a force multiplier
to provide the private sector with every advantage available to
defend itself.
In the 115th Congress, this subcommittee will be
legislating and conducting rigorous oversight to further
strengthen DHS's civilian cyber mission. While the various DHS
touch-points with the private that we will discuss today range
in levels of sophistication and size of participant base, they
all depend on quality information flowing at a rate that makes
it timely and actionable.
Marked changes in the security of our country's
cybersecurity posture will only occur in concert with the
advancement of the collaborations that we are going to be
discussing today. The combination of information, capacity, and
technical expertise needs to be leveraged in partnership at
every turn.
We look forward to hearing from the witnesses on these
private-sector engagement efforts at DHS. Our goal on this
topic is to make sure that the private sector has every
opportunity and every reason to take full advantage of DHS's
cybersecurity programs so we can continue to work to secure
cyber space.
Again, thanks to our witnesses for your willingness to be
here today to share your expertise.
[The statement of Chairman Ratcliffe follows:]
Statement of Chairman John Ratcliffe
Cybersecurity touches every aspect of the world we live in. It's
central to every sector of our economy. It's vitally important for the
protection of all Americans' most sensitive information, and it's one
of the foremost National security challenges of our time. Our
collective ability to combat these threats--with the Government and the
private sector working together--will be one of the defining public
policy challenges of our generation.
Today the House Homeland Security Subcommittee on Cybersecurity and
Infrastructure Protection meets to hear from key stakeholders on the
current state of private-sector engagement for DHS's cybersecurity
mission. As Chairman of this subcommittee, I don't take the
responsibility the lawmakers in this room have lightly. In a world of
rapidly-evolving threats, we have been entrusted to be part of the
solution, and I believe today's hearing will be an important piece of
this on-going effort.
DHS's cyber mission includes a robust portfolio of existing
private-sector partnerships--including Information Sharing and Analysis
Organizations, the Cyber Information Sharing and Collaboration Program,
Sector Coordinating Councils, and the Automated Indicator Sharing
Program. Specifically, we hope to learn how these partnerships can be
improved and what more DHS can be doing to ensure that these programs
and activities are meaningful, substantive, and effective.
Today, private-sector entities--including U.S. critical
infrastructure owners and operators--are on the front line of the
conflict in cyber space. Our civilian networks face countless attacks
every day from bad actors who seek to infiltrate our trusted systems,
cripple commerce, and expose Americans' personal and sensitive
information. Bad actors are using more advanced tactics, techniques,
and procedures, and higher quality information. It is only through
constant and vigilant innovation that their attacks can be prevented,
identified, and mitigated.
While DHS has made headway in this space and has strengthened many
initiatives in its role as the civilian interface and coordinator
across the 16 critical infrastructure sectors for cybersecurity, more
work needs to be done. It is not enough to simply have programs ``in
place.'' Instead, we must be constantly measuring, bench-marking, and
setting goals associated with their outcomes. Additionally, DHS needs
to become fully operational so it can most effectively carry out the
cybersecurity authorities Congress deliberately gave the Department
just over a year ago.
Today is the start of a conversation that needs to occur in this
new world with this new battlefield. And the start of a new
administration provides a clean slate--a perfect opportunity to regroup
and reassess before moving forward. An opportunity to ensure that our
efforts and resources are aligned with the threat landscape we face.
Several weeks ago in a Homeland Security hearing, I was pleased to
have the opportunity to discuss with Secretary Kelly the importance of
DHS's cyber mission. What I told him, and what I know the rest of this
subcommittee joins me in reinforcing, is that we stand ready to pedal
as fast as his agency and the Trump administration demands. Because the
stakes are too high to do anything less.
In the cyber domain, we are constantly learning new lessons, and it
is only by incorporating that knowledge into existing programs and
processes that we can continue to move toward greater collaboration and
better-secured networks. Because while the private sector is on the
front lines of our cyber challenges, the Federal Government, and DHS in
particular, has an important role to play as a force multiplier to
provide the private sector with every advantage available to defend
itself.
In the 115th Congress, this subcommittee will be legislating and
conducting rigorous oversight to further strengthen DHS's civilian
cyber mission. While the various DHS touchpoints with the private that
we will discuss today range in levels of sophistication and size of
participant base, they all depend on quality information flowing at a
rate that makes it timely and actionable.
Marked changes in the security of our country's cybersecurity
posture will only occur in concert with the advancement of the
collaborations that we will be discussing today. The combination of
information, capacity, and technical expertise needs to be leveraged in
partnership at every turn.
We look forward to hearing from the witnesses on these private-
sector engagement efforts at DHS. Our goal on this topic is to make
sure that the private sector has every opportunity and every reason to
take full advantage of DHS cybersecurity programs so we can continue to
work together to secure cyber space.
Again, thank you to our witnesses for your willingness to share
your expertise.
Mr. Ratcliffe. The Chair now recognizes the Ranking
Minority Member of the subcommittee, the gentleman from
Louisiana, Mr. Richmond, for his opening statement.
Mr. Richmond. Thank you, Chairman Ratcliffe, for holding
this hearing to examine how the Department and the private
sector work together on cybersecurity.
As this is the first subcommittee hearing, I would like to
start off by welcoming the gentlelady from Florida, Mrs. Val
Demings, to the subcommittee.
Cybersecurity issues dominated the 2016 election, from the
security of Secretary Clinton's server to Vladimir Putin
ordering cyber attacks on the U.S. election systems to
Wikileaks publishing the private emails of prominent Democratic
figures. America got a crash course in cybersecurity.
Before he was sworn in, President Trump said he would
direct the Department of Defense and the Joint Chiefs to
develop a comprehensive plan to protect America's vital
infrastructure from cyber attacks and all other forms of
attacks. This was on his first day in office.
While I share the President's desire to better protect
critical infrastructure, directing the Pentagon to take on
cybersecurity in the private sector would represent a radical
departure from how the Government manages cybersecurity.
Since 2001, DHS has been the lead agency responsible for
coordinating Federal efforts to protect critical infrastructure
and, in that capacity, has made major strides in cyber
information sharing among critical infrastructure owners and
operators.
Then, 2 years ago, with input from some of the witnesses
assembled on this panel, legislation was signed into law
codifying DHS's role as the lead civilian interface for
information sharing. Since that time, DHS has ramped up its
efforts to partner with critical infrastructure.
We often say on this committee that the threat landscape is
constantly evolving. When it comes to cybersecurity, the
volume, the complexity, and scale of attacks grow exponentially
with each passing day.
To meet this challenge, the culture around cyber
information sharing needs to shift, just as it needed to shift
after 9/11 when Federal law enforcement and intelligence
agencies moved from a need-to-know to a need-to-share culture.
As we work to enhance the quality of information sharing,
we must not lose sight of the obligations of all involved to
protect the personal information of Americans or impacted
networks.
I am glad to see that Ms. Greene is here to talk with us
about these obligations. I also look forward to talking with
all the witnesses about what, from their perspectives, DHS and
specifically NCCIC could be doing better.
Last year, Congress enacted legislation I authored to make
sure DHS is carrying out its diverse portfolio of cybersecurity
responsibilities in a strategic manner. In a couple of weeks,
DHS should be transmitting to Congress its first ever
Department-wide cybersecurity strategy. When we see the
strategy, I may want to engage with you all on your thoughts.
Finally, while I recognize that the long-awaited Executive
Order on cybersecurity has not yet been issued, it will be good
to hear your thoughts on what we have seen so far from
President Trump's administration on cybersecurity.
With that, Mr. Chairman, I yield back.
[The statement of Ranking Member Richmond follows:]
Statement of Ranking Member Cedric L. Richmond
March 9, 2017
Cybersecurity issues dominated the 2016 election. From the security
of Secretary Clinton's server, to Vladimir Putin ordering cyber attacks
on U.S. election systems, to WikiLeaks publishing the private emails of
prominent Democratic figures--America got a crash-course in
cybersecurity.
Before he was sworn in, President Trump said he would direct the
Department of Defense and the Joint Chiefs to develop ``a comprehensive
plan to protect America's vital infrastructure from cyber attacks, and
all other form of attacks'' on his first day in office.
While I share the President's desire to better protect critical
infrastructure, directing the Pentagon to take on cybersecurity in the
private sector would represent a radical departure from how the
Government manages cybersecurity.
Since 2001, DHS has been the lead agency responsible for
coordinating Federal efforts to protect critical infrastructure and, in
that capacity, has made major strides in cyber information sharing
among critical infrastructure owners and operators.
Then two years ago, with input from some of the witnesses assembled
on this panel, legislation was signed into law codifying DHS's role as
the lead civilian interface for information sharing. Since that time,
DHS has ramped up its efforts to partner with critical infrastructure.
We often say on this committee that the threat landscape is
constantly evolving. When it comes to cybersecurity, the volume,
complexity, and scale of attacks grow exponentially with each passing
day. To meet this challenge, the culture around cyber information
sharing needs to shift--just as it needed to shift after 9/11, when
Federal law enforcement and intelligence agencies moved from a ``need
to know'' to ``need to share'' culture.
As we work to enhance the quality of information sharing, we must
not lose sight of the obligations of all involved to protect the
personal information of Americans on impacted networks. I am glad that
Ms. Green is here to talk with us about these obligations. I also look
forward to talking with all the witnesses about what, from their
perspectives, DHS (and specifically the NCCIC) could be doing better.
Last year, Congress enacted legislation I authored to make sure DHS
is carrying out its diverse portfolio of cybersecurity responsibilities
in a strategic manner. In a couple of weeks, DHS should be transmitting
to Congress it's first-ever Department-wide cybersecurity strategy.
When we see the strategy, I may want to engage with you on your
thoughts.
Finally, while I recognize that the long-awaited Executive Order on
cybersecurity has not yet been issued, it would be good to hear your
thoughts on what we've seen so far from President Trump on
cybersecurity.
Mr. Ratcliffe. I thank the gentleman.
Other Members of the committee are reminded that opening
statements may be submitted for the record.
[The statements of Ranking Member Thompson and Honorable
Jackson Lee follow:]
Statement of Ranking Member Bennie G. Thompson
March 9, 2017
Cybersecurity is at the forefront of American politics in a way
that, in my 24 years in Congress, I have never seen. On this committee,
we regularly gather to hear from cybersecurity leaders on the most
pressing security vulnerabilities to our Nation and the novel ways our
enemies seek to exploit them. This past fall, details began to emerge
about an entirely new attack vector--a hacking campaign designed to
impact the Presidential election.
Even before the election, the Secretary of Homeland Security and
the Director of National Intelligence warned that Russian President
Vladimir Putin directed hackers to penetrate the email accounts of
high-ranking Democratic party officials to acquire information to be
used to embarrass and undermine the candidacy of Secretary Clinton.
The full scale of this state-sponsored hacking campaign is still
not fully known but what we do know is that in addition to hacking
private email accounts of prominent Democrats, the Russian hackers
tried infiltrate vital networks and equipment maintained by state
election authorities.
The Russian cyber campaign sought to strike at the heart of our
democracy. As such, legitimate questions about contacts between
President Trump's inner circle and associates of the Putin regime need
to be brought to light. That is why I support an independent 9/11-style
commission to investigate the Russian cyber campaign.
It has been disheartening to see President Trump display a somewhat
dismissive attitude about this very significant cyber attack, even as
DHS and its Federal partners work to raise the level of cyber awareness
and hygiene across the country.
I continue to be troubled by how long it took President Trump to
accept the facts presented by the intelligence committee about the
Russians orchestrating the hacking campaign. What seems to be lost on
this man who has repeatedly expressed support for our Government using
cyber offensive capabilities is that there can be no retribution
without attribution.
I am pleased that we have with us today representatives from
private sector that know a thing or two about the nature of the
evolving cyber threat and the importance of attribution.
I would like to also take a moment to welcome Robyn Greene who this
committee has come to count on for counsel when it comes the privacy
challenges associated with cyber information sharing. I look forward to
hearing from the panel on how DHS helps private entities secure their
networks against intrusion.
______
Statement of Honorable Sheila Jackson Lee
March 9, 2017
Chairman Ratcliffe and Ranking Member Richmond, thank you for
convening this opportunity for the Homeland Security Committee
Subcommittee on Cybersecurity & Infrastructure Protection on the topic
of ``The Current State of DHS Private Sector Engagement for
Cybersecurity.''
Today's hearing will give Members an opportunity to hear from
individuals outside the Government about how the Department of Homeland
Security (DHS) works with private entities to improve their network
security and contribute to the overall health of the cyber ecosystem.
I thank today's witnesses :
Daniel Nutkis, CEO, HITRUST Alliance
Scott Montgomery, V.P. and Chief Technical Strategist, Intel
Security Group, Intel Corporation
Jeffrey Greene, Senior Director, Global Government Affairs &
Policy, Symantec
Ryan Gillis, V.P. of Cybersecurity Strategy & Global Policy,
Palo Alto Networks
Robyn Greene, Policy Counsel & Government Affairs Lead, New
America--Open Technology Institute (Democratic Witness).
In the first few weeks of this Congress I introduced a number of
measures on the topic of cybersecurity to address gaps in our Nation's
cyber defensive posture:
SCOUTS Act--H.R. 940;
CAPITALS Act--H.R. 54;
SAFETI Act--H.R. 950;
Terrorism Prevention and Critical Infrastructure--H.R. 945;
and
Cybersecurity and Federal Workforce Enhancement Act--H.R.
935.
H.R. 940, the ``Securing Communications of Utilities from Terrorist
Threats'' or the ``SCOUTS Act,'' directs the Secretary of Homeland
Security, in coordination with the sector-specific agencies, to work
with critical infrastructure owners and operators and State, local,
Tribal, and territorial entities to seek voluntary participation on
ways that DHS can best defend against and recover from terrorist
attacks that could have a debilitating impact on National security,
economic stability, public health and safety, or any combination
thereof.
H.R. 940, is relevant to today's hearing because it addresses the
need for a two-way communication process that enables private-sector
participants in information-sharing arrangements with DHS to
communicate their views on the effectiveness of the information
provided; the method of information sharing; and their particular needs
as time passes.
Specifically the bill establishes voluntary listening opportunities
for sector-specific entities to communicate their challenges regarding
cybersecurity, including what needs they may have for critical
infrastructure protection; and how DHS is helping or not helping to
meet those needs.
The Society of Maintenance and Reliability Professionals have
endorsed H.R. 940, and input on the legislation included the Edison
Electric Institute, an electric utility association.
H.R. 54, the Department of Homeland Security's Cybersecurity Asset
Protection of Infrastructure under Terrorist Attack Logistical
Structure or CAPITALS Act, which directs the Department of Homeland
Security (DHS) to produce a report to Congress regarding the
feasibility of establishing a DHS Civilian Cyber Defense National
Resource.
H.R. 950, requires a report and assessment regarding Department of
Homeland Security's response to terrorist threats to Federal elections.
The Comptroller General of the United States is directed to conduct an
assessment of the effectiveness of Department of Homeland Security
actions to protect election systems from cyber attacks and to make
recommendations for improvements to the actions taken by DHS if
determined appropriate.
H.R. 935, The ``Cybersecurity and Federal Workforce Enhancement
Act'' identifies and trains people already in the work force who can
obtain the skills to address our Nation's deficit in the number of
workers and positions available for those with needed skills.
H.R. 940, the ``Securing Communications of Utilities from Terrorist
Threats'' or the ``SCOUTS Act,'' is the relevant to today's hearing
because this bill focuses on the communications sent by DHS to sector-
specific entities and the ability of these entities to communicate to
the agencies their perspective on the usefulness of the information;
the form of communication that would be most helpful; and requires a
report to Congress by DHS on the views of critical infrastructure
owners and operators on the information-sharing process related to
cybersecurity.
Later today I will be introducing the Prevent Zero Day Events Act,
which will help DHS in working with sector-specific entities to better
understand the detection of undiscovered or unreported vulnerabilities
in software and firmware that if exploited could pose a serious threat
to our Nation's power grid; telecommunications systems; financial
system; health care delivery; water supply or disrupt the ability of
Federal agencies to function.
I look forward to your testimony and the testimony of the second
panel for today's hearing.
Thank you.
Mr. Ratcliffe. We are pleased today to have a very
distinguished panel of witnesses before us on this vitally
important topic. Mr. Daniel Nutkis is the chief executive
officer of the HITRUST Alliance.
Dan, good to have you back before our committee.
Mr. Scott Montgomery is the vice president and chief
technical strategist at Intel Security Group.
We are glad to have you, Mr. Montgomery.
Mr. Jeff Greene is the senior director of global government
affairs and policy at Symantec.
Jeff, good to see you again. Thanks for being here.
Mr. Ryan Gillis is the vice president of cybersecurity
strategy and global policy at Palo Alto Networks.
Mr. Gillis. welcome and we look forward to your testimony
today.
Last but not least, Ms. Robyn Greene is the policy counsel
and government affairs lead of the Open Technology Institute at
New America.
Welcome back, Ms. Greene.
I would now like to ask the witnesses all to stand and
raise your right hand so that I can swear you in to testify.
[Witnesses sworn.]
Mr. Ratcliffe. Please let the record reflect that the
witnesses all answered in the affirmative. You may be seated.
The witnesses' full written statements will appear in the
record. The Chair now recognizes Mr. Nutkis for 5 minutes for
an opening statement.
STATEMENT OF DANIEL NUTKIS, CHIEF EXECUTIVE OFFICER, HITRUST
ALLIANCE
Mr. Nutkis. Good morning, Chairman Ratcliffe, Ranking
Member Richmond, and distinguished Members of the subcommittee.
I am pleased to appear today to discuss the health
industry's experiences in engaging with the Department of
Homeland Security relating to cyber information sharing and
other cyber initiatives, and a role we believe provides the
greatest benefit to industry.
For a little context for the subcommittee, for the last 10
years we have developed and updated a privacy and security
framework and risk management practices for the health care
industry, which were the most widely adopted. Five years ago,
we established the HITRUST CTX which is the health care
industry's most active and robust information sharing and
analysis organization, or ISAO.
While I prepared my written statement for the record, in my
testimony today I will highlight how HITRUST helps elevate the
industry's cyber awareness, improves cyber preparedness, and
strengthens the risk management posture of the health care
industry.
At today's hearing, I would like to highlight three
programs we have pioneered with industry that showcase the
positive efforts under way in collaboration with DHS, and then
speak to our concerns over Government's interference and
disregard for key industry cybersecurity efforts.
The first is the enhanced indicator of compromise program,
the second is the sector guidance for implementing the NIST
cybersecurity framework, and the third is the automated
indicator sharing with DHS. I will touch on each one of these
briefly.
A review in 2015 highlighted a number of gaps and
deficiencies in our cyber information sharing approaches and
led to the development of an enhanced criteria to improve the
collection and sharing of IOCs and maximize its benefits. The
net results is that the HITRUST CTX, which is part of our ISAO,
continues to improve on the number of unique IOCs it shares
across the health care industry, going from 186 unique IOCs in
September 2015 to over 5,100 in September 2016. Additionally,
there were substantial improvements in timeliness, accuracy,
and usability.
I reference this program to illustrate that the private
sector is willing to do its part in facilitating the collection
and dissemination of IOCs and other cyber threat information. I
see DHS as having a vital role in facilitating the collection
and dissemination of other information-sharing organizations in
a streamlined, secure, and efficient manner.
Last year, the Health and Public Health Sector Coordinating
Council and the Government Coordinating Council with input from
HITRUST and other sector members, including the DHS critical
infrastructure cyber community, developed the health sector
implementation guide for the NIST cybersecurity framework.
DHS was an integral partner and commenter during the
development of the sector guide. It should be noted that the
HPHSCC, which was formed under the DHS Critical Infrastructure
Sector Partnership Program, is an example of industry
innovation, leadership, and collaboration across the entire
industry on a number of topics relevant to critical
infrastructure, including cyber.
The HITRUST CTX is fully integrated with AIS and supports
bidirectional cyber threat indicator exchange to better aid
organizations in reducing their cyber risk. In fact, HITRUST
was the first non-Government entity connected to and sharing
cyber threat indicators with DHS AIS program. HITRUST believes
DHS acting as the hub for cyber information sharing benefits
the entire industry. Our engagement with DHS has been both
collaborative and productive.
Despite all the progress the public/private sector has made
in recent years, there are Government efforts underway to
undermine private-sector information-sharing programs and ISAOs
like that of HITRUST.
Even though CISA and the Executive Order made clear that
ISAOs would be established and enable private companies to
decide which ISAO to engage when sharing with DHS, there are
efforts to require health care organizations to only share
information directly with the Department of Health and Human
Services or their designated ISAO, an agency not even
identified in CISA's affording safe harbor liability
protections.
This is certainly troublesome and we find these efforts
alarming and are contrary to the original intent of CISA. We
recognize that there is a large role for Government to play in
supporting information sharing. The private sector should be
considered an equal party and the Government partners should
take a universal and consistent approach when engaging with
industry.
We recognize that each industry is unique with regards to
CTI sharing. In health care, they include health information,
organizational size, technical maturity, control systems,
medical devices, but that doesn't warrant interjecting another
intermediary and certainly not one that regulates, audits, and
has responsibility for imposing fines and other financial
penalties.
The market should drive innovation and Government should
promote the role of industry without changing the rules.
Thank you again for the opportunity to share these
insights. With that, Mr. Chairman, I am pleased to answer the
committee's questions.
[The prepared statement of Mr. Nutkis follows:]
Prepared Statement of Daniel Nutkis
March 9, 2017
Chairman Ratcliffe, Ranking Member Richmond, and distinguished
Members of the subcommittee, I am pleased to appear today to discuss
the health industry's experiences in engaging with the Department of
Homeland Security relating to cyber information sharing and other cyber
initiatives and the role we believe provides the greatest benefit to
industry. I am Daniel Nutkis, CEO and founder of the Health Information
Trust Alliance, or HITRUST. HITRUST was founded in 2007, after industry
recognized the need to formally and collaboratively address information
privacy and security for health care stakeholders representing all
segments of the industry and organizational sizes. HITRUST endeavored--
and continues to endeavor--to elevate the level of information
protection in the health care industry and those it collaborates with,
ensuring greater collaboration between industry and Government, raising
the competency level of information security professionals, while
maintaining trust with consumers and patients regarding their health
information, and promoting cyber resilience of industry organizations.
In my testimony today, I will highlight how HITRUST helps elevate
the industry's cyber awareness, improve cyber preparedness and
strengthen the risk management posture of the health care industry. In
particular, I will explain how programs like cyber information sharing,
cyber threat catalogues, and guidance on implementing the NIST
Cybersecurity Framework\1\ are integral to this process, as is the role
for the Department of Homeland Security.
---------------------------------------------------------------------------
\1\ https://www.us-cert.gov/ccubedvp.
---------------------------------------------------------------------------
In 2012, HITRUST established the HITRUST Cyber Threat XChange or
CTX, the health industry's Information Sharing and Analysis
Organization, or ISAO. The HITRUST CTX has consistently and effectively
enabled cyber information sharing across the entire industry and with
Government, while continuously evaluating and enhancing its services to
ensure better collection, analysis, and consumption of actionable cyber
threat information.
At today's hearing, I would like to highlight three programs we
have pioneered with industry that showcase the positive efforts under
way in collaboration with DHS and then speak to our concerns over
Government's interference, underperformance or disregard as to the
industry's cybersecurity efforts. Concerns, I anticipate this committee
and the new administration will share and appropriately address.
The first of the programs is the Enhanced Indicator of Compromise
(IOC) Program; second, is Sector Guidance for Implementing the NIST
Cybersecurity Framework; and third, is Automated Indicator Sharing with
DHS. I will touch on each one of these briefly.
enhanced indicator of compromise (ioc) program
Since it began an IOC-sharing program over 6 years ago, HITRUST has
been a leader in information sharing and continuously evaluates the
effectiveness of its cyber information-sharing program against stated
goals. A review in 2015 highlighted a number of gaps and deficiencies
in our cyber information-sharing approaches, and led to the development
of an Enhanced IOC criteria to improve the collection and sharing of
IOCs and maximize its benefits. These criteria defined specific
requirements in terms of completeness, timeliness, and accuracy of IOCs
contributed. We then established a pilot to evaluate the effectiveness
of this approach, which demonstrated significant improvements,
highlighted in the findings below:
1. During the pilot period, over 80% of the IOCs collected were
unique and not seen or known by any other open-source,
commercial, DHS CISCP, or user-contributed feeds available to
the HITRUST CTX.
2. The pilot group of eight organizations using Enhanced IOC
sharing reported 45% more IOCs than a comparable group of over
800 existing CTX participants using current sharing practices.
3. 100% of organizations reported IOCs to the HITRUST CTX compared
to only a small percentage of organizations--5%--that
contributed using current sharing practices during the same
period.
4. IOCs were reported to the HITRUST CTX on average 13.1 days
before being seen or identified by any other open-source,
commercial, DHS CISCP, or user-contributed feeds to the HITRUST
CTX. Some indicators were seen in the pilot program up to 123
days before being reported by other feeds.
5. IOCs were submitted in a matter of minutes to the HITRUST CTX
compared to an average of 7 weeks after detection using current
sharing practices.
6. 95% of the IOCs contributed to the HITRUST CTX had metadata
(e.g., malicious IPs, URLs or domains) that made them
actionable for use by others, which is defined as being useful
in allowing preventative or defensive action to be taken
without a significant risk of a false positive. Using current
sharing practices, only 50% of the IOCs contributed to the
HITRUST CTX were considered actionable.
The net result is that the HITRUST CTX continues to improve on the
number of unique IOCs it shares across health care organizations each
month--going from 186 unique IOCs in September 2015 to 5,158 in
September 2016.
In addition, the enhanced IOC pilot improved situational awareness
and predictive threat modeling with the ability to correlate IOCs and
Indicators of Attack (IOAs) between organizations, identify attack
patterns, and alert participants about IOCs and IOAs. These results are
positive with regards to mitigating cyber risk, but don't speak to the
investment required.
To better understand the return on investment, HITRUST is
undertaking a study to quantify the value of information sharing as a
tool in mitigating cyber risk, to aid organizations in prioritizing and
justifying their participation. We are undertaking an ROI study to
evaluate information sharing and the incremental benefits of leveraging
the Enhanced IOC criteria. We look forward to updating the committee on
the results of this study in the near future.
Another important finding is that threat information sharing does
not need to be limited to the largest organizations and that the
scalable sharing of IOCs can be achieved throughout health care
organizations of varying size, intelligence appetite, and the maturity
of an organization's security program. This was evaluated by
integrating the HITRUST CTX with the CyberAid program.\2\
---------------------------------------------------------------------------
\2\ HITRUST CyberAid is an example of enabling information sharing
with smaller organizations--https://hitrustalliance.net/documents/
cyberaid/CyberAidInfographicPresentation.pdf.
---------------------------------------------------------------------------
The results of the Enhanced IOC Collection Pilot indicate that
health care organizations can dramatically improve the timeliness,
completeness, usability, and volume of IOCs contributed to the HITRUST
CTX by implementing the enhanced IOC criteria. In response to these
findings, HITRUST is expanding the Enhanced IOC program and announced
enhancements to the CTX platform to aid organizations in reducing their
cyber risk.
