[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]




                               BEFORE THE

                            SUBCOMMITTEE ON
                         INFORMATION TECHNOLOGY

                                 OF THE

                         COMMITTEE ON OVERSIGHT
                         AND GOVERNMENT REFORM
                        HOUSE OF REPRESENTATIVES


                             FIRST SESSION


                            OCTOBER 3, 2017


                           Serial No. 115-40


Printed for the use of the Committee on Oversight and Government Reform


         Available via the World Wide Web: http://www.fdsys.gov

                    U.S. GOVERNMENT PUBLISHING OFFICE                    
27-760 PDF                  WASHINGTON : 2018                     
              Committee on Oversight and Government Reform

                  Trey Gowdy, South Carolina, Chairman

Majority members:
John J. Duncan, Jr., Tennessee
Darrell E. Issa, California
Jim Jordan, Ohio
Mark Sanford, South Carolina
Justin Amash, Michigan
Paul A. Gosar, Arizona
Scott DesJarlais, Tennessee
Trey Gowdy, South Carolina
Blake Farenthold, Texas
Virginia Foxx, North Carolina
Thomas Massie, Kentucky
Mark Meadows, North Carolina
Ron DeSantis, Florida
Dennis A. Ross, Florida
Mark Walker, North Carolina
Rod Blum, Iowa
Jody B. Hice, Georgia
Steve Russell, Oklahoma
Glenn Grothman, Wisconsin
Will Hurd, Texas
Gary J. Palmer, Alabama
James Comer, Kentucky
Paul Mitchell, Michigan
Greg Gianforte, Montana

Minority members:
Elijah E. Cummings, Maryland, Ranking Minority Member
Carolyn B. Maloney, New York
Eleanor Holmes Norton, District of Columbia
Wm. Lacy Clay, Missouri
Stephen F. Lynch, Massachusetts
Jim Cooper, Tennessee
Gerald E. Connolly, Virginia
Robin L. Kelly, Illinois
Brenda L. Lawrence, Michigan
Bonnie Watson Coleman, New Jersey
Stacey E. Plaskett, Virgin Islands
Val Butler Demings, Florida
Raja Krishnamoorthi, Illinois
Jamie Raskin, Maryland
Peter Welch, Vermont
Matt Cartwright, Pennsylvania
Mark DeSaulnier, California
Jimmy Gomez, California

                     Sheria Clarke, Staff Director
                  Robert Borden, Deputy Staff Director
                    William McKenna, General Counsel
                 Troy Stock, Subcommittee Staff Director
                         Kiley Bidelman, Clerk
                 David Rapallo, Minority Staff Director

                 Subcommittee on Information Technology

                       Will Hurd, Texas, Chairman

Majority members:
Paul Mitchell, Michigan, Vice Chair
Darrell E. Issa, California
Justin Amash, Michigan
Blake Farenthold, Texas
Steve Russell, Oklahoma

Minority members:
Robin L. Kelly, Illinois, Ranking Minority Member
Jamie Raskin, Maryland
Stephen F. Lynch, Massachusetts
Gerald E. Connolly, Virginia
Raja Krishnamoorthi, Illinois
                            C O N T E N T S

Hearing held on October 3, 2017

Mr. Matthew J. Eggers, Executive Director, Cybersecurity Policy, 
  U.S. Chamber of Commerce
    Oral Statement
    Written Statement
Mr. Tommy Ross, Senior Director of Policy, The Software Alliance
    Oral Statement
    Written Statement
Mr. Josh Corman, Director of the Cyber Statecraft Initiative, 
  Atlantic Council
    Oral Statement
    Written Statement
Mr. Ray O'Farrell, Chief Technology Officer, VMware
    Oral Statement
    Written Statement

Opening Statement of Representative Gerald E. Connolly
Questions for the record for Mr. Eggers, submitted by Chairman Hurd
Questions for the record for Mr. Ross, submitted by Chairman Hurd
Questions for the record for Mr. Corman, submitted by Chairman Hurd
Questions for the record for Mr. O'Farrell, submitted by Chairman Hurd



                        Tuesday, October 3, 2017

                  House of Representatives,
            Subcommittee on Information Technology,
              Committee on Oversight and Government Reform,
                                                   Washington, D.C.
    The subcommittee met, pursuant to call, at 2:19 p.m., in 
Room 2247, Rayburn House Office Building, Hon. Will Hurd 
[chairman of the subcommittee] presiding.
    Present: Representatives Hurd, Mitchell, Issa, Amash, 
Gianforte, Kelly, Raskin, Connolly, and Krishnamoorthi.
    Mr. Hurd. The Subcommittee on Information Technology will 
come to order. And, without objection, the chair is authorized 
to declare a recess at any time.
    The very first hearing we held in the subcommittee just 
over 2-1/2 years ago was titled, ``Cybersecurity: The Evolving 
Nature of Threats Facing the Private Sector.'' Since that first 
hearing, we have held over a dozen hearings on a variety of 
cybersecurity issues facing the Congress and the country, 
including encryption technology, the risk posed by insecure 
legacy Federal IT systems, and the opportunities and challenges 
posed by connected vehicles.
    Today's hearing on the Internet of Things builds on all the 
work we have done over the last 2-1/2 years to better 
understand the innovations of the digital age and how to 
implement needed legislative updates to continue protecting 
consumers and allowing American creativity to grow.
    The Internet of Things presents an opportunity to improve 
and enhance nearly every aspect of our society, economy, and 
day-to-day lives. But in order for us to be able to fully 
harness this technology, the Internet of Things needs to be 
built with security in mind and not as an afterthought. When 
integrating these devices into our lives, people need to know 
that they are secure.
    Unfortunately, we are far from this ideal state because 
many IoT devices violate basic cybersecurity practices. Some 
IoT devices lack the ability to be patched or include hard-
coded passwords that cannot be changed by the user. This 
lateral vulnerability was explored in the recent attack on Dyn, 
which took down Netflix, Spotify, Twitter, and a number of 
other websites for hours.
    Senators Mark Warner and Cory Gardner have recently 
proposed one way of potentially increasing the cybersecurity of 
these devices by introducing a bill that would set minimum 
security requirements for devices purchased by the Federal 
Government. I applaud them for the effort and the thought that 
went into this legislation.
    I look forward to getting into the details of that 
legislation in today's hearing to answer some questions like, 
is the definition of IoT in the bill too broad? Does the bill 
apply to mobile devices? Should it? The cybersecurity 
requirements for devices in the bill might make sense now, but 
will they soon become outdated?
    As I have said before, we have great challenges in front of 
us, but also a tremendous opportunity to be bold and decisive 
and reform the Federal Government. I thank the witnesses for 
being here today, and look forward to hearing and discussing 
bold ideas to increase the level of cybersecurity of the 
Internet of Things so that we can all benefit from the 
revolutionary opportunities it offers.
    And as usual, I'm glad to be able to explore these issues 
with my friend and ranking member, the Honorable Robin Kelly 
from Illinois. And when she arrives, we'll recognize her for 
her opening remarks.
    Mr. Hurd. But we'll go ahead and make introductions of our 
witnesses. We have Mr. Matthew Eggers, the executive director 
for cybersecurity policy at the U.S. Chamber of Commerce; Mr. 
Tommy Ross, senior director of policy for the Business Software 
Alliance; Mr. Josh Corman, director of the Cyber Statecraft 
Initiative at the Atlantic Council; and Mr. Ray O'Farrell, 
chief technology officer at VMware. And welcome to you all.
    And pursuant to committee rules, all witnesses will be 
sworn in before they testify, so please rise and raise your 
right hand.
    Do you solemnly swear or affirm the testimony you're about 
to give is the truth, the whole truth, and nothing but the 
truth, so help you God?
    Thank you.
    The record will reflect all witnesses answered in the 
    In order to allow time for discussion, please limit your 
testimony to 5 minutes. Your entire written statement will be 
made part of the record. And as a reminder, the clock in front 
of you shows your time remaining. And the light will turn 
yellow when you have 30 seconds left and red when your time is 
    And now I would like to recognize Mr. Eggers to give your 
opening remarks.

                      WITNESS TESTIMONIES


    Mr. Eggers. Thank you, sir.
    Good afternoon, Chairman Hurd, Ranking Member Kelly, and 
other distinguished members of the IT Subcommittee. My name is 
Matthew Eggers, and I'm the executive director of cybersecurity 
policy with the U.S. Chamber of Commerce. On behalf of the 
Chamber, I welcome the opportunity to testify before this 
    Let me begin by noting our appreciation for your support 
and leadership regarding the Modernizing Government Technology 
Act. Its passage is a top Chamber priority. I recognize that 
you're considering legislation comparable to S. 1691, The 
Internet of Things Cybersecurity Improvement Act of 2017. I've 
combined my statements to the Chamber's thinking on IoT and 
    The Chamber is optimistic about the future of IoT. Many 
observers predict that the connectivity of the IoT will bring 
positive benefits through enhanced efficiency and productivity 
across the economy. The Chamber is advancing roughly five 
principles to foster valuable outcomes in this area.
    First, the IoT is complex, and there's no silver bullet to 
cybersecurity. The IoT includes both devices and services, such 
as sensors and smartphone apps. It is composed of two major 
segments: consumer IoT and industrial IoT. There's a 
distinction emerging between managed and unmanaged IoT. Some 
IoT services and devices are consumer deployed, while others 
are administered by third parties, like a cloud provider. The 
advantages of the IoT will be realized in an environment that 
prioritizes industry managing cyber risks and government 
avoiding regulations that would stunt IoT innovation and 
    Second, managing cyber risk across the internet and 
communications ecosystem is crucial to growing in the IoT and 
increasing businesses' gains. The Chamber wants device makers, 
service providers, and buyers to win from the business 
community leading the development of state of the art IoT 
technologies. Sound private sector-led IoT risk management can 
create a virtual cycle of security in which consumers demand 
secure devices and services and industry prioritizes security 
in their offerings. Different risk management practices will be 
relevant for different IoT audiences and situations.
    Third, the business community will promote policies 
favorable to the security and competitiveness of the digital 
ecosystem. Businesses cannot expand to create jobs if they are 
burdened by complex and expensive regulations. Leading industry 
stakeholders are attuned to the importance that cybersecurity 
brings to the marketplace. Perfect security of network-
connected devices is ambitious, but the Chamber urges all 
stakeholders to make the cybersecurity of the IoT a priority, 
not simply for security's own sake, but for the IoT ecosystem 
as a whole. It is crucial that policymakers approach new 
technologies with a dose of regulatory humility.
    Fourth, IoT cybersecurity is best when it's embedded in 
global and industry-driven standards. Cyber standards and 
guidance are optimally led by the private sector and adopted on 
a voluntary basis. They are most effective when developed and 
recognized globally. Such an approach averts burdening 
multinational enterprises and IoT adopters with the requirements 
of multiple and often conflicting jurisdictions.
    Fifth, public-private collaboration needs to advance 
industry interests. Two examples are worth highlighting. One, 
the NTIA. The telecom and information arm of the Commerce 
Department is working with businesses to assess what actions 
stakeholders should take to advance the IoT, including cyber. 
The agency is leading a multistakeholder process to address IoT 
security upgradability and patching of consumer devices.
    Two, NIST, the Department's standards body, did an admirable 
job of convening many organizations to develop the popular 
cybersecurity framework, which was released in 2014, and the 
Chamber's built the national education campaign around it. The 
Chamber strongly believes the Commerce Department is well 
positioned to bring together stakeholders to identify existing 
standards and best practices to enhance the security and 
resilience of the IoT.
    Thank you for giving me a chance to convey the Chamber's 
views, and I'm happy to answer any questions. Thank you.
    [Prepared statement of Mr. Eggers follows:]
    Mr. Hurd. Thank you, Mr. Eggers.
    And now it is an honor and indeed a pleasure to introduce 
my friend and our ranking member, the Honorable Robin Kelly 
from the great State of Illinois.
    Ms. Kelly. Well, thank you, Mr. Chair.
    Chairman Hurd, thank you for calling today's hearing, and 
thank you to our witnesses for being here today. We are here to 
talk about a critically important bill and the security of IoT 
devices that the Federal Government uses. Senators Warner and 
Gardner recently introduced S. 1691, the Internet of Things 
Cybersecurity Act, to help ensure that Federal agencies procure 
secure IoT devices. I have been working on the discussion draft 
of the companion bill. I want to thank the Senators for their 
continued leadership on this important cybersecurity issue.
    IoT devices are incredibly helpful for American citizens, 
businesses, and our Federal Government. From drones to smart 
light bulbs to connected cars, hundreds of millions of 
Americans benefit from these devices every day. In fact, we 
expect to have more than 20 billion internet connected devices 
online by 2020.
    Unfortunately, the high demand and lucrative market for IoT 
devices has also attracted bad actors who crank out cheap 
products that are insecure, unreliable, and vulnerable to 
malware. We all know the dangers posed by unsecured devices. 
Even the least tech savvy among us learned about the 
consequences last October when a distributed denial-of-service 
attack, or DDoS, attack on DNS service provider Dyn shut down 
internet access for millions on the East Coast. We learned that 
the attack was carried out by a botnet composed of thousands 
of compromised IoT devices. It was a sobering reminder that 
everyday appliances like web cams, smart TVs, and even 
thermostats can be turned into cyberweapons. There is no doubt 
that these attacks are growing in frequency and severity. The 
proliferation of IoT devices makes these attacks that much 
    It is estimated that October's Dyn attack only used a 
fraction of the botnets' capabilities. We can only imagine the 
disruption that a larger cyber attack would cause. Lives are at 
stake in this matter. Given the gravity of this situation, 
Congress must be concerned about both disruptive cyber attacks 
and protecting sensitive data. Compromised devices can become 
access points for malicious actors to gain entry into the 
Federal Government's network.
    S. 1691 and my draft companion bill bake security into the 
procurement process. These bills ensure that procured devices 
meet minimum security requirements. We are talking about basic 
cyber hygiene, like ensuring that devices are patchable, that 
they do not contain known vulnerabilities or hard-coded 
    The legislation also provides agencies with flexibility to 
waive these requirements if they employ similar requirements or 
use third-party device certification standards. These 
requirements make our agencies more secure, while providing 
flexibility to vendors and agencies.
    We cannot predict the future of technology, which is why my 
discussion draft also includes the creation of an emerging 
technologies advisory board to review and provide 
recommendations to update guidelines in realtime to address 
emerging threats.
    Importantly, these bills are not meant to provide extensive 
in-depth regulation. Sector-specific regulators will devise 
more precise rules to address the unique risks to each sector. 
Instead, they would establish minimal flexible standards for 
government procurement of IoT devices.
    I've long said that the Federal Government must be a leader 
in cybersecurity. This legislation takes us closer to that 
goal, but my bill draft is not finished. We need the input of 
people like our witnesses, other stakeholders, and the public 
to make my bill as strong as possible so that our Federal 
agencies can be safe and secure. It is a fine line to walk to 
secure our IT systems while encouraging innovation. I hope that 
at the end of this process we have struck that perfect balance. 
I look forward to hearing the witnesses' ideas and 
contributions to strengthen this bill.
    And again, thank you, Mr. Chairman.
    Mr. Hurd. I'd like to thank the ranking member. I always 
say that cybersecurity is one of the final remaining bipartisan 
issues in Washington, D.C.
    Ms. Kelly. No. Have hope. No, there's more.
    Mr. Hurd. There we go. I like that. PMA, positive mental 
    So I'd like to now recognize Mr. Ross for your 5-minute 
opening remarks.