I reference this program to illustrate that the private sector is
willing to do its part in facilitating the collection and dissemination
of IOCs and other cyber threat information (CTI), and sees DHS as
having a vital role in facilitating the collection and dissemination
from other information-sharing organizations in a streamlined and
efficient manner.
sector guidance for implementing the nist cybersecurity framework
Last year, the Health and Public Health Sector Coordinating Council
(SCC) and Government Coordinating Council (GCC), along with input from
HITRUST, and other sector members including the DHS Critical
Infrastructure Cyber Community (C3) developed the Health Sector
implementation guide for the NIST Cybersecurity Framework, specifically
referred to as ``Healthcare Sector Cybersecurity Framework
Implementation Guide.''
The Sector Guide supports implementation of a sound cybersecurity
program that addresses the five core function areas of the NIST
framework to ensure alignment with National standards, help
organizations assess and improve their level of cyber resiliency, and
provide suggestions on how to link cybersecurity with other information
security and privacy risk management activities in the Health Care
Sector. The Health Care Sector leverages the HITRUST risk management
framework, including the HITRUST CSF and CSF Assurance Program to
effectively provide the sector's implementation of the NIST
Cybersecurity Framework.
DHS was an integral partner and commenter during the development of
the Sector Guide. The HPH SCC, which was formed under the DHS Critical
Infrastructure Sector Partnership Program, is an example of industry
innovation, leadership, and collaboration across the entire industry on
a number of topics relevant to the protection of critical
infrastructure including cyber.
automated indicator sharing (ais)
The HITRUST CTX is fully integrated with AIS and supports bi-
directional cyber threat indicator exchange to better aid organizations
in reducing their cyber risk. In fact, HITRUST was the first non-
Government entity connected to and sharing cyber threat indicators with
the DHS AIS Program.
AIS has the potential to facilitate the sharing of crucial cyber
threat information from across organizations, corporations, and Federal
agencies in real time. Given the recent rise in cyber threats targeting
the health care industry, HITRUST believes bi-directional integration
into the AIS program will ensure relevant and timely CTI from HITRUST
and Government is available to all industries--ultimately bolstering
the overall cyber posture of the Nation's critical infrastructure.
Of note, HITRUST's role as an ISAO with strong industry engagement
enabled us to quickly and efficiently address any concerns regarding
the liability of sharing with Government. It was also our continued
evaluation and enhancements to our infrastructure with our technology
partners that enabled us to integrate with AIS and meet the future
needs of information sharing. Both the Cybersecurity Act of 2015 (CISA)
and Executive Order (EO) 13691 intended ISAOs to take up this role in
an effort to help move the private sector in the right direction and
enable them to robustly engage with Government. AIS integration
demonstrates that HITRUST, with its DHS partnership, continues to
evolve, improve, and lead by innovating and ensuring cyber threat
information sharing is providing the most value to the broadest group
of constituents while reducing overall cyber risk.
As a non-Governmental organization, sharing with AIS was not
without initial challenges, we did encounter some technical and
operational issues. They have since been addressed, but we would
encourage greater engagement by DHS with AIS participants to ensure
alignment with on-going and future requirements.
HITRUST is of the opinion that DHS--acting as the hub for cyber
information sharing--benefits the entire industry, and our engagement
with the DHS AIS has been both cooperative and very productive.
However, despite all the progress the public and private sectors
have made in recent years, as I referenced earlier, there are
Government efforts underway to undermine private-sector information-
sharing programs and ISAOs like that of HITRUST. Even though CISA and
the EO make clear that ISAOs would be established and enable private
companies to decide which ISAO to engage when sharing with DHS, there
are efforts under way that will deviate from this effort by requiring
health care organizations to only share information directly with the
Department of Health and Human Services--an agency not even identified
in CISA as affording safe harbor liability protections.
This is certainly troublesome, as we can all agree that CISA placed
DHS at the center of information sharing with the private and civilian
sector. HITRUST supported this effort enthusiastically and continues to
do so. In fact, as we have outlined in our testimony, we have invested
heavily in elevating our information-sharing capabilities to help
industry achieve the goal of working collaboratively with the
Government.
Since HITRUST has led the industry in the collection of IOCs
through the development of enhanced standards and collection practices,
and was the first health care organization to begin sharing bi-
directionally with DHS's AIS program, we find these efforts unnerving
as they are certainly contrary to the original intent of CISA and
Government's commitment to partner with industry through the ISAO
program.
HITRUST has always approached its role as an ISAO with the
entrepreneurial spirit of innovation and leadership. While we recognize
that there is a large role for Government to play in supporting
information sharing and ensuring liability protection, the private
sector should be considered an equal partner, and our Government
partners should take a universal and consistent approach when engaging
with industry.
We appreciate and recognize that each industry has unique dynamics
and challenges with regards to CTI sharing, in health care they include
organizational size, technical maturity, medical devices, and other
control systems, but that doesn't warrant interjecting another
intermediary and certainly not one that regulates and has
responsibility for fines and other financial penalties.
HITRUST was an early supporter of CISA and continues to support the
role of Government to foster transparency by establishing guidance,
clarifying roles and responsibilities, and encouraging industries and
segments to determine how to engage more extensively based on their
value and performance. The market should drive innovation and
Government should promote the role of industry without changing the
rules. We are seeing the opposite occur, and this was never the intent
of CISA or the Executive Order. CISA established a role for the private
sector around cyber information sharing, a role for ISAOs and
associated liability protections offered through DHS. Unfortunately
after supporting, committing, and engaging along that path, we find the
Department of Health and Human Services establishing guidelines and
approaches that are inconsistent and without appropriate consideration
and recognition of industry activities in support of CISA and the
Executive Order.
HITRUST, through its many programs, remains committed to ensuring
the health care industry can properly address these challenges. Cyber
information sharing is, and will continue to be, a key component in
HITRUST's approach to cybersecurity and cyber risk management, and we
are excited about pioneering these approaches. Information sharing is
only one tool that impacts risk management for an organization. HITRUST
continues to develop innovations such as the Health Care Sector
Cybersecurity Framework Implementation Guide, and enhance its security
and privacy framework and assurance programs. We value the partnership
of DHS in these efforts and look forward to their continued support.
Thank you again for the opportunity to join you today and share
these insights. I look forward to your questions.
Mr. Ratcliffe. Thank you, Mr. Nutkis.
Mr. Montgomery, you are recognized for 5 minutes.
STATEMENT OF SCOTT MONTGOMERY, VICE PRESIDENT AND CHIEF
TECHNICAL STRATEGIST, INTEL SECURITY GROUP, INTEL CORPORATION
Mr. Montgomery. Good afternoon, Chairman Ratcliffe, Ranking
Member Richmond, and Members of the subcommittee.
Thank you for the opportunity to testify today.
Intel is global leader in computing innovation, designing
and building the essential foundational technologies that
support the world's computing devices.
Governments, businesses, and consumers face a cybersecurity
threat landscape that is constantly evolving with each new
technology that is brought to market at a faster pace than ever
before.
The challenges we face are too significant for one company,
even as large as Intel Corporation, or entity to address on its
own. Real change on cybersecurity requires leadership from
Washington and a true public/private partnership with industry.
Our own contribution at the new McAfee, currently known as
Intel Security, is based on an open communication fabric that
will enable all of us in cybersecurity, both public and
private, to work together in ways never before thought
possible.
Cyber defense technologies' effectiveness, it peaks really
shortly after it is released and degrades very, very quickly
after its initial release. Actors take little notice, but once
the technology is deployed at scale, they adopt evasion
techniques and countermeasures, causing the effectiveness to
significantly degrade quickly.
This creates situations where defenders are creating dozens
of disparate tools to solve for micro conditions rather than
macro conditions.
Technology efficiencies are already declining by the time
the lengthy purchase and integration cycles are complete and
trained labor is insufficient to deal with the complexity of
supporting all these technologies. It is a strong collaboration
that plays a key role in how we go forward.
Mobile threats, migration to the cloud, and in particular,
the explosion of the number of internet-enabled devices,
commonly known as IOT, the Internet of Things, are going to
test and exacerbate the limits of our ability to work in real
time rather than assist them.
With respect to the partnership model, Intel and Intel
Security have been active in public/private partnerships
managed by DHS and other agencies for more than 10 years. We
have leadership roles in the President's National Security
Telecommunications Advisory Committee, also known as NSTAC, the
Information Technology Information Sector Coordinating Council,
Information Technology Information Sharing and Analysis Center,
National Cybersecurity Alliance, and the National Cybersecurity
Center of Excellence.
With respect to a few policy recommendations to improve
public/private partnerships, the first one is a move toward
more real-time sharing.
As we talked about a little bit earlier, the drive and the
number of devices, the drive and the number of internet-enabled
technologies is going to scale quickly past our ability to
encompass them in real time as workers. We need these
mechanisms to be automated.
With the passage of the Cybersecurity Information Sharing
Act, DHS was directed to deploy the Automated Indicator Sharing
Program. The program allows both the private and public sectors
to share indicators of compromise, but these indicators of
compromise are like breadcrumbs. It is only when you aggregate
them in the context that you see what the meal is. The sharing
of individual indicators of compromise without context leaves
practitioners asking more questions than having them answered.
Second, the NIST cybersecurity framework process should be
used as the model--the model--for public/private partnerships.
The framework for improving critical infrastructure security,
known as the NIST cybersecurity framework, is widely
acknowledged as a highly successful model of public/private
partnership.
Here is our analysis of why. The need was real, the process
was open, NIST listened more than they talked. They were
prepared. They engaged stakeholders of a variety of different
sizes, of a variety of different financial investments, in a
variety of different sectors, both public and private.
The framework was voluntary, not regulatory. Very, very
important for private organizations to particulate.
Then last, we would like to seek innovative ways to further
grow the information-sharing ecosystem. When we share, for
example, with the Cyber Threat Alliance, including Check Point,
Cisco, Fortinet, Palo Alto, and Symantec, my erstwhile comrades
on the panel, the point of it was to share faster than we could
learn ourselves. It is for the whole to be greater than the sum
of the individualized parts.
Examples of successes include cracking the code on
CryptoWall version 3, one of the most lucrative ransomware
families in the world, totaling more than $325 million
ransomed.
Our disruption of the CryptoWall forced criminals to
develop a CryptoWall 4, which we uncovered quickly and it
resulted in a much less successful attack, a prime example of
where the whole was greater than the sum of the individual
vendor parts.
Given that the rapid change continues, public and private-
sector organizations cannot go it alone. We look for the
encouragement of DHS and their participation in helping us
drive to greater wholes and less individual parts.
Thank you. I look forward to your questions.
[The prepared statement of Mr. Montgomery follows:]
Prepared Statement of Scott Montgomery
March 9, 2017
Good afternoon, Chairman Ratcliffe, Ranking Member Richmond, and
Members of the subcommittee. Thank you for the opportunity to testify
today. I am Scott Montgomery, vice president and chief technical
strategist, Intel Security Group, part of Intel Corporation.
I am pleased to address the subcommittee on the value and
effectiveness of current private-sector engagement with the Department
of Homeland Security (DHS) given its importance in helping DHS achieve
its mission of enhancing the security, resilience, and reliability of
the Nation's cyber and communications infrastructure. My testimony will
address Intel Security's commitment to cybersecurity, our assessment of
the global threat environment, the state of various DHS public-private
partnerships and private-sector partnership innovation. Finally, I will
make a number of public policy suggestions to help the new
administration shore up the capabilities and effectiveness of DHS
public-private partnerships.
First, I would like to provide some background on my experience and
Intel's commitment to cybersecurity. I work for the Intel Security
Group Chief Technology Officer (CTO) and manage the world-wide team of
experts that carry CTO titles. Together we drive the company's
technical innovation; evangelize our expertise, thought leadership, and
offerings to public and individual audiences; and work to increase the
public trust by cooperating with law enforcement on cyber criminal
investigations and disruption. With more than 20 years in content and
network security, I bring a practitioner's perspective to the art and
science of cybersecurity. I have designed, built, tested, and certified
information security and privacy solutions for such companies as
McAfee, Secure Computing, and a wide variety of public-sector
organizations.
intel security's commitment to cybersecurity
Intel is a global leader in computing innovation, designing and
building the essential foundational technologies that support the
world's computing devices. Combining Intel's decades-long computing
design and manufacturing experience with Intel Security's market-
leading cybersecurity solutions, Intel Security brings a unique
understanding of the cybersecurity challenges threatening our Nation's
digital infrastructure and global e-commerce. Governments, businesses,
and consumers face a cybersecurity threat landscape that is constantly
evolving with each new technology that is brought to market at a faster
pace than ever before. The sharp rise of internet-enabled devices
(known as ``Internet of Things'' or ``IoT'') in Government, industry,
and the home exacerbates this already difficult challenge. The
challenges we face are too significant for one company or entity to
address on its own. Real change on cybersecurity requires leadership
from Washington, DC, and a true public-private partnership with
industry.
Collaboration will be the driving force behind what soon will be
the new McAfee (currently known as Intel Security)--planned to be a
stand-alone company this year. It's also why we recently announced a
whole new ecosystem of integrated platforms, automated workflows, and
orchestrated systems based on an open communications fabric that will
enable all of us in cybersecurity to work together in ways never before
thought possible.
To be successful, it is important to understand the market-like
forces that drive the effectiveness of cybersecurity defense. Most
information technologies continuously improve over time. Paradoxically,
cyber defense technologies do not follow this pattern. Their
effectiveness peaks shortly after release and then degrades. When a new
defensive capability is first released, bad actors take little notice,
but once deployed at scale, they adopt evasion tactics and counter-
measures, causing the effectiveness to significantly degrade.
Where does that leave us? We see the current paradigm of constant
integration of point products--individual software applications--as
ineffective and unsustainable. Not only are technology efficiencies
already declining by the time the lengthy purchase and integration
cycles are complete, but organizations are unable to deal with the
complexity of supporting upwards of 30 to 40 independent tools and
technologies. That's a losing game, but it's the one security
practitioners find themselves playing.
We need a different approach where technology--enabled with strong
collaboration--can be deployed rapidly to security platforms so they
can communicate with each other over open communication protocols. Such
technology can be guided by the strategic intellect that only humans
can provide. Thus, the only way to have a winning cybersecurity
strategy is to bring technology, the cybersecurity industry, and the
efforts between Government and the private sector together. This is
what real collaboration is all about.
As we collaborate with our public partners, it's important to
highlight how the threat landscape has changed over the years. It's a
top-tier issue for Government leaders because of the critical role IT
systems play in our National security, economy, and daily lives.
the interconnected threat landscape
Increasing Sophistication of Attackers Threatens Organizations of Every
Size
The threat landscape is ever-changing, and it's getting only more
complex with the sharp rise in internet-enabled devices (IoT) and
industry's shift to new computing paradigms such as cloud computing.
What we call the ``attack surface'' continues to grow. This means that
organizations--and more importantly, individuals--are now more
vulnerable in more places. Adversaries are increasingly capable of
attacking strategic assets and critical infrastructure. Traditional
platforms such as phones, tablets, laptops, and servers continue to be
high-value targets, but we must expand our thinking to include all
devices that are ``smart'' and connected. Modern computing runs our
factories, flies our planes, drives our cars, and runs our homes.
Almost every aspect of what our country runs on is potentially
vulnerable to a cyber attack.
The attacker community has matured enough to support a vibrant
criminal underground economy. On-line web stores on the ``Dark Web''
now sell hacking tools to any would-be attacker, and on-line markets
make it easy and efficient to sell stolen credit card and other
personal information. Attackers are also busy developing new techniques
that are substantially more difficult to detect and stop, setting their
sights beyond the operating system or applications and instead focusing
on the underlying virtual machines, firmware, and hardware. The growing
sophistication of these tools and methods of attack has unsurprisingly
placed a tremendous amount of pressure on today's security processes,
tools, and people.
Innovative Technologies Bridge Resource Gaps for Public and Private-
Sector Organizations, but also Magnify Threats
It should come as no surprise that cyber criminals closely follow
the latest technology trends because that's where the targets are the
most promising. Technological innovations can help organizations
deliver better overall security and operations but can simultaneously
expose new avenues for attack, such as:
Mobile Threats.--All organizations are relying more on mobile
devices to improve communication and business processes, and this trend
will undoubtedly continue. At the same time, malware written
specifically to attack mobile devices is proliferating, creating new
challenges as organizations attempt to secure mobile as well as
traditional computing platforms.
Migration to the Cloud.--Organizations can reduce costs, improve
offerings, eliminate complexity, and reduce reliance on on-site
technical staff by outsourcing their IT and communications systems to
the cloud. At the same time, however, they must be careful not to
sacrifice security to achieve these new efficiencies.
IoT and the Explosion in Number of Devices.--The exponential
increase of Internet-enabled and networked devices known as the
Internet of Things (IoT) is expanding both risks and rewards.
Organizations are using networked metering devices, sensors,
appliances, and point-of-sale systems to deliver better customer
service and streamline business processes, but must also be aware that
many IoT devices were not designed with security in mind and could
introduce unnecessary risk to vital IT networks and systems.
Bring Your Own Device (BYOD) Environments.--Given the mobile nature
of today's workforce, as well as the increasing use of BYOD programs,
employees at companies of all sizes commonly access organizational
resources from external networks such as hotspots and home networks.
The result is often that company-owned network equipment will be simply
unable to inspect the growing amount of traffic and devices connected
to internal IT networks.
Performance Issues Preempt Security.--Customers are increasingly
choosing to forego bulkier security features like firewalls in favor of
maximizing network performance levels, creating a tug-of-war between
security and performance priorities.
Adversaries Enjoy Significant Advantages.--Our research and
analysis reveals that cyber adversaries benefit from and exploit
several key advantages, including:
The ability to enhance the tools and capabilities used in an
attack quickly through a community of innovators and service
providers. This has an outsized impact on small organizations,
who may not have the resources to deploy the latest adaptive
technologies, or are not deploying risk management-based
solutions at all.
A working knowledge of how organizations implement defenses,
including knowledge of specific product deployment models,
industry architectures and even specific vulnerabilities. While
an attacker only has to be right once, organizations must be
impenetrable 100 percent of the time--a statistic that is
unrealistic even for the most well-resourced security vendors
or large corporations.
intel security's view of public-private partnerships
Our Commitment to the Partnership Model
Given the current cybersecurity threat environment, organizations
across the spectrum cannot manage their protective defenses alone.
Security is a shared goal carrying a shared responsibility. As a
result, the strategic partnerships that have grown between public and
private-sector entities over the last two decades have never been more
important.
At a National level, critical industry sectors supporting the
safety, security, and economic growth of the United States were among
the first to self-organize in partnership with Government agencies to
assess and mitigate threats to U.S. critical infrastructure. These
public-private partnerships are fueled by a joint commitment to defend
critical infrastructures against increasingly sophisticated cyber
attacks, and they thrive on sharing threat indicators, best practices,
and incident response in a mutual, non-regulatory environment.
Intel and Intel Security have been active in public-private
partnerships managed by DHS and other agencies for more than 10 years.
We have leadership roles in the President's National Security
Telecommunications Advisory Committee (NSTAC), Information Technology
Information Sector Coordinating Council, Information Technology
Information Sharing and Analysis Center, National Cyber Security
Alliance, and National Cybersecurity Center of Excellence (NCCoE).
Through these partnerships, Intel Security works to provide hardware,
software, and training to advance the rapid adoption of secure
technologies around the country. In addition, we remain actively
engaged in the development of new cybersecurity guidelines to help
public and private-sector organizations evaluate their security
postures and conduct risk assessments, regardless of size or
sophistication.
As these partnerships grow and mature, our company will continue to
invest, engage, and contribute. The challenge is never-ending, but we
have no doubt the public-private partnership model will continue to
protect and serve our National interests well into the future. However,
public-private partnerships, as any partnership, benefit from regular
reviews, gap analyses, and a commitment to continual improvement.
Policy Recommendations to Improve Public-Private Partnerships
1. Move to Real-Time Threat Information Sharing
The administration needs to solidify its information-sharing
strategy. Sharing threat information has been a necessity since I
started in cybersecurity, yet we still are not focused on sharing
threat information that will provide real benefits in a meaningful way.
With the passage of the Cybersecurity Information Sharing Act (CISA),
DHS was directed to deploy the Automated Indicator Sharing (AIS)
program. This program allows both the private and public sectors to
share indicators of compromise (IOC) and mitigation with each other.
CISA also does an admirable job of requiring companies and Government
agencies to strip out personal identifiable information (PII) and put
in place thoughtful processes and policies to protect citizen privacy.
While the overall program has been a strong step in the right
direction, it still provides far too little real value. IOCs are just
the breadcrumbs that network security staff look for to uncover clues
as to what may be occurring inside their organizations. Typical IOCs
are registry keys, MD5 hashes of potential malware, IP addresses, virus
signatures, unusual DNS requests, URLs, etc. While these can be useful,
they are really not enough to provide the defensive information needed
to protect an organization. Today, AIS does not provide a means for
enriching the information it shares. It simply shares minimal IOC
information.
To defend our institutions properly, defenders need to understand
cybersecurity threats and their components as a whole. Indicators,
incidents, tactics, techniques, and procedures used, threat actors,
associated campaigns, what is being targeted, malicious tools being
used, software vulnerabilities being exploited, courses of action to
mitigate the threat, are all components of a cyber threat that need to
be understood. Instead of trying to share simple breadcrumbs, we need
to be sharing with a focus on providing a platform for enriching
specific threat information so we can see and understand more about the
threat.
Often one company may discover an IOC, another may be able to
associate it with a specific vulnerability, and still another may be
able to provide a correlation between the known threat items and a past
or similar attack that could lead to a potential remediation, thus
mitigating the threat. Today we have no way to share enriched threat
data effectively. We need information sharing with a focus on enhancing
our abilities to protect our organizations. The administration should
double down on working with the private sector to further evolve the
way cyber threat information is represented, enriched, and distributed
in a timely fashion. Cyber criminals are excellent at information
sharing; the Government and private sectors must be as well.
2. Encourage Full Utilization of and Update Government
Procurement Rules to Enable DHS to Compete with
Hackers
There are significant gaps at DHS that preclude it from competing
with hackers, cyber criminals, and other bad actors who innovate and
share information quickly, often using state-of-the-art technology.
Thus, it is critical that DHS and other Federal agencies have access to
the same tools. This can only be achieved by encouraging full use of
current procurement rules, and by looking for opportunities to update
those rules where necessary. Currently, there are five ways Federal
agencies can acquire products and services rapidly:
Under the Federal Acquisition Streamlining Act of 1994
(FASA), Congress mandated, to the maximum extent practicable,
the use of simplified acquisition procedures (SAPs) for
products and services not exceeding the simplified acquisition
threshold.
The Competition in Contracting Act of 1984 (CICA) allows
Federal agencies to accelerate the acquisition process where
there is an urgent need, or where requiring full and open
competition could compromise National security.
The U.S. General Services Administration (GSA) maintains a
supply schedule for information technology (Schedule 70), where
pre-vetted vendors with pre-negotiated terms offer
cybersecurity products.
Congress authorized the Continuous Diagnostics and
Mitigation (CDM) program at DHS, which allows Federal agencies
to expand their CDM capabilities through the acquisition of
commercial off-the-shelf tools, with robust terms for technical
modernization as threats change.
Congress has granted 11 agencies (including DHS) the ability
to enter into ``other transaction agreements,'' which generally
do not follow a standard format or include terms and conditions
normally found in contracts or grants, in order to meet project
requirements and mission needs.
In addition to encouraging Federal agencies to fully use these
procedures, procurement policy and acquisition procedures must evolve
more rapidly to match the pace of information technology development
and adoption by hackers, criminals, and other bad actors. Currently,
little guidance exists in the Federal Acquisition Regulations (FAR)
regarding the procurement of cybersecurity technology; rather, the FAR
leaves cybersecurity implementation to each individual Federal agency.
Agency officials and contractors must consult a myriad of different
agency regulations to ascertain if and how other agencies have
implemented their acquisition regulations regarding cybersecurity. This
diversity in agency cybersecurity regulations undermines security
requirements and policies governing Federal procurements. Harmonizing
cybersecurity acquisition requirements would allow agencies to: (i)
Target security to highest-priority data and threats; (ii) obtain
greater value through reduced compliance obligations and increased
contractor focus on high-value cybersecurity investments; and (iii)
enhance agency cybersecurity through the adoption of best practices,
tempered through public review and comment.
3. Create Additional Incentives to Participate in
Information-Sharing Partnerships
A critical provision of CISA is that it gives liability protections
to private companies that share cyber threat information (CTI) and
defense measures (DM) on a voluntary basis with DHS. Recent guidance
from DHS on CISA clarifies that private entities also receive liability
protection under section 106(b)(1) for sharing CTI and DM information
with other private entities. Policy makers have done an admirable job
of using the incentive of liability protections, and relaxing antitrust
rules, to help incent broad-based information sharing between the
private sector and the Government, and among private-sector entities.
However, too few companies are actively sharing threat information with
DHS and among themselves to fully realize the aim of CISA--a high-
functioning eco-system of information sharing that enables the public
and private sectors to compete with global networks of sophisticated
hackers.
We need to recognize the disincentive that threat intelligence's
``free rider'' problem has imposed on public and private-sector
information sharing. Every organization benefits from consuming threat
intelligence but gains no direct value from providing it unless the
right organizational structure and incentives are put in place to
eliminate the free rider problem.
While DHS has made progress, it still needs to improve the quality
and the quantity of the threat data it shares with the private sector
to address this issue of the free rider. DHS should thus declassify
larger categories of threat data and actively share them with the
private sector. DHS should issue many more security clearances to
qualified company representatives to enable access to the most
sensitive, and potentially most valuable, pieces or classes of threat
data.
Finally, the new administration should pass into law The Cyber
Information Sharing Tax Credit Act--sponsored by Senators Moran and
Gillibrand--that would incentivize businesses of all sizes to join
sector-specific information-sharing organizations, known as Information
Sharing and Analysis Centers (ISACs), by providing refundable tax
credits for all costs associated with joining ISACs. The effort should
not just focus on ISACs but should also include Information Sharing and
Analysis Organizations (ISAO) as well. ISAOs are not limited to
individual critical infrastructure sectors as ISACs are, and they allow
diverse organizations to share cyber-related threat information.
4. Use the NIST Cybersecurity Framework Process as a Model
for Public-Private Partnerships
The Framework for Improving Critical Infrastructure Cybersecurity,
known as the NIST Cybersecurity Framework, is widely acknowledged as a
highly successful model of public-private partnership. The Office of
Management and Budget is already working to encourage Federal agencies
to adopt the Framework, the new administration's draft Executive Order
mandates Government agencies to deploy the Framework, and the private
sector is rapidly adopting it. Here's our analysis of why:
The need was real;
The process was open;
NIST listened first;
They were prepared;
They engaged all stakeholders;
The framework was voluntary--not regulatory.
I'd like to expand on each of these aspects, not simply to
compliment NIST but to offer the process as a model for future public-
private partnerships.