                    TESTIMONY OF TOMMY ROSS

    Mr. Ross. Chairman Hurd, Ranking Member Kelly, members of 
the subcommittee, it's a real honor for me to be here with you 
today. My name is Tommy Ross, and I'm here on behalf of BSA/The 
Software Alliance. With operations in over 60 countries around 
the world, BSA is the leading advocate for the global software 
industry, which contributes over 10 million American jobs and 
over a trillion dollars to the U.S. economy.
    Our members are among the world's leading innovators of 
software and analytics capabilities that undergird the Internet 
of Things, or IoT. They are deeply invested in the success of 
the IoT because of its potential to transform and improve our 
lives. The Internet of Things is already generating new and 
improved business models and business processes in nearly every 
sector of the economy, from agriculture to cutting edge 
scientific research. And it's delivering unprecedented 
conveniences and opportunities to individual citizens.
    At the core of the Internet of Things is the ability to 
analyze, process, and move data in novel ways. If we are to 
realize the tremendous potential of the IoT, we must secure 
that data against malicious cyber activity.
    As the chairman said in his opening remarks, products must 
be developed with security in mind and not with security as an 
afterthought. For that reason, BSA's members are deeply 
committed to advancing strong cybersecurity throughout the IoT 
market. In fact, as we celebrate National Cybersecurity 
Awareness Month, BSA is launching a new cybersecurity policy 
agenda entitled, ``Security in the Connected Age,'' and our 
agenda asserts cybersecurity for the Internet of Things as a 
high priority for policymakers. I've included a copy of this 
agenda in my written testimony.
    Our agenda emphasizes five categories for policy 
development: promoting a secure software ecosystem, 
strengthening the government's approach to cybersecurity, 
driving international harmonization, developing a 21st century 
cyber workforce, and embracing emerging technologies to 
strengthen security.
    Drawing on this agenda, I offer several principles and 
concrete policy recommendations for securing the IoT in my 
written testimony. In my time before you now I'd like to focus 
on three of those recommendations.
    First, the calibrated approach to capturing the complexity 
of the Internet of Things will be essential to crafting 
effective IoT policies. IoT devices and the systems they 
support come with a broad range of characteristics, including 
widely varying levels of vulnerability and risk, a diversity of 
functions, and target markets of different types. An IoT-
enabled pacemaker, for example, carries a much different set of 
risks than a connected toothbrush. Some devices, if compromised 
by malicious cyber activity, could pose direct risk to an 
individual's safety or the public health. Others are unlikely 
to cause physical damage, but could be commandeered by botnets, 
as the ranking member mentioned. Rather than a one-size-fits-
all approach, we need a risk-based policy framework that 
accounts for these differences.
    Second, IoT policies should build on existing software 
industry best practices. We should not treat the Internet of 
Things as some wholly new and unexplored realm demanding new 
and different policies. IoT devices are built around hardware 
and software that have been regular features of the technology 
landscape for years, even decades. In the software industry, 
the private sector and the government have worked closely over 
many years to develop a robust set of guidelines, best 
practices, and international standards for developing and 
sustaining secure software. As you consider cybersecurity in 
the IoT we should begin here.
    Finally, effective IoT cybersecurity policies will 
recognize that the government has an important role, but it 
should be cautious in how it exercises its role to avoid 
interventions that will stunt the development of innovative 
products, including new cyber tools. In general, it should 
focus on convening and facilitating, rather than dictating 
solutions. The government can be most effective when it takes 
action to foster market-driven solutions, particularly those 
that can impact markets globally.
    The government can play a critical role by driving 
multistakeholder processes to confront the most critical or 
most challenging questions and to seek to harmonize policy 
frameworks across sectors based on the outcomes of those 
multistakeholder processes.
    Beyond that, though, the government must lead by example. 
As Ranking Member Kelly said in her opening remarks, the 
Federal Government must be a leader in cybersecurity. It must 
drive the market by demanding the most innovative security 
solutions private industry can provide and invest in emerging 
technologies that can reshape security architectures. Too often 
government acquisition is driven towards the lowest cost 
solutions rather than those that provide the best value. That 
must change.
    In summary, we argue that policies for the Internet of 
Things will be most effective when they are risk-based rather 
than one-size-fits-all, when they build on existing best 
practices instead of reinventing the wheel, and when they 
facilitate collaboration between government and industry to 
tackle a shared challenge.
    Thank you again for the opportunity to appear before you 
today. I look forward to your questions.
    [Prepared statement of Mr. Ross follows:]
    Mr. Hurd. Thank you, Mr. Ross.
    Mr. Corman, you're up. Five minutes for your opening 
remarks. Thanks for being here.

                    TESTIMONY OF JOSH CORMAN

    Mr. Corman. Thank you.
    Chairman Hurd, Ranking Member Kelly, distinguished members 
of the committee, thank you for the opportunity to testify 
today. My name is Joshua Corman. I am a founder of 
iamthecavalry.org, a grassroots volunteer cyber safety 
initiative focused on where bits and bytes meet flesh and 
blood. Until yesterday I was the director of the Cyber 
Statecraft Initiative for the Atlantic Council, a nonprofit 
international policy think tank. And as of yesterday I am now 
the chief security officer for PTC to drive more maturity and 
safety into the industrial IoT sector. And lastly, relevant to 
today, I was testimony to the 2016 Presidential Commission for 
Enhancing National Cybersecurity and had the privilege of 
serving on the congressional task force for healthcare 
cybersecurity, which published in June.
    Beyond my written testimony, I'd like to highlight three 
things. One is the cost of inaction and the urgency of time. 
While some want to wait, time really is the enemy here, and 
delayed response will have consequences in breaches; in effect, 
public safety; in the confidence in our government; and in very 
large parts of our economy, and could cede our leadership 
position in the international policy response after the next 
major attack in ways I fear through my work at the Atlantic 
Council would be very deleterious to U.S. interests and to our 
economic interests.
    Number two, the Senate bill is promising because it focuses 
on an 80/20 rule type backbone of maximum benefit from minimum 
burden or on hovering around known vulnerabilities and 
reasonable cyber hygiene. These reasonable evergreen 
expectations both preserve and enable free market choice by 
definition. They are more descriptive than prescriptive, 
focusing on what is required versus how to do it, despite 
industry talking points. Further, they may even serve as a very 
necessary safe harbor rubric for inevitable software liability 
when we have our first casualties due to where bits and bytes 
meet flesh and blood.
    And then third, this rubric could be made even better with 
a software bill of materials. Enhancing the Senate bill with a 
software ingredients list, or also referred to as a software 
bill of materials, would add significant protections and better 
reflect insights and findings from prior initiatives like the 
Presidential Commission, which highlighted the need for food 
labels and transparency to enable better free market choice; 
our healthcare Cybersecurity Task Force, which is strongly 
urging a software bill of materials to reflect what Philips 
Medical and others are voluntarily doing to make medical 
equipment safer in life critical use cases. And while the 
industry has reacted negatively to such approaches in the past, 
many of those arguments have been weak or have failed to fully 
appreciate the benefits of such an approach, both of which I'd 
be happy to speak to in Q&A or followup.
    Further, we continue to misidentify as a Nation, especially 
when talking about the NIST cybersecurity framework, that 
cybersecurity is not only about confidentiality of data. It is 
about public safety, human life, capital expenditures, physical 
harm. And I think what we're seeing with NotPetya and other 
attacks is property damage, severe interruptions to our supply 
of vaccines for a national supply, et cetera.
    And while I appreciate, especially from the technology 
community, the need--the reluctance to regulate technology, 
it's hard to argue that private sector is doing a good job here 
even on the regulation of data. About 100 of the Fortune 100 
have lost intellectual property and trade secrets. Nearly every 
retailer has had a breach of credit card data several times, 
despite adhering to industry best practices, and I think the 
fact that we have a broad history of software security 
practices is part of the problem. We have failed to secure low 
consequence use cases like replaceable data, and now we're 
increasingly dependent upon technologies where the consequences 
of failure could have a national security or public safety 
    The breaches are getting bigger, like Ashley Madison and 
Target. They're affecting government, like the Pentagon and the 
OPM breach. And now they're affecting hospitals. Initially, 
last February, with Hollywood Presbyterian shutting down 
patient care for a week due to an accidental ransomware 
infection, and more recently, 65 hospitals in the U.K., 65 
hospitals in one day were shut down, and it was 20 percent of 
their national capacity.
    And while we have been reluctant, the primary reason to be 
reluctant to regulate software IoT, including my own 
reluctance, has been a fear that doing so may stifle innovation 
or hurt the economy. And I think these uncomfortable truths are 
showing a failure to have some reasonable regulation of 
software and IoT is stifling innovation and hurting the 
    If we are cavalier about this, I do fear the international 
response. There's severe appetite to do things in Germany, in 
the U.K., and there are even attempts to break up the free open 
internet to have a U.N. takeover of governments. And the 
easiest solutions, the next Mirai botnet that we can't stop, 
are very dangerous to U.S. interests and may cede our current 
model and economic engagement with the internet.
    Lastly, on a personal level, I'm very encouraged to see the 
enthusiastic support for the value of white hat research in 
coordinated vulnerability disclosure, and there's been 
significant strides there, which are already bearing fruit for 
the voting hacking machines, for medical devices, and for 
automobiles, and I'd like to see that continue. I'd be happy to 
answer your questions.
    In closing, time is the enemy. The bill focuses on maximum 
benefit for minimum burden, and could be even stronger with a 
bill of materials. I am encouraged by this hearing and the bill 
as a turning point that we might have the courage and will to 
do the technical solutions we've had available. Thank you.
    [Prepared statement of Mr. Corman follows:]
    Mr. Hurd. Thank you, Mr. Corman.
    Mr. O'Farrell, you're now recognized for 5 minutes.

                   TESTIMONY OF RAY O'FARRELL

    Mr. O'Farrell. Chairman Hurd, Ranking Member Kelly, thank 
you for the opportunity to testify today at this important 
hearing. I am Ray O'Farrell, chief technology officer at 
VMware. I am head of VMware's IoT team. VMware is headquartered 
in Palo Alto, California, and is one of the largest software 
companies in the world, and is also part of the Dell Technology 
family of companies.
    The emergence of IoT, or the Internet of Things, is a 
technological step in which more and more aspects of the 
physical world, from manufacturing to banking to home 
monitoring to healthcare, transportation, and even smart cities 
are interconnected and coupled with analytics and intelligence. 
Some consider the Internet of Things to be the basis of the 
next industrial revolution.
    This level of IoT interconnect will lead to exciting new 
opportunities for American innovation and job growth. However, 
with the increased interconnect there is also a threat of cyber 
attack on this new infrastructure. We've already witnessed some 
of the security challenges for IoT. For example, just a year 
ago, an IoT distributed denial-of-service attack took down 
major internet platforms and disrupted the internet services of 
millions of Americans. And in May of this year, the WannaCry 
attack is estimated to have affected 100,000 organizations in 
150 countries, and in the context of IoT, that included 
healthcare-related IoT systems. The threat and the impact of 
IoT-based cyber attack is not theoretical, it is real.
    VMware is a leader in data center and IT infrastructure 
management, including the management of end-user devices such 
as cell phones. We do this for the Federal Government and the 
largest companies in the world. We extend this management and 
security approach to the world of IoT and to the IoT industry. 
We applaud Senators Warner and Gardner for introducing this 
proposal of the Internet of Things Cybersecurity Improvement 
Act of 2017, and the committee for releasing a discussion draft 
and holding today's hearings.
    There are several provisions of the proposal that VMware 
specifically supports. Firstly, we believe that IoT devices 
should from the outset be designed with vulnerability patching 
capabilities built in. A simple patching requirement would have 
drastically reduced or eliminated the WannaCry breach.
    Secondly, we support several of the cyber hygiene concepts 
in the proposal, including microsegmentation and multifactor 
authentication. The concept of microsegmentation plays a 
critical role in ensuring that IoT-related data and information 
are segmented and properly protected against IoT cyber 
    Thirdly, we also support the consideration included in the 
proposal that leverages security benefits introduced by 
properly managed IoT gateways, eight systems which act as 
isolation and management gateways to help prevent and remediate 
any compromise of connected devices.
    In closing, the Internet of Things will have significant 
positive impact on American innovation and American jobs. 
Billions of IoT-connected devices will be on the free market 
for consumers, businesses, and government to consider 
purchasing. And the U.S. has a ripe opportunity to claim global 
leadership in this space. But security is the key principle 
that will enable and advance further adoption of IoT. If 
consumers, businesses, and government do not feel that IoT 
products are secure, it will only hinder U.S. global leadership 
in a growing and innovative IoT industry.
    The Internet of Things Cybersecurity Improvement Act of 
2017 provides a thoughtful framework modeled after the 
industry-recognized NIST framework. The specific proposal 
focuses narrowly and appropriately on the procurement process 
by the Federal Government of IoT technology. If the U.S. 
Government decides to spend American taxpayer dollars to gain 
the productivity and efficiency benefits that IoT technologies 
can bring to the government, then it is reasonable to assume 
that the government should be confident in the security levels 
of the IoT devices it is purchasing.
    Chairman Hurd and Ranking Member Kelly, I applaud the 
leadership of the committee for holding this hearing today. 
Thank you for the opportunity to testify. And I look forward to 
answering the committee's questions.
    [Prepared statement of Mr. O'Farrell follows:]
    Mr. Hurd. Thank you, Mr. O'Farrell.
    Now, it's with great pleasure to recognize the gentleman 
from California, Mr. Darrell Issa, for his first round of 
    Mr. Issa. Thank you, Mr. Chairman.
    And I think the public, in hearing we're doing something on 
the Internet of Things, probably in spite of your testimony 
would consider that, well, this must be new. But, Mr. 
O'Farrell, I'm going to use you and a little bit of our gray 
hairs to establish something for a moment.
    When you began in the industry, people were dialing, auto 
dialing to find modems and then trying to invade people's 
systems that were connected by modems, correct?
    Mr. O'Farrell. That's correct, yes.
    Mr. Issa. And the advent of firewalls and private systems, 
VPNs, point-to-point connection was in response to that and 
other challenges, right?
    Mr. O'Farrell. Yes. Broadly bringing a level of security 
and protection.
    Mr. Issa. So is it fair to say that the products that the 
public is hearing today, the Internet of Things products, could 
be set aside in totality and we could have this discussion 
today only about connected--externally connected computers, 
whether mainframe minis, if they were still around, or micros?
    Mr. O'Farrell. So there are similarities in the existing 
data center infrastructure, and, in fact, you would see many of 
the same issues appearing, how do I secure my infrastructure, 
how do I protect it, feeding back out into the world of IoT. I 
think there is one difference, though, to highlight, and the 
difference is, unlike your typical data center infrastructure, 
you are not protecting just data; obviously, that's important 
to protect, but you're protecting physical infrastructure. 
These devices can be controlling equipment in a hospital.
    Mr. Issa. Sure.
    Mr. O'Farrell. So there's different aspects.
    Mr. Issa. But if you're controlling the electric grid, 
you're controlling thousands of hospitals, right?
    Mr. O'Farrell. Correct, yes.
    Mr. Issa. So using that as a reference, would you all 
agree, if you can, that, in fact, this is not a new problem, 
but what we're really dealing with is a problem that goes back 
to the first connected product that had access even by 
telephone to the outside? That's fair to say, right?
    Okay. I'll take no noes as a yes for now. But let me follow 
up by asking you all a question. When we look at a fully 
qualified domain name, in the IPv4 world, our problem was we 
ran out of numbers to distinctly connect points so we could 
identify a point and its effective location. Is that a fair 
statement, for those that have been around? And then we went to 
IPv6 in order to have enough points that we could identify 
uniquely. Anyone? Mr. O'Farrell?
    Mr. O'Farrell. Yes, IPv6 increases the number of available 
addresses enormously.
    Mr. Issa. So as we're here looking at the question of a lot 
of things that are going to be done, would it be fair to say 
that the ultimate solution for point-to-point connections and 
conversations is, in fact, to eventually have every point in 
some way be fully qualified and fully identified so that when 
the chairman has a product that's being addressed by a product 
asking it to do something, its chances of it being anything 
other than an approved product reasonably asking for that 
information can be dramatically reduced? In other words, you 
can no longer spoof the way the bots do, spoof an event to get 
somebody to do something that they wouldn't do if they knew who 
you were? Is that a long but fairly accurate statement?
    Mr. Corman. Such a maneuver would help certain aspects of 
the threat model, but not all. And to also respond to your 
prior point, while things like the NIST cybersecurity framework 
and things like remotely exploitable modems are familiar and we 
can glean from the past, there are material differences. The 
Cavalry has published a framework of six differences, which are 
at least good questions to marshal yourself through, and 
succinctly they are--they're different adversaries with 
different motivations. They're different consequences of 
failure, including public safety human life. Different 
environmental contexts where you're not going to have layered 
defenses. Different composition of goods. Different economic 
realities for margins and costs to goods, and different time 
scales for time delays.
    Mr. Issa. You know, I appreciate all of that, but that's 
sort of like saying that the horse and buggy has nothing in 
common with the car when you're just trying to get to church. 
The reality is that--the reason I asked this line of 
questioning with my limited 5 minutes is, what it appears to 
this member, who has been around since the 1970s as a manager 
of a computer facility in the military, is we have old problems 
that have never been resolved. We now are in a position where 
quicker, faster, and with greater devastation the problems can 
lead to catastrophic problems for our society, for human life, 
and yet in a sense we've never resolved that great question, 
which started off with the modem that said you can call me, but 
I'm only going to call back to the number that's programmed in 
me, that two-way authentication that came out back in the modem 
    In a sense, the reason I ask the question, and I'll close, 
Mr. Chairman, is it appears as though unique and thorough, 
fully qualified identity with the appropriate authentications 
is going to have to be part of any solution or you're going to 
have exactly what happened to Jared Kushner's lawyer who 
emailed ``forward'' to a spoofer what he was supposed to send 
to the son-in-law of the vice president only a few days ago, 
because you've got to know who you're talking to or, 
inevitably, all the security in the world won't do you any good 
when you send it to the wrong place.
    Mr. Chairman, I'll take that as a yes if they don't revise 
and extend on it, but it's an area of concern, and thank you 
for continuing this.
    Mr. Eggers. You know, if I may, let me just throw in a 
couple of thoughts that, A, we share your concerns about 
security and making sure that as we go from, let's say, device 
to end user, as we expand and we want to the Internet of 
Things, we're doing it in a way that minimizes those risks. 
Authentication is a key topic. I know we at the Chamber, we 
have supported the TENS stick, the trusted authentication 
concept and effort that was launched in 2011.
    But I think to your bigger point, we do share your concerns 
about security and the need for increased security and risk 
management. One thing I think we would look to is some kind of 
a layered approach, right? No single one thing is going to get 
us to where we want to be. And I would also want to look 
closely at what kind of measure metric we look to get there. We 
at least in--at the Chamber, there are private sector-led 
efforts to look at whether or not a device, widget, gadget is 
more secure, let's say, than another. We probably would be a 
little skeptical or at least want to proceed with caution if 
government's going to put a thumb on the scale. It may be 
premature to at least select one certification model versus 
    I'll finish there. Thanks.
    Mr. Hurd. Ranking Member Kelly is now recognized for her 
opening questions.
    Ms. Kelly. Thank you.
    As the IoT market continues to grow rapidly, there are 
concerns that it has grown without proper security standards or 
market incentives to safeguard against bad actors. We haven't 
done a good job of rewarding good actors who bake in security. 
But for the Federal Government uses, an unsecured device poses 
a great threat to information security and sensitive data.
    A 2017 report by the Government Accountability Office found 
that IoT device vulnerabilities can be caused by, and I quote, 
``a lack of security standards addressing unique IoT needs.''
    Mr. O'Farrell, would you agree that IoT devices pose a 
unique cybersecurity challenge?
    Mr. O'Farrell. Yes, I would. Partially because the impact 
of a cybersecurity breach on an IoT device, as we've noted, can 
affect something very real in the physical world, including 
human life.
    Second of all, IoT devices by their nature are not behind a 
brick wall in a data center. They're at the bottom of oil 
wells. They're in factories. They're in buildings, which means 
the ability to physically attack them or interface with them 
becomes possible. Therefore, I think that a layered approach as 
to how you secure it becomes more important.
    So the bill mentions, for instance, use of IoT gateways and 
microsegmentation. These are second order of protection, which 
can be used to protect those devices themselves, even if they 
become compromised in some way.
    Ms. Kelly. And so you agree that establishing at least 
minimal cybersecurity standards would help prevent IoT device 
    Mr. O'Farrell. Yes. I think in the context of the bill, 
which is essentially highlighting the existing NIST standards 
from a cybersecurity point of view and applying them to IoT in 
the context of the Federal Government procuring those devices, 
yes, I do.
    Ms. Kelly. And, Mr. Corman, would you agree?
    Mr. Corman. I do. And there's several things we could do. 
We wanted to focus on things that were 80/20 rule-ish. And I 
think if you squint--everything really hovers around 
vulnerabilities that are known. Known vulnerabilities are more 
than 30 percent more likely to be attacked by adversaries than 
unknown. And we discussed this with Chairman Hurd in Las Vegas. 
We had this notion of IoT really should have five postures 
towards any failure. They're going to fail. They're going to fail 
often. How do you avoid failure? By building security in versus 
building on. How do you take help avoiding failure? From 
willing allies like through coordinated disclosure. How do you 
capture, study, and learn from failure? With logging in 