The need was real
PPPs created around a topic or issue that is real to both the
public and the private sectors has a much better chance of getting the
exposure and participation needed to achieve the goal of the
partnership. In the case of the Cybersecurity Framework, it was obvious
to both groups that the need existed. While NIST had a hard time frame
to be successful in--1 year--they had a long history in risk management
and understood the need well. For too long regulatory compliance had
forced industry to spend valuable security dollars to prove something
to the regulators instead of using those resources to help protect
enterprises. The cost of compliance was impacting our ability to secure
ourselves.
Openness of the process
From the very beginning, NIST made it clear this was going to be a
very open process. In the initial meeting, NIST staff described what
would be occurring, from the RFI-submitted comments being made public
on a NIST project website, to the anticipated workshop process and
general time line for various milestones. Along the way, NIST staff
were quick to ensure that industry participants understood what was
happening so there would be no surprises. This created a growing sense
of trust as the effort evolved and made the process more effective
during the development of the Framework.
Listening
One of the more interesting and effective parts of the development
was the way NIST staff listened to the workshop participants. They used
a moderated dialog approach that allowed all attendees to voice their
opinions to a set of topics the NIST staff wanted to learn about. There
were very active discussions that were highly informative from members
of various sectors and industries. Dr. Gallagher, NIST's Director at
the time, stated quite clearly this was not NIST's Framework; this was
the community's Framework. Having the public side of a public-private
partnership listen instead of dictate allowed private-sector
participants to voice their opinions in a much more open and direct
way. This too built trust as the effort went along.
Being prepared
Each of the workshops seemed very well organized, and the topics,
panels, questions and outcomes were well thought-out before each
workshop began. This gave participants reassurance their time was being
well spent. Open forums with no direction or planning do not give those
involved much confidence the effort will succeed. Being prepared also
meant participants needed to do their homework as well. While not
always the case, as the workshops advanced, they did so.
Engaging all
One of the smartest things NIST did as part of the Framework
development process was to understand they needed to get outside the
Beltway for the effort to be successful. They held the workshops in
different locations around the country so the local owner/operators of
the critical infrastructure could have their voices heard. This ensured
there was a diverse group at each of the workshops and all were able to
participate. The processes used during the workshops encouraged all in
the room to contribute and they did. A highly interactive,
collaborative environment is one where real dialog can occur and
produce positive results.
Voluntary, non-regulatory nature
The fact that NIST is a non-regulatory body also helped their
credibility and the private sector's attitude toward participating and
contributing. This was a topic area that had a lot of people concerned
initially, but as the effort progressed, more and more private-sector
participants relaxed and believed in the voluntary intent of the
effort. NIST also made it clear in each workshop that they were
requiring a non-attribution from any and all regulators in the room.
Each agreed to the rules, making it much more comfortable for real open
and honest dialog to occur.
While others have tried to copy the NIST success, often they have
left out one or more of the characteristics that made the Cybersecurity
Framework effort a success. In reality, both the public and the
private-sector participants must buy in. To do so requires trust in the
process, the effort and the vision for the outcome to be successful
5. Seek Innovative Ways to Further Grow the Information-
Sharing Eco-System
Company-to-company information sharing is growing in certain parts
of the economy. An example is the Cyber Threat Alliance (CTA). Intel
Security, along with Check Point, Cisco, Fortinet, Palo Alto Networks
and Symantec, worked together to start and build the CTA. This is a
group of cybersecurity practitioners from organizations that have
chosen to work together in good faith to share threat information for
the purpose of improving defenses against advanced cyber adversaries
across member organizations and their customers. The key to the success
of this effort is that each organization must supply threat information
to all the members in order to receive threat information. This allows
each of the member organizations to incorporate the others' threat
information into their products' protection mechanisms. This is an
example of valuable and actionable shared threat information having a
direct and positive impact on improving their customers' environments.
The member organizations have decided to participate in the Alliance
for the betterment of the ecosystem they serve.
The CTA is also showing that with the right organizational
construction--with the right incentives to collaborate--real progress
in private-sector information sharing can be made. Examples of
successes include cracking the code on Crypto Wall version 3, one of
the most lucrative ransomware families in the world, totaling more than
US$325 million ransomed. CTA's disruption of Crypto Wall 3 forced
cybercriminals to develop Crypto Wall version 4, which the CTA also
uncovered and resulted in a much less successful attack. This is a
prime example where creating an operationally holistic view of the
threat and how to address it has had an extremely positive impact on
our ability to protect ourselves.
To further incentivize companies to share threat information among
themselves, policymakers should amend The Cyber Information Sharing Tax
Credit Act. Such an incentive would help speed the growth of existing
private sector-to-private sector information-sharing coalitions and
help start news ones, particularly in some sectors of the economy that
have been slow to realize the benefits of sharing threat information
with partners and competitors.
conclusion
Given the rapidly-changing threat environment, public and private-
sector organizations cannot go it alone. The challenge is never-ending,
but I have no doubt that the public-private partnership model will
continue to protect and serve our National interests well into the
future. Public-private partnerships benefit from regular reviews, gap
analysis, and a commitment to continual improvement. The subcommittee
should be commended for taking such a thoughtful approach to reviewing
the successes and challenges of DHS-managed public-private
partnerships.
As stated earlier, DHS deserves much praise. It manages a thriving
number of public-private partnerships that serve the National interest.
At the same time, real-time information sharing needs to be implemented
on a grand scale, IT procurement rules should be updated, DHS
partnerships need to be benchmarked against other successful ones on a
regular basis and additional incentives should put in place to help
grow the information-sharing eco-system. Intel Security--soon to become
McAfee--is committed to continue to invest, engage, and contribute to
support the long-term success of the partnership model. Our collective
security depends on making the promise of ``together is power'' a
reality.
Mr. Ratcliffe. Thank you, Mr. Montgomery.
Mr. Greene, you are recognized for 5 minutes.
STATEMENT OF JEFFREY GREENE, SENIOR DIRECTOR, GLOBAL GOVERNMENT
AFFAIRS AND POLICY, SYMANTEC
Mr. Jeffrey Greene. Thank you. Chairman Ratcliffe, Ranking
Member Richmond, Members of the committee, thank you for the
opportunity to testify today.
As Mr. Montgomery mentioned, the threat landscape is
constantly evolving. In the current situation, there is no
company or no government that can go it alone. We are therefore
pleased to see your continued focus on how DHS can work with
the private sector in new and innovative ways.
I want to start by talking briefly about the current cyber
threat environment. You will see a lot of headlines about cyber
attacks focused on massive data breaches or cyber espionage,
but it is important not to lose sight of the other types of
attacks that can have major consequences.
The incidents we see today range from increasingly
sophisticated forms of ransomware, in particular ransomware
being targeted at the enterprise as opposed to the individual,
to massive distributed denial-of-service attacks, DDoS attacks,
that were launched from connected or internet-of-things, IOT,
devices.
We at Symantec have a long-standing relationship with DHS.
From our perspective, the Department has made significant
progress engaging with the private sector over the past few
years.
The Cyber Information Sharing and Collaboration Program, or
CISCP, allows participants to share information about
incidents, cyber threats, and known vulnerabilities.
One example I would point to is last October we shared
research from a group that we had discovered that was trying to
steal money from banks by exploiting the SWIFT messaging
system. This is the same attack that was used to steal $81
million from the Bangladesh central bank.
CISCP managers took the information that we provided,
developed an indicator bulletin, and pushed that out to all
CISCP participants.
CISCP also convenes practitioners at quarterly advanced
technical threat exchanges. For the most part, we have found
the exchanges useful. Last year, we did a presentation at one
of them focused on new and emerging ransomware. Included in
this presentation was in-depth analysis and specific indicators
of compromise that were then available to all participants to
use to try to upgrade their systems if necessary.
But also beyond the technical information that is shared,
these are opportunities for Government and industry to sit down
face-to-face, develop trusted relationships, both between
Government and the private sector and also within the private
sector itself.
Many of DHS's reports and bulletins include substantive
analysis and actionable information, but at times some do fall
short. In some cases, reports have included indicators of
compromise that were not fully vetted or, as Mr. Montgomery
mentioned, didn't have the context around them. Sometimes some
private-sector companies have used these without proper
research on their end, and there has been in a couple of
instances a high degree of false positives based on them.
To DHS's credit, though, when that has happened they have
been responsive to industry concerns and at times have issued
revised reports.
As DHS moves to machine-speed sharing through the Automated
Indicator Sharing Program, the need for context and vigorous
vetting is just going to grow. This is going to put something
of a burden on DHS and its partner agencies because, on the one
hand, they are being told to share more and to share faster,
but on the other hand they are being told to be very careful
about what you share and vet it before you do so. So this is a
balance that is not easy to strike and it is going to require
constant tuning.
We also engage with DHS informally. An example, last week
we had 10 of DHS's cyber analysts out at our operations center
in Herndon to discuss a few specific threats. Face-to-face
meetings like this can alleviate another concern that you may
have heard that too often the information flow is one way just
from the private sector to the Government. In-person
discussions can lead to a more complete and bilateral exchange
of ideas.
In addition to DHS, we work with the FBI and other agencies
to assist efforts to fight cyber crime and take down botnets.
There is more information in our written testimony, but I do
want to highlight one case. This is our work on unearthing an
international criminal gang that was called Bayrob.
Bayrob evolved over a decade. We spent a year tracking them
and, in part based on the information we provided to the FBI,
they built a case that led to the arrest and extradition from
Romania of three of Bayrob's key actors. So I think we need to
consider broader than just DHS and how DHS works with other
agencies as well.
Finally, the partnership among private-sector companies is
alive and well. As Mr. Montgomery mentioned and Mr. Gillis may
discuss, we are part of what is called the Cyber Threat
Alliance that shows how even competitors can work together to
improve the overall safety and security of the internet and
that of our customers.
As Members of this committee know better than most, we
still face significant challenges in our efforts to improve
cybersecurity and to fight cyber crime. Cybersecurity is first
and foremost a team sport, and at Symantec we are committed to
improving the internet security and will continue to work with
industry and Government collaboratively on ways to do so.
Thanks again for the opportunity to be here. I am happy to
take any questions.
[The prepared statement of Mr. Greene follows:]
Prepared Statement of Jeffrey Greene
March 9, 2017
Chairman Ratcliffe, Ranking Member Richmond, and Members of the
committee, my name is Jeff Greene and I am the senior director, global
government affairs and policy at Symantec. I am responsible for
Symantec's global public policy agenda and Government engagement
strategy, and represent the company in key public policy initiatives
and partnerships. I also serve as a member of the National Institute of
Standards and Technology's (NIST) Information Security and Privacy
Advisory Board (ISPAB), and recently supported the President's
Commission on Enhancing National Cybersecurity. Prior to joining
Symantec, I served as senior counsel with the U.S. Senate Homeland
Security and Governmental Affairs Committee, where I focused on
cybersecurity and homeland defense issues.
Symantec Corporation is the world's leading cybersecurity company.
We help organizations, governments, and people secure their most
important data wherever it resides. Organizations across the world look
to Symantec for strategic, integrated solutions to defend against
sophisticated attacks across endpoints, cloud, and infrastructure.
Likewise, a global community of more than 50 million people and
families rely on our Norton and LifeLock product suites to protect
their digital lives at home and across their devices. Symantec operates
one of the world's largest civilian cyber intelligence networks,
allowing us to see and protect against the most advanced threats. We
maintain nine Security Response Centers and six Security Operations
Centers around the globe and every day we scan 30 percent of the
world's enterprise email traffic and process more than 1.8 billion web
requests. All of these resources combined allow us to capture world-
wide security data that give our analysts a unique view of the cyber
threat landscape.
No government or company can go it alone in this environment, and
we are happy to see the subcommittee focusing on how the private sector
engages with DHS and other government agencies to help defend against
growing cyber threats. Lasting improvements in cybersecurity require
the combined efforts of Government and industry together. In my
testimony today, I will discuss:
The current and emerging threat landscape;
DHS and Private-Sector Engagement; and
How we partner with our industry counterparts to stop cyber
attacks.
i. the current and emerging cyber threat landscape
Many of the recent headlines about cyber attacks have focused on
massive data breaches and cyber espionage across the spectrum of
industries and governments. These headlines remind us that no
organization or government entity is impervious when targeted by a
motivated and skilled attacker. Yet while the focus on data breaches
and the personal information exposed is certainly warranted, we also
must not lose sight of the other types of cyber attacks that are
equally concerning and that can have damaging consequences. There is a
wide set of tools available to the cyber attacker, and the incidents we
see today include increasingly sophisticated forms of ransomware,
massive distributed denial of service (DDoS) attacks by ``Internet of
Things'' (IoT) devices, sophisticated (and potentially destructive)
intrusions into critical infrastructure systems, and the weaponization
of personal information. The economic impact to an organization can be
immediate, through the theft of money or the payment of ransom, or more
long-term and structural, such as through the theft of intellectual
property. It can ruin a company or individual's reputation or finances,
and it can impact citizens' trust in the internet and their Government.
The attackers run the gamut and include highly-organized criminal
enterprises, nation-states, disgruntled employees, individual cyber
criminals, so-called ``hacktivists,'' and state-sponsored groups. The
motivations vary--criminals generally are looking for some type of
financial gain, hacktivists are seeking to promote or advance some
cause, and state actors can be engaged in espionage (traditional
spycraft or economic) or infiltrating critical infrastructure systems.
These lines, however, are not set in stone, as criminals and even state
actors might pose as hacktivists, and criminals often offer their
skills to the highest bidder.
Attack methods vary, and the only constant is that the techniques
are always evolving and improving. Spear phishing, or customized,
targeted emails containing malware or malicious links, is the most
common form of attack. Many of these attacks are extremely well-
crafted; in the case of one major attack, the spear-phishing email was
so convincing that even though the victim's system automatically routed
it to junk mail, he retrieved it and opened it--and exposed his company
to a major breach. Social media is an increasingly valuable tool to
criminals as people tend to trust links and postings that appear to
come from a friend's social media feed and rarely stop to wonder if
that feed may have been compromised or spoofed. We have also seen the
rapid growth of targeted web-based attacks, known as a ``watering
hole'' attack. Like the lion in the wild who stalks a watering hole for
unsuspecting prey, cyber criminals lie in wait on legitimate websites
that they compromise and use to try to infect visitors. Most of these
attacks rely on social engineering--simply put, trying to trick people
into doing something that they would never do if fully cognizant of
their actions. For this reason, we often say that the most successful
attacks are as much psychological as they are technological.
One particularly concerning trend is the recent use of IoT devices
in DDoS attacks. By taking advantage of poor security and design
practices, criminals were able to compromise hundreds of thousands, if
not millions, of devices and aggregate them as a single army of zombie
devices--the world's first major IoT botnet, known as Mirai. In October
2016, cyber criminals used the Mirai botnet to launch a massive DDoS
Attack on DNS provider Dyn, which disrupted some of the internet's
biggest websites, including Spotify, Twitter, PayPal, Reddit, and
others. Mirai's ``bots'' were primarily compromised webcams and digital
video recorders, but also included routers and other internet-connected
devices. This attack was quickly followed by at least two others, each
record-breaking in its size.
How did these IoT-based attacks happen? Very easily, unfortunately.
The average IoT device is scanned for vulnerabilities just 2 minutes
after it is connected, and when one is found that device is promptly
compromised. The most common method is simple--criminals take advantage
of pre-programmed, default usernames and passwords and simply log onto
devices and commandeer them. With the explosion of insecure internet-
connected devices hitting the market, this type of attack will only
continue to grow and become more effective.
ii. dhs and private-sector engagement
The Department of Homeland Security has made considerable progress
in recent years engaging with the private sector, especially in the
area of information sharing. The Cyber Information Sharing and
Collaboration Program (CISCP) is DHS's primary structure for private
companies to share information about incidents, cyber threats and known
vulnerabilities. This information is then shared among participating
industry partners in an anonymized fashion to help secure their own
networks. In addition, CISCP convenes cybersecurity practitioners at
quarterly Advanced Technical Threat Exchanges (ATTE). We have been
active in these exchanges, and late last year presented our research on
ransomware, which included an in-depth analysis of new infection trends
and payload execution. We provided a list of specific indicators that
participants could use to further research and ensure their own systems
were protected. We have also presented on how companies and governments
can leverage threat intelligence to reduce ``Indicator of Compromise
(IoC) noise.'' Beyond the technical information shared, the ATTEs are
helpful in building trusted relationships and contacts between
Government and private industry, and even within the private sector
itself. These exchanges often lead to follow-on collaboration and, in
some cases, joint research.
Another notable example of effective information sharing through
the CISCP program came in October of last year when Symantec published
a report exposing a hacking group that was trying to steal money from
banks by exploiting the financial-based SWIFT messaging system used to
identify electronic transactions in the global financial system. In one
of the highest-profile attacks of the year, attackers used this same
method to steal $81 million from the Bangladesh Central Bank. Similar
to the Bangladesh attack, Symantec found a previously-unknown malware
variant (called Odinaff) being used against financial institutions.
This particular malware can delete customer logs of SWIFT transactions,
allowing attackers to hide their tracks. We passed along our in-depth,
technical research to CISCP managers along with a list of indicators
including hashes, command-and-control nodes, and domains. The CISCP
team then used our indicators to create an Indicator Bulletin (IB) and
pushed it out to all CISCP participants for their use.
The quality of DHS's analysis reports can vary. Many reports
include substantive analysis and actionable information, while some
have fallen short. In those instances, many of the IoCs included in the
report were unvetted, and companies that used them without proper care
saw a high volume of false positives. In some cases the IoCs proved to
be unrelated to the threat itself. To its credit, DHS is generally
responsive to industry concerns and has on occasion issued updated
reports with more information.
The importance of carefully vetting indicators is of increased
importance as DHS moves to Automated Indicator Sharing (AIS). The AIS
program allows the two-way exchange of cyber threat indicators between
the Federal Government and the private sector at machine speed. This
means that as soon as a company or a Federal agency identifies a
threat, that indicator is shared in real time with all of the AIS
participants. However, with an emphasis on velocity and volume,
appropriate context and more vigor in vetting is necessary. Added
context allows recipients to understand how to use an IoC or how to
calibrate their internal response. To be sure, DHS and its partner
agencies are in a difficult spot--the private sector is demanding both
timely and vetted information, and this balance is not easy to strike.
Industry has conveyed these concerns to DHS, which has worked to
improve both its analysis and the quality of the indicators.
Another program DHS has implemented to engage with industry is the
Critical Infrastructure Cyber Community or C\3\. The C\3\ is a
voluntary program that helps critical infrastructure operators improve
their cybersecurity and actively encourages the adoption of the
Framework for Improving Critical Infrastructure Cybersecurity, commonly
known as the NIST Cybersecurity Framework (CSF). The CSF was developed
in collaboration with the private sector, and Symantec was part of that
effort. We began using the CSF when it was still in draft form and was
one of the first companies to map our internal security to it. We
support DHS's efforts to encourage use of the CSF, both for companies
with existing cybersecurity programs and for those who are building one
from scratch.
In addition to the Department's formal programs, we work with DHS
informally. For instance, just last week, we hosted a group of ten
cyber threat analysts at our Herndon Security Operations Center to
discuss specific threats and to explore potential areas to coordinate
in the future. Among other topics, we discussed Shamoon, a family of
destructive malware that we have tracked for years. Shamoon was used in
attacks against the Saudi energy sector in 2012\1\ and recently we have
been tracking a fresh wave of attacks hitting the Middle East.\2\ The
opportunity to sit face-to-face and discuss threats often alleviates
another concern among many private-sector security companies, that too-
often the information flows just one way--from industry to the
Government. In-person exchanges often lead to a more complete and
bilateral interchange of ideas.
---------------------------------------------------------------------------
\1\ The Shamoon Attacks, Symantec Security Response, 8/16/12;
https://www.symantec.com/connect/blogs/shamoon-attacks.
\2\ Shamoon: Multi-staged destructive attacks limited to specific
targets, Symantec Security Response, 2/27/17; https://www.symantec.com/
connect/blogs/shamoon-multi-staged-destructive-attacks-limited-
specific-targets.
---------------------------------------------------------------------------
Other Government Partnerships
Partnerships can lead to concrete results. One recent example came
in December 2016, when Symantec concluded a decade-long research
campaign that helped unearth an international cyber criminal gang
dubbed ``Bayrob.'' The group is responsible for stealing up to $35
million from victims through auto auction scams, credit card fraud and
computer intrusions. Through our research, we discovered multiple
versions of Bayrob malware, collected voluminous intelligence data, and
tracked Bayrob as it morphed from on-line fraud to a botnet consisting
of over 300,000 computers used primarily for cryptocurrency mining.
Over time, Symantec's research team gained deep technical insight into
Bayrob's operations and its malicious activities, including its
recruitment of money mules. These investigations and countermeasures
were crucial in assisting the Federal Bureau of Investigation (FBI) and
authorities in Romania in building their case to arrest three of
Bayrob's key actors and extradite them to the United States.
Indeed, in recent years we have seen a string of successful arrests
and prosecutions of some of the most notorious cyber criminals in the
world. In July 2015, a New York judge sentenced Alexander Yucel, the
creator of the ``Black Shades'' Trojan to 5 years in prison and the
forfeiture of $200,000. Yucel was swept up by the FBI and Europol last
year along with dozens of other individuals in the United States and
abroad. Symantec worked closely with the FBI in this coordinated take-
down effort, sharing information that allowed the agency to track down
those suspected of involvement. In June 2015, Ercan ``Segate''
Findikoglu, who prosecutors say orchestrated one of the biggest cyber
bank heists in American history, was extradited to the United States to
stand trial for stealing more than $55 million by hacking bank
computers and withdrawing millions in cash from ATMs.
Additionally, Government and private-sector cooperation has led to
take-down operations against prominent financial fraud botnets. In June
2014, the FBI, the United Kingdom (UK) National Crime Agency, and a
number of international law enforcement agencies mounted a major
operation against the financial fraud botnet Gameover Zeus and the
ransomware network Cryptolocker. Gameover Zeus was the largest
financial fraud botnet in operation in 2014 and is often described as
one of the most technically sophisticated variants of the ubiquitous
Zeus malware. Symantec provided technical insights into the operation
and impact of both Gameover Zeus and Cryptolocker, and worked with a
broad industry coalition and the FBI during this case. As a result,
authorities were able to seize a large portion of the infrastructure
used by the cyber criminals behind both threats.
iii. private-sector partnerships to enhance cybersecurity--the cyber
threat alliance
While DHS continues to engage industry, the private sector is not
just waiting on the Government to solve the problem. Industry
partnerships have proven to be highly effective in fighting cyber
crime. The Cyber Threat Alliance (CTA) is an excellent example of the
private sector banding together to improve the overall safety and
security of the internet. In 2014, Symantec, Fortinet, Intel Security,
and Palo Alto Networks formed the CTA to work together to share threat
information. Since that time, Cisco and Checkpoint have joined the CTA
as founding members. The goal of the CTA is to better distribute
detailed information about advanced attacks and thereby raise the
situational awareness of CTA members and improve overall protection for
our customers.
Prior industry-sharing efforts were often limited to the exchange
of malware samples, and the CTA sought to change that. Over the past 3
years the CTA has consistently shared more actionable threat
intelligence such as information on ``zero day'' vulnerabilities,
command-and-control server information, mobile threats, and indicators
of compromise related to advanced threats. By raising the industry's
collective intelligence through these new data exchanges, CTA members
have delivered greater security for individual customers and
organizations. In short, the CTA is not about one vendor trying to gain
advantage--we are all contributing and sharing with the community.
Because of the success of the CTA, the founding members decided to
take it to the next level and earlier this year formally incorporated
it as a non-profit organization. Working together, CTA members have
developed a new platform designed to automate intelligence sharing in
near-real time. Through this effort we hope to solve some of the
problems created by isolated and manual approaches to cyber threat
intelligence. The new CTA has three purposes:
1. To share threat information in order to improve defenses against
advanced cyber adversaries across member organizations and
their customers;
2. To advance the cybersecurity of critical information technology
infrastructures; and
3. To increase the security, availability, integrity, and
efficiency of information systems.
CTA is also committed to engaging in discussions around policy
initiatives that will improve cybersecurity for individuals and
governments. As CTA moves forward with its mission, it intends to
explore how to best partner with U.S. and international Government
organizations in furtherance of its mission.
conclusion
As the Members of this subcommittee know better than most, we still
face significant challenges in our efforts to improve cybersecurity and
fight cyber crime. Cybersecurity is a team sport and effective public-
private partnerships with DHS and other Government agencies are
essential. DHS and industry have made notable progress over the last
several years--trust has improved--but there is still room for growth.
Attackers are always evolving, becoming more sophisticated, and both
Government and industry recognize the imperative for cooperation to
fight cyber crime. At Symantec, we are committed to improving internet
security across the globe, and will continue to work collaboratively
with industry and Government partners like DHS on ways to do so. Thank
you again for the opportunity to testify, and I will be happy to answer
any questions you may have.
Mr. Ratcliffe. Thank you, Mr. Greene.
Mr. Gillis, you are recognized for 5 minutes.
STATEMENT OF RYAN M. GILLIS, VICE PRESIDENT OF CYBERSECURITY
STRATEGY AND GLOBAL POLICY, PALO ALTO NETWORKS
Mr. Gillis. Chairman Ratcliffe, Ranking Member Richmond,
Members of the committee, it is an honor to be here today to
discuss DHS's interface with the private sector.
It is tough to go forth after this group of individuals. I
would like to start by thanking the committee for your
leadership in cybersecurity. The legislation that you have
helped lead over the last several years has not only helped
foster responsible cyber threat information sharing, it has
also strengthened the statutory responsibilities and statutory
authorities that DHS has to execute its mission, both within
the Federal Government and to interface with the private
sector. So that has been a critical challenge that DHS has
faced in standing up its cyber capabilities.
My name is Ryan Gillis. I am pleased to represent Palo Alto
Networks. We are newer than some of our other industry
colleagues up here, but within the 10 years since we have
shipped our first product we have become one of the largest
cybersecurity companies in the world.
Also happy to offer some historical perspective as I spent
over a decade within the National Security Council at the White
House and Department of Homeland Security. So this public/
private experience that I have gone through I think represents
the broader operational reality which is that, as you said,
Chairman, cybersecurity is a fundamentally distributed
responsibility. There are capabilities in the private sector
and authorities within the U.S. Government and governments
around the world that can complement each other. DHS is central
to that.
DHS's role in not only protecting civilian networks and
interfacing with the private sector, helping to secure critical
infrastructure, is essential. That is a policy decision that
has been made by consecutive administrations and in a
bipartisan way through Congress to ensure that there is a
civilian interface for that role and mission and to build-up
the capability within DHS, whether it is through informal
sharing examples I will go through, as well as programs such as
CISP and AIS.
Let me give you a quick perspective that we have on the
cyber threat landscape, which is that right now attacks are
overly automated. The bad guys are working together. They are
using free tools and cheaply available tools to launch
automated attacks. So the cost is too low right now to be
successful.
The business model is frequently, whether you don't have
the capability to develop your own attacks, but you are using
those freely available things that can bring you into the
ecosystem, or if you are a sophisticated nation-state, you are
generally going to use the least sophisticated attack that can
accomplish your goal. So what we need to do is flip that cost
curve by automating defenses and making sure that we are
collectively working together.