evidence. How do you respond to failure? With security updates 
and patching. And how do you contain and isolate failure? With 
segmentation and isolation to fail safely.
    And those are really you must be this tall to ride the 
Internet of Things kind of concepts. Obviously, there's so much 
more we could do, but that's a really minimum viable--I once 
said unpatchable IoT are the lawn darts of the internet in that 
they are inherently unsafe.
    Ms. Kelly. Thank you.
    Both the House and Senate versions of the IoT Cybersecurity 
Improvement Act require minimum security requirements from 
vendors selling IoT devices to the government. These include 
basic best practices like federally procured devices being 
patchable and not using hard-coded passwords.
    Mr. O'Farrell, do you believe these standards are 
    Mr. O'Farrell. Yes, I do. I also note that the bill gives, 
under some circumstances, the ability to be able to waive those 
if a device does not support that, as long as another security 
technique is put in place.
    Ms. Kelly. Right. And can you describe how these practices, 
basic hygiene, can provide a reasonable level of security for 
the government to feel confident in purchasing IoT 
    Mr. O'Farrell. So you've already heard to some degree how 
IoT, sort of the existing ways that you secure data centers and 
infrastructure, also applies and becomes applicable in some way 
to IoT. Many of the things which are described here, 
authentication, microsegmentation, least privilege access, all 
of those are core concepts described by NIST to secure data 
center infrastructure and cyber infrastructure, so the same 
would apply equally to IoT.
    Ms. Kelly. Thank you.
    Mr. O'Farrell. It just becomes an extension--I'm sorry. It 
just becomes an extension, essentially, of the existing data 
center infrastructure.
    Ms. Kelly. Okay. IoT devices promise exciting opportunities 
and benefits we cannot ignore, as all of you agree the security 
implications. Government data must be protected, and it is 
essential that we address the cybersecurity concerns now rather 
than retroactively. The IoT Cybersecurity Improvement Act 
provides basic security standards that are necessary for 
protecting government data and can set a positive example for 
the IoT industry at large. I believe the legislation serves as 
an excellent starting point for IoT security. And I yield back.
    Mr. Hurd. I'd like to thank the ranking member.
    And if my memory is correct, Mr. Gianforte, this is your 
first--this is your first hearing with us. It's great to have 
someone with your background, experience, and patents on this 
committee. And you're now recognized for your opening 5 minutes 
of question.
    Mr. Gianforte. Thank you, Chairman Hurd and Ranking Member 
Kelly. It's my pleasure to be here. Thank you for the testimony 
that you're providing for us today. I appreciate the effort. We 
need to make sure that our government is secure, and 
particularly the Internet of Things security is important.
    I want to ask questions in two areas. And as Chairman Hurd 
mentioned, I ran a cloud computing business for many years, and 
we had thousands of clients. We had over a thousand cyber 
attacks per day that we had to defend against, so I have some 
familiarity here.
    I'd like to talk a little bit about NIST vulnerabilities. 
How often does NIST publish updates on vulnerabilities? Just 
based on your knowledge, Mr. O'Farrell.
    Mr. O'Farrell. I don't actually know the exact number. I 
know we get vulnerabilities from NIST, but also from broadly 
across the industry. You know, large software companies like 
Microsoft and others would publish those vulnerabilities as 
well, and so it would not be unusual to see a steady stream of 
vulnerabilities coming in every month.
    Mr. Gianforte. Every month there would be new ones?
    Mr. Corman. Every day.
    Mr. Gianforte. Every day there's updates.
    So are all vulnerabilities, Mr. O'Farrell, created equal or 
are some more severe than others?
    Mr. O'Farrell. Some are more severe than others. The 
challenge with the vulnerabilities, you can't always tell or 
predict whether the vulnerability is going to be exploited in 
some way. Remember, a vulnerability simply says there is 
something here which could be a problem. It doesn't say this 
has been used to attack or exploit in some way. So you have to 
be careful with respect to how you rate vulnerabilities, but 
there is a rating for vulnerabilities and they are not all 
created equal.
    Mr. Corman. If I may add to that, we have a common 
vulnerability scoring system for various factors. We have 
recently learned it's insufficient for safety critical, and 
there's a special project through MICR to look at safety 
critical in hospitals, for example.
    Mr. Gianforte. But to your point earlier, Mr. Corman, some 
are more important than others from a risk perspective.
    Mr. Corman. Well, for consequence severity and context, 
yes, but there's also one more thing in the written testimony 
I'd like to call out, which is that for all known 
vulnerabilities there are a special subset that if they're in 
created attack tools or if they're in an exploited database, 
they're 30 times more likely. So your heavier risk-based 
clustering of this to enhance the yield.
    Mr. Gianforte. Mr. O'Farrell, where I'm driving here is, in 
a complex system that includes an operating system, maybe an 
application server, an application communication software, all 
of these systems are collections of various components. Given 
the frequency with which vulnerabilities are published, is it 
possible for a complex system to have no vulnerabilities over a 
12-month period?
    Mr. O'Farrell. I think it is highly unlikely. I think that, 
in fact, you have to expect and to some degree that there's 
probably some vulnerability in there. It's complex. It's got 
many pieces of software and products. And I think if at all 
possible, you need to build into your security stance the 
expectation that you're going to have to adopt and deal with 
some form of exploit should it occur. So control and second-
layer protection is a part of the story.
    Mr. Eggers. Sir, if I could--go ahead, sir.
    Mr. Gianforte. And I raise this, because in the legislation 
as it stands today it says that all procurement by the Federal 
Government will have no vulnerabilities. And I just want to 
highlight that some are more important than others. We may want 
to differentiate in some way.
    Mr. Eggers. I think--I was just going to add that I think 
that a focus on, A, a definition of what we mean by ``internet-
connected device'' I think is crucial. B, I would say that you 
are right, NIST, its database of vulnerabilities ranks low to 
high. US-CERT pushes out vulnerability and other update 
information, if you will, regularly. I get them.
    One of the things I think that's relevant, at least in 
terms of the conversation here, is I think everybody is right 
to focus on the vulnerabilities and to upgrade fix. One of the 
issues, at least in terms of if you are a provider, and one of 
the questions that we've got is there's a requirement for 
tracking notification.
    Mr. Gianforte. Mr. Eggers, if I could just claim my time 
    Mr. Eggers. You may, sir. Of course.
    Mr. Gianforte. Thank you.
    And I just wanted to, in my remaining 50 seconds, Mr. Ross, 
I have a question about standard practices in the software 
industry. As in the legislation there are particular clauses 
that require manufacturers of Internet of Things to provide 
perpetual updates to software, and I think the process of 
providing a way to do update is good. In the software industry, 
is it standard practice that that's done as part of the initial 
purchase price of the product or is there typically a separate 
maintenance contract that is designated to ensure that you get 
updates to your products?
    Mr. Ross. I think that very much depends on the product. 
You know, so you see, obviously, we all have apps on our 
iPhones that get free updates, you know, without paying any 
extra, and other companies provide update services as a 
separate package.
    Mr. Gianforte. And if there was a requirement to provide 
perpetual updates, what impact would that have on the initial 
purchase price of the product itself?
    Mr. Ross. Again, I think it depends on the business and its 
sort of, you know, business model how it generates revenue, so 
I don't think there's a single answer for the entire----
    Mr. Gianforte. But if a vendor had to provide more 
services, typically prices would go up?
    Mr. Ross. You could certainly expect that in some cases.
    Mr. Gianforte. Okay. Thank you.
    And I yield back. Thank you for your patience, Mr. 
    Mr. Hurd. Thank you.
    Mr. Raskin, you're now recognized for 5 minutes.
    Mr. Raskin. And thank you very much, Mr. Chairman.
    So I'm interested in last year's cyber attack with the 
Mirai botnet, which took down the internet for most of the East 
Coast. And it was an attack that preyed on the Internet of 
Things connected devices like web cams and routers and so on. 
And as I understand it, it infected the IoT devices with 
malware, and then the hackers were able to gain control of the 
devices and use them to drive an overwhelming amount of traffic 
towards the target.
    Mr. O'Farrell, let me ask you, in the aftermath of the 
Mirai botnet attack, it was revealed that the attackers had 
used only about 20 percent of the computing power of 20 percent 
of the entire botnet, so in other words, a small fraction of a 
small fraction of the actual capabilities. How would a similar 
attack ramped up affect the Federal Government, if they came 
after us?
    Mr. O'Farrell. I think the ramp-up would have an equivalent 
ramp-up in terms of impact. Now, obviously, after that attack, 
organizations will have looked at other ways they can protect 
from such a denial-of-service attack, so it would have been 
some changes made to try and protect against that. But if the 
full force of that attack had been used at that time, with the 
internet as it stood at that time, it is likely the impact 
would have equally been proportionally large. So in terms of 
the Federal Government, it would have brought down major 
internet providers, and that in turn would have begun to affect 
what the Federal Government does day to day.
    Mr. Raskin. Gotcha. Many of the IoT devices are shipped 
with hard-coded passwords that are unable to be patched or 
updated. What risk does a hard-coded password or device present 
to our ability to respond?
    Mr. O'Farrell. So I think as Congressman Issa mentioned, 
you can identify these devices in terms of an IP address of 
some sort, whether it's IP6 or IP4, however, the actual 
identification of the device in terms of--sorry, of somebody 
accessing the device is typically handled by a password of some 
    A hard-coded password is typically very early somebody 
posts that on the network. You'll get a message on the internet 
saying if you're accessing this camera, these types of camera, 
here's the type of hard-coded password. So effectively you have 
no password, which effectively means then those devices are 
open for people to access them and then try and exploit them in 
some way.
    Mr. Raskin. Thank you much.
    Mr. Corman, how does Senator Warner's bill address that 
issue? Are there other legislative measures that we should be 
contemplating to deal with that problem?
    Mr. Corman. One of the things I wrote in my written 
statement just in full disclosure is that Federal procurement 
alone won't stop the next Mirai botnet. The government does not 
buy enough of those devices, and the overwhelming majority of 
the ones that hit the internet that afternoon were from 
Vietnam, outside the country purchased by others.
    What we like about the bill is the fact that it sets, by 
example through purchasing power, a model that can be 
replicated by hospitals, other organizations, and the 
international policy community in a reasonable way. There are 
some very ugly and dangerous counterproposals, such as bricking 
devices; doing deep packet and inspection at the carrier, the 
edge, which could get into net neutrality issues; and 
balkanization and Geo-IP filtering that would play directly 
into the hands of Russia, China, and some of the people who 
tried to take over the free open internet a few years ago and 
nearly succeeded. So there are other things that can be done, 
some of them having very dangerous side effects for the economy 
and for U.S. interests.
    Mr. Raskin. Let me just follow up on that. The use of these 
IoT devices is expanding rapidly around the world. I think it's 
estimated that by 2020, there could be more than 20 billion of 
them. Does that increase our exposure? Does it make it a more 
dangerous situation?
    Mr. Corman. Yes. I used to be the director of security 
intelligence for Akamai, which handles the largest denial-of-
service attacks in the world, and the math doesn't handle even 
Mirai. It certainly won't handle the growth rates.
    So while I really like some of the hygiene principles to 
lead by example, these have to be adopted by the private 
sector, whether through self-regulatory, through purchasing, 
through free market forces. But this bill alone won't stop the 
next Mirai, but it sets an example that could make more devices 
higher hygiene than lower hygiene.
    Mr. Raskin. Do you--and I could open this up, does the 
panel think that manufacturers are doing enough to ensure the 
security and the safety of the IoT devices?
    Mr. Corman. No.
    Mr. Ross. So I think some are and some aren't. And I think, 
you know, what we need to do is incentivize those who are, you 
know, providing good security and building it into their 
products to have more opportunities, including through 
government contracting, and to have that good work recognized. 
And then we need to find ways to incentivize those who are not 
doing a good enough job to do better. So I think they're not 
all the same, but certainly there are some actors out there who 
are not taking security seriously enough.
    Mr. O'Farrell. I mean, I think I would echo the sense that, 
one, they're not all the same, but, two, for those who do do 
the good job, you know, to make sure that they have the benefit 
of being able to, you know, fit the requirement policies of the 
Federal Government. That's a positive message to them, and it's 
rewarding the people who do the good job as opposed to those 
who do not.
    Mr. Eggers. If I may, I think the intent of the bill to 
bring more secure devices into the Federal Government is sound. 
Very sound. It is how we get there, I think, that's the trick.
    In terms of working with so many different businesses 
across multiple sectors, I think Tommy's right. We're kind of 
in a gray zone where I think, if anything, when I step back and 
I look at a bill like this, I say, how can we make sure that 
the companies that are making devices securely--and there's a 
lot of standards out there. There are a lot of companies 
building devices according to this or that standard, guidance, 
or best practice. I want to make sure that they're the ones 
that win and, ultimately, consumers, the purchasers, will too.
    Mr. Raskin. Thank you. I yield back, Mr. Chairman.
    Mr. Hurd. Thank you.
    Mr. Mitchell, you're now recognized for 5 minutes.
    Mr. Mitchell. Thank you, Mr. Chairman.
    Let me ask the panel, whoever wants to jump in on this 
question, you talk about government standards and those 
standards generating more confidence in the private sector as 
well. How much confidence do you have that, in fact, 
government-mandated standards are going to improve the 
    Mr. Corman. One of the things I like here is it's not the 
government mandating standards for the private sector, it's the 
government as a purchaser acting in their own selfish interests 
to protect the interests, not just against larger scale DDoS, 
but against the next OPM breach or against people surveilling 
your offices or any and other number of things where our smart 
TVs or smart gadgets could be a risk. So this is more leading 
by example than forcing something. It could catalyze 
    Mr. Mitchell. Let's talk about--give me a second, and I 
want to hear from everybody else--leading by example to Federal 
Government. Last we had a hearing several weeks ago, maybe a 
couple months ago at this point, there were 143 chief 
information officers in the Federal Government; 143 of them was 
I think the count. How does that give us confidence? I mean, I 
ran a fair size private company. There was one CIO who I held 
directly accountable for our security of all things, not just 
our internet access, but all the other applications we used. 
I'm concerned that with 143, I'm not sure we're going to get 
anywhere near the level of concern we have. How do you feel 
that's going to help us?
    Mr. Corman. I think we're getting the critical mass slowly. 
The Presidential Executive Order on cybersecurity, two quotes, 
The Federal Government ``has for too long accepted antiquated 
and difficult-to-defend IT,'' and, ``Known but unmitigated 
vulnerabilities are among the highest cybersecurity risks 
    The DHS' six strategic principles for IoT covers this. The 
Presidential Commission, FDA, Department of Transportation. 
There's a critical mass forming around what some of these are 
and an increased recognition that what we had been doing doesn't 
work across those federated CISOs to treat the Federal 
Government as an enterprise.
    Mr. Mitchell. Okay. Mr. Eggers?
    Mr. Eggers. Congressman Mitchell, if I may, to your point 
about standards, I think standards are really important. Our 
companies live and breathe by standards. They are successful 
because they use standards that are private sector led, 
industry driven, global in nature very often.
    The thing about the bill--again, the intent about bringing 
secure devices into the government is sound. I think one of the 
things we want to look at is are we scoping the device of the 
definition of internet-connected device adequately? And I think 
the answer is we don't know really yet. I think one of the 
things we'd like to do is talk with groups like NIST, NTIA to 
help inform how we make that decision. It's very broad. It 
could capture low-end devices that really aren't intended to be 
plugged into the bill. It does consider, obviously, devices 
that are at least capable, but should they? It's not clear. In 
many cases, they shouldn't be.
    One of the issues I will--and then I'll finish, is one of 
the issues about tracking vulnerabilities and making patches 
and upgrades is you could find a situation if you're a 
contractor--and that term too is vague--the lengths at which 
they've got to go to track virtually any known vulnerability, 
and there are a lot of avenues for finding those, and you would 
be beholden to quite a notification structure, and so that 
gives me pause. The idea about upgrading is sound, but the 
notification, among other things, gives me pause.
    Mr. Mitchell. Mr. O'Farrell, you had a comment?
    Mr. O'Farrell. Maybe two things. One of them, in terms of 
the--you know, as a taxpayer looking at the Federal Government 
purchasing IoT infrastructure, I would like to know that 
they're getting value for their money, and security is a key 
part of that.
    Mr. Mitchell. Absolutely.
    Mr. O'Farrell. So that's where I see those key guidelines. 
They represent what is a reasonable model around security.
    With respect to the broadness of the definition of IoT, 
yes, I think devices at the edge, they're difficult to 
describe, and they'll probably see opportunity to focus a 
little bit more on describing that, but the legislation does 
describe mechanisms that says, if devices are simple enough 
such that they cannot meet all of the requirements with respect 
to patching and so on, that there are some waivers associated 
with that.
    With respect to describing vulnerabilities, I think the 
bill specifically is trying to imply you should not be 
delivering equipment with known vulnerabilities, and then based 
on patching you get to fix those vulnerabilities, if and when 
they appear and when you find out about them. That's why the 
patching is a critical part of the story when combined with 
recognizing that vulnerabilities will occur.
    Mr. Mitchell. Mr. Ross, you had a comment. The last few 
seconds here.
    Mr. Ross. Sure. I will try to make it quick. But I think, 
you know, as you look at the Internet of Things, it really does 
describe a really broad array of devices, including, you know, 
at one end, sensors that don't even have operating systems and 
are designed to be cheap and mass-produced and can be so, while 
minimizing security risks, depending on how they're deployed in 
a network environment.
    And at the other end, you know, looking at, really, life-
critical systems, as Mr. Corman has discussed. And I think that 
definition, it's really important that we capture it, because 
there is a cost-benefit equation here. And in some cases, the 
government is going to want to be able to buy devices that are 
inexpensive and mass-produced without having to build in a lot 
of security features that would drive up the cost and make them 
unsustainable. And you think about things like sensors and 
infrastructure that you want to put in place and leave for 50 
years just to tell you, you know, seismic activity over time.
    I think that security standards are very important, but 
being calibrated against risk is what allows us to drive 
security in the most sort of efficient and rational way.
    Mr. Mitchell. One other quick comment and I'll yield back, 
Mr. Chair, is that you mentioned incentivizing them, and in my 
mind, it's also creating systems that the general public 
understands what the government is doing so they can assess how 
they do that. And today's hearings raise concerns for me. I 
have a camera system in my house for security, and to be 
absolutely blunt with you, it's a small town, and I can access 
it on my phone, I'm not sure if it has patches and what they do 
to patch it. I should know better.
    So I'll yield back.
    Mr. Hurd. Mr. Corman, did you have a----
    Mr. Corman. Yeah, I'll be very brief. Some of 
Representative Gianforte's comments, and your own, they kind of 
make the case for what I said earlier about the value of 
software bill of materials. If it is unrealistic to perpetually 
update, if it might cost more money, if the company has gone out 
of business--the camera manufacturer--these things allow at 
least the procurer to assess, am I affected, where am I 
affected, should I unplug it? And there are a series of use 
cases that this would ameliorate or soften with that increased 
    Just like a bill of materials or food label, like if you're 
allergic to peanuts or if you're allergic to some sort of food 
and, you know, having some sort of ingredients list allows me 
to make a choice. And if there were a recall, if we did find 
out there was a bad batch of a certain ingredient in the food 
we ate, we know to stop eating it. And such a function could be 
applied to IoT and software as well.
    Mr. Mitchell. Thank you, Mr. Chair.
    Mr. Hurd. Thank you.
    Now I recognize myself, and not necessarily for as much 
time as I may consume, but I'm going to take my time.
    Mr. Ross, maybe we pick up on a comment you just made. If a 
sensor doesn't have an operating system, how can it be used in 
a DDoS attack?
    Mr. Ross. So, again, it really depends on--and I think one 
of the things that we need to think about when we're thinking 
about IoT security more broadly is not just how a device 
functions, but how a device fits into a broader network. And, 
you know, Mr. Eggers has mentioned taking a multilayered 
approach. How we build in security at different levels within a 
network can really shape outcomes far beyond the individual 
device. That said----
    Mr. Hurd. But should the person developing that sensor take 
those concerns into, as they're developing, how that sensor 
    Mr. Ross. I think the person developing the sensor needs to 
be able to respond to the demand for the product, and security 
ought to be part of that demand. But you can imagine a 
situation in which you might want to deploy, for example, a lot 
of sensors with limited security built into the devices 
themselves but adopting network solutions that allow you to 
manage security through cloud services, through network 
security mechanisms that use those devices in a controlled 
way, and even patch them through cloud-based services rather 
than patching individual devices.
    You know, the innovation around security approaches to 
securing IoT devices and other devices is incredible. And 
really, you know, we're seeing innovation in the security space 
keep pace with innovation in the product space. In other words, 
there's new approaches to security that we're seeing every day. 
And so I think it's really important, as we craft policy, not 
to limit the ability for those network-based solutions to sort 
of take hold.
    Mr. Hurd. And I'll ask this question again to you, Mr. 
Ross. And then, Mr. O'Farrell, I'd welcome your thoughts on 
this as the software guys here.
    How difficult is the code to have--to update a widget or a 
device that we're considering part of the Internet of Things? 
How difficult is that code to write? Is that standard code? Is 
it something that is open source information out--open sourced 
out there where you pull that module and say, hey, here's how 
we do it? Is there a commonly accepted way of doing that?
    Your thoughts on that. Mr. Ross first, and then Mr. 
O'Farrell, your opinions.
    Mr. Ross. Sure. The two gentlemen to my left probably have 
a better technical background to answer that, but I would say, 
you know, a 2016 IoT developers survey found about 25 percent of 
IoT devices don't have operating systems. So accepting patches 
and that kind of thing is--you know, without an operating 
system is much more challenging.
    That said, you know, I think the complexity of the codes 
sort of depends on the code base and the product itself and, 
you know, individual manufacturer's approach to coding. But I 
would defer to my more technically savvy colleagues.
    Mr. Hurd. I'll let Mr. O'Farrell and Mr. Corman and Mr. 
Eggers, if you have comments, I'd welcome that on this question 
    Mr. O'Farrell?
    Mr. O'Farrell. So in terms of broader applicability of 
patching, your PC at home is constantly patched. Every cell 
phone that's out there, from even major manufacturers, is 
constantly patched. The applications living on those are 
constantly patched. So the concept of being able to say, is 
patching a well-known function, yes, it is.
    I think where the challenge that Mr. Ross is pointing out, 
you may have a class of devices who are so simple that they 
don't necessarily have the ability to handle a software 
upgrade. They may not even have software at all. They might be 
a very simple device just relaying temperature or something. 
Under those circumstances, then you need to apply other 
techniques. You either need to have that device talk to a 
gateway, and then the gateway itself is patched and secured, or 
you do things with network segmentation or other network 
management capabilities to be able to secure that piece of 
    Mr. Corman. Just to add to that, some of it's knowing how 
to do secure updates over the air without making that a 
security risk itself. And we do know how to do that. That 
information is available. Some of it is going to raise the cost 
of goods on some of these devices because they need to future-
proof a larger image than they started with. There are some IoT 
platforms that anticipate and build in the ability to do 
updates securely with encryption. There are some that are 
cheap, maybe too cheap to be safely used. So it's not a zero 
cost, but we know how to do it. Technically, there are 
platforms that could do it, and if we reward those that do.
    And then lastly, the NTIA process for upgradability did say 
it could be an attestation-based model, where you say, I am 
patchable, I commit to patching for X years. And that goes into 
the Federal Government's purchasing decision of, if I'm going 
to buy an unpatchable device, I'll have to spend more 
aftermarket, or just choose not to buy it.
    Mr. Hurd. Mr. Eggers, do you have an opinion?
    Mr. Eggers. Yes, sir. Quickly. So I was just going to add 
that I hear from members that much depends on the device and 
where it's supposed to be, with the kind of device, the 