On a company level, we deploy technology that stops attacks
at certain points within the attack life cycle. It constantly
requires updates, as Scott talked about earlier. So just on a
corporate level, we provide 1.1 million new preventative
measures to our technology around the world on a weekly basis,
pushed out in as little as 5 minutes. One company alone, as you
have heard today, can't do that adequately, so we need to find
partnerships throughout the ecosystem.
On an industry level, you have heard about the Cyber Threat
Alliance. To give a little bit more of an example of how the
Cyber Threat Alliance worked on this CryptoWall example that
Scott talked about, $300 million had been extorted in
ransomware through this CryptoWall campaign. The vendor
community, through the Cyber Threat Alliance, came together and
shared what we knew about the infrastructure, defended all of
our collective clients against those attacks. Prior to
publishing that report, we called up Department of Homeland
Security to ensure that we were collaborating on that.
DHS had FBI on the phone that night. They made sure that
U.S. Government networks were similarly protected against those
types of attack. They did notifications to internet service
providers and to victims to help clean up. Most of the attacks
were coming from unknowing victims that didn't know that their
systems were being repurposed for attack.
Then in an actual, quantifiable example of information
given back from the Government, we got an additional 170
command-and-control nodes, parts of the infrastructure that we
as vendors had not identified as part of the context of that
attack, and we were able to further protect all of our
collective customers.
So it is one example of how we can share, as Scott said,
more context and become more effective overall. What we need to
move to is in programs like CISP and AIS, getting closer to
machine speed with those types of examples.
So there is opportunity to expand on the nascent
capabilities that DHS has rolled out through AIS and CISP and
make us more effective overall.
I think the other thing that you are going to see as well
is that I believe the U.S. Government is never going to be
quick at declassifying some of its most valuable information.
What the U.S. Government may not realize, however, is that we
in the vendor community may see trial balloons of that most
sophisticated technology in a few places and in unclassified
ways.
If we can share that with the U.S. Government, we can
obviate that whole what they call the tear line process, where
the U.S. Government has to declassify that information, and the
U.S. Government can point to the financial sector or the energy
sector, whoever they think may be targeted by that particularly
pernicious campaign, and say you need to focus on this, we have
seen it out in the wild, and we think bad guys are going to go
after it.
So this collective public/private, DHS will be at the
center of that. Ultimately, we think things like the Cyber
Threat Alliance are crucial to taking that next step.
[The prepared statement of Mr. Gillis follows:]
Prepared Statement of Ryan M. Gillis
March 9, 2017
Chairman Ratcliffe, Ranking Member Richmond, and Members of the
committee: Thank you for the opportunity to appear before you today to
discuss how the Department of Homeland Security engages with the
private sector. My name is Ryan Gillis, and I serve as the vice
president of cybersecurity strategy and global policy at Palo Alto
Networks.
I would like to begin today by recognizing the tremendous
leadership this committee has shown on the issue of cybersecurity. I
have seen first-hand this committee's central role in passing a range
of cybersecurity legislation that promotes responsible cyber
information sharing and strengthens the Department of Homeland
Security's (DHS) statutory authority to execute its mission. The
committee is directly responsible for helping shape legal clarity to
expand cyber information sharing, provide appropriately targeted
liability protections for companies, and establish necessary privacy
protections in the Cybersecurity Act of 2015. The end result reflects
this committee's sound understanding of how critical public-private
trust and cooperation is to effective information sharing, and I'm
honored to support this committee's continued oversight
responsibilities. So, let me first say thank you for your leadership
and for the opportunity to speak with you today.
For those not familiar with Palo Alto Networks, we have become one
of the world's largest cybersecurity companies just 10 years after our
first product shipped, actively preventing successful cyber attacks for
more than 37,000 corporate and Government enterprise customers in more
than 150 countries world-wide. Our collaboration with DHS ranges from
strategic policy development to operational initiatives, starting with
a commitment from the top of our organization. Our CEO and chairman,
Mark McLaughlin, just completed consecutive 2-year terms as chairman
and vice chairman of the President's National Security
Telecommunications Advisory Committee (NSTAC). Founded during the
Reagan Administration and administered by DHS, NSTAC brings industry
chief executives together to provide counsel on National security
policy and technical issues for the president and other U.S. Government
leadership.
Since joining Palo Alto Networks in January of 2015, my principal
role has been to work with governments, companies, and organizations
around the world to develop and implement strategies, policies, and
operational partnerships that prevent successful cyber attacks.
Candidly, this approach to cybersecurity builds naturally upon the
years I spent at the DHS and on the National Security Council at the
White House, and it reflects the operational reality that cybersecurity
is fundamentally a shared and distributed challenge that can only be
effectively addressed through collaboration, which leverages the unique
capabilities and authorities of companies, individuals, and
governments.
To that end, we maintain a regular cadence with appropriate
government and law enforcement stakeholders around the world. The U.S.
Department of Homeland Security is the cornerstone of these government
engagements because of its mission to collectively prevent, protect
against, mitigate, respond to, investigate, and recover from cyber
incidents. Our robust and multi-faceted partnership with DHS includes
participation in formalized programs, as well as more informal
collaboration mechanisms built on trust and personal relationships. We
engage with DHS as an individual company and as part of broader
collectives of private-sector entities.
My testimony today will address the full spectrum of this DHS
relationship, framing why public-private sector collaboration is so
critical to improving our cybersecurity as a Nation--and what
collective actions we believe private industry and Government must take
to effectively leverage information sharing as a tool to achieve the
desired outcome of increased cybersecurity. Finally, I'll outline
specific examples of our collaboration with DHS--including information
sharing, policy development, and cybersecurity exercises. In doing so,
I'll highlight several tangible success stories of public-private
partnerships; opportunities for potential improvements; and, not only
what Congress has done to incentivize these partnerships, but also what
can be done to further enable progress in these areas.
why public-private sector cybersecurity collaboration is important
Before providing an assessment of the current state of DHS and
private-sector cybersecurity collaboration, it is critical that we
clearly define the objectives we are seeking to achieve through this
partnership. As arguably the most developed mechanism of public-private
sector cooperation, cyber information sharing provides a valuable use
case for this discussion.
As the concept of information sharing has received wide-spread
attention in recent years, the term has adopted an increasingly broad
and varied definition. Because of this, it is critical to clearly
define how Palo Alto Networks approaches information sharing, and how
it fits into our broader mission of raising costs for our adversaries
and actively preventing cyber attacks. This approach recognizes that
cyber threat information sharing, while critical, is not a panacea.
Information sharing is one necessary tool within a much larger strategy
that leverages people, process, and technology to tangibly reverse the
attackers' current advantage in cyber space.
The Palo Alto Networks perspective on cybersecurity is built on a
relatively simple premise: We believe that cybersecurity is a
correctable math problem that, at present, overwhelmingly favors the
attackers. As the cost of computing continues to decline, our
adversaries have been able to conduct increasingly automated,
successful attacks at minimal cost. In fact, many free and open-source
tools are available on-line that enable repeatedly successful attacks
against poorly-defended networks. In the face of this automated
onslaught, the network defender is generally relying on legacy security
technologies, often cobbled together as multiple layers of ``point''
products that solve discreet problems but do not interoperate in a way
that can holistically reduce priority risks across an organization's
entire network infrastructure. This increased technological complexity
creates a dependence on people--one of the least scalable resources in
any organization--to manually defend against automated, machine-
generated attacks. Network defenders are simply losing the economics of
the cybersecurity challenge.
To flip this equation and gain back leverage against our
adversaries, we need to collectively embrace integrated approaches that
simplify and automate network defense to actively prevent cyber
attacks. This is a critical point: If we focus on preventing attacks in
the correct locations--informed by sophisticated and integrated
detection capabilities--we can deter malicious activity by making it
more expensive in terms of resources, time, and personal impact for our
adversaries to launch a successful attack. True integration across the
cybersecurity ecosystem--leveraging initiatives like automated
information sharing and technology orchestration--can be the catalyst
in reversing this current unsustainable dynamic that exists in cyber
space.
Our approach to automated integration begins within our own
technology platform. We build technology that prevents attacks at the
key tactical and strategic places where cyber attackers need to take
action to be successful, and we update our global customer base with
the latest protections in as little as 5 minutes. As a matter of scope,
we generate more than 1 million new preventive measures each week as we
identify new, or ``zero-day,'' cyber threats. This is not to imply that
we--nor any one company or Government--can alone see and prevent all
the evolving automated threats facing network defenders. Consequently,
we partner with other companies and appropriate Government agencies
whose competencies complement ours to help gain the leverage required
to disrupt attackers and their tools.
At its core, our company's network defense and information-sharing
philosophy closely mirrors the ultimate vision for information sharing
championed by this committee. Our approach is focused on three primary
objectives: (1) Protect against all known cyber threats; (2) turn
unknown threats into known threats as quickly as possible; and (3)
automatically leverage this new threat knowledge to create preventive
countermeasures that are shared broadly within the ecosystem to prevent
other entities from falling victim to similar attacks. This last
component is critical. As this committee knows well, information
sharing is too often a time-intensive process that requires a human to
read, interpret, and manually create prevention controls based on
technical cyber threat indicators provided in a non-machine-readable
format like a PDF or email. This manual process simply can't scale to
the speed and sophistication of the modern cyber threat environment.
Sophisticated cybersecurity companies can uniquely contribute to
this challenge because we collectively have the physical infrastructure
and processing ability to automatically deploy preventive measures
based on new threat information to a broad customer base across
multiple sectors. For these reasons, Palo Alto Networks and other
sophisticated cybersecurity companies can bring a degree of
actionability to information sharing that is critical for achieving our
ultimate goals of raising adversary costs and tangibly improving
cybersecurity across the ecosystem.
Our approach to automated integration doesn't end with our own
platform or even our own company. In 2014, Palo Alto Networks was a
founding member of the Cyber Threat Alliance (CTA). The CTA was
incorporated in January 2017 as an independent, non-profit organization
focused on cybersecurity information sharing. It is the first
information-sharing organization specifically among cybersecurity
vendors. Michael Daniel, the former special assistant to the President
and White House cybersecurity coordinator, was just appointed as the
CTA's first president. The CTA now includes six of the largest global
cybersecurity companies as founding members--Check Point, Cisco,
Fortinet, McAfee, Palo Alto Networks and Symantec--underscoring the
philosophy that we can be force multipliers in support of a coordinated
threat-sharing effort against cyber adversaries.
To fulfill its core mission, the CTA has built an automated
information-sharing platform with the goal of enabling and
incentivizing the sharing of high-quality, actionable threat
information. The CTA and its platform embody a major step forward in
transforming shared threat information into effective preventive
measures that can automatically be deployed by CTA members to their
respective customers. This isn't purely conceptual; the CTA platform is
actively working to protect its members and their customers in near-
real-time.
For example, recently, a single shared sample from one CTA member
allowed another member to build protections before that organization's
customers were targeted--preventing successful attacks against 29
subsequent organizations. In another instance, data shared through the
CTA from one member allowed another member to identify a targeted
attack against its customer and release additional indicators to defend
that organization. The CTA and its platform have shown that a well-
designed and well-built information-sharing program can foster the
sharing of high-quality threat information among competitors, with
members finding that 40 to 50 percent of shared data is new and
directly actionable.
The CTA model directly addresses many of the aspects that have
limited the effectiveness of other information-sharing relationships,
both formal and informal. First, the CTA addresses the problem of
information-sharing ``free riders'' that join information-sharing
groups and simply receive information without sharing. Universal
contributions are achieved by establishing mandatory sharing minimums
for CTA members: Initially on a quantitative basis (1,000 unique cyber
indicators/per day) and now evolving into a scoring system that
measures the qualitative value of shared data. Second, the CTA is
focused on sharing indicators related to an adversary's playbook--a
more limited and predictable series of steps an adversary must take to
complete a successful cyber attack. This is a key departure from many
information-sharing organizations, which focus instead on sharing
malware samples that can be polymorphic and exist in an exponentially
larger quantity than the number of unique adversary playbooks. Third,
because the CTA members' collective customer base spans all industry
sectors, the impact of sharing can protect a large percentage of the
global ecosystem. This type of broad-based sharing of widely-used
threat techniques can help neutralize unsophisticated actors and force
sophisticated adversaries, such as nation-states, to develop new (and
therefore costlier) techniques. This narrowing of the threat landscape
can make attribution easier and enable governments to more effectively
target high-priority and advanced persistent adversaries and threats.
Government has a complementary and equally critical role to play in
fostering information sharing across the ecosystem by leveraging its
unique authorities and capabilities. DHS, for example, has the ability
to amplify and distribute cyber threat information to a wide cross-
section of industry and critical infrastructure operators.
Historically, there have been many efforts by the U.S. Government
to more quickly declassify cyber threat information for distribution to
the broader community. However, given the rapid pace in which cyber
threats mutate and spread, the largely manual declassification process
is rarely fast enough to simultaneously outpace the threat and avoid
disclosures of intelligence sources and methods. Infused with a much
wider set of Unclassified information from the private sector,
Government could be able to more quickly add valuable insight and
perspective without declassifying information. Leveraging the unique
visibility they possess from Classified information, governments can
instead help direct private-sector attention and resources to publicly
available information on priority threats, such as nation-state
activity that may target a particular sector, like energy or finance,
in a way that doesn't reveal Classified information.
palo alto networks engagements with dhs on cybersecurity issues
The Palo Alto Networks collaboration with DHS takes many forms--
both formal and informal--and is related to a broad range of policy and
operational activities. Operationally, our formal and informal
collaboration with DHS has ranged from programmatic relationships to
targeted sharing of threat intelligence reports generated by Unit 42,
the Palo Alto Networks threat intelligence team. These efforts
highlight threat information sharing conducted as an individual company
and as a founding member of the Cyber Threat Alliance.
Cyber Threat Sharing Examples.--Prior to our joining the two DHS
formal sharing programs, the Cyber Information Sharing and
Collaboration Program (CISCP) and the Automated Indicator Sharing (AIS)
program, we established informal processes to share threats,
vulnerabilities, and malicious cyber threat campaign information with
DHS based on personal relationships and our knowledge of their mission
and capabilities. When appropriate, we share advanced copies of
significant threat reports with DHS cyber policy leadership and
operational teams at the National Cybersecurity and Communications
Integration Center (NCCIC). I'd like to highlight just a few specific
examples of these information-sharing success stories that embody the
type of public-private cooperation this committee has sought to
encourage.
In December 2016, Palo Alto Networks threat intelligence
team, Unit 42, discovered new samples of Disttrack--an
evolution of the same malware that was used in the August 2012
``Shamoon'' cyber attack that destroyed over 30,000 hard drives
at a Saudi Arabian energy company. The original Shamoon attack
is widely considered one of the most significant and
destructive cyber attacks in history. Prior to our report's
public release, we coordinated with DHS to enable them to take
preventive action. Based on several reports by Palo Alto
Networks and other researchers, DHS: (1) Issued two Information
Bulletins to the CISCP community of network defense
stakeholders, (2) updated their Indicators of Compromise (IOC)
databases, and (3) created EINSTEIN signatures related to the
threat to protect other Federal Government civilian agencies.
In early 2016, the Palo Alto Networks threat intelligence
team released a report entitled Scarlet Mimic, identifying a
long-running cyber campaign targeting minority activists in
China, as well as Russian and Indian government organizations
responsible for tracking activist and terrorist activities.
Palo Alto Networks reached out directly to DHS to share
indicators related to Scarlet Mimic, allowing them to deploy
preventive countermeasures across their community of network
defense partners. Specifically, DHS indicated its intention to:
Update their Indicators of Compromise databases, vet IOCs
against the intelligence community's Classified databases to
determine threat group attribution, create EINSTEIN signatures
to protect other Federal civilian agencies, and generate
STIXTM files for automated distribution to their
private-sector CISCP partners.
In other instances, we coordinate our outreach to DHS as
part of remediation efforts with public disclosure of new
vulnerabilities that our threat intelligence team discovers in
publicly-available technology across the ecosystem. For
example, in early 2015, our threat intelligence team identified
a new vulnerability in AndroidTM operating systems.
We rapidly shared the information with Google�, so they could
take steps to remediate the vulnerability, and then contacted
DHS as we published the report. DHS used the provided
information to generate a US-CERT alert and push the
notification to their public website and their broad community
of network defender partners.
As part of the Cyber Threat Alliance, Palo Alto Networks
coordinated with DHS as well as other U.S. and international
government stakeholders to share threat information about
CryptoWall v3--a ransomware campaign that had extorted over
$300 million from victims in under 1 year. Based on CTA's
shared cyber threat indicators, DHS and the FBI were able to
notify victims whose websites were unknowingly compromised;
contact internet service providers to disrupt compromised
infrastructure; and send alerts to their network defense
partners, including the international CERT community, to
protect against CryptoWall v3 tactics. Subsequently, the U.S.
Government shared back 170 unique CryptoWall indicators with
the CTA, beyond the roughly 850 indicators the CTA report
initially identified. This CryptoWall example is distinct as a
tangible illustration with quantifiable metrics of two-way
sharing of cyber threat information between the Government and
private sector.
While each of these represents an individual success story and an
illustrative use case, we need to focus our collective effort on
ensuring these success stories are the rule rather than the exception.
We can accomplish this by continuing to build trust among partners,
refining the processes, enhancing the existing sharing infrastructure,
and remaining committed to automating threat sharing in a way that can
effectively scale to the pace of the cyber threats.
DHS Cyberthreat Sharing Programs.--Regarding formal information-
sharing partnerships, Palo Alto Networks is a member of DHS's two
primary cybersecurity information-sharing programs: The Cyber
Information Sharing and Collaboration Program (CISCP) and the Automated
Indicator Sharing (AIS) program.
CISCP is a program established to promote robust
information-sharing and analytic collaboration between DHS and
vetted private-sector partners, especially the critical
infrastructure community.
Implemented in accordance with the Cybersecurity Act of
2015, AIS is a DHS-developed capability to enable the automated
exchange of anonymized cyber-threat indicators among a wider
range of private-sector entities and the U.S. Federal
Government.
AIS is intended to provide threat indicators at ``machine speed''
aligns directly with our efforts to increasingly automate threat
sharing, as outlined above. We applaud the concept of AIS and view it
as both complementary and reinforcing to the type of automated
information sharing that is already responsibly occurring at Palo Alto
Networks and within entities like the Cyber Threat Alliance. DHS should
be commended for their continued progress in maturing these
information-sharing program capabilities, but there are certainly
tangible opportunities for improvement.
As discussed with DHS, we believe that the administrative process
for joining these programs could certainly be easier and more
efficient. Because programs like AIS are dramatically enhanced by the
number of contributing members, DHS would benefit from investing in
resources that streamline on-boarding processes and generally make
these private sector-interfacing programs more customer service-
focused. Specifically, DHS should develop a clear step-by-step guide
for on-boarding, publish those requirements broadly, and promote a
singular ``help desk''-type contact for all questions related to the
programs. To their credit, DHS senior officials recognize these
shortcomings, and plan to take concrete steps to implement personnel
and process reforms that should ultimately make the AIS program more
customer service-centric.
Operationally, both AIS and CISCP have initial baseline
capabilities and value, but they also could benefit from incorporating
best practices from industry information-sharing efforts, such as the
Cyber Threat Alliance's platform. According to DHS, AIS has delivered
over 218,000 unique indicators since March 2016. Additionally, CISCP
published 283 Indicator Bulletins in 2016, including nearly 1,300
indicators of compromise, with a recognition they need to refine their
ability to provide useful, Unclassified context. However, DHS could
further engage industry to leverage vendor-neutral technology and
techniques that more rapidly share larger volumes of actionable cyber-
threat information with context about how individual malware is used as
part of broader campaigns.
Information-Sharing Analysis Organizations (ISAO).--Regarding
cyber-threat information-sharing policy development, Palo Alto Networks
had a leadership role in DHS's effort to establish and identify
standards and best practices for Information-Sharing Analysis
Organizations (ISAO), following a 2014 Presidential Executive Order
establishing ISAOs. Specifically, our chief security officer, Rick
Howard, led the effort on information privacy and security in one of
six working groups that wrote and published the official ISAO standards
in September 2016.
National Security Telecommunications Advisory Committee (NSTAC).--
Previously, I referenced our broader policy engagements with DHS, such
as our CEO Mark McLaughlin's current membership and former leadership
roles in the President's National Security Telecommunications Advisory
Committee (NSTAC). Administered by DHS, the NSTAC has recently grown to
become an increasingly relevant policy forum for collaboration between
private industry and the U.S. Government. Senior cybersecurity
officials representing the White House and the Department of Homeland
Security have repeatedly acknowledged the direct impact of NSTAC
studies on the formulation of U.S. policy. The NSTAC has also played an
important role in fostering relationships between Government and the
private-sector technology community. For example, in mid-2016, the
NSTAC hosted the first-ever meeting in its 34-year history in Silicon
Valley, with significant U.S. Government participation, including the
Secretaries of Commerce, Defense, and Homeland Security, as well as
Admiral Rogers, Director of NSA and Commander of U.S. Cyber Command.
Information Technology Sector Coordinating Council (IT-SCC).--Palo
Alto Networks is an Executive Committee member of the IT-Sector
Coordinating Council, the principal entity for coordination between the
Department of Homeland Security and IT sector companies and
associations on a range of critical infrastructure protection and
cybersecurity issues. The IT-SCC provides another official mechanism
for Palo Alto Networks to collaborate with IT sector companies and DHS
senior cyber officials on a range of sector-relevant policy, and
cybersecurity issues.
Cyber Storm V.--Palo Alto Networks was also actively engaged in the
planning and execution of Cyber Storm V in early 2016. The biannual
National cyber exercise is led by DHS and brings together over 1,100
U.S. Government and private-sector participants to test the cyber
incident coordination processes that helped test and inform operational
procedures and subsequent National policies. We commend DHS for their
leadership and execution of these complex exercises, and would like to
increasingly add realistic technical components to future iterations.
Planning for Cyber Storm VI in 2018 has recently commenced, and we look
forward to again working closely with DHS on this critical initiative.
legislative successes and congressional oversight of dhs information-
sharing initiatives
As discussed in my introduction, this committee has played a
central role in passing a range of cybersecurity legislation that
promotes responsible cyber-threat information-sharing and strengthens
DHS's statutory authority to execute its mission.
The information-sharing portion of the Cyber Act (Title I)
understandably garners most of the attention, and today's hearing
demonstrates the need for oversight to ensure that Congress and DHS
continue to identify areas of both progress necessary further
improvements in its implementation.
In general, efforts to promote more direct engagement between DHS
and the private-sector technology community to address homeland
security mission requirements should be encouraged. This can take the
form of new legislation, such as Chairman Ratcliffe's recently
introduced bill on leveraging emerging technologies, to oversight of
existing laws, such as Title II of the Cybersecurity Information
Sharing Act of 2015.
Thank you very much for the opportunity to testify before you
today. I look forward to any questions you may have and your continued
partnership on this critical issue.
ATTACHMENT 1.--Lucrative Ransomware Attacks: Analysis of the Cryptowall
Version 3 Threat \1\
---------------------------------------------------------------------------
\1\ https://www.cyberthreatalliance.org/pdf/cryptowall-report.pdf.
---------------------------------------------------------------------------
ATTACHMENT 2.--Shamoon 2: Return of the Disttrack Wiper \2\
---------------------------------------------------------------------------
\2\ https://researchcenter.paloaltonetworks.com/2016/11/unit42-
shamoon-2-return-disttrack-wiper/.
---------------------------------------------------------------------------
ATTACHMENT 3.--Scarlet Mimic: Years-Long Espionage Campaign Targets
Minority Activists \3\
---------------------------------------------------------------------------
\3\ https://researchcenter.paloaltonetworks.com/2016/01/scarlet-
mimic-years-long-espionage-targets-minority-activists/.
---------------------------------------------------------------------------
ATTACHMENT 4.--Android Installer Hijacking Vulnerability Could Expose
Android Users to Malware \4\
---------------------------------------------------------------------------
\4\ https://researchcenter.paloaltonetworks.com/2015/03/android-
installer-hijacking-vulnerability-could-expose-android-users-to-
malware/.
Mr. Ratcliffe. Thank you, Mr. Gillis.
Ms. Greene, you are recognized for 5 minutes.
STATEMENT OF ROBYN GREENE, POLICY COUNSEL AND GOVERNMENT
AFFAIRS LEAD, OPEN TECHNOLOGY INSTITUTE, NEW AMERICA
Ms. Robyn Greene. Thank you, Chairman Ratcliffe, Ranking
Member Richmond, and Members of the committee for the
opportunity to testify today.
As a policy council and government affairs lead at New
America's Open Technology Institute, I specialize in issues
related to privacy, cybersecurity, and surveillance.
My statement today will cover three subjects: First,
outstanding privacy concerns in the Cybersecurity Information
Sharing Act, CISA; second, how DHS's balanced approach to
implementing CISA has improved cybersecurity and protected
privacy; and third, that a more holistic approach to
cybersecurity, beyond information sharing, is essential.
CISA provides important improvements for many previous
iterations of information-sharing legislation. Many of those
improvements are the result of this committee's hard work and
leadership to protect privacy while improving cybersecurity.
But despite this committee's laudable efforts, certain
privacy concerns remain unaddressed, like imprecise definitions
for the terms like ``cybersecurity threat'' and ``cyber threat
indicator,'' and a weak requirement for the removal of personal
information.
These shortfalls raise concerns that CISA may threaten
privacy and undermine security by resulting in the sharing of
unnecessary information, like information related to false
alarms or communications content and other irrelevant personal
information.
Also troubling are CISA's over-broad use authorizations for
law enforcement to use information it obtains from companies
shred for a cybersecurity purpose, for investigations and
prosecutions that are entirely unrelated to cybersecurity.
This undermines Fourth Amendment protections because it
allows law enforcement to use information that it would obtain
ordinarily pursuant to a warrant or a court order.
Finally, CISA includes a provision that allows the
President to undermine DHS's role as the lead portal for
information sharing by establishing a second portal, possibly
at a law enforcement or intelligence oversight agency, like the
FBI or the Office of the Director of National Intelligence.
This would harm civil liberties and threaten user trust, which
is essential for companies to feel comfortable participating in
the information-sharing program.
With all of that said, DHS has done a good job of
promulgating guidelines and procedures under CISA that protect
privacy and strengthen cybersecurity. DHS has provided clear
interpretations and applications of vague definitions and
requirements.
Additionally, DHS leveraged STIX in its automated
indicator-sharing system to establish standardized fields of
information sharing and it retained human review of personal
information that is shared.
With these steps, DHS has minimized the risk of unnecessary
sharing and dissemination of Americans' personal information.
The committee should continue to support DHS in this important
work.
Since information sharing is not a panacea, more must still
be done to improve cybersecurity. The Government must take a
multi-pronged, holistic, and outcomes-based approach. DHS must
increase the amount of information it shares with the private
sector, including getting more threat indicators declassified.
To protect ourselves from another OPM-style data breach,
Congress must ensure that the Federal Government has the
resources needed to modernize its IT infrastructure, to
maintain up-to-date and secure devices and systems, and to hire
a robust work force of security and technology policy experts.
Recent reporting suggests that the Government is struggling
to fill open cybersecurity positions and that this shortage may
be threatening collaboration with industry.