operating environment in which it's supposed to function.
    I think one of the challenges with protecting the Internet 
of Things is we are dealing with legacy devices that really 
weren't ever meant to be connected to the internet. And our 
colleagues will say, hey, then we build a security appliance, 
some kind of protective system firewall, what have you, around 
    So I think, at least in terms of engaging government, 
business to business, a lot of times they will work through 
these tough issues around software upgrading and so forth, what 
devices can do, what are their limitations. And I think that is 
really important to understand. There are certain devices that 
are meant to do some things and devices aren't supposed to do 
other things. And so I think our members, and generally what I 
hear is they're very cognizant about what devices can do and 
where they should go and how they should be protected.
    Mr. Hurd. So would it be fair--and I'll welcome all four of 
our illustrative panel's opinions on this. On this legislation 
when it says the IoT device must be patchable, would adding 
something to the effect of, if it has an operating system, and 
if not, then, X, Y, and Z?
    Mr. Corman. I think the existing bill in the Senate 
anticipates this and allows for waivers and allows for NIST to 
specify compensating controls for devices that can't do this, as 
opposed to maybe making some brittle assumptions that may not 
hold up over time. I do like Ranking Member Kelly's comment 
about keeping some sort of advisory board to keep these vibrant 
and evergreen. I think a lot of the ones in the bill right now 
are evergreen, but we do want to make sure that this is--you 
know, there's no unintended consequences or byproducts of this.
    Mr. Eggers. I would say one of the items about the bill 
that I've noticed that seems to be helpful is it's forward-
looking, right? We're trying to say, hey, let's project forward 
and say how can we do some things that we know we should do?
    One of the issues that I think has come up with our members 
is the role that third-party certifications may apply where 
that's applicable. We are in favor of private sector entities 
looking to different labels, certification models, if you will, 
but to have government possibly put a thumb on that scale seems 
to be premature----
    Mr. Hurd. Who is doing that right now?
    Mr. Eggers. Well, you've got different organizations. 
You've got UL. You've got different organizations providing, I 
think, approaches, let's say in Europe.
    The challenge, I think, with this is the speed of the 
threat, the dynamic nature of trying to put, let's say 
contents, we're not clear about what contents would be in that 
label. Would it be proprietary information? What kinds of maybe 
software-related information would be on that label? Can it 
keep up with the threat? And then, at least in our experience, 
once kind of a selection by parts of government take hold, it's 
hard to extract ourselves from that model. Right?
    Mr. Hurd. So is there any scenario current or in the future 
that you can think of where you need to have a password hard 
coded into a device?
    Mr. Eggers?
    Mr. Eggers. You know, I would say at least I've gotten 
positive feedback on the idea that once you receive a device, 
you should be able to change that pass code. That's helpful. 
But to your question, I'd have to get back to you.
    Mr. Hurd. So you've never had a member come to you and say, 
man, I really need to make sure that password is password in 
that device because it's not going to be able to function?
    Mr. Eggers. They would say that that is a bad idea 
    Mr. Hurd. Mr. Ross, do you have an opinion? I know there's 
like a bunch--we're on like three or four different kind of 
questions right now.
    Mr. Ross. Yeah, I know.
    Mr. Hurd. Throw it out there.
    Mr. Ross. Well, let me take your first question first on 
the patching. I think, you know, as you know, when product 
developers are considering how to approach a product, there's a 
few variables that are intentioned, you know. You have 
computing power, battery power, cost, size of the device. You 
add more computing power, you add more cost, you need more 
batteries, you increase size. So I think it's--I'm hesitant, 
when looking at the government's diverse needs for sensors and 
other IoT devices in a variety of different contexts, including 
national security, including infrastructure, I'm hesitant to 
say if you have an operating system, you need to be patched.
    There are tradeoffs that you should make. And considering 
risk in, you know, how you apply security measures I think gets 
you a better outcome. It gets you----
    Mr. Hurd. So on----
    Mr. Ross. --security, you know, built to--calibrated to the 
risk that the devices pose.
    Mr. Hurd. So is there a scenario in which you would advise 
the Federal Government that operating some system that has an 
operating system to not patch that software?
    Mr. Ross. There may be. I mean, there are very small 
operating systems on very small devices, and we may have a need 
as a government. Again, you know, I come from----
    Mr. Hurd. Based on the level of threat or the 
    Mr. Ross. Right. So I come from a national security 
background. And as you I'm sure know, the Department of Defense 
and the intelligence community, they want to put sensors on 
everything. And I've heard goofy proposals about putting 
sensors on cows to track their movements with pneumatic herders 
and see where those herders go. It happens.
    The ability to deploy----
    Mr. Hurd. I may have been involved in a few of those 
conversations, by the way.
    Mr. Ross. Yeah. So, you know, the ability to deploy cheap 
mass-produced devices that may not pose a risk, a substantial 
risk to life, public safety, the economy and so on, may be a 
trade off that we want to be able to make for other purposes.
    And I think, again, it's not to say that there shouldn't be 
standards; it's to say that the standards should be more nuanced 
than one size fits all, that there should be a risk framework 
that governs how standards are applied.
    So back to your second question, I'm not sure that I can 
conjure up a scenario where a hard-coded password might be 
appropriate. The one thing I would say is that we have--you 
know, as you know, you're the champion of the modernizing 
government IT act that we desperately need. The government is 
using systems, and I'm sure I could read this off of the 
talking points around the legislation, that are 50 years old or 
older. That's true in a lot of different contexts. And many 
systems, you think about industrial control systems, are built 
to last a very long time. And what we're doing now is we're 
applying software and other devices retroactively to help 
manage those systems.
    I know that we've heard from some of our members that 
managing those systems that are, you know, themselves very old 
and based on out-of-date protocols and that kind of thing, 
require solutions that may not be, you know, within the 
confines of the security standards on this bill.
    That said, I don't have any specific use cases in which a 
hard-coded password would be necessary to the function of those 
kinds of devices.
    Mr. Eggers. And if I may, Mr. Chairman, come back to my 
answer about the need for, let's say, taking a device and 
changing the pass code so it's harder for a bad actor to 
commandeer that device. So I said uniformly it would be a bad 
idea. I think, generally speaking, most of our folks would say 
that's a bad idea.
    I do wonder, because it has been raised, about, let's say, 
the nature of a device, let's say in a medical situation where 
access to that device in an emergency setting, let's say, you 
need to get in, you need to operate it, and if there are 
challenges with, let's say, the credentials, what have you, 
it's one thing that's come up. So I would say maybe, like a lot 
of things where we operate really in a zone of gray, that's one 
thing I might just flag. But on balance, you don't want a bad 
actor to easily commandeer your device.
    Mr. Hurd. Mr. Corman?
    Mr. Corman. Just building upon what's been previously said. 
We looked at the medical device for safety critical emergency 
access extensively on the congressional task force for the last 
year and a half. There's a difference between having a hard-
coded unchangeable fixed password that adversaries can guess 
and take advantage of and the ability to go back to a factory 
default or a safe mode or emergency override with physical 
    So I hear that come up often as an excuse, I'm not saying 
it's being used that way this time, but no one's saying you 
shouldn't be able to get to a factory default mode. It's more a 
matter of are we making it incredibly easy to be herded into a 
    And Mirai had to publish its source code after it was done. 
So even though the first attacks were cameras, one of my first 
calls was to the Food and Drug Administration to say that the 
three defining characteristics of Mirai were it was internet 
facing, it had a fixed password that was guessable, and it was 
unpatchable. And I just described most connected medical 
equipment, including half-million-dollar imaging systems and 
bedside infusion pumps hooked up to people. You can Google these 
    So one thing I wanted to clarify is there's a difference 
between being able to reset them versus how exposed we are with 
the current condition.
    The second thing is, I'm fully onboard with a risk-based 
decision. It's come up several times. What I want to extend to 
that, though, and clarify is risk to whom. Because the risk of 
you buying your internet-based camera is--who cares if your 
camera gets hacked for you. The risk with the externalities and 
the tragedy of the commons, that the collective might of all 
those were able to hurt someone else.
    So we should absolutely do risk assessments. But if we 
narrowly hone in on what's the use case of the buyer as opposed 
to what's the collective hygiene public health issue of those 
being herded into a collective might, that must be part of that 
risk association.
    Mr. Hurd. Mr. O'Farrell, close out the time that I do not 
    Mr. O'Farrell. Okay. With respect to the password question, 
I think if a device needs a password, a hard-coded password 
effectively means you've no password. So if the device has a 
password at all, then a hard coded one does not work for that.
    Thinking through to devices, yes, on the extreme sensor 
side of devices, your devices with no operating system, and I 
would argue, they are not really connected to the internet. 
They are in turn connected to other systems which connect to 
the internet, and they're the systems which then need to be 
protected. But if the device itself is connected to the 
internet or backed into a data center over TCP/IP or some 
equivalent protocol, broadly speaking, it will probably have an 
operating system or at least needs to be protected using a 
gateway or something else.
    Mr. Hurd. Thank you.
    And we're now round two. Robin Kelly, you're now recognized 
for your next 5 minutes.
    Ms. Kelly. Oh, only five for me, huh. Okay.
    There's no doubt in my mind that Congress must establish 
cybersecurity standards to protect internet-connected devices 
from hackers and bad actors, but I also understand the other 
side that, you know, there's concern about rigidly crafted 
regulations that would stifle innovation.
    Mr. O'Farrell, do you believe that the Federal Government 
can develop IoT cybersecurity without too much stifling of 
    Mr. O'Farrell. So I believe that in the context of the 
proposal where you're trying to establish what are really 
pretty basic security rules are basically a kind of a rules of 
the road for what the Federal Government should be doing for 
procurement. I think the balance of being able to establish 
those rules and making sure that you're basically getting value 
for money against any potential curtailing of innovation, I 
think is a good balance. These are pretty basic rules. They are 
not going to some inappropriate level of constraint.
    Ms. Kelly. And Mr. Corman had made the comment he thought 
that the advisory board was a good idea. Do you agree with that 
    Mr. O'Farrell. Yes, I do. I think partially one of the 
challenges with Internet of Things and anything having to do 
with cyber moving forward is, as several people have pointed 
out, you do not know what the threat of tomorrow is going to be 
and you do not know what adoptive level of security you're 
going to have to bring. So an advisory board would help to be 
able to surface those and react to those before they become a 
real problem.
    Ms. Kelly. Okay. And, Mr. Corman, the Senate version 
already has the waiver process. Do you think that's a good idea 
and would ease some concerns?
    Mr. Corman. To a certain extent. One theory I have is the 
notion that you can't sell a product with known vulnerabilities 
unless you get a waiver. I think it'll be the norm that on any 
given day that you sell you will have some known vulnerability. 
So we want to make this as streamlined as possible. That's why 
I err on disclosing, in other words, avoiding a failure to 
warn. And, you know, the expectation of patching or the 
ingredients list to know if you need to, even if your vendor 
doesn't warn you or can't.
    So the ability to have a pressure release valve of a waiver 
process makes sense, because then the agency is explicitly 
accepting that risk and can do other things to swarm and 
surround that. But I'd want to make sure that the common path 
is the easy path is the safe path. And waivers may just be a 
way to undermine this, so I tend to favor carrot and stick. FDA 
did something where they essentially said, if you have a 
disclosure program and you can fix your issue in 30 to 60 days, 
then you don't have to go through a recall process. Kind of 
being very clever to say the safe thing is easy thing.
    So you can do it however you want, but you're going to want 
to do it this way. And my only comment on the waivers is let's 
make sure that they're rare and necessary as opposed to 
burdensome and slowing down the Federal Government.
    Ms. Kelly. And we all know that, as much as we try, no 
piece of legislation is perfect, so I wanted to give each of 
you a chance to make a suggestion toward this legislation.
    Mr. Eggers?
    Mr. Eggers. Yes, ma'am. Thank you for asking.
    I will confess I have not looked at the advisory board idea 
in detail, but I will. I'm more familiar with the Senate bill. 
I might even suggest, maybe if there's one thing to take away 
at least from my thoughts here today, it's that maybe going 
broader than an advisory board. And what do I mean by that is 
we found that the Commerce Department can play a really 
powerful role--NTIA, NIST in particular--to bring multiple 
stakeholders. The four of us are just a portion of that.
    What they can do--and I think the NIST cyber framework 
effort is a good model. They brought folks together. They're 
able to say, here's what our interests are. They were 
consulted. They provided input. There's a lot of back and 
forth, right? It was quality input-output. I think industry 
bought it in a major way. We may need to do that here. We are 
supportive of that.
    I think that the Commerce Department--I don't want to speak 
for them, but I think they would be open to that idea. One 
thing I might suggest is it's not clear if our friends at NIST 
and NTIA have the resources they need to carry that forward. 
One thing I might suggest is we look at what they may need, we 
may want to consult with them, hey, maybe it doesn't need to be 
as big as the framework effort where we have about maybe 5 to 6 
workshops in the span of about 13 months.
    But here's what I took away: Industry played a big role. So 
did government. Our members bought in, by and large. I can go 
out, and we do, we promote that framework to about six major 
chambers, State, local chambers, every year, lead up every year 
to a summit. So we're able to promote that tool, not only 
domestically to our businesses, but as a model globally. And 
that's one of the things we're aiming to, is that we have a 
process, a model that can work for business wherever they are 
on the globe. Thank you.
    Ms. Kelly. Thank you.
    Mr. Ross. Thank you, Member Kelly. If I might, I'd offer 
three things. First of all, I think it's a very promising piece 
of legislation, and, you know, we think the idea of the 
government using its purchasing power to drive security makes a 
lot of sense. So these are offered in the spirit of improving 
that legislation.
    Number one, the definition of internet-connected devices, 
as I've been suggesting, I think needs to reflect risk. And I 
know that NIST is working on looking at a risk-tiering or a 
categorization of IoT devices. I think that's maybe something 
that can be built upon in the definition.
    Second of all, I think we really like the emphasis on 
security research and coordinated vulnerability disclosure. But 
there are some refinements that we would like to see to make 
sure that patches can be fully deployed before vulnerabilities 
are disclosed to the public.
    And then the third thing, I'm not sure exactly how you get 
this in the legislation, but what we would not want to see is 
any set of standards become sort of the new lowest bar where, 
you know, that leads to acquisition workforce to buy products 
that are the cheapest possible as long as they meet the bar. We 
want to see competition for better cybersecurity and the 
government buying for value, not just for lowest cost. And I 
think the more we can do to incentivize that, the better off 
we'll be.
    Ms. Kelly. Thank you.
    Mr. Corman. I love the question. I appreciate it being 
asked. Thank you.
    I mean, clearly, I proactively mentioned there's tremendous 
value in a list of ingredients for free market choice at 
purchase time to tell better products from worse, to answer am 
I affected and where am I affected, when there's an active 
attack in the wild that you might be able to actually defend 
yourself against, and for the devices that have gone out of 
business, the manufacturers, the ability to defend yourself in 
those important use cases.
    And if I were to add to that, there is a technical standard 
being discussed called MUD, or Manufacturer Usage Description. 
It's a very elegant, very simple idea that a device--every 
device--would advertise to the network this is the man I need 
to talk to and this is the port I need to speak on. And if 
other devices in the network noticed it was doing something 
else, it must be compromised. It's something that on its own 
may not get as much adoption, but were this part of a 
government procurement wish list or fast track or incentivized, 
it could be promising. It's not very robust now, but I like the 
concept. And it could go even further and leverage free market 
innovation. I think this idea came out of Cisco, if I recall.
    And then just a little caution on the disclosure idea, I do 
agree that great care has to be done on the notion of safe 
harbor for coordinated vulnerability disclosure. And in my 
written testimony, I cautioned against MPVD reinventing the 
wheel. There's been significant and robust debate with the 
Librarian of Congress, the Copyright Office, who is recommending 
that the current exemptions to the MCA for research that 
allowed or enabled the voting machines, medical, to get the 
strength of law and be made permanent.
    I would not want to undo some of those really subtle 
nuances, nor would I want to tie that to the availability to 
patch first. There are many devices that cannot be patched, but 
it's still meaningful to know, to shield yourself, and insulate 
yourself. So rather than designing that right now, I would be 
happy to comment further, but I think that that last well-
intended suggestion could backfire in unanticipated ways that I 
could articulate.
    Ms. Kelly. Thank you.
    Mr. O'Farrell. Thank you very much for the opportunity to 
comment on improvements to the bill.
    I think I see two areas. One of them is related to the 
definition of IoT devices themselves. As you can see, it's an 
area of quite a few questions, but specifically, it points to 
those IoT devices which are being procured by the Federal 
Government for use by the Federal Government. I think it would 
be good to clarify that, if that was to be extended further in 
some way, that that would be done in cooperation with industry.
    So the advisory board, part of that, or even strengthening 
that in some way to say that we're dealing in this world, which 
is going to be highly adoptive and highly volatile and, 
therefore, we need to constantly keep working with industry as 
we come up with new standards or new rules of the road. I would 
like to see that incorporated a little bit more strongly in the 
    Ms. Kelly. Thank you. And I'm done.
    Mr. Hurd. Mr. Raskin, you're now recognized for an 
additional 5 minutes.
    Mr. Raskin. Thank you, Mr. Chair.
    Ms. Kelly asked one of the questions I wanted to ask and 
maybe--no, it's an excellent question, Ms. Kelly.
    But I did want to ask a similar kind of question which is, 
at a time when the crises facing the country are multiplying--
you know, we had the worst act of mass gun violence, random gun 
violence in our history a couple days ago; we've got millions 
of Americans still without power, without water, facing very 
perilous conditions in Puerto Rico and the Virgin Islands and 
so on--how would you express to the public the importance and 
the urgency of what it is you've come to testify about? How 
would you explain to people why this is something that really 
requires our attention?
    Mr. Eggers?
    Mr. Eggers. Sure. Yes, sir. Thank you.
    I think it's pretty simple: We want the IoT to expand and be 
successful. We think it's going to lead to economic growth and 
to jobs, but to do that we have to manage risks, smartly. I 
think that the bill here provides an opportunity for a dialogue 
around these important issues.
    One of the things that we're going to do is we're going to 
provide the committee, at least I anticipate that we'll do it 
relatively soon, thoughts on the provisions, at least in the 
Senate bill, and then we'll move on from there. But I 
appreciate the opportunity to provide our thoughts.
    But I think, if anything, we want to make sure businesses 
gain as they're producing securely, and so will consumers. But 
I think we have to manage risks as we expand the IoT. Thank 
    Mr. Raskin. Anybody else? Mr. Corman?
    Mr. Corman. One of the lines I put in the Presidential 
testimony, which was in August last year, has become more true 
every single day with NotPetya, with WannaCry. And I'm going to 
read it verbatim. I said: Through our overdependence on 
undependable things, we have created the condition such that 
the actions of any outlier can have a profound and asymmetric 
impact on human life, economic, and national security.
    That was a concern of things coming. If you look at 
healthcare as a sixth of our economy, there's a promise and a 
peril to these things. But in a sixth of our economy, connected 
medicine is creating new cures, it's dropping the costs, it's 
increasing access.
    If we are cavalier about risks like this, any crisis of 
confidence in the public to trust these things could have a 
very deleterious effect on, not just patient safety, but the 
    And further, imagine something like the Harlem Presbyterian 
outage or the WannaCry outage, during a shooting, during a 
Boston Marathon bombing, during an earthquake or hurricane 
relief when we need it most. So this is something we have--back 
to overdependent on undependable IT. Our failure rate is about 
100 percent on highly replaceable assets like credit cards. And 
even though we haven't dramatically improved our cybersecurity 
on those tolerable losses, we have increased our dependence on 
these safety critical and national security things.
    So without being dire or doom and gloom, we've run out of 
runway for these low consequence failures. And I think it's not 
just that we want economic growth, it's that we want the 
confidence of the public and the national security intact.
    Mr. Raskin. Thank you.
    Mr. O'Farrell?
    Mr. O'Farrell. Yeah. Maybe to echo a little bit, I think 
the reason why this is important is because IT security today 
is, to a large degree, around privacy or ensuring that 
financial or other transactions take place securely.
    IT security in the context of IoT is going to be around 
real factories, healthcare, things which directly affect the 
economy, things that directly affect the day-to-day life within 
a city. And because of that, compromise or damage associated 
with those are going to real--and much more impactful in a 
very, very real way. You have an opportunity to react to a 
privacy breach of some sort. You do not have an opportunity to 
react if a factory is brought down or if there's real danger 
put into a city because a traffic system's been hacked or 
something like that.
    This is why it's important. We're early in the days. IoT is 
a fledgling story at this stage. So you have an opportunity to 
build in some security from the very beginning rather than 
dealing with it after something really bad happens.
    Mr. Raskin. Mr. Ross?
    Mr. Ross. Sir, I would say we can get this wrong in two 
different directions. One would lead us to lose the benefits of 
innovation, and the other would lose the benefits of 
    You know, it's not just the physical risks that these 
devices turned against us can pose, it's also losing out on the 
cutting edge scientific research that these devices are 
offering or the benefits to public health or the benefits to, 
you know, critical infrastructure and that kind of thing. And 
if we don't protect them from cyber attacks, we lose those 
    On the other hand, if we go too far and we adopt indigenous 
standards that put us at odds with the rest of the world, and 
we close off the internet and we segment and fragment, we lose 
the ability to transact business around the world and the 
benefit to our economy that that brings us.
    Mr. Raskin. Thank you.
    Mr. Chairman, I also wanted to take a second to thank you 
for calling this hearing today. Unsecure IoT devices pose 
significant risk to our national security and can have 
devastating consequences, as Mr. Corman said. So I think that 
the Internet of Things Cybersecurity Act is a great first step 
to protect federally procured IT devices and sensors from cyber 
    And I want to thank Representative Kelly for excellent 
legislation, and I do strongly support her bill.
    Mr. Hurd. Thank you, Mr. Raskin.
    And some final questions from me. How do we prevent--if we 
say you have to be this tall, from that staying--that that's 
the floor--or that would be the ceiling, actually, how do we 
make sure that we continue--that industry continues to follow 
good digital hygiene?
    Mr. Corman. We did encounter this at the PCI data security 
center, the effort to set a minimum, and we got one, right. It 
almost caused a race to the bottom, and we don't want to cause 
    I think that's why the language we use here is critically 
important. And I think it's an ``and.'' I don't think it's, do 
you do in this, private sector, public-private partnership or 
some minimum hygiene to protect your own interests right now, 
especially with time being the enemy.
    If these things are evergreen, like never have a password 
you can't change, we can act on that and we can encourage best 
practices, carrots and sticks, preferential purchasing, with a 
parallel effort that does leverage things that can be layered 
on top of it. It is always a risk. We need to define a minimum 
that you get it. That's why we have to be very careful, 
conscientious here that this is something to do the 80/20 rule 
now. It can't be the finish line.
    Mr. Hurd. Mr. O'Farrell?
    Mr. O'Farrell. So I don't think we should be afraid to set 
the minimum. And some of these minimums here are pretty basic 
    Mr. Hurd. Pretty minimum, huh?
    Mr. O'Farrell. Pretty minimum. And so we should not be 
afraid to set those as minimums because we fear, you know, 
we're not going to be able to do more as it is appropriate. I 
think the most important thing though, as it is appropriate, 
does require a lot of interface with industry.
    Obviously, I am part of a company who produces a lot of 