The Federal Government can also help to improve overall
security by finding ways to incentivize the private sector and
individuals to update software with patches for vulnerabilities
and by formalizing its approach to vulnerabilities management.
Wikileaks' disclosure of CIA hacking tools earlier this
week highlight that it is possible for vulnerabilities to be
publicly released and for individuals, industry, and the
Government alike to be left exposed to malicious actors when
this happens. This drives home how important it is for Congress
to codify a process for the Government to disclose zero-day
vulnerabilities as soon as possible so that they can be
patched.
The Government should also help to shrink the size of the
zero-day market by minimizing its participation in it.
Last, the Government should use its bully pulpit to
champion the wide-spread use of security tools, like two-factor
authentication and encryption, and it should incentivize
companies to offer those tools by default, along with automatic
software updates, as part of an effort to encourage privacy and
security by design.
Thank you very much, and I look forward to your questions.
[The prepared statement of Ms. Greene follows:]
Prepared Statement of Robyn Greene
March 9, 2017
Thank you for the opportunity to testify today on ``The Current
State of DHS Private-Sector Engagement for Cybersecurity.'' I represent
New America's Open Technology Institute (OTI), where I am a policy
counsel and Government affairs lead on privacy, surveillance, and
cybersecurity issues.
New America is a nonpartisan, nonprofit, civic enterprise dedicated
to the renewal of American politics, prosperity, and purpose in the
digital age through big ideas, technological innovation, next
generation politics, and creative engagement with broad audiences. OTI
is a program at New America that works at the intersection of
technology and policy to ensure that every community has equitable
access to digital technology and its benefits. We promote universal
access to communications technologies that are both open and secure,
using a multidisciplinary approach that brings together advocates,
researchers, organizers, and innovators. Our current focus areas
include surveillance, privacy and security, net neutrality, broadband
access, and consumer privacy.
In December 2015, Congress passed the Cybersecurity Information
Sharing Act (CISA).\1\ The law provides private-sector entities with
liability protection for sharing information about cybersecurity
threats with one another and with the Government. Throughout the debate
over information-sharing legislation, OTI voiced significant concerns
about the scope of sharing permitted and the insufficient privacy
protections for internet users both before and after information is
shared. We also urged Congress to take a more holistic approach to
cybersecurity policy, rather than focus solely on information
sharing.\2\
---------------------------------------------------------------------------
\1\ Cybersecurity Information Sharing Act, 6 U.S.C. 1501 et. seq.,
Public Law No: 114-113, H.R. 2029 Division N, Title I, 114th Cong.
(2015), https://www.Congress.gov/114/plaws/publ113/PLAW-114publ113.pdf.
\2\ Robyn Greene, Congress Must Focus on More Than Information
Sharing, The Hill, Jan. 30, 2015, http://thehill.com/blogs/congress-
blog/technology/231190-congress-must-focus-on-more-than-information-
sharing.
---------------------------------------------------------------------------
My testimony will cover three topics: (1) OTI's outstanding privacy
concerns related to how much information can be shared, with whom, and
how it can be used under CISA; (2) the ways in which the Department of
Homeland Security (DHS) has worked in its implementation of the law to
protect privacy and simultaneously enhance cybersecurity, and (3)
additional steps that the Government could take to strengthen public-
private partnerships related to cybersecurity, and to incentivize or
encourage the private sector to adopt best practices, to meaningfully
protect privacy and improve overall security.
outstanding concerns regarding the cybersecurity information sharing
act (cisa)
Information-sharing legislation was extremely controversial for the
entire time that Congress debated it, even up to the point that CISA
became law. The most significant point of contention was always how to
adequately protect privacy and civil liberties. CISA's predecessor, the
Cyber Intelligence Sharing Protection Act (CISPA), contained no
meaningful privacy protections when it was first introduced.\3\ After
years of advocacy by privacy and security experts, and several
iterations of legislation, the final version of CISA included important
improvements and protections. Nevertheless, certain privacy concerns
were left unaddressed or inadequately addressed. Those shortfalls
include imprecise definitions, a too-weak requirement to remove
personal information before sharing cyber threat indicators, overbroad
allowances for law enforcement to use shared data for purposes
unrelated to cybersecurity, and the possibility that the President will
undermine DHS's role as the lead information-sharing portal by
establishing a second authorized portal.\4\
---------------------------------------------------------------------------
\3\ Cyber Intelligence Sharing and Protection Act, H.R. 3523, 112th
Cong. (2011), https://www.Congress.gov/112/bills/hr3523/BILLS-
112hr3523ih.pdf; see also Letter from the ACLU to Hon. Mike Rogers &
Hon. C.A. ``Dutch'' Ruppersberger, Dec. 1, 2011, https://www.aclu.org/
other/aclu-opposition-hr-3523-cyber-intelligence-sharing-and-
protection-act-2011.
\4\ Robyn Greene, The Knock-Down, Drag-Out Fight Over Cybersecurity
Legislation, Slate, Jan. 15, 2016, http://www.slate.com/articles/
technology/future_tense/2016/01/how_the_pri-
vacy_community_made_cyber_security_legislation_better.html.
---------------------------------------------------------------------------
CISA's overbroad definitions threaten privacy because they can
result in over-sharing of personal or otherwise unnecessary
information. This is the case for the definition of ``cybersecurity
threat,'' which triggers the authorization to share. The law defines a
cybersecurity threat as anything that ``may result in an unauthorized
effort to adversely impact'' a device or system.\5\ It covers any
potential threat and does not require that a company make a
determination that the purported cyber threat is likely to cause harm
before sharing their users' information.
---------------------------------------------------------------------------
\5\ Supra note 1 at � 1501(5).
---------------------------------------------------------------------------
This low threshold could spur sharing of unnecessary information,
like that concerning false alarms, which would threaten privacy if the
sharer transmits personal information as part of the cyber threat
indicators shared. It could also undermine security. Unnecessary
sharing of personal information can expose internet users to new
threats should their information be successfully targeted and
exfiltrated by malicious actors after being shared under CISA.
Additionally, it can undermine security by creating ``white noise''
that distracts from imminent threats.\6\
---------------------------------------------------------------------------
\6\ See Letter from security experts to Sen. Dianne Feinstein, et
al concerning information-sharing bills (Apr. 16, 2015), https://
cyberlaw.stanford.edu/files/blogs/technologists-
_info_sharing_bills_letter_w_exhibit.pdf.
---------------------------------------------------------------------------
Over-sharing could also result from the insufficiently narrow
definition for ``cyber threat indicator'' and the inadequate
requirement to remove personal information before sharing. Cyber threat
indicators include ``information that is necessary to describe or
identify . . . the actual or potential harm caused by an incident . . .
[or any] attribute of a cybersecurity threat'' so long as disclosure of
the underlying attribute is not otherwise legally prohibited.\7\
---------------------------------------------------------------------------
\7\ Supra note 1 at � 1501(6).
---------------------------------------------------------------------------
A broad interpretation of this definition could include personal
information or content of on-line communications that is not needed to
detect or protect against a threat. This is because information that
could be deemed necessary to describe a threat or potential harms
caused by an incident could still be unnecessary to identify or protect
against the threat. For example, while it might be reasonable to share
an IP address that is associated with malicious activity, the breadth
of this definition might also permit a company to share any information
they might have associated with that IP address that identifies a
particular account holder or location because they claim it is
necessary to describe the IP address. In the case of botnets, this
identifying information might not necessarily belong to the malicious
actor; it could belong to a botnet victim.
Similarly, under the law, companies can share any personal
information so long as it is ``directly related to a cybersecurity
threat.''\8\ This could be interpreted in a manner that undermines
privacy by allowing a company to share victim information or other
personal information unnecessary to identify or protect against a
threat. For example, a broad interpretation of this requirement could
allow for a company to share the personal information of the victim of
a cyber incident, like information about the recipient of a phishing
email, since that information could be deemed to be ``directly
related'' to the threat, even though it may not be necessary to
identify or protect against the threat.\9\
---------------------------------------------------------------------------
\8\ Supra note 1 at � 1503(d)(2).
\9\ As I discuss in the next section of this statement, DHS has
done a good job of protecting privacy in its promulgation of guidance
to companies on information sharing. It addresses this specific
concern, making clear that companies should not share this kind of
victim information. However, that guidance, and thus DHS's strict
interpretation of the requirement to remove personal information, is
subject to change. To better protect privacy, Congress should amend the
law to address this concern. See Dep't of Homeland Security & Dep't of
Justice, Guidance to Assist Non-Federal Entities to Share Cyber Threat
Indicators and Defensive Measure with Federal Entities under the
Cybersecurity Information Sharing Act of 2015 5 (2016), https://www.us-
cert.gov/sites/default/files/ais_files/Non-
Federal_Entity_Sharing_Guidance_(Sec%20- 105(a)).pdf [hereinafter
``Company Guidance''].
---------------------------------------------------------------------------
In addition to insufficiently narrow definitions and weak front-end
privacy protections, CISA overbroadly authorizes law enforcement to use
the shared information for non-cybersecurity investigations. Under the
statute, any information that is shared with the Government for a
cybersecurity purpose may be used by law enforcement in investigations
and prosecutions entirely unrelated to cybersecurity or computer
crimes. Authorized uses include investigations and prosecutions into
Trade Secrets Act and Espionage Act violations, undefined ``serious
economic harms,'' and certain violent crimes irrespective of whether
the threat is imminent.\10\ This undermines Fourth Amendment
protections because it allows law enforcement to use information in
investigations and prosecutions that it would ordinarily only be able
to obtain pursuant to a warrant issued by a judge based on a finding of
probable cause. Information sharing is subject to no judicial
oversight, and thus no judge ever makes a finding of probable cause
before law enforcement uses the information it receives under CISA,
even where investigations are unrelated to cybersecurity.
---------------------------------------------------------------------------
\10\ Supra note 1 at � 1504(d)(5)(A).
---------------------------------------------------------------------------
Finally, CISA includes a provision that could call into question
DHS's important and proper role as the lead civilian portal for
private-sector information-sharing with the Government. Under CISA, if
a company wants to receive liability protection for sharing cyber
threat indicators with the Federal Government, it must share that
information through an authorized portal.\11\ Currently, DHS is the
only authorized information-sharing portal. However, CISA authorizes
the president to establish a secondary portal at any Federal entity
except for the Department of Defense and the National Security
Agency.\12\
---------------------------------------------------------------------------
\11\ Supra note 1, at � 1505(b).
\12\ Id. at � 1504(c)(2)(B).
---------------------------------------------------------------------------
If the President were to exercise this authority at a law
enforcement or intelligence oversight agency like the Federal Bureau of
Investigation or the Office of the Director of National Intelligence,
it would significantly threaten privacy and undermine Americans' trust
in the Federal Government's information-sharing program. Additionally,
it would introduce operational weakness by further decentralizing
information sharing and undermining DHS's role and authority as the
Federal Government lead on domestic cybersecurity and private-sector
engagement, which Congress just formally established in 2014.\13\
---------------------------------------------------------------------------
\13\ Robyn Greene, Dangerous for Cybersecurity and Privacy: Cotton
Amendment No. 2581, New America's Open Technology Institute (Aug. 25,
2015), https://www.newamerica.org/oti/blog/dangerous-for-cybersecurity-
and-privacy-cotton-amendment-no-2581/ [analyzing a proposed amendment
to CISA that would have authorized the FBI as an additional covered
information-sharing portal]; and National Cybersecurity Protection Act
of 2014, 6 USC 148 note, et seq., Public Law No: 113-282.
---------------------------------------------------------------------------
OTI believes that these outstanding flaws in CISA pose a clear
threat to both privacy and effective cybersecurity practice, and hopes
that Congress will consider amending it to address those concerns.
However, despite those flaws, on the whole, DHS has done a good job of
promulgating guidelines and procedures under CISA that protect privacy
and strengthen cybersecurity. Congress should support DHS in this
important work.
dhs implementation of cisa has been effective and privacy-protective,
but more should be done to improve information sharing
DHS has taken a reasonable and measured approach to implementing
CISA that balances privacy and security. This is clear from how DHS set
up its Automated Indicator Sharing system (AIS), and how its
promulgation of procedures and guidelines clarified ill-defined terms
and standards in the statute.
When DHS rolled out AIS, it leveraged Structured Threat Information
eXchange (STIX) to establish standardized fields of information that
can be shared and Trusted Automated eXchange of Indicator Information
(TAXII) as the secure, automated method for sharing information.\14\
This was an important step, because by setting out specific,
standardized fields of information that can be shared, STIX limits the
potential for sharing unnecessary personal information.
---------------------------------------------------------------------------
\14\ Company Guidance, supra note 9 at 22.
---------------------------------------------------------------------------
It is still possible for unnecessary personal information to be
shared under CISA, because there are STIX fields that could include it
or that allow a submitter to copy and paste communications content, and
because a submitter could choose to send an email in lieu of submitting
information via AIS. DHS mitigates this privacy risk by ensuring that
any personal information included in one of those three types of
submissions is subject to human review to determine if it is necessary
to describe or identify the threat. The personal information is then
either removed if it does not meet the standard or further disseminated
if it does. DHS also discourages the use of e-mail to submit cyber
threat indicators.\15\
---------------------------------------------------------------------------
\15\ Dep't of Homeland Security & Dep't of Justice, Final
Procedures Related to the Receipt of Cyber Threat Indicators and
Defensive Measures by the Federal Government 8, 10 (2016), https://
www.us-cert.gov/sites/default/files/ais_files/
Operational_Procedures_(105(a)).pdf [hereinafter ``Final
Proocedures''].
---------------------------------------------------------------------------
Additionally, DHS guidance on how to determine if personal
information must be removed is effective at protecting privacy,
considering the requirements of the statute. DHS establishes a clear
application of the test for removal of such information in its guidance
to Federal entities. It lays out the critical three-part test: (1) Do
you know it is ``personal information of a specific individual or
information that identifies a specific individual''? (2) If yes, is it
directly related to the threat? (3) If yes, then the entity may share
it, and if no, then it must be removed prior to dissemination.\16\
---------------------------------------------------------------------------
\16\ Dep't of Homeland Security & Dep't of Justice, Privacy and
Civil Liberties Final Guidelines: Cybersecurity Information Sharing Act
of 2015 12 (2016), https://www.us-cert.gov/sites/default/files/
ais_files/Privacy_and_Civil_Liberties_Guidelines_(Sec%20105(b)).pdf
[hereinafter ``Privacy Guidelines''].
---------------------------------------------------------------------------
Importantly, DHS also narrowly interprets the standard for removal
of personal information in company guidance and in privacy guidelines
for Federal entities. It does so by offering a clear explanation of
what is ``directly related'' to a cybersecurity threat. DHS provides
that ``Information is not directly related to a cybersecurity threat if
it is not necessary to detect, prevent, or mitigate the cybersecurity
threat.''\17\ It also offers examples to illustrate what kinds of
personal information can and cannot be shared. Both documents highlight
that personal information related to victims of cyber attacks, such as
information that identifies the recipient of a phishing email, is not
directly related to a cybersecurity threat, and must be removed before
sharing or dissemination.\18\
---------------------------------------------------------------------------
\17\ Company Guidance supra note 9, at 5.
\18\ Id. See also Privacy Guidelines supra note 16, at 12.
---------------------------------------------------------------------------
The standard for removal of personal information before sharing or
dissemination of cyber threat indicators was one of the most
contentious aspect of the debate. Opponents of a strict removal
requirement were concerned that a higher standard would slow down
sharing and raise questions about when liability protections under the
law are triggered. These concerns have been largely put to rest. In the
vast majority of cases, speed of information sharing is not a
determining factor in preventing an attack. The most recent Verizon
data breach report concluded that 93 percent of successful attacks took
minutes to breach a device or network, but organizations took weeks to
discover them, leaving ample time for the attacker to have identified
and stolen the sought-after data in most cases.\19\
---------------------------------------------------------------------------
\19\ Verizon, 2016 Data Breach Investigations Report: Executive
Summary 2 (2016), http://www.verizonenterprise.com/resources/reports/
rp_dbir_092016-executive-summary_xg_en.pdf. Full report available at
http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/.
---------------------------------------------------------------------------
DHS's application of this standard for removal is also aligned with
Congress' goal in passing CISA: to enhance security while
simultaneously protecting privacy. Personal information is constantly
targeted by hackers, as we have seen in countless data breaches,
whether they be at Government agencies like the Office of Personnel
Management (OPM), health care providers like Anthem, retailers like
Target and Home Depot, financial institutions like J.P. Morgan, or
technology companies like Yahoo.\20\ The more personal information is
shared with more entities, the larger the target for malicious hackers
and nation-states seeking to breach our defenses.\21\ Thus, by reducing
the amount of personal information shared under CISA, DHS is serving a
critical security function, as well as protecting privacy.
---------------------------------------------------------------------------
\20\ See Brian Naylor, One Year After OPM Data Breach, What Has The
Government Learned?, NPR, Jun. 6, 2016, http://www.npr.org/sections/
alltechconsidered/2016/06/06/480968999/one-year-after-opm-data-breach-
what-has-the-government-learned; Steve Ragan, Anthem: How Does a Breach
Like This Happen? CSO, Feb. 9, 2015, http://www.csoonline.com/article/
2881532/business-continuity/anthem-how-does-a-breach-like-this-
happen.html; Michael Kassner, Anatomy of the Target Data Breach: Missed
Opportunities and Lessons Learned, ZD Net, Feb. 2, 2015, http://
www.zdnet.com/article/anatomy-of-the-target-data-breach-missed-
opportunities-and-lessons-learned/; Julie Creswell & Nicole Perlroth,
Ex-Employees Say Home Depot Left Data Vulnerable, NY Times, Sept. 19,
2014, https://www.nytimes.com/2014/09/20/business/ex-employees-say-
home-depot-left-data-vulnerable.html?partner=rss&emc=rss&_r=2; Matthew
Goldstein, Nicole Perlroth & Michael Corkery, Neglected Server Provided
Entry for JPMorgan Hackers, NY Times, Dec. 22, 2014, https://
dealbook.nytimes.com/2014/12/22/entry-point-of-jpmorgan-data-breach-is-
identified/?_r=1; and Asha McLean, Yahoo Says 32m User Accounts Were
Accessed via Cookie Forging Attack, ZD Net, Mar. 2, 2017, http://
www.zdnet.com/article/yahoo-says-32m-user-accounts-accessed-via-cookie-
forging-attack/.
\21\ Robyn Greene, Is CISA Gift-wrapped for Hackers and Nation-
State Actors? The Hill, Aug. 3, 2015, http://thehill.com/blogs/pundits-
blog/technology/250070-is-cisa-gift-wrapped-for-hackers-and-nation-
state-actors.
---------------------------------------------------------------------------
Privacy is not only essential to data security but also to trust.
To the extent that information sharing is an important element of a
holistic cybersecurity strategy, having adequate standards in the law
and its application are essential to expanding its reach and impact.
Companies will be uncomfortable sharing information if they worry their
users will see it as harmful to their privacy. Indeed, 2 months before
CISA's final passage, many leading technology companies and trade
associations specifically cited its insufficient privacy protections as
their grounds for opposition to the bill.\22\
---------------------------------------------------------------------------
\22\ Robyn Greene, Tech Industry Leaders Oppose CISA as Dangerous
to Privacy and Security, The Hill, Oct. 21, 2015, http://thehill.com/
blogs/pundits-blog/technology/257601-tech-industry-leaders-oppose-cisa-
as-dangerous-to-privacy-and.
---------------------------------------------------------------------------
Though DHS has done a good job implementing CISA in a manner that
protects privacy and enhances security, Congress should address the
outstanding concerns outlined above by codifying these sensible
implementations in the law itself. This would provide the public and
the private sector with the assurance that the protections as applied
by the various guidelines and procedures will not be altered or
reinterpreted in a manner harmful to privacy by this or any future
administration.
Finally, more must still be done to increase information sharing by
the Government with the private sector. Throughout the debate on
information sharing security experts were clear that CISA would likely
have only a modest impact on security, if it had any impact at all,
because it focuses on increasing information sharing from the private
sector to the Government or to other private-sector entities. These
experts argued that in order to enhance cybersecurity by increasing
information sharing, the Government needs to improve its system for
sharing actionable information with the private sector. Specifically,
experts called on the Government to declassify more information and
share it with a broader set of stakeholders, to speed up its
declassification process, and to expand the pool of stakeholders that
are cleared to receive Classified indicators.\23\ Congress should look
to how it can help DHS address these concerns.
---------------------------------------------------------------------------
\23\ Sara Sorcher, Security Pros: Cyberthreat Info-sharing Won't Be
as Effective as Congress Thinks, Christian Sci. Monitor, Jun. 12, 2015,
http://www.csmonitor.com/World/Passcode/2015/0612/Security-pros-
Cyberthreat-info-sharing-won-t-be-as-effective-as-Congress-thinks.
---------------------------------------------------------------------------
While improving information sharing can be an important element to
cybersecurity, it is just one of many steps that must be taken overall.
Ultimately, the only effective approach to cybersecurity will be a
holistic approach.
additional steps to strengthen private sector-public sector
partnerships to improve cybersecurity and protect privacy
OTI has long argued that while information sharing can have value,
it is only a part of the more holistic approach to cybersecurity that
Congress, the Federal Government, and the private sector must take.
That approach necessitates more resources for the Federal Government,
as well as more public education about cybersecurity threats and how to
defend against them. The Federal Government also needs to take a
``whole-of-Government'' approach to cybersecurity issues. This is
especially needed in two areas: The establishment of policies on
vulnerabilities management, and identifying ways to encourage users and
private companies to adopt security best practices, like increasing the
use of multi-factor authentication and encryption.
Ensuring that all agencies have sufficient resources to buy newer,
more secure hardware and software systems, and to recruit and retain a
robust staff of skilled security and technology policy experts, has
been a long-standing problem. This was one of the problems that led to
the OPM breach that resulted in the exfiltration of over 20 million
records. Ann Barron-DiCamillo, DHS lead on the team that investigated
the breach, stressed that ``[OPM] had older systems, that needed to be
modernized . . . They had neglected networks from the perspective of
putting in the cybersecurity sensors and technologies that they need to
find adversaries in the network.''\24\
---------------------------------------------------------------------------
\24\ One Year After the Government Data Breach, supra note 20.
---------------------------------------------------------------------------
Less than a year after the OPM breach became public, the previous
administration announced the establishment of the President's
Commission on Enhancing National Cybersecurity.\25\ The commission
concluded its work with the issuance of the Cybersecurity National
Action Plan (CNAP). Many of the Commission's recommendations focused on
adequately resourcing the Federal Government. They recommended
increasing the cybersecurity budget to $19 billion in fiscal year 2017,
including investing $3.1 billion in information technology
modernization to ensure that Federal devices and networks would be
compatible with modern security tools; and allocating an additional $62
million to training and hiring new cybersecurity personnel.\26\
---------------------------------------------------------------------------
\25\ Michael Daniel, Ed Felten, & Tony Scott, Announcing the
President's Commission on Enhancing National Cybersecurity, The White
House, Apr. 13, 2016, https://obamawhitehouse.archives.gov/blog/2016/
04/13/announcing-presidents-commission-enhancing-national-
cybersecurity.
\26\ Press Release, Office of the Press Secretary, White House,
Fact Sheet: Cybersecurity National Action Plan (Feb. 9, 2016), https://
obamawhitehouse.archives.gov/the-press-office/2016/02/09/fact-sheet-
cybersecurity-national-action-plan.
---------------------------------------------------------------------------
These recommendations to significantly increase Federal spending
related to cybersecurity are well taken, considering the scale of
attacks on Federal Government networks in recent years and the
difficulty the Federal Government has hiring and retaining
cybersecurity experts.\27\ As Congress drafts the budget for fiscal
year 2017, it should allocate whatever resources will be necessary to
hire a skilled workforce, and to modernize Federal Government networks
and harden them against attacks.
---------------------------------------------------------------------------
\27\ Dustin Volz & Warren Strobel, NSA Risks Talent Exodus Amid
Morale Slump, Trump Fears, Reuters, Feb. 28, 2017, http://
www.reuters.com/article/us-usa-cyber-nsa-idUSKBN1672ML.
---------------------------------------------------------------------------
In addition to proper resourcing, the Federal Government, including
DHS, should continue its efforts to educate industry and the public
about how to better protect themselves on-line. Increased education on
how to identify social engineering attacks is particularly needed.
Internet users' susceptibility to these kinds of threats has proven to
be a somewhat intractable problem over the years. The most recent
Verizon data breach report found that 30 percent of recipients of
phishing emails opened them (a 23 percent increase from the prior
year), and 12 percent of those people downloaded the malicious
attachment or clicked on the malicious link.\28\ Nonetheless, raising
awareness of these threats via campaigns like ``Stop. Think. Connect.''
may be the first step to reducing the threats' effectiveness.\29\
---------------------------------------------------------------------------
\28\ Supra note 19, at 3.
\29\ Stop. Think. Connect., Dep't of Homeland Security, https://
www.dhs.gov/stopthinkconnect (last visited Mar. 5, 2017).
---------------------------------------------------------------------------
While resourcing and education are important, DHS must also be part
of a whole-of-Government approach to cybersecurity and engagement with
the private sector. Two areas that could most positively impact our
Nation's cybersecurity are vulnerability management and wide-spread
adoption of security best practices.
One key aspect of vulnerability management is incentivizing the
private sector and individuals to protect themselves against known
vulnerabilities by regularly updating their software so that known
vulnerabilities are patched. Yet for 8 years, Congress focused almost
entirely on how to increase information sharing about those
vulnerabilities, without doing anything to help ensure that they are
patched. Indeed, CISA explicitly states that a company is not required
to act on the threat information it receives.\30\
---------------------------------------------------------------------------
\30\ Supra note 1 at � 1505(c)(1)(B).
---------------------------------------------------------------------------
Unsurprisingly, the private sector often only takes action to
update their systems after a massive breach, but maintaining updated
software would protect against the vast majority of threats.
Approximately 85 percent of successful exploits used the same 10
vulnerabilities, all of which have patches available.\31\ In order for
CISA to have its intended impact, the Government and the private sector
must turn information sharing into action by encouraging more and more
regular patching of known vulnerabilities.
---------------------------------------------------------------------------
\31\ Supra note 19 at 10.
---------------------------------------------------------------------------
Another critical aspect to vulnerabilities management concerns how
the Federal Government and Congress approach laws and policies
impacting vulnerability research and disclosure, and Government
participation in the market for previously undiscovered
vulnerabilities, called ``zero-days.'' Last year, OTI published a
research paper called ``Bugs in the System'' that serves as a primer on
the vulnerabilities ecosystem. We concluded that the leading factors
hindering effective vulnerabilities management were a lack of clarity
about how best to disclose newly-discovered vulnerabilities in order to
see them patched; the chilling effect that out-of-date technology laws
have on security researchers; and the existence of and U.S. Government
participation in the zero-day market.\32\
---------------------------------------------------------------------------
\32\ Andi Wilson, Ross Schulman, Kevin Bankston & Trey Herr, Bugs
in the System, New America's Open Tech. Institute (July 2016), https://
na-production.s3.amazonaws.com/documents/Bugs-in-the-System-Final.pdf.