software. I want to be able to have a seat at the table to be 
able to say, what are the guidelines that we need to follow, 
how are we going to secure that, and so on. So being involved 
in that and involving industry is very important. That does not 
mean we should not be afraid to set this bare minimum, which 
is, you know, based on what NIST or what some basic cyber 
hygiene is in place today.
    Mr. Hurd. Mr. Eggers and Mr. Ross?
    Mr. Eggers. Mr. Chairman, I might just add that I'm always 
a little concerned, at least I hear concerns expressed from 
members about minimums and maximums, only because the 
environment moves so quickly.
    One of the things that I think we want to try to do is 
encourage demand for stronger devices, right. And that may mean 
that maybe they're more expensive, maybe not. We want makers of 
devices and those that provide managed services and so forth to 
gain from that extra security.
    One of the things I think about when I start hearing 
minimums and maximums is, are we in this space going to set 
some kind of check-the-box formula where it, A, might give us a 
false sense of security? Maybe with that false sense of 
security we are not deploying resources optimally. We've seen 
that happen.
    The other thing is, it's not clear where a minimum goes to 
maybe a higher level. Much depends on the implementation. One 
thing we have seen is once regulations sort of get going, they 
are hard to pull back and harmonize. And that's one of the 
things we're struggling with now.
    Mr. Hurd. I'm assuming Equifax didn't have a high enough 
minimum, right? You know, and so we--yes, there should be a--I 
get the fear. Because my goal is that Congress never gets in 
the way of entrepreneurship and growth, but it's being made 
hard when private sector companies are not following basic 
digital system hygiene. Nobody opted in for their information 
to be in Equifax, right? And so I get that frustration. But 
then your members need to get their act together.
    Mr. Eggers. So let me offer a thought. I think you're 
concerned--I'm not going to argue with your concerns, but 
here's what I hear from members. So I think one of the things 
we don't do a good job with is whether it's OPM, SEC, Equifax, 
and other entities, we're going to have more, we don't do a great 
job of creating a safe space where an organization can come in 
as soon as they think that there's something wrong and say, 
here's what's going on. Rather than having an environment where 
they're having a finger pointed at them, and you're saying, why 
did you let this happen, we say, hey, we'll get to that. What 
can we do to help make things better so we can pull in 
information, in a voluntary way, and we can learn and get that 
information out to other organizations?
    I honestly haven't learned enough about what's happened 
with some of these recent breaches to really have a firm sense 
that I can comfortably say that one organization did very, very 
poorly and one didn't. I understand that organizations have had 
challenges, but sometimes we don't know the full picture. And we 
haven't, at least one thing is, bills like this don't 
necessarily contemplate what are we going to do about the bad 
guys, right? What are we going to do about pushing back on bad 
actors? I think deterrence, at least through denial, stronger 
devices are some, but what are we also going to do to make an 
example of bad actors? So they think, for example, hey, I'm 
not going to do this again.
    Mr. Hurd. Mr. Ross?
    Mr. Ross. Mr. Chairman, two points. I think one, you know, 
we focused a lot on minimum standards today. Part of my 
suggestion about a risk-based framework is thinking about 
higher risk devices as well. And, you know, we may decide we 
don't want to make sure certain devices are patchable or have 
hard-coded passwords at the very low end. But at the high end, 
not having a hard-coded password may not be enough. We may want 
to insist upon two-factor authentication or other identity-
management approaches that are much stronger than just not 
having a hard-coded password. So I think that's one important 
    The second thing is, if we want minimum standards for 
government procurement or any other sorts of standards to drive 
or sort of race to the top for cybersecurity, market mechanisms 
are really important. And part of that means that consumers, 
both at the enterprise level and on an individual household 
basis, need to have information to make informed decisions that 
factor in security. And right now, we don't have sufficient 
tools to get information to consumers in ways that they can 
understand and act upon. So I think that's another really 
important part of the solution.
    Mr. Hurd. Mr. Corman.
    Mr. Corman. You know, I almost wanted to bring up Equifax, 
but obviously Equifax is not an IoT device. That said, the 
cause here was a known vulnerability that was able to be 
remediated but wasn't. It's very similar to this rubric, right? 
A known but unmitigated vulnerability.
    To the point raised just now, though, there is a tongue-in-
cheek, much shorter bill we could do, if we want to avoid being 
prescriptive. We could have a bill that basically says, let the 
free market do whatever the heck it wants, you are liable for 
all damages caused by a known vulnerability or a default 
    It's as free market and open to interpretation, as you 
want. You can be a risk taker, you can be a risk avoider, you 
can change the cost of goods. A little tongue-in-cheek, but to 
a certain extent, we have to decide what's reasonable and 
what's appropriate for the shared responsibility model of the 
goods that we're inheriting.
    So we don't have to necessarily tell them what to do. I 
think these ones are pretty evergreen, as we've testified thus 
far. That said, if we want the criteria to change over time, 
I'd like to remind everyone listening, not just the committee, 
this is a statutory authority. I believe we're going to get 
software liability through case law. I think a jury of their 
peers is going to find that harm caused to a loved one due to a 
software defect is no different than harm caused by a physical 
defect. And we will get case law introducing something, whether 
or not there's a regulatory or a purchasing procurement 
    So part of the virtue of this particular experiment and 
this leading by example with procurement guidelines, is I 
believe, and I said this in my testimony as well, this could 
create a rubric that could be a safe harbor clause for any case 
law around this.
    So rather than fighting it or wondering what it might do 
badly, I think it creates a very tenable, intractable building 
block for the private sector to insulate their harm and 
insulate their maximum liability. They don't like that at 
first. I think in the fullness of time, we're going to see this 
not come through statutory but through case law.
    Mr. Hurd. Thank you.
    Will the gentleman from the Commonwealth of Virginia be 
interested in asking questions or making comments?
    Mr. Connolly. I would. Thank you, Mr. Chairman.
    Mr. Hurd. And he is recognized for the final 5 minutes.
    Mr. Connolly. I thank the Chair.
    And let me follow up on what you were just saying, Mr. 
Corman. I take your point, and it may be the way to go. But on 
the other hand, statutory action influences case law. And not 
having a statute means that a court in some ways has to itself 
impose minimum standards if it's going to find liability. And 
so that's not always a desirable outcome from a legislative 
point of view.
    You may want to comment on that.
    Mr. Corman. There was a significant discussion on this in 
the Presidential Commission on Enhancing National 
Cybersecurity, which did ask the Department of Justice to 
explore the current state of the law with regards to software 
liability, just as an uncomfortable truth.
    One of the discussions that went in great detail is that if 
a court is doing this in a vacuum, if they place the liability 
in the wrong place, it could have devastating effects on the 
software industry. For example, most of these vulnerabilities 
that are exploited are in third-party, open-source code that 
are 100 percent volunteer. So if you were to place 
responsibility for all the harm caused by Heartbleed when it 
hit the Federal Government April a few years ago, on the poor 
guy who introduced the code at 4:00 a.m., on New Year's Day, no 
one will ever contribute to open source again. And since 90 
percent of the software in closed-source commercial goods is 
open source, you would have just single-handedly destroyed 
the software industry. And that's not actually a big stretch 
for a nontechnical jury.
    Mr. Connolly. True.
    Mr. Corman. Yeah.
    Mr. Connolly. But, you know, in some of this discussion one 
would think--let's take Equifax--that it's Equifax that's the 
victim. Well, 143 million people are also victims. They've had 
their data compromised. And where do they seek redress?
    Your argument that it's a free market, I heard you say, 
maybe tongue-in-cheek, but an absolute free market doesn't 
necessarily protect the other victims who've had their 
financial information compromised.
    Mr. Corman. It's my sincere belief that a few years from 
now, whether we chose to do it or are forced to do it, we're 
going to end up with a rubric that people are not responsible 
for zero day attacks from China, but they are absolutely 
responsible for known avoidable vulnerabilities. I think 
everything is going to hinge on what was known and avoidable.
    Mr. Connolly. Well, you know, GAO in a series of reports 
basically found, and I quote: ``While there are many industry-
specific standards and best practices that address information 
security, standards and best practices specific to IoT 
technologies are still in development and not widely adopted.''
    Now, Congress, generally in this sphere, has been reluctant 
to legislate, actually. Some would criticize us for being too 
reluctant. But that kind of finding suggests, as the chairman I 
think was indicating, either industry adopt some industry-wide 
standards that people can adhere to that give us some comfort 
in protecting the citizens we represent, or we have to do it.
    Mr. Ross.
    Mr. Ross. Congressman, if I might. I think it's a great 
point. I think we will get maximum bang for the buck when those 
standards are international standards, because so many devices 
are produced overseas. And I think there is a gap. There's a 
gap, for example, you know, there is a proliferation of 
different types of operating systems for IoT devices, and that 
has a real impact on their security. Having a--you know, having 
international standards around IoT operating systems might be 
something we ought to explore. And I think the government can 
play a big role in supporting efforts to develop international 
    And that's something we haven't looked at nearly enough, in 
my view, because, you know, a lot of times international 
standards are developed on the side by people who, you know, 
work in the industry and try to come up with an international 
standard in their free time. That can't be how we approach 
security. We need a much more focused approach on identifying 
where there are gaps or where standards are out of date and 
really putting some support behind developing them in the 
international context.
    Mr. Connolly. And that's a good point. I would just say, 
keep in mind that if this isn't done with some robustness by 
the private sector, sooner or later the public sector will be 
under enormous pressure. For example, if there ever is 
something that we kind of agree is a cyber Pearl Harbor, the 
shutdown of the electric grid, or the banking system, writ 
large, the public pressure on us to do something will be 
    And so some sense of urgency, it seems to me, is really 
important within the private sector to get some kind of basic 
standards that people buy into that are reassuring, that aren't 
just, you know, PR, but that actually provide some protection 
that is measurable and testable.
    Absent that, I fear that some day it will be done for you, 
because the pressure will be so great after some incident, 
Equifax apparently isn't it, but it was big enough that it got 
a lot of attention. And I just fear that when that day comes, 
absent private sector activity, you're going to see tremendous 
pressure on the legislative branch to protect the public.
    Mr. Ross. Congressman, I fear that too. I think the one 
thing I would say is that it doesn't necessarily have to be the 
private sector taking action versus the public sector, but the 
private sector and the public sector working together is really 
powerful. And I think what we've seen, you know, within this 
framework is that industry and government got together on a 
framework that has proved very valuable by all accounts. But 
it's now, you know, the government and the private sector 
together are also now taking it to the International 
Organization of Standardization and seeking to internationalize 
it as a standard. And I think that's a great model for how we 
can explore IoT cybersecurity, but also other areas where we 
really need to fill in the gaps on international 
standardization for security.
    Mr. Connolly. And I know my time is up, but I would agree 
with you. I think that's a preferable way to go, but it's got 
to be robust, it's got to be measurable and testable, it's got 
to be reassuring to the public and most of the stakeholders. 
Otherwise when something happens, that will be found to have 
been as inadequate as it is.
    Mr. Ross. Absolutely.
    Mr. Connolly. I thank the chair.
    Mr. Hurd. Thank you, sir.
    And I'd like to thank our panel of witnesses today. This 
really was an invaluable conversation. I always feel when I 
leave a hearing with just as many questions as answers, it's 
actually a good thing. And so thanks for taking the time, thanks 
for y'all's perspective.
    And the hearing record will remain open for 2 weeks for any 
member to submit a written opening statement or questions for 
the record.
    And if there's no further business, without objection, the 
subcommittee stands adjourned.
    [Whereupon, at 4:08 p.m., the subcommittee was adjourned.]



               Material Submitted for the Hearing Record