---------------------------------------------------------------------------
We made five recommendations as to how Congress and the Federal
Government could most effectively address these issues:
1. The U.S. Government should minimize its participation in the
zero-day market: The zero-day market incentivizes selling
vulnerability information to the highest bidder rather than
disclosing it to the vendor so it can be fixed, and it caters
to the intelligence and law enforcement arms of democratic
governments and repressive regimes alike, as well as spies and
criminals. The U.S. Government can significantly shrink this
market simply by abstaining from it and instead relying on and
growing resources and technical expertise at agencies like the
NSA;\33\
---------------------------------------------------------------------------
\33\ Id. at 21.
---------------------------------------------------------------------------
2. The U.S. Government should establish strong, clear procedures
for Government disclosure of the vulnerabilities it buys or
discovers: When the Government discovers or purchases
vulnerabilities that put American internet users and companies
at risk, it should ensure that they are disclosed and patched
as soon as possible. While there is a process, called the
Vulnerabilities Equities Process (VEP), to decide when the
Government should disclose vulnerabilities, little is known
about how that process works, how often it is used, and how
effective it is at ensuring vulnerabilities are disclosed.
Congress should investigate this issue, and then codify a
process that agencies would be required to follow, and that
heavily favors disclosure;\34\
---------------------------------------------------------------------------
\34\ Id. at 21-22.
---------------------------------------------------------------------------
3. Congress should establish clear rules of the road for Government
hacking in order to protect cybersecurity in addition to civil
liberties: Government hacking is as privacy-invasive as
wiretapping, and it introduces a set of unique risks to
security and to civil liberties, such as Government malware
spreading to innocent people's computers, or resulting in
unintended damage or the creation of new vulnerabilities. Yet,
Congress has not established a clear legal framework for
Government hacking, with rules and constraints that address
these unique concerns, as it did to address concerns associated
with wiretapping;\35\
---------------------------------------------------------------------------
\35\ Id. at 23.
---------------------------------------------------------------------------
4. Government and industry should support bug bounty programs as an
alternative to the zero-day market and investigate other
innovative ways to foster the disclosure and prompt patching of
vulnerabilities: We can improve security by creating more
avenues through which security experts can disclose
vulnerabilities and diverse incentives for disclosing them,
like through Vulnerability Reward Programs, often referred to
as bug bounty programs. These programs also provide an outlet
for researchers who do not want to participate in the zero-day
market; and\36\
---------------------------------------------------------------------------
\36\ Id.
---------------------------------------------------------------------------
5. Congress should reform computer crime and copyright laws, and
agencies should modify their application of such laws, to
reduce the legal chill on legitimate security research: Out-of-
date laws like the Electronic Communications Privacy Act
(ECPA), the Computer Fraud and Abuse Act (CFAA), and the
Digital Millennium Copyright Act (DMCA), chill security
research. This is because under these laws, security
researchers are threatened with criminal and civil penalties
for their efforts to identify vulnerabilities and fix them.\37\
---------------------------------------------------------------------------
\37\ Id. at 24.
---------------------------------------------------------------------------
Finally, in addition to improving vulnerabilities management, the
Federal Government must work with the private sector to help drive a
cultural shift in Government and industry that embraces privacy by
design, and that fuels wide-spread adoption of security best practices.
OTI recently launched a project called ``Do the Right Thing'' in which
we studied the factors that led to the wide-spread industry adoption of
now common, though not yet ubiquitous, security tools like transit
encryption by default and offering two-factor authentication. We found
that Government was often influential in spurring increased adoption of
these tools.\38\
---------------------------------------------------------------------------
\38\ Kevin Bankston, Ross Schulman & Liz Woolery, Getting Internet
Companies To Do The Right Thing, https://www.newamerica.org/in-depth/
getting-internet-companies-do-right-thing/ (last visited Mar. 5, 2017).
For a summary of all of the most common factors spurring the spread of
three privacy and security best practices, see Kevin Bankston, Ross
Schulman & Liz Woolery, Key Lessons, https://www.newamerica.org/in-
depth/getting-internet-companies-do-right-thing/key-lessons/ (last
visited Mar. 5, 2017).
---------------------------------------------------------------------------
DHS and other relevant Federal agencies should champion the use of
multi-factor authentication and of encryption to protect stored data
and communications in transit.\39\ DHS should also work with relevant
Federal entities and industry leaders to encourage a ``privacy by
design'' approach to product development, including employing security
mechanisms like automatic software updates and offering multi-factor
authentication and encryption services by default. Thinking about
security holistically and from the ground up will be especially
important as more devices become connected and the internet of things
morphs into simply ``the internet.''
---------------------------------------------------------------------------
\39\ The question of how to address law enforcement access to
encrypted communications has been the subject of intense controversy
for several years. OTI strongly opposes any policy proposal that would
amount to a mandate for exceptional access to encrypted communications,
commonly referred to as encryption backdoors. For a detailed
explanation of OTI's position on exceptional access for law
enforcement, see Kevin Bankston, Written Statement to the House
Committee on Oversight & Gov't Reform Subcommittee on Information
Technology. Encryption Technology and Possible U.S. Policy Responses,
Hearing, Apr. 29, 2015, http://oversight.house.gov/wp-content/uploads/
2015/04/4-29-2015-IT-Subcommittee-Hearing-on-Encryption-Bankston.pdf.
For more materials on OTI's position on encryption, see Read this
Before You Rail Against Encryption, New America's Open Tech. Institute
(Nov. 19, 2015), https://www.newamerica.org/weekly/101/read-this-
before-you-rail-against-encryption/.
---------------------------------------------------------------------------
In conclusion, while CISA improved in some areas over the course of
the Congressional debate, the final law left certain privacy concerns
unresolved and in need of reform. CISA also addresses only a fraction
of what Congress and industry should be thinking about as they work to
enhance cybersecurity. The focus must now turn to an outcomes-based
approach. Congress must ensure that all Federal agencies, including
DHS, have the resources necessary to hire robust teams of security and
technology policy experts, and maintain modern and up-to-date systems
and equipment. It will also be essential to find ways to incentivize
the private sector and individuals to take action based on new
information, such as patching known and newly-discovered
vulnerabilities and clarifying the Government's approach to
vulnerabilities management in general. Finally, the relevant Federal
agencies should take advantage of their bully pulpit to encourage
broader adoption of security best practices like the use of encryption
and two-factor authentication.
Mr. Ratcliffe. Thank you, Ms. Greene.
Thanks all the witnesses for your testimony.
I now recognize myself for 5 minutes to ask questions.
In my opening remarks, I talked about the fact that we have
got a new administration and with that provides us an
opportunity to regroup and reassess.
I want to ask a broad question and give you all an
opportunity to answer this.
To the extent that, you know the President's cybersecurity
advisers, maybe even Secretary Kelly are listening to our
hearing today or are subsequently briefed on it, if you had the
opportunity to tell them to focus on one or two of the highest
priorities or specific action items that you think that this
administration ought to be focused on with respect to its DHS
mission, what would that be? It could relate to private-sector
relationships for cybersecurity or protection of our critical
infrastructure at large.
But if you had that message to give, what would it be?
So let me start with you, Mr. Nutkis.
Mr. Nutkis. Thank you, Mr. Chairman.
So I think from an ISAO perspective, the guidance we want
is, what are the expectations and the role? I think, as the
other testifiers have presented, we in industry are willing to
step up and provide a lot of the interface. So with regards to
AIS, we do that directly. So everyone in industry connects with
us, we connect with DHS. We deal with a lot of the
anonymization, a lot of the accuracy issues. So for us, it is
guidance in working with what the expectations are.
We deal with a lot of the--we were sharing before the
liability protections in CISA. We would like to see those
increased and better guidance. So we would like to see clarity
around the expectations from industry.
Then with regards to the framework, I will echo those
sentiments is, it is voluntary and each industry has its own
interpretation of the guidance and the guidelines that are
established.
So the cybersecurity framework is a high-level framework.
Each industry then has to customize it for their own
requirements and then it has got to be customized specifically
to the organization.
I just want to make sure there is clarity that one size
does not fit all. There has got to be the ability for
industries and organizations to be able to implement that based
on the specific needs in a voluntary basis.
Mr. Ratcliffe. Thank you.
Mr. Montgomery.
Mr. Montgomery. Thank you. It is labor, labor, trained
labor. As we have all talked about, the size and scale of the
footprint, the impact upon our lives, the cyber impact upon our
lives, it grows by leaps and bounds every minute. The notion
that we are going to out-labor this one person at a time is
preposterous.
So if we break labor into two buckets, bucket No. 1 is,
certainly there is a shortfall, not only, as Ms. Greene pointed
out, in the public sector, but also in the private sector. We
are having trouble hiring people, too. So an intense focus upon
education, making cyber a desirable career and an accessible
career across a wide, disparate labor force that wants to work
in cyber is essential.
But also, the need for reduced labor. We are not going to
out-labor this problem one person at a time. So information
sharing, automation, the ability to act at machine speed.
Our adversaries, as Mr. Greene pointed out earlier, they
already utilize machines in order to further their campaigns
and make it more automated. We need to be doing the same thing,
not only with information sharing, but how we act on behalf of
critical infrastructure.
Mr. Ratcliffe. Thank you.
I will just say we have talked about the cyber work force
as a priority of this subcommittee going forward, so I was glad
to get your remarks.
Mr. Greene.
Mr. Jeffrey Greene. So focusing on DHS, I think we need a
clear statement. I would like to see a clear statement from the
administration that there will be a civilian lead for, you
know, continuing DHS, a civilian lead for the civilian cyber
effort. I think it is important to send a message both to the
companies that have developed relationships with DHS to know
those are going to continue and also around the globe.
Secondarily is something that you mentioned in your opening
statement, look at the operationalization of DHS. From our
perspective having a long relationship, we know where the touch
points are. We know who does cyber in DHS, who we reach out to
for a specific issue. But if you don't know the structure and
you are on the outside looking in, it is really hard to discern
who does cyber, where you want to go to.
I do think aggregating the functions in a central place and
providing an operational context to it is important.
Mr. Ratcliffe. Thank you, Mr. Greene.
Mr. Gillis.
Mr. Gillis. So I would focus very much on implementation.
We are at a place right now where there aren't massive
statutory barriers to executing the cybersecurity mission. We
need to implement more effectively.
We have had a 10-year discussion within this country about
roles and missions of DHS, of DOD, of the intelligence
community, of law enforcement, how all of those entities can
work together with the private sector and internally. And not
re-litigating that and moving forward with being more effective
on the operational environment under that broad policy
construct would be essential.
So what we have seen in at least some of the publicly-
available iterations of the draft Executive Order on
cybersecurity I think has been a progression to get back under
that framework, where the roles and responsibilities reflect
continuity from the Bush administration, CNCI, Comprehensive
National Cybersecurity Initiative, through the Obama
administration policy, through the bipartisan legislation that
this committee has led. So not re-fighting the turf battles and
the roles and missions and getting to a point where we can
execute in a way that is automated and efficient is where I
would focus.
Mr. Ratcliffe. Terrific, thanks very much.
Ms. Greene.
Ms. Robyn Greene. Thank you. I think the things that I
would convey would be in terms of the guidance that DHS
promulgated to implement CISA. I hope that this committee and
the administration will continue to support DHS in that
important work and not do anything to water down the
protections or articulations of the definitions in the
guidance.
As we know, privacy and security are inextricably
intertwined. As Mr. Gillis pointed out, it is very important
that information be actionable. I think that one of the things
DHS did very well in promulgating this guidance is ensuring
that companies focus on sharing actionable information. So
supporting that effort will be critical.
Additionally, making sure that information is a two-way
street, ensuring that DHS starts to do a better job of getting
information to the private sector and doesn't just rely on
information sharing be from private sector to the Government.
I would also agree with the need to increase resources and
to ensure that agencies have the funding that they need to hire
the best people and to update their systems, as I noted in my
opening statement.
Finally, empowering DHS to work with Federal agencies to
shore-up their systems. One of the things that had been
contemplated in the Executive Order is bringing the Department
of Defense more into that work. I think that would be a
mistake.
Having civilian control over domestic cybersecurity was one
of the main points of contention during the debate over CISA
and, as Ryan just pointed out, has been settled. I think that
we should start moving forward instead of moving back and re-
litigating past debates.
Mr. Ratcliffe. I thank you all. I think you gave some very
thoughtful, helpful, and constructive answers. So I appreciate
that.
The Chair now recognizes the Ranking Minority Member, Mr.
Richmond, for his questions.
Mr. Richmond. Thank you, Mr. Chairman.
Ms. Greene, I will start actually where you were leaving
off in terms of the guidance that DHS was able to issue. But I
guess my question would be, are there privacy issues that DHS
did not or could not rectify through guidance? If so, what were
they?
Ms. Robyn Greene. Thank you, that is a really important
question. So there were a few areas that DHS was not able to
address through its guidance, primarily the over-broad law
enforcement use authorizations and the potential for the
President to establish a second authorized portal for
information sharing.
I will elaborate on why the potential for a second portal
is particularly concerning. First, having that second portal
would decentralize the information-sharing process, which is
anathema to the purpose of CISA. It would reduce situational
awareness.
Second, it would create confusion as to the DHS's role as
the civilian lead in the Federal Government in information
sharing with the private sector.
It would also waste taxpayer dollars. It would result in
bypassing the work and resources that have been put into
standing up the NCCIC in order for them to develop the
relationships that they have developed with the private-sector
entities.
Finally, if the second portal was set up in a law
enforcement agency or an intelligence oversight agency, like at
the FBI or the director of national intelligence, it would
undermine user trust, which is just essential for companies to
feel comfortable engaging in the information-sharing program.
Mr. Richmond. Do you expect the administration to address
any of that? Or what are you hearing?
Ms. Robyn Greene. I haven't heard anything with regard to
how the administration will be approaching changing DHS's
implementation of its guidance or sort-of reopening CISA to
amend these problems. I would certainly encourage Congress to
start thinking about whether it would be possible to amend CISA
to address those concerns.
But most importantly, I hope that this committee will work
to bolster DHS in its efforts to implement CISA in the manner
that it is done, which is balancing privacy and security.
Mr. Richmond. Thank you.
I will ask this question to the panel since we have a whole
bunch of experts here.
We hear a lot about whether DHS's automated indicator
sharing is or isn't working. For instance, whether the data is
timely, whether the volume of data is manageable and the cost
of running the program.
So from your perspective, can you tell us what is fact and
what is fiction in terms of the automated indicator sharing?
Mr. Nutkis, if you want to start.
Mr. Nutkis. Sure. So having been involved in information
sharing now for 5 years within the industry and now with
Government, it is an iterative process. So ourselves in
industry had a substantial problem in trying to collect IOCs.
We went from 4 percent of the organizations contributing to 100
percent through the enhanced IOC program and accuracy. So we
realize it is iterative.
Our experiences are quite positive. We had initial
technical issues. We realized, by the way, that there aren't a
substantial number of organizations that are sharing. But we
have seen more and more that are sharing and we are getting
better and better indicators back.
No question that it is not as effective as it could be. But
based on where we were 5 years ago, they certainly have made a
lot more progress in a short amount of time. So we actually
have high hopes that if they can encourage other organizations
to share, and that is really what it comes down to, you know,
we see a ton of situational awareness across our sector, we
would like to see more across the other sectors. We certainly
would like to see more information disclosed from Government.
But the progress we have seen is positive.
Mr. Montgomery. I will give you both the good and the bad.
I agree with Mr. Nutkis. What I think is good is that we are
establishing the right kinds of muscle memory.
Ten years ago, 15 years ago, the idea of sharing an
information security tidbit with a third party was anathema. I
mean, it wasn't done. In fact, it was considered
counterproductive. So I think we are establishing very, very
good muscle memory. The sharing of IOCs among disparate third-
party public and private organizations, that is good muscle
memory.
On the downside, what is actually being shared and its
usefulness and its timeliness, yes, we do need to improve. For
example, if you were an auto mechanic and I handed you a bolt
and said, OK, fix it, you wouldn't really understand where the
bolt was from on the car or what kind of manufacturer it was
from or whether it was a car or a truck. You would just
understand that I had a problem. I think once we say, hey, this
bolt fell off of my 1967 Fiat, now you are starting to
understand the context that is required.
I believe the muscle memory and the sharing will get us
toward those, but certainly we need some better guidelines
about what constitutes good data coming in.
Mr. Jeffrey Greene. I would echo what Mr. Montgomery said.
I think probably one of the most significant wins is that we
now have a formal process, we are not relying on just
relationships.
We are right now in the midst of an analysis as to whether
it makes sense for us to really jump in on AIS. One of the
things we are looking at is how much work it takes to really
make sense to figure out that the nut came from a Fiat once we
get data back.
We are in a little different position just because of the
volume of data that we get in through our own sensors. So there
is, you know, a lot of information we have already obtained on
our own, so there may be less unique data than other
organizations.
But we have reviewed in the past and are now revisiting
again to see if it has evolved to a place where it is useful to
us. So we are looking at the questions that you asked, right
now. But the most important thing, though, is we now have a
formal process as opposed something that is purely
relationship-based.
Mr. Gillis. So on the operational side, I would echo all of
these statements, which is that AIS has the right foundation.
It needs to be sharing more particularly on the context side.
If you look at the Cyber Threat Alliance, the way that we are
now sharing is not just a quantity of indicators of compromise,
you have to actually share with context. So what phase of the
attack is this in? Is it intelligence and reconnaissance? Is it
command-and-control? Is it linked to a known campaign?
With that broader context, if AIS can incorporate some of
those technological best practices, it will be far more
valuable in what it does.
On the programmatic side, this seems simple, but I have
talked to DHS about this, so as a DHS alum I wanted to stick
with this. There are some challenges to just on-boarding. They
are short-staffed and there is not a real customer service
focus to outreach to the private sector and bring even willing
participants on in a timely and effective manner.
So they recognize that. It is something that is very much
correctable, but it would go a long way as you go out to
companies and try and build trust, because AIS is only going to
be more effective with more parties involved. Making that
process as easy as possible is an administrative thing that I
think can add real operational value.
Mr. Richmond. Let me thank you.
Mr. Montgomery, you must be a golfer because you used
``muscle memory'' as opposed to just saying habit or something.
But just thought I would point that out. Thanks.
Mr. Ratcliffe. The gentleman yields back.
The Chair now recognizes the gentleman from Wisconsin, Mr.
Gallagher. The Chair also welcomes him and Mr. Fitzpatrick and
Mr. Garrett and Mrs. Demings to our subcommittee. We are glad
to have you all.
With that, the gentleman is recognized.
Mr. Gallagher. Thank you, Mr. Chairman.
Mr. Montgomery and Mr. Greene, at the end of the second
quarter of 2016, I believe Amazon and Microsoft, IBM and Google
combined for about 55 percent of the global cloud
infrastructure market share. What more could we be doing as a
committee to ensure security of that vital cloud computing
system? Is there any more attention we need to be paying to the
actual physical security of these systems as we talk about
securing sort of cyber space?
Just easy questions today.
[Laughter.]
Mr. Montgomery. Boy, that is a big-boy-pants question.
[Laughter.]
Mr. Gallagher. The only kind of pants we wear on this
committee.
[Laughter.]
Mr. Montgomery. All right. So let us start with hardware
and physical security because I think it is foundational,
whether it is cloud or whether it is brick-and-mortar.
One of the things that we recognize across the technical
folks on the committee is that if you don't have a good
foundation, the pyramid gets top-heavy very, very quickly. So
underlying chip-level, firmware-level security is essential in
the trust model.
Because what you are doing when you go to a--now, when we
do go to the cloud, you are basically renting a data center
from somebody else. So the physical controls and the physical
security and the chip-level security have to be sacrosanct.
Intel has long led with respect to this with a series of
freeware tools that are available in order to test the efficacy
and tamper-proof or tamper state of the firmware and chips that
the commonly-used cloud providers utilize.
I think that one of the things that is challenging about
cloud is that, just like any other technology, it is not a
panacea. It is a useful tool for solving a series of problems.
But one of the things that I think Government can do is help
establish, what problem are you trying to solve? Are you trying
to buy CPU cycles very cheaply? The cloud is the best way for
doing that. Are you trying to have highly regulated or
Classified or Sensitive data housed at the same security as
brick-and-mortar, but have someplace else or somebody else do
it? Your mileage may vary on costs. You will get there, but
your costs will wind up being different.
So what can we do? Homeland's role here in terms of
communication is essential. What do we mean by cloud? If I
asked all of the committee Members or subcommittee Members, you
would all have your own idea on what cloud means.
So putting some definitions around what we mean, what the
best uses are, what Government should be doing or potentially
not doing, where brick-and-mortar is appropriate versus cloud
is a great start to helping to identify not only what should we
doing at home in our own data closet, but also which third-
party partner that you mentioned should we be going to and why.
I think that is a great start.
Mr. Jeffrey Greene. So I would start by cloud is a
different domain, a different environment, but a lot of the
same risks and threats. So let us not overthink in the sense
that we have to come up with something brand new. I would apply
the same thing to this internet of things which is growing. Let
us not forget the lessons we have learned and act like we have
to start from scratch.
So a lot of the same traditional cyber hygiene is going to
apply. I think you also need to distinguish between whether we
are talking about securing the actual cloud provider or
securing the user of the cloud.
Then you get get down to risk-based decisions. If I am
using the cloud to host my kid's Minecraft site, probably not a
high-level security needed. If a power generation plant or some
critical infrastructure is using the cloud for some capacity,
much higher need for security there. In that case, you have to
think about what is the obligation for both the cloud provider
and the organization that chooses to use the cloud, which is a
fine decision.
Here, I think the NIST framework comes in well, both for
the cloud provider and the user. Use the risk-based
calculations in the framework to figure out what you are doing
right, what you are doing wrong, where your gaps are, how you
improve them. So I would encourage you to think about it from
both ends.
Mr. Gallagher. Great. Quickly, Mr. Gillis, in the 30
seconds we have, one of your co-founders is Israeli. Every day
I hear about a new Israeli company in this space. What are we
doing with them now? What can we learn from the Israelis who
seem to be a leader in this space?
Mr. Gillis. Sure. So there are certainly some lessons
learned from Israel. It is obviously a very different dynamic
and not just the neighborhood that they are in, but the
mandatory service. So there is a lot of institutional knowledge
as well as Israel as a government has done a lot both to
attract American company investment and to ensure that those
that they have within country that have expertise are supported
from a venture capital perspective as they transition to the
private sector.
I would also echo on the cloud side of things, too, you
know, fundamentally, we talked earlier, you have got to protect
your customers wherever their data resides and transits. So as
Jeff has said, you need to move effective technology geared to
the specific how of defending a cloud and evolve that into that
new area.
But the principle remains the same, which is that you need
to be secure, whether it is in a data center, whether it is at
a terminal, or on a mobile device.
Mr. Gallagher. Thank you.
Thank you, Mr. Chairman.
Mr. Ratcliffe. The Chair recognizes the gentlelady from
Florida, Mrs. Demings.
Mrs. Demings. Thank you. Thank you to our witnesses for
being with us today.
Ms. Greene, as we continue to assess the impact of cyber
intrusions and begin to make adjustments to cyber policies
based on what we know about these intrusions, what must we keep
in mind on the privacy and the civil liberties front to make
sure we balance security with the privacy concerns?
Ms. Robyn Greene. Thank you. I think ensuring that we
maintain a civilian lead within the Federal Government on
cybersecurity is going to be absolutely essential as we move
forward in this space.
Additionally, always remembering that the more we are
protecting privacy, the more we are increasing security. Well-
curated information is going to be one of the best tools that
we have and security experts are in nearly unanimous agreement
that that almost never includes information like communications
content or personally identifiable information.
So as we move forward, ensuring that whatever new
undertakings, you know, lay ahead and whatever changes to the
guidance that may be made for CISA, we always keep privacy and
minimizing unnecessary information sharing at the forefront.
Mrs. Demings. Also for Ms. Greene, in President Obama's
cybersecurity Executive Order, there was a designated role for
the Privacy and Civil Liberties Oversight Board. Should this
board have a designated role in future Executive Orders and
legislation? How important is it to have a fully functioning
Privacy and Civil Liberties Oversight Board?
Ms. Robyn Greene. So in previous iterations of information-
sharing legislation, there had also been a role for the Privacy
and Civil Liberties Oversight Board contemplated. OTI supported
the inclusion of the PCLOB as an entity to oversee the
implementation of information-sharing programs.
Whether it is expanded into the cybersecurity space or not,
the Privacy and Civil Liberties Oversight Board plays an
incredibly important role in Americans' privacy. It not only
conducts oversight of counterterrorism activities for the
Federal Government and their implications on privacy and civil
liberties, it also serves as a sounding board for the
intelligence community to ensure that they are doing things in
the best way for privacy possible.
Oftentimes, the PCLOB will actually raise concerns or make
suggestions about how the intelligence community can be
improving privacy that they simply hadn't thought of yet. So
they do play a critical role in bolstering Americans' privacy
and civil liberties.
Mrs. Demings. Thank you.
This next question is, for the sake of time, for any
witness who feels it is more appropriate for them.
For a long time, the information-sharing conversation has
been stuck on gathering data, either making it easier to
participate or offering incentives to share.
It is time to start shifting our attention to focus on what
we should do with the cyber threat data that we collect?
Mr. Jeffrey Greene. Real quick, I think I am very pleased
to hear the idea of shifting away from incentives, not that
companies or organizations are going to turn them down. But at
the highest policy level, I have always had a little discomfort
with this notion that we need to give incentives for people to
improve their cybersecurity. It is not something that we should
have to incent people to do.
We need to get to a world where securing your data, whether
your personal, your corporation, your pizza shop, is the same
as locking your door. In college I worked at a bicycle store,
and when I left at night no one had to incent me to lock the
door so someone wouldn't steal my bikes. I think we need to get
to a place in cybersecurity where the mind-set is that this is
just a reality of doing business.
I do have some concern that a continuing discussion of
incentives perpetuates this idea that cybersecurity is some
extra that we need to encourage people to do as opposed to just
the reality of the world we live in today.
Mr. Nutkis. Just to give you a perspective from industry,
so we use the terms ``consumption'' and ``actionability.'' I
think the problem is, is that we work with Fortune Six
organizations and we work with two-doc practices. So when we
are talking about the shift, we also have to shift the
approach.
I think we have piloted and we have seen methods of high-
tech, low-touch where, you know, we hear from the smaller
organizations that they just don't have the resources, they
don't have the appetite. They are trying to screen patients for
Zika virus or other things and that is what they are going to
worry about. They are not worrying about information security.
They expect that that will be an automated process that the
vendors are going to have to figure out how to automate that
process.
So it is not a one-size-fits-all, but the consumption and
actionability is clearly an issue we have to shift to.
Mrs. Demings. Great, thank you so much.
Mr. Ratcliffe. The Chair now recognizes the gentleman from
Pennsylvania, Mr. Fitzpatrick.
Mr. Fitzpatrick. Thank you, Mr. Chairman.
Thank you to the Ranking Member as well.
Thank you to the panel for being here today on a really
critical issue.
I have said many times, of all the threats we face as a
country, I am not aware of a larger threat than that of cyber
threats, both from a National security standpoint and an
economic security standpoint.
When the law enforcement folks appear before us, I am going
to ask them about their relationship with each other.
Generally, the FBI and DHS have concurrent jurisdiction on the
Federal level over cybersecurity-related issues.
But the question I want to ask this panel, given that you
are representing the private sector, is your relationship with
law enforcement, with both organizations, because in order to
advance the ball in this arena it is critically important from
both sides, not just from the private sector, but from law
enforcement that there be a solid relationship, that there be
information sharing, that there be established protocols as far
as reporting incidents.
I can tell you, coming from that profession, we relied
heavily in all areas, but particularly in this area, on the
private sector and sharing information with us as law
enforcement officials, educating us.
What I would like to know from the members of the panel is,
how has that relationship been with both agencies when it comes
to sharing information about threats, digital fingerprints, and
the like? What is working? What is not working? What can be
improved in that area?
Mr. Gillis. Sure. Let me give you a little bit of
historical perspective as well here, because I can tell you
from while I was in government when the U.S. Government first
started responding to victim notifications, sometimes one
company would call several different agencies. As ridiculous as
this sounds, we have seen instances where each agency would
show up with a different nondisclosure agreement, the company
would sign each one of those and then the agencies couldn't
share amongst each other.
Absurd as that is, we have come a long way in just the
basics along those lines. I think you have seen much better
collaboration amongst the Secret Service and FBI. I think they
are working well together.
To give you a personal anecdote from the private sector
side as well, we have talked a little bit before about raising
the cost of an attack. So first, that starts with preventing
attacks, to weed out unsophisticated actors and also to make
sophisticated actors up their game in a way that makes it more
easily attributable.
Law enforcement is going to be an important component of
that. Right now because the noise is so prolific, it is hard to
go after malicious actors because there are so many people in
the space. If the technology can weed out some of the
unsophisticated actors, it can allow law enforcement to go
after those criminals in a way that they will be forced to come
out in the open more. It will be easier to identify who is
acting because they are going to have to develop, not just use
freely available tools, but develop their own tools that will
make it easier to identify those entities.
We as security companies will sometimes be able to identify
as those campaigns are coming in, this is the infrastructure
they are using. So when that case occurs, we contact FBI,
Secret Service, and others as appropriate to help say this is
the playbook that is being run against us and that can help
inform investigations.
So they do have a very important role and it is something
that we focus on from a private-sector side.
Mr. Jeffrey Greene. Yes. I would echo that. I would say
that direct to DHS, as I mentioned earlier. Just last week, we
had 10 analysts in to talk about a specific threat that they
are looking at, to share our research on. At any point in time,
we are active with several active FBI investigations, providing
information about criminal infrastructure, indicators of
compromise.
Not just us, but industry in general has developed a fairly
good relationship with the large actors out there. It is
something we can certainly provide you more details on some of
the cases that we and others have worked on.
Mr. Montgomery. So I would say I would agree with respect
to collaboration. For instance, nomoreransom.org is a not only
National law enforcement collaboration, but also cross-vendor
where we have actually harvested and returned keys to victims
in conjunction with law enforcement investigations.
So I would say with respect to collaboration, there is a
lot of progress, there is a lot of great partnership and
cooperation.
There is one instance where I think we can make improvement
and it is when there is a data classification around a
Government event. I will give you a functional example, the
Iranian incursion into Navy SQL servers.
Basically by classifying the event, what we are doing is
restricting the number of people who can lend assistance and
also allowing the adversary to operate with impunity where, if
we can release this information sooner, we are actually
affecting not only Government, but private-sector organizations
that have the same, very, very common, to Ryan's point, very
low-hanging fruit attack.
So whereas I think the collaboration is good, when there is
a Government instance requiring data classification, we are
classifying too quickly sometimes and not allowing that
information to be propagated both in public and private sector.
Mr. Nutkis. So just for a slightly different perspective.
So we end up working between DHS and FBI on almost, I would
say, a weekly basis between some event that is going on in the
industry. It is sometimes hard to understand the roles. It
certainly, I think, recently has been much more clarified
between the Bureau and Secret Service.
The term that I can't stand hearing is active law
enforcement investigation which shuts down the sharing. That is
really, so they will reach out, they will ask for a whole bunch
of stuff or we will share a whole bunch of stuff with them, and
then everything stops.
From our perspective, since we already are aware of it
because we were sharing it across multiple organizations, in
fact we are not sure why they can't share back as we are trying
to work the same incident as they are.
So again, we understand the obstacles they are under. You
know, we found that certainly it is a great, you know,
relationship, but their hands are tied. So we end up spinning a
lot of cycles.
Also, the part that has, I think, become much more
efficient is now they reach out to us. They used to reach out
to a hundred organizations individually. They reach out to us
and then we will reach out as an outreach effort, which
certainly makes it much more efficient.
Mr. Fitzpatrick. What do you think the solution is
regarding obviously their hands are tied as far as disclosing
law enforcement sensitive information regarding an on-going
investigation?
Mr. Montgomery, regarding the classification issue, what
are suggested improvements on how to deal with that?
Mr. Nutkis. Well, I am not sure I have an answer
specifically because unfortunately we are not aware of what
they are not sharing. But it appears that they don't have to--
from our perspective, the effort that we are trying to put in
place is cyber resilience. We are trying to defend the public
sector from additional loss. So there has to be a happy medium
here where they can provide us with enough information to
defend the sector without compromising a law enforcement
investigation.
But right now, I don't think they are going through the
analysis. It is a binary. It is yes, there is a law enforcement
investigation, stop, versus what do we need to give the sector
to protect itself? I think that varies based on the
significance of the investigation and the significance of the
threat.
Mr. Montgomery. I can't agree more with Mr. Nutkis. This
knee-jerk to classify an issue, for instance, a SQL server on
an Unclassified network, having an issue for which there is a
7-year-old patch, this doesn't feel like a National security
issue, this feels like an overreaction to what has occurred on
an Unclassified DOD network.
That information could have been useful to a broad swath of
practitioners, both in the private and public sector. But the
knee-jerk classification makes that impossible. So I would
agree, the context around the event makes it easy to decide
what should be disseminated quickly and what should not.
Mr. Jeffrey Greene. Mr. Gillis made a great point before,
that a lot of times the information that law enforcement holds
or is looking at exists and that private sector has developed
that on their own. So we may have evidence of the compromise or
know what needs to be done and there is a way and times to push
that out without any connection back potentially to the fact
that there is law enforcement if Palo Alto holds it, if McAfee,
Intel, or Symantec. There are creative solutions that we can
work toward.
Mr. Fitzpatrick. I am over my time, but we really would
like to work with you on that because that is something that is
really important, and it is something I think we could work to
fix.
So I yield back, Mr. Chairman.
Mr. Ratcliffe. Last but not least, the Chair recognizes my
friend from Rhode Island, the Chairman of the Congressional
Cyber Caucus, Mr. Langevin.
Mr. Langevin. Thank you, Mr. Chairman. Thanks for holding
this hearing.
I want to thank our panel of witnesses here today for your
testimony and the work that you are doing to help protect our
Nation in cyber space.
So I wanted to follow up and just talk a little bit more
about the information-sharing issue and build on some of the
questions that Mr. Richmond had asked earlier.
I just wanted to start with Mr. Montgomery and then the
panel members can chime in as well.
But, Mr. Montgomery, I just have a couple of clarifications
I would like to make from your written testimony, if you don't
mind.
First, you state, today, AIS does not provide a means for
enriching the information it shares and it simply shares
minimal IOC information. So do you mean that AIS and the STIX
and CybOX expressions used under the program are not able to
convey meaningful, contextual information or that as a matter
of practice the information being shared currently lacks the
rich, holistic content?
You know, I want to figure out, is this a logistics and
capabilities part of the protocols with AIS? Or is it the
information that they are receiving isn't robust enough?
Mr. Montgomery. Yes. Unfortunately, it is both. The ability
to extract information from a generic individual IOC, like a
domain name or a URL or a fingerprint of a file, unless the IOC
is so damning and points to such a condition, typically it is
simply one of the needles in a pile of needles.
So two things are required. One, a greater degree of
context around how a particular IOC was collected, under what
context. How was it received? How was it transmitted? From
whom, to whom? When was it received? Was it received during the
course of the normal 9-5 business cycle? Was it sent wildly out
of band?
These are the kinds of pieces of information that a
practitioner would require in order to try and sort out what to
do next. The ability to provide those levels of context as part
of AIS is both--it is a technical limitation that we can't do
that today. It is also sort-of it is base-table stakes in terms
of what a practitioner would do next.
So if we were to make recommendations on change, it would
be around sort-of that practitioner knowledge that comes with
an individual IOC because then it becomes a force multiplier.
Mr. Langevin. OK, very good. Thank you.
So another question, again following up on Mr. Richmond's
question, relates to the free rider problem that you describe
with information sharing.
So I have been impressed with CTA's work to address this
problem, particularly as it moves away from volume-based
measures of input to quality-based ones. So in your testimony,
you state that DHS declassifying more information will help
address the issue of free rider.
While I certainly fully support quicker declassification of
threat indicators, it mystifies me how this is going to
incentivize the private sector to share with Government. Can
you help clarify that for me?
The rest of the panel, I welcome any comments that you
might have, how we can deal with free riders in the broader
ecosystem.
Mr. Montgomery. Sure. So with respect to this has been the
long-standing issue with the private-sector sharing. As Mr.
Nutkis pointed out, we feel like we give information and we
don't get the same yield back.
A declassification process would allow the Government to
determine, particularly as it relates to homeland and its
critical infrastructure mission, what is the implication of a
particular piece of information as it relates to the physical
critical infrastructure before giving it back?
But if that vetting process included even a Classified
effort among vendors who were, as Mr. Greene pointed out, we
sit at a lot of interesting nexuses. If we are able to
complement that effort, collaborate in even the
declassification effort, we all have our cleared elements. In
order to get to that point to say, look, although the
Government has classified a particular piece of information, it
is in the wild or it is in the dark web. The value is only
allowing adversaries to operate with impunity.
This would allow people to get real yield back from the
program on a more timely basis.
Mr. Gillis. Sure. Let me add also on a sector-by-sector
basis within industry. One of the real values of the Cyber
Threat Alliance is that everybody in there is a security
vendor, has sophisticated capabilities, and our customer base
is across all sectors of industry.
So by sharing information, No. 1, we wanted to ensure that
the barrier to entry wasn't just a pay-for-play, but that you
had to contribute significant, actionable intelligence on a
regular basis. The benefit of that is that all of our customer
set is better protected.
If you looked at ISACs, so financial sector, energy sector,
health sector, for example, the less that those ISACs have to
do for plugging in individual indicators of compromise or
stopping individual playbooks, if they can rely on the security
vendors to do that, then you can have more participation within
those industry verticals on things that are specific to their
sector. So there is a real force multiplier across different
sectors of industry by coupling the CTA with the role of the
Government and the role of these different ISACs on a sector-
by-sector basis.
Mr. Nutkis. Yes, I would agree with that. Although this has
been an issue that we have had to deal with. I am not sure if
people realize the only organization that doesn't benefit from
information sharing is the one who shared.
So as we have gone through this and we did our original
analysis, we found that 4.1 percent of the organizations that
were in our information-sharing center were actually
contributing. Of that, they were contributing in a relatively
abysmal way, 7 weeks between identification to sharing and
things like that.
We then went to what we called enhanced, which you had to
share within 5 minutes and it had to have the metadata and you
had to share complete indicators. What we did is we delayed the
participation or the sharing of those indicators by 14 days to
anyone else. That was the only carrot we could find which was,
if you wanted better indicators you had to share better
indicators. That was really the incentive.
Actually, it worked. We were able to get a lot of
organizations to step up to the table, by the way recognizing
that, and I think this is also important, that there is an
underlying element here that gets lost, which is a lot of the
issues with sharing has to do with the maturity of the
organization or their ability to share in the first place.
So even though we are sharing, we also have this other
issue, if you are not mature enough to share, are you mature
enough to consume. I know that gets lost on a lot of this and
this hearing is on sharing, but we need to make sure as we
share, again, as the technology vendors look to improve the
infrastructure and the security technology, is how do we
consume them.
Mr. Langevin. Thank you, Mr. Chairman.
Is it your intention, Mr. Chairman, to do a second round or
are we just doing a first round?
Mr. Ratcliffe. Yes. Unfortunately, just one round today.
Mr. Langevin. OK. So I have some additional questions I
would like to submit for the record and hopefully our witnesses
can respond in writing.
Mr. Ratcliffe. Terrific.
Mr. Langevin. Thank you.
Mr. Ratcliffe. Thank the gentleman.
The Chair now recognizes my colleague from Texas, Ms.
Jackson Lee.
Ms. Jackson Lee. Thank you for the courtesy of the Chair
and the Ranking Member.
Thank all the witnesses today.
Let me just begin and thank you for what I have gleaned in
this hearing. I appreciate maybe global responses if you could
quickly give.
A bill that I introduced, H.R. 940, Securing Communications
of Utilities from Terrorist Threats, and an aspect of it is to
seek voluntary participation on ways that DHS can best defend
against and recover from terrorist acts that have an impact on
National security. It involves working with the private sector.
Then H.R. 935, Cybersecurity and Federal Workforce
Enhancement, is to seek a more trained work force that will be
working for the Federal Government.
In the course of my questions, maybe someone would answer
the importance of obtaining skills to address our Nation's
deficit in the number of workers that are so crucial.
I also look forward to introducing soon Prevent Zero-Day
Events which would help DHS in working with sector-specific
entities to better understand the detection of undiscovered or
unreported vulnerabilities in software and firmware. That one
in particular I would like to have a comment on as I ask the
question.
So I want to ask a specific question that deals with, in
the wake of the Russian cyber campaign against our electoral
system, about there has been discussion about the importance of
attribution. Panel, could you speak to why it matters,
particularly as interest grows in exacting retribution? That is
the question of attribution as to, how did it happen?
Also, we are now hearing without details of the potential
release of a number of tactics that are being used by the CIA.
Again, news reports speculate that this may have come from
individuals with access who work for private contractors.
You are from the private sector. I would be interested in
your vetting processes regarding individuals that have access
to governmental, confidential security data and information.
I would also like to put on the record, Mr. Chairman, the
request for a briefing. It may be this committee, it may be
another subcommittee, any one, or the full committee. That I
believe that we should receive a Classified briefing as to what
actually was released that impacts negatively on the
intelligence community regarding the representation that
Wikileaks has released through information they received, some
very viable and important data. I think that this is a key
responsibility that we have.
So could you begin? Who will take questions?
Mr. Gillis. I will start with securing utilities, where you
began there. So that is an essential area that we as a Nation
need to be concerned about. It is an area where we collectively
need to work, again public/private.
Let me give you an example of one instance in which we have
done so. So last fall, our security intelligence team
identified new strands, new iterations of what is called the
Shamoon attack. Shamoon attack is what was levied against Saudi
Aramco, an oil producer within Saudi Arabia, that had destroyed
35,000 hard drives in 2012.
We noticed in late fall that there were new evolutions of
some of that old infrastructure with new techniques being used.
As we identified that, we called up Department of Homeland
Security, ensured that they had a predecisional copy of that
report, ensured that they were able to help protect U.S.
Government networks against it, ensured that they were able to
distribute that across the broader USG community, ensured that
they were able to help develop their own critical
infrastructure bulletin so that U.S. industry in the electric
sector and other utilities were able to prevent against those
types of attacks.
So that is a place where, if you look from a National
security and economic security perspective, utilities are
obviously key. It is essential to look at the intersection of
physical and cybersecurity, as this committee does here and an
example of something that we highly value and DHS has a
tremendous role toward.
Ms. Jackson Lee. Mr. Nutkis and Mr. Montgomery, can you
answer the question about the issue of, how do you vet your
individuals that work with Government data? What do you think
about attribution?
Mr. Nutkis. With regards to vetting, we follow the
Government's requirements for vetting. So DHS has a formal
process which requires for vetting of anyone who has access to
Classified information. That is the process that we follow.
With regards to attribution, we, again, there is--from
cyber resilience and defending, that is a different, you know,
that is not as relevant for us down in the private sector.
We want to know what the threat is, how real the threat is,
what to do about it. It is really about either anticipating the
threat so that we can have a defense posture.
Although it has always been interesting and as we go to
various briefings to understand where the threats are coming
from and, again, it helps us protect our networks and protect
the environment, specific attribution to the individual threat
actor, it has always been interesting, but we have never really
determined how best to use it and certainly use it on a wide
scale at an industry level.
Ms. Jackson Lee. Mr. Montgomery.
Mr. Montgomery. With respect to people having access to
Government data, we use the same DSS and OPM clearance
processes as everybody else does. We do some stove-piping of
Government data away from other systems in order to meet the
physical and data security requirements.
With respect to attribution, I think attribution, it is a
step that I think people are prioritizing more heavily at the
wrong times. Asking about attribution first in the wake of a
breach or of a successful attack is much akin to trying to
decide what color carpet to put in your house while it is still
on fire.
There is a point at which you should decide what color
carpet to put in the house, but put the fire out first.
There are hygiene and security elements that are far more
important to take care of, particularly as it relates to
utility and critical infrastructure, long before sorting out
which foreign national, which we may or may not ever get
jurisdiction over, is ultimately responsible.
So while I think that attribution is an important step in
the life cycle of an event, putting it first is what we seem to
do as a society and as a technical society. It should be far,
far further down the track so that the events can't occur again
rather than figuring out who to blame.
Ms. Jackson Lee. Does anyone else?
Mr. Chairman, you have been very gracious. I know that the
answers refer to the private sector and do not, in respect to
attribution and retribution, I appreciate Mr. Montgomery, do
not reflect on the importance of our Government finding out who
this should be attributed to. Therefore, we have the
opportunity to deal with what our response will be.
Certainly, as the house is on fire, I would like to say, in
concluding, I would like to get it before the house is on fire,
I would like it not to happen. That is what I hope as Members
of the Homeland Security Committee and this committee that we
can work in that preventative mode. That would make us all
safer and securer and make the work with our partners in the
private sector a smoother pathway.
I yield back, Mr. Chairman.
I thank you, Mr. Montgomery.
Mr. Ratcliffe. Thank the gentlelady for her remarks.
That concludes our hearing. I had high expectations, as I
said at the outset, and from my perspective those expectations
have been met for this hearing.
I think the testimony and the responses to questions that
we have had from the witnesses have been particularly
insightful and instructive, certainly to the committee, and
hopefully to the new administration.
So I thank you all for your testimony, and I thank the
Members for their thoughtful questions today.
The Members of the committee, at a minimum Mr. Langevin,
perhaps others, will have additional questions for some of the
witnesses. We will ask you to respond to those in writing.
Pursuant to committee rule VII(D), this hearing record will
be held open for a period of 10 days.
Without objection, the subcommittee will stand adjourned.
[Whereupon, at 11:41 a.m., the subcommittee was adjourned.]
A P P E N D I X
----------
Questions From Honorable James Langevin for Daniel Nutkis
Question 1a. AIS was one of the central accomplishments of the
Cybersecurity Act of 2015, and I believe that real-time, machine-to-
machine sharing can make a real difference in protecting our networks.
I have, however, been concerned by the lack of participation in AIS,
particularly because in order to function, it needs to take advantage
of the network effects of a robust pool of participants. Why do you
think participation numbers are so low, particularly since we heard
from the private sector repeatedly while working on the bill that this
sort of initiative was urgently needed?
What specific measures could DHS take to encourage private-sector
participation?
Question 1b. Does your organization/company participate in AIS?
If yes: (a) When did you join the program? (b) What were your
initial set-up costs to do so? (c) What factors motivated your decision
to join AIS?
If no: (a) Have you considered joining AIS? If so, what factors
caused you to decline to participate? (b) What would need to change
about the program to make it worthwhile to participate?
Answer. Response was not received at the time of publication.
Question 2. One of my goals this Congress is to get a better handle
on cybersecurity metrics: Namely, are the actions we are taking having
measureable improvements on our security? Based on your experience, how
can we better measure cybersecurity outcomes?
Answer. Response was not received at the time of publication.
Question 3a. On December 29, 2016, the Department of Homeland
Security released a Joint Analysis Report (JAR) regarding Russian
malicious cyber activity designated as GRIZZLY STEPPE. Included in the
JAR were indicators that were released in STIX and CSV formats.
How did your organization/company utilize the JAR?
Question 3b. Did you find the technical indicators of malicious
Russian cyber activity useful? Why or why not?
Question 3c. What proportion of the technical indicators was your
organization/company aware of before the release of the JAR?
Question 3d. Do you believe the JAR helped improve the Nation's
cybersecurity?
Answer. Response was not received at the time of publication.
Questions From Honorable James Langevin for Scott Montgomery
Question 1a. AIS was one of the central accomplishments of the
Cybersecurity Act of 2015, and I believe that real-time, machine-to-
machine sharing can make a real difference in protecting our networks.
I have, however, been concerned by the lack of participation in AIS,
particularly because in order to function, it needs to take advantage
of the network effects of a robust pool of participants. Why do you
think participation numbers are so low, particularly since we heard
from the private sector repeatedly while working on the bill that this
sort of initiative was urgently needed?
Answer. The limited level of private-sector participation in the
AIS system has many causes. These include:
Most organizations have an inherent hesitation or fear to
share cyber threat information. There is a concern that sharing
may expose internal corporate information unnecessarily.
General counsels have found it easier to have policies that
restrict sharing to all but the most trusted partners.
The sign-up process for AIS is a bit onerous. The process
could be made much easier and more streamlined to incent
participation.
Currently, AIS only shares indicators and mitigations. While
these pieces of information are large components of the cyber
threat life cycle, there is currently no way to enrich data
that an organization receives from AIS. In other words, if an
organization finds additional data sets that can be used to
enrich the data received from DHS, it has no way to share these
data sets with the AIS community.
The limited legal liability protection established in the
legislation and implemented in regulation has been and
continues to be confusing.
Question 1b. What specific measures could OHS take to encourage
private-sector participation?
Answer.
Provide general counsels with more information that shows
the value of participating in AIS.
Clarify liability protection.
Improve the sign-up process to make it is easier to
understand and implement.
Provide an organization's IT/security staff with materials
they can use ``to sell'' the effort to their management and
general counsel.
Question 1c. Does your organization/company participate in AIS?
Answer. McAfee recently spun-out as a separate, stand-alone
company. As such, we are currently developing new internal processes
and procedures. Currently, we do not participate in the AIS program.
Question 1d. Have you considered joining AIS? If so, what factors
caused you to decline to participate?
Answer. McAfee is still deciding whether to join AIS.
Question 1e. What would need to change about the program to make it
worthwhile to participate?
Answer. The program would be much more valuable if there was a
means to enrich the data provided. It is our understanding that AIS
does not provide a unique set of indicators to the private sector. This
means that multiple indicators could come from different submitters
that, practically speaking, are the same. This puts the burden of data
clean-up on every participating organization. It would be better for
all if AIS did this data clean-up as part of their redistribution
process.
Question 2. One of my goals this Congress is to get a better handle
on cybersecurity metrics: Namely, are the actions we are taking having
measurable improvements on our security. Based on your experience, how
can we better measure cybersecurity outcomes?
Answer. It is very difficult to accurately measure progress in the
cybersecurity domain. Scope and scale are the main challenges.
There are organizational risk management tools that can be used to
track and depict organizational cyber program improvements, such as the
NIST Cybersecurity Framework, but they are not appropriate when
comparing one organization to another.
Because cybersecurity impacts so many parts of our digital world
today, appropriate metrics need to be developed for each of the
specific areas being examined. For instance, with an organizational
baseline, it is not hard to measure how fast patches are deployed each
month within a given organization. Macro-level measurements, on the
other hand, are much more complex and difficult to develop. For
example, how would you measure the impact of delaying procurement of
new cybersecurity capabilities? The cybersecurity landscape is very
much an arms race between the defenders and the malicious actors. If
the process to acquire new capabilities takes two or more years, what
effect does that have on an organization's defensive capabilities?
Given the many difficulties associated with metrics, it would be
useful for NIST to create a metrics research effort. Such an activity
should not be tied to the NIST Cybersecurity Framework, but should be a
stand-alone effort that considers the scope and scale of the various
needs for measurement. Organizational internal measurements, sector-
specific comparison metrics, and consumer-, industry-, and National-
level improvement tracking could all be areas of study. A research
effort of this magnitude and complexity would require NIST to work in
close collaboration with industry to produce a successful outcome.
Question 3a. On December 29, 2016, the Department of Homeland
Security released a Joint Analysis Report (JAR) regarding Russian
malicious cyber activity designated as GRIZZLY STEPPE. Included in the
JAR were indicators that were released in STIX and CSV formats.
How did your organization/company utilize the JAR?
Question 3b. Did you find the technical indicators of malicious
Russian cyber activity useful? Why or why not?
Question 3c. What proportion of the technical indicators was your
organization/company aware of before the release of the JAR?
Question 3d. Do you believe the JAR helped improve the Nation's
cybersecurity?
Answer. This event occurred prior to McAfee spinning-out from Intel
and becoming an independent company. Since McAfee and Intel are two
separate stand-alone companies, it would not be appropriate for McAfee
to discuss Intel's use of the JAR. Intel's threat intelligence team
should respond to this question.
Question 4a. Your company is involved in the Cyber Threat Alliance.
What indicators does your company choose to share with CTA? By what
process are they selected?
Answer. The slide below depicts the information shared between CTA
members, which Members agreed to.
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Question 4b. How does your company decide which indicators to share
with the Government? To your knowledge, how does CTA decide which
indicators (if any) to share with the Government?
What criteria/process is used to select indicators/threat
intelligence to share with the Government?
What is the reason for not sharing more threat indicators with the
Government?
Answer. The CTA does not currently allow direct Government
membership. The Cyber Threat Alliance is a coalition of cybersecurity
companies and is focused on expanding its private-sector membership. It
should be noted, though, that the CTA has a history of sharing
intelligence during events of National significance such as CryptoWall
3 and WannaCry with the appropriate Federal agencies. We expect to
continue working with agencies on research/takedowns in those
situations
Question 4c. What technical protocols does CTA use to share threat
indicators?
Answer. The CTA members share information via STIX/TAXII.
Question 5. What suggestions do you have for DHS to enhance the
Nation's cybersecurity workforce, in both the public and private
sectors?
What actions can be taken by the Department acting alone, and what
requires public/private collaboration?
Answer. DHS is an active participant in NSF's CyberCorps
Scholarship for Service (SFS) program. DHS should support the expansion
of this program.
The CyberCorps SFS program is designed to increase and strengthen
the cadre of Federal information assurance specialists that protect
Government systems and networks. Here's how it works: The National
Science Foundation (NSF) provides grants to about 70 institutions
across the country to offer scholarships to 10-12 full-time students.
Students get free tuition for up to 2 years in addition to stipends--
$22,500 for undergraduates and $34,000 for graduate students. They also
get allowances for health insurance, textbooks, and professional
development. Some universities also partner with DHS on these programs.
Students generally have to be juniors or seniors and must qualify for
the program by attaining a specific GPA, usually at least a 3.0 or
higher. Upon completing their coursework and a required internship,
students earn a degree, then go to work as security experts in a
Government agency for at least the amount of time that they have been
supported by the program. After that they can apply for jobs in the
public or private sector.
With additional funding, the CyberCorps SFS program certainly could
be expanded to more institutions and more students within each of those
schools. To date, the Federal Government has made a solid commitment to
supporting the SFS program, having spent $45 million in 2015, $50
million in 2016, and the most recent administration's budget requests
$70 million. As a baseline, an investment of $40 million pays for
roughly 1,560+ students to complete the scholarship program. Given the
size and scale of the cyber skills deficit, policy makers should
significantly increase the size of the program, possibly something in
the range of $180 million. At this level of funding, the program could
support roughly 6,400 scholarships. Such a level of investment would
make a real dent in the Federal cyber skills deficit, estimated to be
in the range of 10,000 per year. At the same time, this level of
investment could help create a new generation of Federal cyber
professionals that can serve as positive role models for a countless
number of middle and high school students across the country to
consider the benefits of a cyber career and Federal service. Indeed,
this positive feedback loop of the SFS program might well be its
biggest long-term contribution.
What should the private sector do to make an impact on the cyber
skills deficit? The private sector must also be prepared to up-level
its partnerships with the Government and others in industry to ensure a
steady supply of worthwhile internships, co-ops, and training
opportunities. In a recent report from McAfee and the Center for
Strategic and International Studies (CSIS), a lack of quality training
opportunities was cited as a significant reason why cyber practitioners
seek alternative employment. For this reason, it is not only imperative
that public-sector entities compensate their cyber professionals well,
but also provide ample opportunities for employees to learn new skills
and train on new technologies. With more robust public-private
partnerships in this area, private companies in different industries
can reach individuals at every stage in their career and engage them
with new opportunities to learn about a wide variety of digital
environments and next-generation technologies.
Questions From Honorable James Langevin for Jeffrey Greene
Question 1a. AIS was one of the central accomplishments of the
Cybersecurity Act of 2015, and I believe that real-time, machine-to-
machine sharing can make a real difference in protecting our networks.
I have, however, been concerned by the lack of participation in AIS,
particularly because in order to function, it needs to take advantage
of the network effects of a robust pool of participants. Why do you
think participation numbers are so low, particularly since we heard
from the private sector repeatedly while working on the bill that this
sort of initiative was urgently needed?
What specific measures could DHS take to encourage private-sector
participation?
Question 1b. Does your organization/company participate in AIS?
If yes: (a) When did you join the program? (b) What were your
initial set-up costs to do so? (c) What factors motivated your decision
to join AIS?
If no: (a) Have you considered joining AIS? If so, what factors
caused you to decline to participate? (b) What would need to change
about the program to make it worthwhile to participate?
Answer. The roll-out of DHS's Automated Indicator Sharing (AIS)
program was an important step in developing real-time information
sharing. And while the program is still new, it shows great promise.
Symantec is currently testing AIS to determine how the automated feed
can contribute to our overall protection system and in the coming
months will be conduct a pilot program to ingest some of the indicators
and review them for accuracy and value.
The current participation rate in AIS no doubt reflects in part
that it is still relatively new--it has only been functioning for less
than 1 year. Some companies, especially smaller ones, are still
establishing internal policies for sharing. Additionally, investing in
the STIX/TAXI protocols could be a resource barrier for some smaller
companies that might otherwise want to join. In larger companies,
policy development can be a lengthy process as it typically includes
input from operational, corporate, legal, and privacy functions. Last,
while the fidelity of the indicators is improving, the quality in the
early days was inconsistent and some would have caused false positives
had they been fully deployed within a company or across a security
vendor's customer base.
As a security vendor, Symantec is in a different position from many
potential program partner. We are concerned with much more than our own
systems; rather, we have to assess the impact on millions of customers
around the world who rely on our near-real-time security updates. Each
indicator of compromise needs to be carefully vetted to ensure we are
pushing out quality indicators with a minimum of false positives. This
vetting requires context, which at times has been insufficient. We
recognize that DHS is in a difficult spot--industry is asking for both
timely and rigorously-vetted information and this balance can be
difficult to strike. DHS has made strides in the year AIS has been
operational, and we hope that will continue.
Question 2. One of my goals this Congress is to get a better handle
on cybersecurity metrics: Namely, are the actions we are taking having
measureable improvements on our security? Based on your experience, how
can we better measure cybersecurity outcomes?
Answer. Cybersecurity metrics is certainly a hotly-debated topic.
At core, measuring success is often proving the negative--pointing to
attacks that did not occur or did not succeed. Moreover, how do you
show what might have happened if you do not have appropriate tools and
procedures in place? One approach is to focus on cyber hygiene basics
that provide a foundation for an effective cyber defense posture. These
are relatively easy to measure and include activities such as:
Hardware and Software Asset Management.--Identifying all
hardware and software assets; it is often said that ``you can't
protect what you can't see.''
Configuration Management.--Properly configuring assets to
eliminate known threat vectors.
Vulnerability Management.--Scanning assets for known
vulnerabilities and applying the appropriate patches.
Identity Credential and Access Management.--Checking user
privileges to ensure they are limited to only the rights they
need and limiting any excessive privileges found.
Multi-Factor Authentication (MFA).--Implementing MFA and
enforcing its use.
Consistent progress on these basic--but critical--foundational
activities will lead to a reduction of some of the most commonly
exploited cyber threat vectors.
Question 3a. On December 29, 2016, the Department of Homeland
Security released a Joint Analysis Report (JAR) regarding Russian
malicious cyber activity designated as GRIZZLY STEPPE. Included in the
JAR were indicators that were released in STIX and CSV formats.
How did your organization/company utilize the JAR?
Question 3b. Did you find the technical indicators of malicious
Russian cyber activity useful? Why or why not?
Question 3c. What proportion of the technical indicators was your
organization/company aware of before the release of the JAR?
Question 3d. Do you believe the JAR helped improve the Nation's
cybersecurity?
Answer. We received the December 29, 2016 Joint Analysis Report
(JAR) regarding Russian malicious cyber activity designated GRIZZLY
STEPPE and reviewed the indicators to ensure that our customers were
properly protected. While most DHS reports include substantive analysis
and some actionable information, on this occasion we believe the report
fell short. Unfortunately, the indicators led to a high volume of false
positives and in some cases the indicators proved to be unrelated to
the threat itself. Finally, we were already aware of all indicators
provided and those that we were not aware of were unrelated to the
threat. However, to its credit, DHS issued an updated report that was
higher in quality in terms of analysis and accuracy of indicators.
Question 4a. Your company is involved in the Cyber Threat Alliance.
What indicators does your company chose to share with CTA? By what
process are they selected?
Question 4b. How does your company decide which indicators to share
with the Government? To your knowledge, how does CTA decide which
indicators (if any) to share with the Government?
What criteria/process is used to select indicators/threat
intelligence to share with the Government?
What is the reason for not sharing more threat indicators
with the Government?
Question 4c. What technical protocols does CTA use to share threat
indicators?
Answer. The Cyber Threat Alliance (CTA) is an excellent example of
the private sector banding together to improve the overall safety and
security of the internet. In 2014, Symantec, Fortinet, Intel Security,
and Palo Alto Networks formed the CTA to work together to share threat
information. The goal was to distribute detailed information about
advanced attacks and thereby raise the situational awareness of CTA
members and improve overall protection for our customers.
Prior industry-sharing efforts were often limited to the exchange
of malware samples, and the CTA sought to change that. Over the past 3
years the CTA has consistently shared more actionable threat
intelligence such as information on ``zero day'' vulnerabilities,
command-and-control server information, mobile threats, and indicators
of compromise related to advanced threats. By raising the industry's
collective intelligence through these new data exchanges, CTA members
have delivered greater security for individual customers and
organizations. In short, the CTA is not about one vendor trying to gain
advantage--we are all contributing and sharing with the community.
Each member must share at least 1,000 samples of new Portable
Executable (PE) malware per day that are not observed on VirusTotal
over the preceding 48 hours at the time of sharing, and meet at least
one of the following three criteria:
Mobile Malware.--At least 50 samples of new mobile malware
per day in the APK, DEX, or other popular mobile malware file
formats that are not observed on VirusTotal over the last 48
hours at time of sharing.
Botnets C2 Servers.--At least 100 botnet command-and-control
servers (C2), and/or peer-to-peer nodes, per week beyond those
listed on public forums such as ZeusTracker, must be different
than the previous week's dump from the contributing member; and
must be active upon sharing.
Vulnerabilities & Exploits Sites.--At least 100 attack sites
per week beyond those listed on public forums, must be
different than the previous week's dump from the contributing
member, and must be active upon sharing.
CTA is also committed to initiatives such as developing industry
best practices that will improve cybersecurity for individuals and
governments. As CTA moves forward with its mission, Government
partnerships will be an important piece of the process.
Question 5a. What suggestions do you have for DHS to enhance the
Nation's cybersecurity workforce, in both the public and private
sectors?
Question 5b. What actions can be taken by the Department acting
alone, and what requires public-private collaboration?
Answer. Today, there are an estimated 1 million cybersecurity jobs
in the United States that supposedly cannot be filled. We believe that
a new approach to IT professionals generally will help solve this
problem. There are many general IT professionals in both Government
agencies and in businesses around the world, and with in-house training
they could become specialized security professionals. Their roles could
in turn be filled by junior IT professionals or even recent graduates.
Looking to existing IT staff to train for security roles has several
benefits--these personnel will already know an organizations' systems,
and providing another opportunity for career growth will improve
retention and job satisfaction. Training the current IT workforce in
cybersecurity is also fiscally smart, as it allows governments and
enterprises to cut down their contract workforce and train from within,
leading to a more secure IT environment.
We do this at Symantec, in part by conducting an annual ``Cyber War
Games'' exercise. This exercise takes IT professionals from 10 regions
around the world and creates scenarios to encourage innovative thinking
and growth in cybersecurity skills. These types of activities allow us
to find hidden expertise in current employees as well as new expertise
to bolster our own workforce. In addition, Symantec created the
Symantec Career Connection (SC3). SC3 is an innovative program designed
to help close the cybersecurity workforce gap while creating meaningful
career paths for underrepresented young adult and veterans. Through
targeted classroom education combined with hands-on training, SC3
graduates are working amongst many of the world's largest and reputable
companies.
Thank you again for the opportunity to testify and to provide these
further responses.
Questions From Honorable James Langevin for Ryan M. Gillis
Question 1a. AIS was one of the central accomplishments of the
Cybersecurity Act of 2015, and I believe that real-time, machine-to-
machine sharing can make a real difference in protecting our networks.
I have, however, been concerned by the lack of participation in AIS,
particularly because in order to function, it needs to take advantage
of the network effects of a robust pool of participants. Why do you
think participation numbers are so low, particularly since we heard
from the private sector repeatedly while working on the bill that this
sort of initiative was urgently needed?
What specific measures could DHS take to encourage private-sector
participation?
Question 1b. Does your organization/company participate in AIS?
If yes: (a) When did you join the program? (b) What were your
initial set-up costs to do so? (c) What factors motivated your decision
to join AIS?
If no: (a) Have you considered joining AIS? If so, what factors
caused you to decline to participate? (b) What would need to change
about the program to make it worthwhile to participate?
Answer. Response was not received at the time of publication.
Question 2. One of my goals this Congress is to get a better handle
on cybersecurity metrics: Namely, are the actions we are taking having
measureable improvements on our security? Based on your experience, how
can we better measure cybersecurity outcomes?
Answer. Response was not received at the time of publication.
Question 3a. On December 29, 2016, the Department of Homeland
Security released a Joint Analysis Report (JAR) regarding Russian
malicious cyber activity designated as GRIZZLY STEPPE. Included in the
JAR were indicators that were released in STIX and CSV formats.
How did your organization/company utilize the JAR?
Question 3b. Did you find the technical indicators of malicious
Russian cyber activity useful? Why or why not?
Question 3c. What proportion of the technical indicators was your
organization/company aware of before the release of the JAR?
Question 3d. Do you believe the JAR helped improve the Nation's
cybersecurity?
Answer. Response was not received at the time of publication.
Question 4a. Your company is involved in the Cyber Threat Alliance.
What indicators does your company chose to share with CTA? By what
process are they selected?
Question 4b. How does your company decide which indicators to share
with the Government? To your knowledge, how does CTA decide which
indicators (if any) to share with the Government?
What criteria/process is used to select indicators/threat
intelligence to share with the Government?
What is the reason for not sharing more threat indicators
with the Government?
Question 4c. What technical protocols does CTA use to share threat
indicators?
Answer. Response was not received at the time of publication.
Question 5a. What suggestions do you have for DHS to enhance the
Nation's cybersecurity workforce, in both the public and private
sectors?
Question 5b. What actions can be taken by the Department acting
alone, and what requires public-private collaboration?
Answer. Response was not received at the time of publication.
Questions From Honorable Cedric Richmond for Robyn Greene
Question. Your organization, the Open Technology Institute, has
taken a relatively hard line on two issues that are central to the
current cybersecurity threat landscape--first, on the dangers of active
cyber defense (i.e. allowing companies to ``hack back''); and second,
that the Government should adopt a more transparent, Congressionally-
authorized process for when to disclose zero-day vulnerabilities in its
possession. What are some of the key considerations policy makers
should bear in mind on these issues?
Answer. New America's Open Technology Institute (OTI) opposes
proposals to authorize active cyber defense (also known as ``hacking-
back'') because they threaten to undermine cybersecurity rather than
enhance it, and may result in harming innocent third parties. Hacking-
back is a form of digital vigilantism. As vigilantism is illegal in the
physical world, so too should it remain on-line. As Congress carefully
weighs the risks and rewards that may result from hack-back proposals,
it will likely find that the risks are unjustifiably high.
Hacking is dangerous whether you are a victim reacting to a cyber
attack, a malicious actor, or a Government. Authorizing cyber attack
victims to hack-back will almost certainly result in harms to innocent
third parties. It is possible that a malicious actor could obtain
malware used in a hack-back and turn it against innocent third parties.
Further, attribution of the attack, though constantly improving, is
still exceedingly difficult. When deploying an active cyber defense, it
is difficult to guarantee that the device or network affected does not
belong to an unrelated third party who has been misidentified as the
malicious actor. Additionally, the hack-back could target a perceived
malicious actor who is actually a person or entity that has been the
victim of a cyber attack themselves, like a hospital or fire department
whose network has been taken over by a botnet.
Finally, even if an attack has been successfully attributed to a
particular malicious actor, identifying that attacker can still be
difficult and time-consuming. Because of the rapid-response nature of
hacking-back, it is possible that an entity will be retaliating against
foreign actors, including nation-states. This could put entities that
choose to engage in hacking-back in a conflict of law with the country
where their target is located. It could also raise diplomatic concerns.
For example, if hacking-back was legal in 2014, Sony could have chosen
to retaliate against its attackers who turned out to be agents of the
North Korean government, a hostile foreign power, instead of seeking
assistance from law enforcement.
FBI Director Comey raised similar concerns at two speaking
engagements this year. He was unequivocal in his opposition to allowing
victims to hack-back. He cautioned that such an authorization was
dangerous, and that it would interfere with the FBI's ability to
conduct its investigations into cyber crimes.\1\ OTI agrees with this
assessment and would urge Members of Congress to oppose any proposal
that legalizes hacking-back.
---------------------------------------------------------------------------
\1\ See James Comey, Dir. Fed. Bureau of Investigation, Speech at
Boston Cybersecurity Summit 2017 (Mar. 8, 2017), https://
www.youtube.com/watch?v=VzhVYv7K4qc; and James Comey, Dir. Fed. Bureau
of Investigation, Speech at U. of Tex. Austin (Mar. 23, 2017), https://
www.youtube.com/watch?v=iR5EwIbUvA0.
---------------------------------------------------------------------------
Unlike hacking-back, establishing a permanent process for
disclosing previously unknown vulnerabilities (often called zero-days)
in the Government's possession is essential to improving cybersecurity.
As we have seen from the Shadow Brokers disclosures,\2\ the arrest of
an NSA contractor for hoarding zero-days at his home,\3\ and the recent
CIA leaks,\4\ secrets get out. There is no way to guarantee that when
the Government is in possession of zero-days and related exploits, that
information will not eventually be leaked, posing significant and
immediate risks of exploitation to Americans and internet users
everywhere.
---------------------------------------------------------------------------
\2\ See David E. Sanger, ``Shadow Brokers'' Leak Raises Alarming
Question: Was the NSA Hacked?, NY Times (Aug. 16, 2016), https://
www.nytimes.com/2016/08/17/us/shadow-brokers-leak-raises-alarming-
question-was-the-nsa-hacked.html; Bruce Schneier, Another Shadow
Brokers Leak, Schneier on Security (Nov. 1, 2016), https://
www.schneier.com/blog/archives/2016/11/another_shadow_.html; and Don't
Forget Your Base, Medium (Apr. 8, 2017), https://medium.com/
@shadowbrokerss/dont-forget-your-base-867d304a94b1.
\3\ Ellen Nakashima, Matt Zapotosky, & John Woodrow Cox, NSA
Contractor Charged with Stealing Top Secret Data, Wash. Post (Oct. 5,
2016), https://www.washingtonpost.com/world/national-security/
government-contractor-arrested-for-stealing-top-secret-data/2016/10/05/
99eeb62a-8b19-11e6-875e-2c1bfe943b66_story.html.
\4\ Scott Shane, Matthew Rosenberg, & Andrew W. Lehren, Wikileaks
Releases Trove of Alleged C.I.A. Hacking Documents, NY Times (Mar. 7,
2017), https://www.nytimes.com/2017/03/07/world/europe/wikileaks-cia-
hacking.html.
---------------------------------------------------------------------------
When the Government discovers or purchases vulnerabilities that put
American internet users and companies at risk, it should disclose them
as soon as possible so they may be patched. To ensure this happens,
Congress should codify a interagency review and disclosure process. Any
such process should be mandatory, such that no matter how the
Government comes into possession of a zero-day vulnerability, it must
submit it for review so that disclosure to the developer can be made in
a timely manner.
The review of vulnerabilities should be undertaken with a
presumption in favor of disclosure, and a requirement for recurring
review of any vulnerability that is not disclosed. The reviews should
be conducted by a set group of stakeholders representing the prevailing
interests in favor of and opposing disclosure. Those stakeholders
should represent the equities of the U.S. economy, including the
digital economy; domestic cybersecurity and critical infrastructure
owners and operators; the intelligence community; and the civil rights
and civil liberties communities.
Finally, the process should include robust transparency mechanisms.
The vulnerability review and disclosure process should be transparent
about the points of inquiry it considers when making its assessments,
and what agencies participate in the reviews. Congress should also
require the review board to publish annual public reports that assess
the efficacy of the process, and provide related metrics, such as the
number of zero-days submitted for review, and the percentage of those
zero-days that were disclosed to developers.
Questions From Honorable James Langevin for Robyn Greene
Question 1a. AIS was one of the central accomplishments of the
Cybersecurity Act of 2015, and I believe that real-time, machine-to-
machine sharing can make a real difference in protecting our networks.
I have, however, been concerned by the lack of participation in AIS,
particularly because in order to function, it needs to take advantage
of the network effects of a robust pool of participants. Why do you
think participation numbers are so low, particularly since we heard
from the private sector repeatedly while working on the bill that this
sort of initiative was urgently needed?
What specific measures could DHS take to encourage private-sector
participation?
Question 1b. Does your organization/company participate in AIS?
If yes: (a) When did you join the program? (b) What were your
initial set-up costs to do so? (c) What factors motivated your decision
to join AIS?
If no: (a) Have you considered joining AIS? If so, what factors
caused you to decline to participate? (b) What would need to change
about the program to make it worthwhile to participate?
Answer. Though New America does not currently participate in the
Department of Homeland Security's Automated Information Sharing (AIS)
program, one of the concerns that we raised as CISA was being debated
was that it would not address the need for two-way information sharing.
Security experts and witnesses at the March 9, 2017 hearing were clear
that for information sharing to be effective, the Government must be
willing and able to increase its declassification and sharing of unique
cyber threat indicators in a timely and actionable manner.\5\
---------------------------------------------------------------------------
\5\ ``While DHS has made progress, it still needs to improve the
quality and the quantity of the threat data it shares with the private
sector to address this issue of the free rider. DHS should thus
declassify larger categories of threat data and actively share them
with the private sector. DHS should issue many more security clearances
to qualified company representatives to enable access to the most
sensitive, and potentially most valuable, pieces or classes of threat
data.'' Current State of DHS Private Sector Engagement for
Cybersecurity: Hearing Before the H. Homeland Sec. Subcomm. on
Cybersecurity and Infrastructure Protection, 115th Cong. 7 (2017)
(Written statement of Scott Montgomery, V. President and Chief
Technical Analyst, Intel Security Group), http://docs.house.gov/
meetings/HM/HM08/20170309/105671/HHRG-115-HM08-Bio-MontgomeryS-
20170309.pdf. See also Sara Sorcher, Security Pros: Cyberthreat Info-
sharing Won't Be as Effective as Congress Thinks, Christian Sci.
Monitor, Jun. 12, 2015, http://www.csmonitor.com/World/Passcode/2015/
0612/Security-pros-Cyberthreat-info-sharing-won-t-be-as-effective-as-
Congress-thinks.
---------------------------------------------------------------------------
Rather than focusing on persuading more companies and Information
Sharing and Analysis Organizations and Centers to join AIS, DHS should
focus on showing these entities why joining AIS would be beneficial by
increasing information sharing by the Government to the private sector.
DHS should also endeavor to be transparent about how much information
it shares with the private sector, and what the quality of that sharing
has been.
Additionally, many technology companies voiced opposition to CISA
just before its passage citing to concerns, shared by the privacy
community, about the civil liberties of their users.\6\ Companies may
feel more comfortable participating in information sharing under CISA
if Congress amended the law to address those concerns. Specifically,
Congress could amend CISA to strengthen the requirement to remove
personal or identifiable information before sharing by clarifying that
such information is not directly related to a cyber threat unless it is
necessary to ``detect, prevent, or mitigate'' it.\7\
---------------------------------------------------------------------------
\6\ Robyn Greene, Tech Industry Leaders Oppose CISA as Dangerous to
Privacy and Security, The Hill, Oct. 21, 2015, http://thehill.com/
blogs/pundits-blog/technology/257601-tech-industry-leaders-oppose-cisa-
as-dangerous-to-privacy-and.
\7\ Dep't of Homeland Security & Dep't of Justice, Guidance to
Assist Non-Federal Entities to Share Cyber Threat Indicators and
Defensive Measure with Federal Entities under the Cybersecurity
Information Sharing Act of 2015 5, https://www.us-cert.gov/sites/
default/files/ais_files/Non-
Federal_Entity_Sharing_Guidance_(Sec%20105(a)).pdf.
---------------------------------------------------------------------------
Congress should also consider amending CISA to narrow the law
enforcement use authorizations so that information shared can only be
used for cybersecurity purposes and investigations into related
computer crimes. Finally, Congress can resolve the privacy community
and technology industry's concerns by removing the authorization for
the President to designate a second authorized information-sharing
portal.
Question 2. One of my goals this Congress is to get a better handle
on cybersecurity metrics: Namely, are the actions we are taking having
measureable improvements on our security? Based on your experience, how
can we better measure cybersecurity outcomes?
Answer. The annual Verizon Data Breach Investigations Report is one
of the best-available resources for measuring the effectiveness of our
actions to improve cybersecurity. The report provides a good 60,000-
foot view of the state of cybersecurity threats and response. It can
also help to provide guideposts for where to focus resources to yield
the most improvement.
For example, year after year, these reports make clear that the
vast majority of cyber threats target previously known vulnerabilities,
so Americans fall victim to data breaches simply because they have
failed to maintain updated software. Verizon's 2016 report concluded
that 85 percent of successful exploits used the same 10
vulnerabilities, all of which have patches available.\8\ This marks an
improvement over the previous year, where Verizon found that ``99
percent of the exploited vulnerabilities were compromised more than a
year after the CVE was published,'' and 97 percent of those exploits
targeted just 10 vulnerabilities.\9\
---------------------------------------------------------------------------
\8\ Verizon, 2016 Data Breach Investigations Report: Executive
Summary 10 (2016), http://www.verizonenterprise.com/resources/reports/
rp_dbir-2016-executive-summary_xg_en.pdf. Full Report available at
http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/.
\9\ Verizon, 2015 Data Breach Investigations Report 15-16 (2015),
https://msisac.cisecurity.org/whitepaper/documents/1.pdf.
---------------------------------------------------------------------------
Thus, the reports show that one of the most meaningful ways to
enhance cybersecurity would be to reduce the frequency of successful
attacks that were preventable. Despite the improvements that are being
made, Congress should place greater focus on identifying policy
solutions that will encourage more and more regular vulnerability
patching. Additionally, Congress should identify ways to incentivize
companies to incorporate privacy by design as they build their products
and services, such as by providing automatic security updates.
Though Verizon's annual report, and similar reports from other
companies are helpful, they do not provide the granular data that may
be necessary to respond to more advanced threats or to identify certain
trends. For this, improving metrics is key. DHS is currently
collaborating with the insurance industry through the Cyber Incident
Data and Analysis Working Group to try to establish a repository for
sharing of current and historical non-personally identifiable cyber
incident data.
The goal of the repository would be to create a data-rich resource
that can be analyzed to ``promote greater understanding about the
financial and operational impacts of cyber events, the effectiveness of
existing cyber risk controls in addressing them, and the new kinds of
products and services that cybersecurity solutions providers should
develop to meet the evolving risk mitigation needs of their
customers.''\10\ Thus, if effective, the repository would yield new
metrics that can be used to improve risk mitigation strategies, and may
also positively impact the cybersecurity insurance market. Congress
should follow the progress of this working group to determine if such a
repository is an effective way to obtain more and more actionable
metrics on the effectiveness of our cybersecurity strategy.
---------------------------------------------------------------------------
\10\ Dep't of Homeland Sec., Enhancing Resilience Through Cyber
Incident Data Sharing and Analysis: The Value Proposition for a Cyber
Incident Data Repository 2 (2015), https://www.dhs.gov/sites/default/
files/publications/dhs-value-proposition-white-paper-2015_v2.pdf. For
more resources on the CIDAWG, see Cyber Incident Data and Analysis
Working Group White Papers, Dep't of Homeland Sec, https://www.dhs.gov/
publication/cyber-incident-data-and-analysis-working-group-white-papers
(last accessed Apr. 13, 2017).
---------------------------------------------------------------------------
Question 3a. On December 29, 2016, the Department of Homeland
Security released a Joint Analysis Report (JAR) regarding Russian
malicious cyber activity designated as GRIZZLY STEPPE. Included in the
JAR were indicators that were released in STIX and CSV formats.
How did your organization/company utilize the JAR?
Question 3b. Did you find the technical indicators of malicious
Russian cyber activity useful? Why or why not?
Question 3c. What proportion of the technical indicators was your
organization/company aware of before the release of the JAR?
Question 3d. Do you believe the JAR helped improve the Nation's
cybersecurity?
Answer. New America did not utilize the Joint Analysis Report (JAR)
regarding Russian malicious cyber activity designated as GRIZZLY
STEPPE.
[all]